CN110190955A - Information processing method and device based on secure socket layer protocol certification - Google Patents
Information processing method and device based on secure socket layer protocol certification Download PDFInfo
- Publication number
- CN110190955A CN110190955A CN201910447394.8A CN201910447394A CN110190955A CN 110190955 A CN110190955 A CN 110190955A CN 201910447394 A CN201910447394 A CN 201910447394A CN 110190955 A CN110190955 A CN 110190955A
- Authority
- CN
- China
- Prior art keywords
- message
- server
- random number
- session
- user equipment
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Links
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/02—Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/04—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
- H04L63/0428—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
- H04L63/0435—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply symmetric encryption, i.e. same key used for encryption and decryption
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/0869—Network architectures or network communication protocols for network security for authentication of entities for achieving mutual authentication
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/16—Implementing security features at a particular protocol layer
- H04L63/168—Implementing security features at a particular protocol layer above the transport layer
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H04L9/0816—Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
- H04L9/0819—Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H04L9/0816—Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
- H04L9/0838—Key agreement, i.e. key establishment technique in which a shared key is derived by parties as a function of information contributed by, or associated with, each of these
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H04L9/0861—Generation of secret information including derivation or calculation of cryptographic keys or passwords
- H04L9/0869—Generation of secret information including derivation or calculation of cryptographic keys or passwords involving random numbers or seeds
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
- Computer And Data Communications (AREA)
Abstract
The embodiment of the present application provides a kind of information processing method and device based on secure socket layer protocol certification.Firewall box exchanges in message from user equipment with the first handshake message, the second handshake message and the key of server interaction, obtains client random number, server random number, Encryption Algorithm and encrypted random number evidence respectively.Encrypted random number evidence and Encryption Algorithm are sent to server by firewall box.The private key and Encryption Algorithm of server by utilizing server, according to being decrypted, obtain original random number evidence to encrypted random number, and original random number evidence is sent to firewall box.Firewall box generates the encryption key communicated between user equipment and server according to original random number evidence, client random number and server random number.Using technical solution provided by the embodiments of the present application, it can be realized and safety detection is carried out to the encryption data of ssl protocol two-way authentication.
Description
Technical field
This application involves fields of communication technology, more particularly to a kind of information processing based on secure socket layer protocol certification
Method and device.
Background technique
With the development of internet technology, the equipment for accessing internet is more and more.In order to improve two communication between devices
Safety, usually using Secure Socket Layer (English: Secure Sockets Layer, referred to as: SSL), agreement authenticated,
SSL connection is established, and then the data of transmission are encrypted.Ssl protocol certification is divided into unilateral authentication and two-way authentication.Unidirectionally recognize
Card is certification of the user equipment to server.Two-way authentication includes that user equipment sets the certification of server and server to user
Standby certification.
It, at present can be by the way that firewall box by way of " go-between ", be realized that ssl protocol is recognized for unilateral authentication
Card.Its work basic principle is divided into two parts: first part is certification of the user equipment to firewall box, and second part is anti-
Certification of the wall with flues equipment to server.For first part, user equipment slave firewall equipment obtains certificate, compares the card of acquisition
The firewall certificate installed on book and user equipment, if the two matches, it is determined that the certificate verification success to acquisition, firewall are set
It is standby legal, go out the public key communicated from the certificate acquisition of acquisition and is transferred to firewall after being encrypted with the public key to negotiation data and sets
Standby, the negotiation data that firewall box can use the private key pair encryption of itself is decrypted, and firewall box can be according to decryption
Encryption key of the user equipment side for data encrypting and deciphering is calculated in the negotiation data obtained afterwards.For second part, fire prevention
Wall equipment obtains certificate from server, the server certificate installed on the certificate and firewall box of acquisition is compared, if the two
Match, it is determined that the certificate verification success to acquisition, server legitimacy go out the public key communicated, from the certificate acquisition of acquisition with the public affairs
After key encrypts negotiation data, it is transferred to server, the negotiation data that server can use the private key pair encryption of itself carries out
Encryption key of the server side for data encrypting and deciphering is calculated according to the negotiation data obtained after decryption in decryption.
For two-way authentication, work basic principle are as follows: be mutually authenticated between user equipment and server, it may be assumed that user equipment
From server obtain certificate, authenticated with the certificate of the server to acquisition and server from user equipment obtain certificate,
With authenticating for the certificate of the user equipment to acquisition.User equipment and server are in the certificate verification success to respectively obtaining
Afterwards, it is based respectively on the negotiation data transmitted between user equipment and server, generates and adds between user equipment and server for data
The encryption key of decryption.
For above-mentioned unilateral authentication, firewall box can get respectively user equipment side and server side adds for data
Close encryption key, and then the safety detection to data may be implemented.But for two-way authentication, original idea is exactly to enhance
The security level of SSL certification avoids the presence of the visitor (attacker) forged in network, therefore, no matter comes from ssl protocol itself
Say or the security requirement of ISP on for, can not all support in simply by being forged in similar unilateral authentication scene
Between the mode of people realize two-way authentication.On the one hand, except non-server install firewall certificate, otherwise firewall box be can not
Two-way authentication is completed by forging internuncial mode;On the other hand, if server installs firewall certificate, mean to prevent
The ability for the Credential-Security detection that wall with flues equipment must have same server the same, this cannot achieve for firewall box,
And for server, this " authorization " of installation firewall certificate is also not allow.
Therefore, in two-way authentication, firewall box can not get the encryption key that user equipment and server are negotiated,
And then the data transmitted between user equipment and server can not be decrypted, and safety detection can not be carried out to data.
Summary of the invention
The embodiment of the present application be designed to provide it is a kind of based on secure socket layer protocol certification information processing method and
Device, to realize that the encryption data to ssl protocol two-way authentication carries out safety detection.Specific technical solution is as follows:
In a first aspect, the embodiment of the present application provides a kind of information processing method based on ssl protocol certification, it is applied to anti-
Wall with flues equipment, which comprises
Receive the first handshake message that user equipment is sent, will first handshake message to server forwarding, and from institute
State acquisition client random number in the first handshake message;
The second handshake message for receiving the first handshake message described in the response that the server is sent, described second is shaken hands
Message is forwarded to the user equipment, and server random number and Encryption Algorithm are obtained from second handshake message;
The key exchange message that the user equipment is sent is received, obtains encrypted random number from key exchange message
According to the encrypted random number is according to the public key and the Encryption Algorithm for utilizing the server for the user equipment to original random
It is obtained after data encryption;
The encrypted random number evidence and the Encryption Algorithm are sent to the server, so that server by utilizing institute
The encrypted random number evidence is decrypted in the private key and the Encryption Algorithm for stating server, obtains original random number evidence;
Receive the original random number evidence that the server is sent;
According to the original random number evidence, the client random number and the server random number, the user is generated
The encryption key communicated between equipment and the server.
Second aspect, the embodiment of the present application provide a kind of information processing unit based on ssl protocol certification, are applied to anti-
Wall with flues equipment, described device include:
First acquisition unit, for receive user equipment transmission the first handshake message, by first handshake message to
Server forwarding, and client random number is obtained from first handshake message;
Second acquisition unit is shaken hands report for receiving second of the first handshake message described in the response that the server is sent
Text forwards second handshake message to the user equipment, and acquisition server is random from second handshake message
Several and Encryption Algorithm;
Third acquiring unit exchanges message for receiving the key that the user equipment is sent, exchanges and report from the key
Obtain encrypted random number evidence in text, the encrypted random number utilizes the public key of the server and described according to being the user equipment
Encryption Algorithm is to original random number according to the random data obtained after encryption;
Transmission unit, for the encrypted random number evidence and the Encryption Algorithm to be sent to the server, so that institute
The encrypted random number evidence is decrypted in the private key and the Encryption Algorithm for stating server described in server by utilizing, obtains
Original random number evidence;
First receiving unit, the original random number evidence sent for receiving the server;
Generation unit is used for according to the original random number evidence, the client random number and the server random number,
Generate the encryption key communicated between the user equipment and the server.
The third aspect, the embodiment of the present application provide a kind of firewall box, including processor and machine readable storage are situated between
Matter, the machine readable storage medium are stored with the machine-executable instruction that can be executed by the processor, the processor
Promoted by the machine-executable instruction: realizing a kind of information processing method based on ssl protocol certification that first aspect provides
Either step.
Fourth aspect, the embodiment of the present application provide a kind of machine readable storage medium, the machine readable storage medium
It is stored with the machine-executable instruction that can be executed by the processor, the processor is promoted by the machine-executable instruction
Make: realizing a kind of either step for information processing method based on ssl protocol certification that first aspect provides.
A kind of information processing method and device based on secure socket layer protocol certification provided by the embodiments of the present application,
In ssl protocol certification, user equipment sends the first handshake message, the key exchange messages such as message to server, server to
Family equipment sends the messages such as the second handshake message.Firewall box obtains client random number from the first handshake message, from
Server random number and Encryption Algorithm are obtained in two handshake message.Later, firewall box obtains from key exchange message and adds
Encrypted random number evidence and Encryption Algorithm are sent to server by close random data simultaneously.At this point, server can use itself
The Encryption Algorithm that private key and firewall box are sent obtains original random number evidence to encrypted random number according to being decrypted, will
Original random number evidence is sent to firewall box.Firewall box is according to original random number evidence, client random number and server
Random number generates the encryption key communicated between user equipment and server.User equipment is same as server be according to it is original with
Machine data, client random number and server random number generate encryption key.Therefore, the encryption key that firewall box generates
Identical as the encryption key that user equipment and server generate, firewall box can be to the datagram of user equipment or server
The user data that text carries is decrypted, and obtains original user data, and then carry out safety detection to original user data,
It realizes and safety detection is carried out to the encryption data of ssl protocol two-way authentication.
Certainly, any product or method for implementing the application must be not necessarily required to reach all the above excellent simultaneously
Point.
Detailed description of the invention
In order to illustrate the technical solutions in the embodiments of the present application or in the prior art more clearly, to embodiment or will show below
There is attached drawing needed in technical description to be briefly described, it should be apparent that, the accompanying drawings in the following description is only this
Some embodiments of application for those of ordinary skill in the art without creative efforts, can be with
It obtains other drawings based on these drawings.
Fig. 1 is a kind of structural schematic diagram that ssl protocol provided by the embodiments of the present application authenticates networking;
Fig. 2 is a kind of signaling diagram of existing two-way authentication;
Fig. 3 is the first process signal of the information processing method provided by the embodiments of the present application based on ssl protocol certification
Figure;
Fig. 4 is a kind of signaling diagram of the information processing provided by the embodiments of the present application based on ssl protocol certification;
Fig. 5 is second of process signal of the information processing method provided by the embodiments of the present application based on ssl protocol certification
Figure;
Fig. 6 is a kind of flow diagram of warning message provided by the embodiments of the present application processing;
Fig. 7 is a kind of flow diagram of data message provided by the embodiments of the present application processing;
Fig. 8 is a kind of structural schematic diagram of the information processing unit provided by the embodiments of the present application based on ssl protocol certification;
Fig. 9 is a kind of structural schematic diagram of firewall box provided by the embodiments of the present application.
Specific embodiment
Below in conjunction with the attached drawing in the embodiment of the present application, technical solutions in the embodiments of the present application carries out clear, complete
Site preparation description, it is clear that described embodiments are only a part of embodiments of the present application, instead of all the embodiments.It is based on
Embodiment in the application, it is obtained by those of ordinary skill in the art without making creative efforts every other
Embodiment shall fall in the protection scope of this application.
Ssl protocol certification is divided into unilateral authentication and two-way authentication.Unilateral authentication is certification of the user equipment to server.It is double
It include certification of the user equipment to the certification and server of server to user equipment to certification.
For unilateral authentication, firewall certificate is installed on user equipment, server certificate is installed on firewall box.With
Family equipment and firewall box arranging key, establish SSL connection 1.Firewall box and server arranging key establish SSL company
Connect 2.At this point, encryption and decryption data is carried out using the encryption key that SSL connection 1 negotiates between user equipment and firewall box,
Encryption and decryption data is carried out using the encryption key that SSL connection 2 negotiates between firewall box and server.Firewall box can
User equipment side is got respectively and server side is used for the encryption key of data encryption, and then the safety to data may be implemented
Detection.
With the continuous renewal of cyber-attack techniques, the continuous enhancing that user realizes personal privacy protection, in network silver
Row, the exigent business scope of data storage safety, generally use ssl protocol two-way authentication.SSL association as shown in Figure 1
View certification networking, including user equipment 100, firewall box 101 and server 102-104.Ssl protocol authenticates networking
One or more user equipmenies, one or more servers.Here, it is only carried out by taking a user equipment, three servers as an example
Illustrate, it is not from the limited effect.
For two-way authentication, in networking shown in Fig. 1 server 102 and user equipment 100 carry out that ssl protocol is two-way to be recognized
For card, the signaling diagram of two-way authentication as shown in connection with fig. 2 is illustrated ssl protocol two-way authentication process.Specifically, SSL
Agreement two-way authentication process includes the following steps.
User equipment 100 by firewall box 101 to server 102 send client shake hands (Client Hello) report
Text.Client hello packet include user equipment 100 support ssl protocol version information, encryption suite candidate list and
For generating the client random number of encryption key.Wherein, encryption suite candidate list includes the multiple of the support of user equipment 100
Encryption suite etc..Each encryption suite includes Diffie-Hellman, message authentication information code (abstract) algorithm, Encryption Algorithm, close
Key generating algorithm and pseudo-random function.
The ssl protocol version information that server 102 includes according to Client hello packet, determining and user equipment 100
The ssl protocol version information of SSL connection is established, and is selected from the encryption suite candidate list that Client hello packet includes
One encryption suite.Server 102 sends server handshaking (Server to user equipment 100 by firewall box 101
Hello) message.Server hello packet includes determining ssl protocol version information, the encryption suite and server of selection with
Machine number.
Certificate (Certificate) message 1 is sent to user equipment 100 by firewall box 101 by server 102.
Certificate message 1 includes the certificate 1 of server 102, and certificate 1 includes the identity information for 102 authentication of server
With the public key 1 of server 102.In addition, server 102 sends certificate request to user equipment 100 by firewall box 101
(Certificate Request) message 1.Certificate Request message 1 is used for requiring user equipment 100 to send
The certificate 2 of family equipment 100 gives server 102.Certificate 2 includes the identity information and user for 100 authentication of user equipment
The public key 2 of equipment 100.Again, server 102 sends server handshaking to user equipment 100 by firewall box 101 and terminates
(Server Hello Done) message.Server Hello Done message, which is used to indicate the transmission of Server hello packet, to be terminated
Message.
After user equipment 100 receives Certificate message 1, whether verifying certificate 1 is legal.If certificate 1 is illegal,
Then user equipment 100 makes indicating risk according to different illegal situations.If certificate 1 is legal, 100 basis of user equipment
Certificate Request message 1 sends Certificate message 2 to server 102 by firewall box 101,
Certificate message 2 includes the certificate 2 of user equipment 100, and certificate 2 includes the identity for 100 authentication of user equipment
The public key 2 of information and user equipment 100.In addition, user equipment 100 generates random data 1 according to preset algorithm, Server is utilized
The public key 1 for including in the encryption suite and certificate 1 of hello packet confirmation after encrypting to random data 1, is carried and is handed in key
It changes in (Key Exchange) message and server 102 is sent to by firewall box 101.At this point, user equipment 100 has obtained
The all information for calculating encryption key, i.e. client random number, server random number and random data 1 have been got, so as to
The encryption key communicated between server is calculated.
In order to avoid the information that user equipment 100 and server 102 are negotiated is distorted by man-in-the-middle attack, user equipment
100 send certification authentication (Certificate Verity) message to server 102 by firewall box 101, the institute by before
There is the private key 2 of interactive message certificate 2 to sign, is verified for server 102.In this way, any one message before once
It lives through and distorts, as long as private key 2 does not leak, server 102 is centainly it can be found that the presence of attacker.Later, user equipment
100 notify the subsequent communication of server 102 all using negotiation by changing regular (the Change Cipher Spec) message 1 of password
Encryption key and Encryption Algorithm, and to server 102 send encryption end (Finish) message 1.Wherein, Finish message
1, which is used to indicate server 102, verifies the encryption key negotiated.
After server 102 receives Certificate message 2, whether verifying certificate 2 is legal.If certificate 2 is illegal,
Server 102 makes indicating risk according to different illegal situations.If certificate 2 is legal, server 102 uses certificate 2
Public key 2 is decrypted and verifies to the signature of Certificate Verity message.To Certificate Verity message
After signature verification passes through, server 102 think user equipment 100 be it is believable, using the private key of certificate 1 to Key Exchange
The encrypted random data 1 for including in message is decrypted, obtain random data 1, based on client random number, server with
Machine number and random data 1, so as to which the encryption key communicated with user equipment 100 is calculated.
Later, server 102 utilizes the encryption information in the encryption key decryption Finish message 1 obtained, verifying decryption
The correctness of data and encryption key afterwards.After determining correctly, server 102 sends Change Cipher to user equipment 100
Spec message 2 and Finish message 2, with the subsequent communication of notifying user equipment 100 all using the encryption key and encryption negotiated
Algorithm.
So far, ssl protocol is negotiated to complete by user equipment 100 and server 102, and negotiation can be used in follow-up data message
Encryption key and Encryption Algorithm out carries out encrypted transmission.
As it can be seen that in ssl protocol two-way authentication, firewall box can not be got as " go-between " user equipment side and
Server side is used for the encryption key of data encryption, therefore can not solve to the data transmitted between user equipment and server
It is close, and then can not be to the safety detection of data.
To realize that the encryption data to ssl protocol two-way authentication carries out safety detection, the embodiment of the present application provides one kind
Information processing method based on ssl protocol certification.In ssl protocol certification, user equipment sends first to server and shakes hands report
Messages, the servers such as text, key exchange message send the messages such as the second handshake message to user equipment.Firewall box is from first
Client random number is obtained in handshake message, and server random number and Encryption Algorithm are obtained from the second handshake message.Later, prevent
Wall with flues equipment obtains encrypted random number evidence from key exchange message, and encrypted random number evidence and Encryption Algorithm are sent to clothes simultaneously
Business device.At this point, the Encryption Algorithm that server can use the private key of server and firewall box is sent, to encrypted random number evidence
It is decrypted, obtains original random number evidence, original random number evidence is sent to firewall box.Firewall box is according to original
Beginning random data, client random number and server random number generate the encryption key communicated between user equipment and server.With
Family equipment same as server is to generate encryption key according to original random number evidence, client random number and server random number.
Therefore, the encryption key that firewall box generates, firewall box identical as the encryption key that user equipment and server generate
User data can be carried to received data message to be decrypted, obtain original user data, and then to original user
Data carry out safety detection, realize and carry out safety detection to the encryption data of ssl protocol two-way authentication.
Below by specific embodiment, to the information processing provided by the embodiments of the present application based on ssl protocol two-way authentication
Method is illustrated.
With reference to Fig. 3, Fig. 3 is the first of the information processing method provided by the embodiments of the present application based on ssl protocol certification
Flow diagram.This method is suitable for the scene of ssl protocol two-way authentication.This method is applied to firewall box, including as follows
Step.
Step 301, the first handshake message that user equipment is sent is received, the first handshake message is forwarded to server, and
Client random number is obtained from the first handshake message.In the embodiment of the present application, a certain information is obtained from a certain message is
Refer to: the message is parsed, to obtain the information.Such as: client random number is obtained from the first handshake message and is referred to: parsing the
One handshake message, to obtain client random number.This explanation is done in similar description in the embodiment of the present application.
In ssl protocol two-way authentication, the first handshake message is Client hello packet.
In ssl protocol certification, the first handshake message is sent to firewall box by user equipment.Firewall box is from
Client random number is obtained in one handshake message.After getting client random number, firewall box is by the first handshake message
It is sent to server.
In one embodiment of the application, firewall box receives user equipment is sent to server first and shakes hands report
Text.From in the first handshake message obtain client random number after, firewall box include according to the first handshake message five
The client random number that tuple information and the first handshake message carry, creates the first session.It, can in the first session in one example
To include five-tuple information and negotiation information, negotiation information includes client random number, server random number, encryption suite and adds
The information such as key.Session as shown in table 1.
Table 1
Source address | Source port | Destination address | Destination port | Negotiation information |
In an optional embodiment, firewall box can virtually be multiple equipment, to realize user isolation, firewall
Equipment be this multiple virtual unit distribute virtual routing forwarding (English: Virtual Routing Forwarding, referred to as:
VRF).At this point, can also include the mark of VRF in the first session of firewall box creation, as shown in table 2.
Table 2
Source address | Source port | Destination address | Destination port | VRF | Negotiation information |
VRF table shows the mark of VRF.The mark of VRF can be understood as the mark of a virtual unit.
Negotiation information in Tables 1 and 2 can be found in shown in table 3.
Table 3
Encryption suite | Client random number | Server random number | Encryption key |
Step 302, the second handshake message for receiving the first handshake message of response that server is sent, by the second handshake message
It is forwarded to user equipment, and obtains server random number and Encryption Algorithm from the second handshake message.
In ssl protocol two-way authentication, the second handshake message is Server hello packet.
After server receives the first handshake message, according to the first handshake message, the second handshake message is sent to fire prevention
Wall equipment.Firewall box obtains server random number and Encryption Algorithm from the second handshake message.Get server with
After machine number and Encryption Algorithm, the second handshake message is sent to server by firewall box.
In one embodiment of the application, firewall box receives server is sent to user equipment second and shakes hands report
Text.The five-tuple information that the five-tuple information that second handshake message includes is included by firewall box with above-mentioned first session
Match.If the five-tuple information that the second handshake message includes and the five-tuple information matches that the first session includes, firewall box
Server random number and Encryption Algorithm are obtained from the second handshake message, and the carrying of the second handshake message is recorded in the first session
Server random number and Encryption Algorithm.As shown in table 3, the server random number that firewall box carries the second handshake message is remembered
The server random number field in table 3 is recorded, the Encryption Algorithm that the second handshake message carries is recorded in the encryption suite word of table 3
Section.If the five-tuple information that the second handshake message includes and the five-tuple information that the first session includes mismatch, firewall is set
It is standby to abandon the second handshake message.
In the embodiment of the present application, the message from user equipment to server is positive message, from server to user equipment
Message be reversed message.Above-mentioned first session is the five-tuple information creating based on the first handshake message, i.e., based on forward direction
What message was established.For the second handshake message as reversed message, firewall box is in include by the second handshake message five
When the five-tuple information matches that tuple information and the first session include, include by the source address of the second handshake message and the first session
Destination address matching, the source port of the second handshake message is matched with the destination port that the first session includes, second is shaken hands
The source address matches that the destination address of message and the first session include, by the destination port of the second handshake message and the first session packet
The source port matching included, the affiliated VRF of the second handshake message is matched with the VRF that the first session includes.If above- mentioned information match,
Then firewall box obtains server random number and Encryption Algorithm from the second handshake message.If any information is not in above- mentioned information
Matching, then firewall box abandons the second handshake message.
Step 303, it receives the key that user equipment is sent and exchanges message, obtain encrypted random number from key exchange message
According to, encrypted random number according to being user equipment using the public key and Encryption Algorithm of server to original random number according to being obtained after encryption
Random data.
In ssl protocol two-way authentication, it is Key Exchange message that key, which exchanges message,.
In the embodiment of the present application, after server receives the first handshake message, other than sending the second handshake message, may be used also
To send Certificate message, Certificate Request message and Server Hello Done message.Firewall is set
It is standby that Certificate message, Certificate Request message and Server Hello Done message are not processed, directly
Switch through and issues user equipment.
User equipment generates an original random number evidence according to preset algorithm, is calculated using the encryption that the second handshake message carries
The public key that certificate is carried in the Certificate message that method and server are sent, to the original random number of generation according to adding
Close processing obtains encrypted random number evidence.Encrypted random number is sent to fire prevention in key exchange message according to carrying by user equipment
Wall equipment.Wherein, the public key that certificate is carried in the Certificate message that server is sent is the public key of server.Fire prevention
Wall equipment obtains encrypted random number evidence from key exchange message.
In one embodiment of the application, firewall box receives the key exchange report that user equipment is sent to server
Text.The five-tuple information that the five-tuple information that key exchange message includes is included by firewall box with above-mentioned first session
Match.If the five-tuple information matches that five-tuple information and the first session that key exchange message includes include, firewall box
Encrypted random number evidence is obtained from key exchange message.If the five-tuple information that key exchange message includes includes with the first session
Five-tuple information mismatch, then firewall box abandon key exchange message.
In the embodiment of the present application, above-mentioned first session is established based on positive message.For as the close of positive message
Key exchanges message, and firewall box is believed in the five-tuple that the five-tuple information and the first session for including by key exchange message include
When breath matching, the source address matches for including by the source address of key exchange message and the first session, by the source of key exchange message
Port is matched with the source port that the first session includes, the destination for including by the destination address of key exchange message and the first session
The destination port of key exchange message is matched with the destination port that the first session includes, key is exchanged message institute by location matching
Belong to VRF to match with the VRF that the first session includes.If above- mentioned information match, firewall box is obtained from key exchange message
Take encrypted random number evidence.If any information mismatches in above- mentioned information, firewall box abandons key and exchanges message.
Step 304, encrypted random number evidence and Encryption Algorithm are sent to server.
Firewall box exchanges Receive message to encrypted random number after, by encrypted random number accordingly and from second from key
The Encryption Algorithm got in handshake message is sent to server.Server receives encrypted random number evidence and Encryption Algorithm
Afterwards, original random number evidence is obtained to encrypted random number according to being decrypted using the private key of server and the Encryption Algorithm.
Wherein, the private key of server is the corresponding private key of public key that certificate is carried in the Certificate message of above-mentioned server transmission.
The private key is merely stored in server local, will not carry and be sent to user equipment in the certificate.
In one embodiment of the application, for the safety of improve data transfer, between server and firewall box
Negotiate the protocol informations such as port and the data format of transmission data in advance.Firewall box exchanges Receive message to encryption from key
After random data, according to the protocol information negotiated in advance, encrypted random number evidence and Encryption Algorithm are carried in transmission control protocol
Server is sent in (English: Transmission Control Protocol, abbreviation: TCP) message.Server is according to pre-
The protocol information first negotiated obtains encrypted random number evidence and Encryption Algorithm, private key and encryption using server from TCP message
Algorithm obtains original random number evidence to encrypted random number according to being decrypted.Server is believed according to the agreement negotiated in advance
Original random number is sent to firewall box according to carrying by breath in TCP message.
For example, the protocol information negotiated in advance includes 30-37 byte storage encrypted random number evidence, the load of port 1, load
41-52 byte storage Encryption Algorithm, the 30-49 byte of load of lotus store original random number evidence.Firewall box is from close
After key exchanges Receive message to encrypted random number evidence, according to the protocol information negotiated in advance, the encrypted random number evidence that will acquire
It is stored in the 30-37 byte of the load of TCP message 1, the Encryption Algorithm that will acquire is stored in the of the load of TCP message 1
41-52 byte puts TCP message 1 to server by port 1.After server receives TCP message 1 by port 1, reported from TCP
The 30-37 byte of text 1 obtains encrypted random number evidence, and gets Encryption Algorithm from the 41-52 byte of TCP message 1, utilizes
The private key and Encryption Algorithm of server obtain original random number evidence to encrypted random number according to being decrypted.Server will be former
Beginning random data is stored in the 30-49 byte of the load of TCP message 2, and TCP message 2 is sent to firewall by port 1
Equipment.At this point, original random number evidence can be obtained from TCP message 2 after firewall box receives TCP message 2 by port 1.
It should be understood that only realizing the information between firewall box and server with TCP message in the embodiment of the present application
Transmission for be illustrated.It is sent out in TCP message specifically, firewall box carries encrypted random number evidence and Encryption Algorithm
Server is given, original random number evidence is also carried and is sent to firewall box in TCP message by server.In other embodiment party
In formula, firewall box and service can also be realized with the message of user-defined format or other existing messages (such as IP packet)
The transmission of information between device, the embodiment of the present application are not particularly limited.
Step 305, the original random number evidence that server is sent is received.
Server is decrypted to obtain original random number after to encrypted random number evidence, by the original random number according to hair
Give firewall box.
In one embodiment of the application, for convenient for server to encrypted random number according to handling, can service
Firewall plug-in unit is installed on device.Firewall box exchanges Receive message to encrypted random number after, by encrypted random number from key
Accordingly and Encryption Algorithm is sent to firewall plug-in unit.Firewall plug-in unit obtains the private key of server, using the private key of server,
Combining encryption algorithm obtains original random number evidence to encrypted random number according to being decrypted.Firewall plug-in unit will be original random
Data are sent to firewall box.
Step 306, according to original random number evidence, client random number and server random number, user equipment and clothes are generated
The encryption key communicated between business device.
The information that user equipment and server calculate encryption key includes: original random number evidence, client random number kimonos
Business device random number.Firewall box has got all information for calculating encryption key at this time, according to original random number evidence, visitor
Family end random number and server random number generate the encryption key communicated between user equipment and server.
In one embodiment, firewall box can obtain after receiving the second handshake message from the second handshake message
The encryption suites information such as key schedule, Diffie-Hellman, digest algorithm and pseudo-random function is taken, and in the first session
Record the encryption suite information got from the second handshake message.As shown in table 3, firewall box will be from the second handshake message
In the encryption suite information that gets be recorded in the encryption suite field of table 3.
Firewall box is getting original random number after, is generated using the key got from the second handshake message
Algorithm handles original random number evidence, client random number and server random number, generates between user equipment and server
The encryption key of communication.
In the embodiment of the present application, user equipment and server carry out data using identical Encryption Algorithm and encryption key
Encryption and decryption process encrypts data it is, the encryption key that user equipment and server generate is symmetric key
Encryption Algorithm with decryption processing is symmetric encipherment algorithm.Wherein, symmetric encipherment algorithm can for data encryption standards (English:
Data Encryption Standard, referred to as: DES) algorithm, triple des (referred to as: 3DES) algorithm, international data add
Close algorithm (English: International Data Encryption Algorithm, abbreviation: IDEA), Fast Data Encipherment are calculated
Method (English: Fast Data Encipherment Algorithm, referred to as: FEAL, Bruce (English: Blowfish) algorithm
Deng.
Firewall box is used to generate the information of encryption key and user equipment and server are used to generate encryption key
Information is identical.Therefore, the encryption key that firewall box generates is symmetric key, the encryption got from the second handshake message
Algorithm is symmetric encipherment algorithm.In turn, encryption key and the Encryption Algorithm that gets of the firewall box using generation, to reception
Data message carry user data processing is encrypted and decrypted.
In one embodiment of the application, after firewall box generates encryption key, which can be existed
In first session, and key exchange message is sent to server.
In addition, the Certificate message, the Certificate Verify message, Change that are sent for user equipment
Cipher Spec message and Finish message etc., firewall box is not processed, and is directly forwarded to server.
In technical solution provided by the embodiments of the present application, firewall box can be in the feelings that do not modify to any message
Under condition, the encryption key communicated between user equipment and server is obtained, and utilize the encryption key, to user equipment or server
The user data that the data message of transmission carries is decrypted, and obtains original user data, and then to original user data
Safety detection is carried out, realizes and safety detection is carried out to the encryption data of ssl protocol two-way authentication.
Technical solution provided by the embodiments of the present application can also be applied to ssl protocol unilateral authentication, when obtaining unilateral authentication
The encryption key communicated between user equipment and server is realized and carries out safety detection to the encryption data of ssl protocol unilateral authentication.
In technical solution provided by the embodiments of the present application, firewall box only receive key exchange message after, it is right
Encrypted random number evidence has done a decryption processing.User equipment need not carry out unilateral authentication to firewall box, establish SSL company
It connects, firewall box also need not carry out unilateral authentication to server, establish SSL connection, effectively reduce equipment computing resource
Loss.
In conjunction with a kind of signaling diagram of Fig. 3 and the information processing shown in Fig. 4 authenticated based on ssl protocol, the application is implemented
The information processing method based on ssl protocol certification that example provides is illustrated.
Step 401, user equipment 100 sends Client hello packet to firewall box 101.
Step 402, firewall box 101 receives Client hello packet, and visitor is obtained from Client hello packet
Family end random number.
Step 403, firewall box 101 sends Client hello packet to server 102.
Step 404, server 102 receives Client hello packet and is set according to Client hello packet to firewall
Standby 101 send Server hello packet.
Step 405, firewall box 101 receives Server hello packet, and clothes are obtained from Server hello packet
Business device random number, Encryption Algorithm and key schedule.
Step 406, firewall box 101 sends Server hello packet to server 102.
Step 407, user equipment 100 receives Server hello packet, according to Server hello packet, obtains service
The public key and original random number evidence of device 102, using the public key and Encryption Algorithm of server 102, to original random number according to adding
Close processing obtains encrypted random number evidence, and the Key Exchange report for carrying the encrypted random number evidence is sent to firewall box 101
Text.
Step 408, firewall box 101 receives Key Exchange message, obtains and adds from Key Exchange message
Close random data.
Step 409, firewall box 101 sends to server 102 and carries the first of encrypted random number evidence and Encryption Algorithm
Message.It should be understood that the first message can be TCP message.In other embodiments, the first message, which can also be, makes by oneself
The message of adopted format or other existing messages (such as IP packet, the embodiment of the present application are not particularly limited.
Step 410, server 102 receives the first message, obtains the private key of itself, utilizes itself private key and the first message
The Encryption Algorithm of carrying obtains original random number evidence to encrypted random number according to being decrypted.
Step 411, server 102 sends the second message for carrying original random number evidence to firewall box 101.It should manage
Solution, the second message can be TCP message.In other embodiments, the second message can also be the report of user-defined format
Text or other existing messages (such as IP packet, the embodiment of the present application are not particularly limited.
Step 412, firewall box 101 receives the second message, by original random number evidence, client random number and server
Random number inputs key schedule, obtains the encryption key communicated between user equipment 100 and server 102.
The description of above-mentioned steps 401-412 is fairly simple, specifically refers to the description of the part step 301-306.
In conjunction with above-mentioned embodiment illustrated in fig. 3, the embodiment of the present application also provides at a kind of information based on ssl protocol certification
Reason method.With reference to Fig. 5, Fig. 5 is second of stream of the information processing method provided by the embodiments of the present application based on ssl protocol certification
Journey schematic diagram.This method is applied to firewall box, may include steps of.
Step 501, the first handshake message that user equipment is sent is received, the first handshake message is forwarded to server, and
Client random number is obtained from the first handshake message.Step 501 is identical as step 301.
Step 502, the second handshake message for receiving the first handshake message of response that server is sent, by the second handshake message
It is forwarded to user equipment, and obtains server random number and Encryption Algorithm from the second handshake message.
Step 502 is identical as step 302.
Step 503, it receives the key that user equipment is sent and exchanges message, obtain encrypted random number from key exchange message
According to, encrypted random number according to being user equipment using the public key and Encryption Algorithm of server to original random number according to being obtained after encryption
Random data.Step 503 is identical as step 303.
Step 504, encrypted random number evidence and Encryption Algorithm are sent to server.Step 504 is identical as step 304.
Step 505, the original random number evidence that server is sent is received.Step 505 is identical as step 305.
Step 506, according to original random number evidence, client random number and server random number, user equipment and clothes are generated
The encryption key communicated between business device.Step 506 is identical as step 306.
Step 507, data message is received.Data message be the message that is sent to server of user equipment or server to
The message that user equipment is sent.
In the embodiment of the present application, after firewall box generates encryption key, key exchange message is sent to server.It is right
In Certificate message, Certificate Verify message, Change Cipher Spec message that user equipment is sent
With Finish message etc., firewall box is not processed, and is directly forwarded to user equipment.In this way, in user equipment and server
After generating encryption key and establishing SSL connection, user equipment can be communicated with server.It is, user equipment can be with
The data message sent by firewall box to server, server pass through the data that firewall box is sent to user equipment
Message.
Step 508, using encryption key and Encryption Algorithm, user data is carried to data message and is decrypted, is obtained
To original user data.
After firewall box receives data message, the Encryption Algorithm obtained using the encryption key and step 503 of generation,
User data is carried to data message to be decrypted, and obtains original user data.
In an optional embodiment, after firewall box receives data message, by the five-tuple information of data message
It is matched with the five-tuple information that session includes.If the five-tuple that the five-tuple information of data message and the first session include is believed
Breath matching, then firewall box obtains the Encryption Algorithm for including in the first session and encryption key, utilizes the encryption key of acquisition
And Encryption Algorithm, user data is carried to data message and is decrypted, original user data is obtained.
Step 509, safety detection is carried out to original user data.
After firewall box gets original user data, safety detection is carried out to original user data.Wherein, safety inspection
Survey includes deep-packet detection (English: Deep Packet Inspection, abbreviation: DPI), content safety detection and audit etc.
Reason.
In an optional embodiment, if determining data after firewall box carries out safety detection to original user data
Message is attack message, then can construct message of waving, be sent respectively to user equipment and server, with disconnect user equipment with
Connection between server, and delete the first session with the five-tuple information matches of data message.In this way, net can be improved effectively
The safety of network.If after firewall box carries out safety detection to original user data, determining that data message is normal message, then
Forward the data message.
In an optional embodiment, user equipment and server can be to firewall boxes in the case where detecting and threatening
Send warning message.For example, determine that the certificate of server is illegal after user equipment verifies the certificate of server, then to
Firewall box sends warning message.For another example determining user equipment after server verifies the certificate of user equipment
Certificate is illegal, then sends warning message to firewall box.It is as shown in Figure 6 for the process flow of warning message.
Step 601, warning message is received.
Wherein, the message that warning message can be sent to server for user equipment, or server is to user equipment
The message of transmission.It include the type of warning message in warning message.For example, the type of warning message can be divided into it is fatal
(Fatal) type and warning (Warning) type.Fatal type, which is used to indicate, disconnects SSL connection.Warning type is for mentioning
Showing user, there are risks, it is not necessary to disconnect SSL connection.The type of warning message can be set according to actual needs, the application
Embodiment is to this without limiting.
Step 602, whether the type for detecting warning message is fatal form.If so, thening follow the steps 603.If it is not, then holding
Row step 605.
After firewall box receives warning message, whether the type for detecting warning message is fatal form.
Step 603, the second session with the five-tuple information matches of warning message is searched.If finding, then follow the steps
604.If not finding, 605 are thened follow the steps.
If the type of warning message is fatal form, the determining five-tuple information with current alarm message of firewall box
The very big risk of the matched corresponding SSL connection presence of SSL session, needs to disconnect this SSL connection, searches five with warning message
Matched second session of tuple information.
Step 604, the second session is deleted, and sends message of waving to user equipment and server.
If firewall box finds the second session with the five-tuple information matches of warning message, to user equipment and
Server sends message of waving, and deletes the second session, to disconnect SSL connection where current alarm message, recycles Session Resources.
User equipment and server are according to message of waving, the connection that is each turned off between user equipment and server.
Step 605, warning message is forwarded.
If the type of warning message is fatal form, or does not find the second session, then firewall box carries out subsequent place
Reason forwards warning message.
In one embodiment of the application, if firewall box receive that server or user equipment send wave to report
Text then searches the third session with the five-tuple information matches of the message of waving, and deletes the third session, recycling session money
Source, and forward message of waving.
In one embodiment of the application, SSL connection keepalive mechanism is can be set in firewall box.Specifically, if super
Preset duration is crossed not receive and the matched message of the first session, then the first session of firewall box deletion.This avoids users to set
The standby SSL between server connect disconnection after, session remain the problem of, saved Session Resources.
In one embodiment of the application, for the ease of firewall box management, meeting can be set on firewall box
Speech phase may include as shown in table 4 session status field in negotiation information.
Table 4
Session status | Encryption suite | Client random number | Server random number | Encryption key |
Wherein, session status may include that the first handshake message has reached state, the second handshake message has reached state and key
Exchange message has reached state.Wherein, the first handshake message has reached state (Client Hello Received state) and has been used to indicate
Have received the first handshake message.Under Client Hello Received state, subsequent expectation processing is that server is sent
The second handshake message.
Second handshake message, which has reached state (Server Hello Received state) and is used to indicate, to be had received second and holds
Hand message.Under Server Hello Received state, subsequent expectation processing is key exchange message.
Key exchange message has reached state (Key Exchange Received state) for having received key exchange report
Text.Under Key Exchange Received state, what subsequent expectation was handled is Change Cipher Spec message and answers
With the encryption data message of layer.
In this case, after firewall box receives the first handshake message, include according to the first handshake message five yuan
Group information creates the first session;The client random number of the first handshake message carrying is recorded in the first session, and by session
State is set as Client Hello Received state.
After firewall box receives the second handshake message, if five-tuple information and the first meeting that the second handshake message includes
The five-tuple information matches that words include, detect the first session and whether the second handshake message meets the first preset condition, and first is pre-
If the state that the state that condition is the first session is Client Hello Received state or the first session is Server
Hello Received state and the second handshake message are to retransmit message.If meeting the first preset condition, firewall box exists
The server random number and Encryption Algorithm of the carrying of the second handshake message are recorded in first session, and the state of the first session is arranged
For Server Hello Received state.If being unsatisfactory for the first preset condition, firewall box abandons second and shakes hands report
Text.
After firewall box receives key exchange message, if five-tuple information and the first meeting that key exchange message includes
The five-tuple information matches that words include, then detect the first session and whether key exchange message meets the second preset condition, and second
It is the state of Server Hello Received state or the first session is Key that preset condition, which is the state of the first session,
Exchange Received state and key exchange message are re-transmission message.If meeting the second preset condition, firewall box
Encrypted random number evidence is obtained from key exchange message, and sets Key Exchange for the state of the first session
Received state.If being unsatisfactory for the second preset condition, firewall box abandons key and exchanges message.
Based on above-mentioned session status, the process of firewall box processing data message be can refer to shown in Fig. 7.
Step 701, data message is received.Data message be the message that is sent to server of user equipment or server to
The message that user equipment is sent.
Step 702, the 4th session with the five-tuple information matches of data message is searched.If finding, then follow the steps
703.If not finding, 707 are thened follow the steps.
Step 703, whether the state for detecting the 4th session is Key Exchange Received state.If so, executing
Step 704.If it is not, thening follow the steps 707.
Step 704, using the Encryption Algorithm and encryption key recorded in the 4th session, user data is carried to data message
It is decrypted, obtains original user data.
Step 705, safety detection is carried out to original user data, determines whether data message is attack message.If so,
Execute step 706.If it is not, thening follow the steps 708.
Step 706, message of waving is constructed, user equipment and server are sent respectively to.
Step 707, data message is abandoned.
Step 708, forwarding data packets.
The description of the part step 701-708 is relatively easy, specifically refers to the associated description of the above-mentioned part Fig. 3-5.
Above-mentioned first session, the second session, third session and the 4th session may be the same or different.The application is real
Example is applied to this without limiting.In technical solution provided by the embodiments of the present application, firewall box only needs three kinds of session status,
State machine is relatively easy, is effectively saved device resource.
Based on identical inventive concept, according to the above-mentioned information processing method based on ssl protocol certification, the embodiment of the present application
Additionally provide a kind of information processing unit based on ssl protocol certification.With reference to Fig. 8, Fig. 8 is provided by the embodiments of the present application is based on
A kind of structural schematic diagram of the information processing unit of ssl protocol certification, the device are applied to firewall box, comprising: first obtains
It takes unit 801, second acquisition unit 802, third acquiring unit 803, transmission unit 804, the first receiving unit 805 and generates single
Member 806.
First acquisition unit 801, for receiving the first handshake message of user equipment transmission, by the first handshake message to clothes
Business device forwarding, and client random number is obtained from the first handshake message;
Second acquisition unit 802, the second handshake message of the first handshake message of response for receiving server transmission, will
Second handshake message is forwarded to user equipment, and server random number and Encryption Algorithm are obtained from the second handshake message;
Third acquiring unit 803, the key for receiving user equipment transmission exchange message, obtain from key exchange message
Encrypted random number evidence is taken, encrypted random number is according to the public key and Encryption Algorithm for utilizing server for user equipment to original random number evidence
The random data obtained after encryption;
Transmission unit 804, for encrypted random number evidence and Encryption Algorithm to be sent to server, so that server by utilizing takes
The private key and Encryption Algorithm of business device, according to being decrypted, obtain original random number evidence to encrypted random number;
First receiving unit 805, for receiving the original random number evidence of server transmission;
Generation unit 806, for generating user according to original random number evidence, client random number and server random number
The encryption key communicated between equipment and server.
In an optional embodiment, the above-mentioned information processing unit based on ssl protocol certification can also include:
Second receiving unit, for receiving data after generating the encryption key communicated between user equipment and server
Message, data message are the message that the message that user equipment is sent to server or server are sent to user equipment;
Decryption unit carries user data to data message and place is decrypted for utilizing encryption key and Encryption Algorithm
Reason, obtains original user data;
Detection unit, for carrying out safety detection to original user data.
In an optional embodiment, first acquisition unit 801 specifically can be used for obtaining from the first handshake message
The client that the five-tuple information for including according to the first handshake message after client random number and the first handshake message carry with
Machine number creates the first session;
Second acquisition unit 802, if specifically can be used for five-tuple information and the first session that the second handshake message includes
Including five-tuple information matches, then server random number and Encryption Algorithm are obtained from the second handshake message;
Third acquiring unit 803, if specifically can be used for five-tuple information and the first session that key exchange message includes
Including five-tuple information matches, then from key exchange message in obtain encrypted random number evidence.
In an optional embodiment, first acquisition unit 801, specifically can be used for include according to the first handshake message
Five-tuple information creates the first session;The client random number of the first handshake message carrying is recorded in the first session, and will
The state of words is set as the first handshake message and has reached state, and the first handshake message, which has reached state and is used to indicate, to be had received first and hold
Hand message;
Second acquisition unit 802, specifically can be used for detecting the first session and whether the second handshake message meets first in advance
If condition, the first preset condition is that the state of the first session is that the first handshake message has reached state or the state of the first session is
Second handshake message has reached state and the second handshake message to retransmit message, and the second handshake message, which has reached state and is used to indicate, have been connect
Receive the second handshake message;If so, recording server random number and the encryption of the second handshake message carrying in the first session
Algorithm, and set the second handshake message for the state of the first session and reached state;
Third acquiring unit 803, specifically can be used for detecting the first session and whether key exchange message meets second in advance
If condition, the second preset condition is that the state of the first session is that the second handshake message has reached state or the state of the first session is
Key exchange message has reached state and key exchange message to retransmit message, and key exchange message, which has reached state and is used to indicate, have been connect
Receive key exchange message;If so, obtaining encrypted random number evidence from key exchange message, and the state of the first session is set
It is set to key exchange message and has reached state.
In an optional embodiment, the above-mentioned information processing unit based on ssl protocol certification can also include:
Third receiving unit, for receiving warning message;
Searching unit searches the five-tuple information with warning message if the type for warning message is fatal form
Matched second session, fatal form, which is used to indicate, disconnects SSL connection;
Unit is deleted, if deleting the second session, and send to user equipment and server for finding the second session
It waves message, so that the company that user equipment and the server according to message of waving, are each turned off between user equipment and server
It connects.
In technical solution provided by the embodiments of the present application, firewall box can be in the feelings that do not modify to any message
Under condition, the encryption key communicated between user equipment and server is obtained, and then utilize the encryption key, to user equipment or service
The user data that the data message that device is sent carries is decrypted, and obtains original user data, and then to original user number
According to safety detection is carried out, realizes and safety detection is carried out to the encryption data of ssl protocol two-way authentication.
Based on identical inventive concept, according to the above-mentioned information processing method based on ssl protocol certification, the embodiment of the present application
A kind of firewall box is additionally provided, as shown in figure 9, including processor 901 and machine readable storage medium 902, it is machine readable
Storage medium 902 is stored with the machine-executable instruction that can be executed by processor 901.Processor 901 is by the executable finger of machine
Order promotes to realize above-mentioned Fig. 3-either step shown in Fig. 7.
In an optional embodiment, as shown in figure 9, firewall box can also include: that communication interface 903 and communication are total
Line 904;Wherein, processor 901, machine readable storage medium 902, communication interface 903 are completed each other by communication bus 904
Communication, communication interface 903 is for communication between above-mentioned firewall box and other equipment.
Based on identical inventive concept, according to the above-mentioned information processing method based on ssl protocol certification, the embodiment of the present application
A kind of machine readable storage medium is additionally provided, machine readable storage medium is stored with the machine that can be executed by processor and can hold
Row instruction.Processor is promoted to realize above-mentioned Fig. 3-either step shown in Fig. 7 by machine-executable instruction.
Above-mentioned communication bus can be PCI (Peripheral Component Interconnect, Peripheral Component Interconnect
Standard) bus or EISA (Extended Industry Standard Architecture, expanding the industrial standard structure) bus
Deng.The communication bus can be divided into address bus, data/address bus, control bus etc..
Above-mentioned machine readable storage medium may include RAM (Random Access Memory, random access memory),
It also may include NVM (Non-Volatile Memory, nonvolatile memory), for example, at least a magnetic disk storage.Separately
Outside, machine readable storage medium can also be that at least one is located remotely from the storage device of aforementioned processor.
Above-mentioned processor can be general processor, including CPU (Central Processing Unit, central processing
Device), NP (Network Processor, network processing unit) etc.;Can also be DSP (Digital Signal Processing,
Digital signal processor), ASIC (Application Specific Integrated Circuit, specific integrated circuit),
It is FPGA (Field-Programmable Gate Array, field programmable gate array) or other programmable logic device, discrete
Door or transistor logic, discrete hardware components.
It should be noted that, in this document, relational terms such as first and second and the like are used merely to a reality
Body or operation are distinguished with another entity or operation, are deposited without necessarily requiring or implying between these entities or operation
In any actual relationship or order or sequence.Moreover, the terms "include", "comprise" or its any other variant are intended to
Non-exclusive inclusion, so that the process, method, article or equipment including a series of elements is not only wanted including those
Element, but also including other elements that are not explicitly listed, or further include for this process, method, article or equipment
Intrinsic element.In the absence of more restrictions, the element limited by sentence "including a ...", it is not excluded that
There is also other identical elements in process, method, article or equipment including the element.
Each embodiment in this specification is all made of relevant mode and describes, same and similar portion between each embodiment
Dividing may refer to each other, and each embodiment focuses on the differences from other embodiments.Especially for being based on
For information processing unit, firewall box and machine readable storage medium embodiment that ssl protocol authenticates, due to its basic phase
It is similar to the information processing method embodiment authenticated based on ssl protocol, so be described relatively simple, related place is referring to being based on
The part explanation of the information processing method embodiment of ssl protocol certification.
The foregoing is merely the preferred embodiments of the application, are not intended to limit the protection scope of the application.It is all
Any modification, equivalent replacement, improvement and so within spirit herein and principle are all contained in the protection scope of the application
It is interior.
Claims (12)
1. a kind of information processing method based on secure socket layer protocol certification, which is characterized in that be applied to firewall box, institute
The method of stating includes:
Receive the first handshake message that user equipment is sent, will first handshake message to server forwarding, and from described the
Client random number is obtained in one handshake message;
The second handshake message for receiving the first handshake message described in the response that the server is sent, by second handshake message
It is forwarded to the user equipment, and obtains server random number and Encryption Algorithm from second handshake message;
The key exchange message that the user equipment is sent is received, obtains encrypted random number evidence from key exchange message,
The encrypted random number is according to the public key and the Encryption Algorithm for utilizing the server for the user equipment to original random number
According to the random data obtained after encryption;
The encrypted random number evidence and the Encryption Algorithm are sent to the server, so as to take described in the server by utilizing
The encrypted random number evidence is decrypted in the private key of business device and the Encryption Algorithm, obtains original random number evidence;
Receive the original random number evidence that the server is sent;
According to the original random number evidence, the client random number and the server random number, the user equipment is generated
The encryption key communicated between the server.
2. the method according to claim 1, wherein being communicated between the user equipment and the server generating
Encryption key after, further includes:
Data message is received, the data message is the message or the service that the user equipment is sent to the server
The message that device is sent to the user equipment;
Using the encryption key and the Encryption Algorithm, user data is carried to the data message and is decrypted, is obtained
To original user data;
Safety detection is carried out to the original user data.
3. the method according to claim 1, wherein random obtaining client from first handshake message
After number, further includes:
The client random number that the five-tuple information for including according to first handshake message and first handshake message carry,
Create the first session;
Described the step of server random number and Encryption Algorithm are obtained from second handshake message, comprising:
If the five-tuple information that second handshake message includes and the five-tuple information matches that first session includes, from
Server random number and Encryption Algorithm are obtained in second handshake message;
It is described from the key exchange message in obtain encrypted random number according to the step of, comprising:
If the five-tuple information matches that five-tuple information and first session that the key exchange message includes include, from
Encrypted random number evidence is obtained in the key exchange message.
4. according to the method described in claim 3, it is characterized in that, the five-tuple for including according to first handshake message
The step of client random number that information and first handshake message carry, creation session, comprising:
According to the five-tuple information that first handshake message includes, the first session is created;Institute is recorded in first session
The client random number of the first handshake message carrying is stated, and sets the first handshake message for the state of the session and has reached shape
State, first handshake message, which has reached state and is used to indicate, has received first handshake message;
Described the step of server random number and Encryption Algorithm are obtained from second handshake message, comprising:
It detects first session and whether second handshake message meets the first preset condition, first preset condition is
The state of first session is that the state that first handshake message has reached state or first session is second to shake hands report
It is re-transmission message that text, which reach state and second handshake message, and second handshake message, which has reached state and is used to indicate, have been received
To second handshake message;If so, recorded in first session server that second handshake message carries with
Machine number and Encryption Algorithm, and set second handshake message for the state of first session and reached state;
It is described from the key exchange message in obtain encrypted random number according to the step of, comprising:
It detects first session and whether key exchange message meets the second preset condition, second preset condition is
The state of first session is key exchange report for the state that second handshake message has reached state or first session
Text reach state and key exchange message to retransmit message, and the key, which exchanges message and reached state and be used to indicate, have been received
Message is exchanged to the key;If so, obtaining encrypted random number evidence from key exchange message, and by first meeting
The state of words is set as the key exchange message and has reached state.
5. the method according to claim 3 or 4, which is characterized in that the method also includes:
Receive warning message;
If the type of the warning message is fatal form, second with the five-tuple information matches of the warning message is searched
Session;
If finding, second session is deleted, and send message of waving to the user equipment and the server, so that
The user equipment and the server are waved message according to, are each turned off between the user equipment and the server
Connection.
6. a kind of information processing unit based on secure socket layer protocol certification, which is characterized in that be applied to firewall box, institute
Stating device includes:
First acquisition unit, for receiving the first handshake message of user equipment transmission, by first handshake message to service
Device forwarding, and client random number is obtained from first handshake message;
Second acquisition unit, for receiving the second handshake message of the first handshake message described in the response that the server is sent,
Second handshake message is forwarded to the user equipment, and from second handshake message obtain server random number and
Encryption Algorithm;
Third acquiring unit exchanges message for receiving the key that the user equipment is sent, from key exchange message
Encrypted random number evidence is obtained, the encrypted random number is according to the public key and the encryption for utilizing the server for the user equipment
Algorithm is to original random number according to the random data obtained after encryption;
Transmission unit, for the encrypted random number evidence and the Encryption Algorithm to be sent to the server, so that the clothes
Business device is decrypted the encrypted random number evidence using the private key and the Encryption Algorithm of the server, obtains original
Random data;
First receiving unit, the original random number evidence sent for receiving the server;
Generation unit, for generating according to the original random number evidence, the client random number and the server random number
The encryption key communicated between the user equipment and the server.
7. device according to claim 6, which is characterized in that described device further include:
Second receiving unit, for receiving after generating the encryption key communicated between the user equipment and the server
Data message, the data message are the message that sends to the server of the user equipment or the server to described
The message that user equipment is sent;
Decryption unit, for utilize the encryption key and the Encryption Algorithm, to the data message carry user data into
Row decryption processing, obtains original user data;
Detection unit, for carrying out safety detection to the original user data.
8. device according to claim 6, which is characterized in that the first acquisition unit is specifically used for from described the
After obtaining client random number in one handshake message, the five-tuple information that includes according to first handshake message and described the
The client random number that one handshake message carries creates the first session;
The second acquisition unit, if the five-tuple information and first session that include specifically for second handshake message
Including five-tuple information matches, then server random number and Encryption Algorithm are obtained from second handshake message;
The third acquiring unit, if the five-tuple information and first session that include specifically for key exchange message
Including five-tuple information matches, then from the key exchange message in obtain encrypted random number evidence.
9. device according to claim 8, which is characterized in that the first acquisition unit is specifically used for according to described the
The five-tuple information that one handshake message includes creates the first session;First handshake message is recorded in first session
The client random number of carrying, and set the first handshake message for the state of the session and reached state, described first shakes hands
Message, which has reached state and is used to indicate, has received first handshake message;
The second acquisition unit, specifically for detecting whether first session and second handshake message meet first in advance
If condition, first preset condition is that the state of first session is that first handshake message has reached state or described
The state of first session is that the second handshake message has reached state and second handshake message is to retransmit message, and described second shakes hands
Message, which has reached state and is used to indicate, has received second handshake message;If so, in first session described in record
The server random number and Encryption Algorithm that second handshake message carries, and described second is set by the state of first session
Handshake message has reached state;
The third acquiring unit, specifically for detecting whether first session and key exchange message meet second in advance
If condition, second preset condition is that the state of first session is that second handshake message has reached state or described
The state of first session is that have reached state and key exchange message be to retransmit message to key exchange message, key exchange
Message, which has reached state and is used to indicate, has received key exchange message;If so, being obtained from key exchange message
Encrypted random number evidence, and set the key exchange message for the state of first session and reached state.
10. device according to claim 8 or claim 9, which is characterized in that described device further include:
Third receiving unit, for receiving warning message;
Searching unit searches the five-tuple with the warning message if the type for the warning message is fatal form
Second session of information matches, the fatal form, which is used to indicate, disconnects SSL connection;
Unit is deleted, if deleting second session for finding second session, and to the user equipment and institute
It states server and sends message of waving, the message so that user equipment and the server are waved according to is each turned off institute
State the connection between user equipment and the server.
11. a kind of firewall box, which is characterized in that described machine readable to deposit including processor and machine readable storage medium
Storage media is stored with the machine-executable instruction that can be executed by the processor, and the processor is by the executable finger of the machine
Order promotes: realizing any method and step of claim 1-5.
12. a kind of machine readable storage medium, which is characterized in that the machine readable storage medium is stored with can be by the place
The machine-executable instruction that device executes is managed, the processor is promoted by the machine-executable instruction: realizing that claim 1-5 appoints
Method and step described in one.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201910447394.8A CN110190955B (en) | 2019-05-27 | 2019-05-27 | Information processing method and device based on secure socket layer protocol authentication |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201910447394.8A CN110190955B (en) | 2019-05-27 | 2019-05-27 | Information processing method and device based on secure socket layer protocol authentication |
Publications (2)
Publication Number | Publication Date |
---|---|
CN110190955A true CN110190955A (en) | 2019-08-30 |
CN110190955B CN110190955B (en) | 2022-05-24 |
Family
ID=67718114
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201910447394.8A Active CN110190955B (en) | 2019-05-27 | 2019-05-27 | Information processing method and device based on secure socket layer protocol authentication |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN110190955B (en) |
Cited By (13)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN110557244A (en) * | 2019-09-06 | 2019-12-10 | 江苏省水文水资源勘测局 | Application data unit encryption method in water conservancy industrial control system |
CN110677389A (en) * | 2019-09-09 | 2020-01-10 | 杭州迪普科技股份有限公司 | SSL protocol-based hybrid attack protection method and device |
CN110944001A (en) * | 2019-12-06 | 2020-03-31 | 浙江军盾信息科技有限公司 | Server safety protection method, device and related equipment |
CN111107087A (en) * | 2019-12-19 | 2020-05-05 | 杭州迪普科技股份有限公司 | Message detection method and device |
CN111541682A (en) * | 2020-04-17 | 2020-08-14 | 北京天融信网络安全技术有限公司 | Data security detection method and device, storage medium and electronic equipment |
CN112383392A (en) * | 2020-11-13 | 2021-02-19 | 随锐科技集团股份有限公司 | Video conference alternate encryption method and device and computer readable storage medium |
CN112689014A (en) * | 2020-12-24 | 2021-04-20 | 百果园技术(新加坡)有限公司 | Double-full-duplex communication method and device, computer equipment and storage medium |
CN112751858A (en) * | 2020-12-30 | 2021-05-04 | 恒安嘉新(北京)科技股份公司 | Data encryption communication terminal method, device, terminal, server and storage medium |
CN113765927A (en) * | 2021-09-09 | 2021-12-07 | 图易(常熟)信息技术有限公司 | Method and system for encrypting network copyright of cloud uploaded content |
CN114679299A (en) * | 2022-02-24 | 2022-06-28 | 广东电网有限责任公司 | Communication protocol encryption method, device, computer equipment and storage medium |
CN114830602A (en) * | 2019-12-17 | 2022-07-29 | 微芯片技术股份有限公司 | Mutual authentication protocol for systems with low throughput communication links and apparatus for performing the protocol |
CN115701026A (en) * | 2021-07-21 | 2023-02-07 | 中移物联网有限公司 | Test method, device and terminal for transport layer security protocol |
CN116032545A (en) * | 2022-12-06 | 2023-04-28 | 北京中睿天下信息技术有限公司 | Multi-stage filtering method and system for ssl or tls flow |
Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US8707027B1 (en) * | 2012-07-02 | 2014-04-22 | Symantec Corporation | Automatic configuration and provisioning of SSL server certificates |
CN104468560A (en) * | 2014-12-02 | 2015-03-25 | 中国科学院声学研究所 | Method and system for collecting network confidential data plaintext |
US20150341317A1 (en) * | 2012-10-19 | 2015-11-26 | Telefonaktiebolaget L M Ericsson (Publ) | Unidirectional Deep Packet Inspection |
CN105763566A (en) * | 2016-04-19 | 2016-07-13 | 成都知道创宇信息技术有限公司 | Communication method between client and server |
CN106941401A (en) * | 2017-03-23 | 2017-07-11 | 深信服科技股份有限公司 | Acceleration equipment and the method that session key is obtained based on acceleration equipment |
-
2019
- 2019-05-27 CN CN201910447394.8A patent/CN110190955B/en active Active
Patent Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US8707027B1 (en) * | 2012-07-02 | 2014-04-22 | Symantec Corporation | Automatic configuration and provisioning of SSL server certificates |
US20150341317A1 (en) * | 2012-10-19 | 2015-11-26 | Telefonaktiebolaget L M Ericsson (Publ) | Unidirectional Deep Packet Inspection |
CN104468560A (en) * | 2014-12-02 | 2015-03-25 | 中国科学院声学研究所 | Method and system for collecting network confidential data plaintext |
CN105763566A (en) * | 2016-04-19 | 2016-07-13 | 成都知道创宇信息技术有限公司 | Communication method between client and server |
CN106941401A (en) * | 2017-03-23 | 2017-07-11 | 深信服科技股份有限公司 | Acceleration equipment and the method that session key is obtained based on acceleration equipment |
Cited By (20)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN110557244B (en) * | 2019-09-06 | 2021-12-28 | 江苏省水文水资源勘测局 | Application data unit encryption method in water conservancy industrial control system |
CN110557244A (en) * | 2019-09-06 | 2019-12-10 | 江苏省水文水资源勘测局 | Application data unit encryption method in water conservancy industrial control system |
CN110677389A (en) * | 2019-09-09 | 2020-01-10 | 杭州迪普科技股份有限公司 | SSL protocol-based hybrid attack protection method and device |
CN110677389B (en) * | 2019-09-09 | 2022-01-25 | 杭州迪普科技股份有限公司 | SSL protocol-based hybrid attack protection method and device |
CN110944001A (en) * | 2019-12-06 | 2020-03-31 | 浙江军盾信息科技有限公司 | Server safety protection method, device and related equipment |
CN114830602A (en) * | 2019-12-17 | 2022-07-29 | 微芯片技术股份有限公司 | Mutual authentication protocol for systems with low throughput communication links and apparatus for performing the protocol |
CN111107087A (en) * | 2019-12-19 | 2020-05-05 | 杭州迪普科技股份有限公司 | Message detection method and device |
CN111107087B (en) * | 2019-12-19 | 2022-03-25 | 杭州迪普科技股份有限公司 | Message detection method and device |
CN111541682A (en) * | 2020-04-17 | 2020-08-14 | 北京天融信网络安全技术有限公司 | Data security detection method and device, storage medium and electronic equipment |
CN112383392A (en) * | 2020-11-13 | 2021-02-19 | 随锐科技集团股份有限公司 | Video conference alternate encryption method and device and computer readable storage medium |
CN112383392B (en) * | 2020-11-13 | 2024-03-15 | 随锐科技集团股份有限公司 | Video conference rotation encryption method, video conference rotation encryption equipment and computer readable storage medium |
CN112689014A (en) * | 2020-12-24 | 2021-04-20 | 百果园技术(新加坡)有限公司 | Double-full-duplex communication method and device, computer equipment and storage medium |
CN112751858A (en) * | 2020-12-30 | 2021-05-04 | 恒安嘉新(北京)科技股份公司 | Data encryption communication terminal method, device, terminal, server and storage medium |
CN112751858B (en) * | 2020-12-30 | 2023-04-07 | 恒安嘉新(北京)科技股份公司 | Data encryption communication terminal method, device, terminal, server and storage medium |
CN115701026A (en) * | 2021-07-21 | 2023-02-07 | 中移物联网有限公司 | Test method, device and terminal for transport layer security protocol |
CN113765927A (en) * | 2021-09-09 | 2021-12-07 | 图易(常熟)信息技术有限公司 | Method and system for encrypting network copyright of cloud uploaded content |
CN114679299A (en) * | 2022-02-24 | 2022-06-28 | 广东电网有限责任公司 | Communication protocol encryption method, device, computer equipment and storage medium |
CN114679299B (en) * | 2022-02-24 | 2024-03-15 | 广东电网有限责任公司 | Communication protocol encryption method, device, computer equipment and storage medium |
CN116032545A (en) * | 2022-12-06 | 2023-04-28 | 北京中睿天下信息技术有限公司 | Multi-stage filtering method and system for ssl or tls flow |
CN116032545B (en) * | 2022-12-06 | 2024-03-22 | 北京中睿天下信息技术有限公司 | Multi-stage filtering method and system for ssl or tls flow |
Also Published As
Publication number | Publication date |
---|---|
CN110190955B (en) | 2022-05-24 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN110190955A (en) | Information processing method and device based on secure socket layer protocol certification | |
US8886934B2 (en) | Authorizing physical access-links for secure network connections | |
US7039713B1 (en) | System and method of user authentication for network communication through a policy agent | |
US7992193B2 (en) | Method and apparatus to secure AAA protocol messages | |
US8843750B1 (en) | Monitoring content transmitted through secured communication channels | |
EP1913728B1 (en) | Total exchange session security | |
US11736304B2 (en) | Secure authentication of remote equipment | |
CN107708112A (en) | A kind of encryption method suitable for MQTT SN agreements | |
KR20050002632A (en) | Reducing network configuration complexity with transparent virtual private networks | |
WO2020252611A1 (en) | Data interaction method and related equipments | |
Sari et al. | Comparative analysis of wireless security protocols: WEP vs WPA | |
US11792186B2 (en) | Secure peer-to-peer based communication sessions via network operating system in secure data network | |
CN111935213A (en) | Distributed trusted authentication virtual networking system and method | |
JP2007318806A (en) | Method for securing data traffic in mobile network environment | |
US20180013729A1 (en) | Secure Application Communication System | |
CN110572392A (en) | Identity authentication method based on HyperLegger network | |
US20210377239A1 (en) | Method for distributed application segmentation through authorization | |
Bella et al. | Verifying second-level security protocols | |
Cheng et al. | Analysis and improvement of the Internet‐Draft IKEv3 protocol | |
Gupta et al. | Security mechanisms of Internet of things (IoT) for reliable communication: a comparative review | |
Bella | What is correctness of security protocols? | |
Jin-Gang et al. | An improved NSSK authentication protocol and its formal analysis | |
Heo et al. | Vulnerability of information disclosure in data transfer section for constructing a safe smart work infrastructure | |
CN110557360B (en) | System and method for message transmission | |
Ajay et al. | Security of Web Applications with short web service: a review Study |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||
GR01 | Patent grant |