CN110190955A - Information processing method and device based on secure socket layer protocol certification - Google Patents

Information processing method and device based on secure socket layer protocol certification Download PDF

Info

Publication number
CN110190955A
CN110190955A CN201910447394.8A CN201910447394A CN110190955A CN 110190955 A CN110190955 A CN 110190955A CN 201910447394 A CN201910447394 A CN 201910447394A CN 110190955 A CN110190955 A CN 110190955A
Authority
CN
China
Prior art keywords
message
server
random number
session
user equipment
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN201910447394.8A
Other languages
Chinese (zh)
Other versions
CN110190955B (en
Inventor
岳炳词
乔兴华
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
New H3C Security Technologies Co Ltd
Original Assignee
New H3C Security Technologies Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by New H3C Security Technologies Co Ltd filed Critical New H3C Security Technologies Co Ltd
Priority to CN201910447394.8A priority Critical patent/CN110190955B/en
Publication of CN110190955A publication Critical patent/CN110190955A/en
Application granted granted Critical
Publication of CN110190955B publication Critical patent/CN110190955B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/02Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/04Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/0435Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply symmetric encryption, i.e. same key used for encryption and decryption
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0869Network architectures or network communication protocols for network security for authentication of entities for achieving mutual authentication
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/16Implementing security features at a particular protocol layer
    • H04L63/168Implementing security features at a particular protocol layer above the transport layer
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0819Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0838Key agreement, i.e. key establishment technique in which a shared key is derived by parties as a function of information contributed by, or associated with, each of these
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0861Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • H04L9/0869Generation of secret information including derivation or calculation of cryptographic keys or passwords involving random numbers or seeds

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Computer And Data Communications (AREA)

Abstract

The embodiment of the present application provides a kind of information processing method and device based on secure socket layer protocol certification.Firewall box exchanges in message from user equipment with the first handshake message, the second handshake message and the key of server interaction, obtains client random number, server random number, Encryption Algorithm and encrypted random number evidence respectively.Encrypted random number evidence and Encryption Algorithm are sent to server by firewall box.The private key and Encryption Algorithm of server by utilizing server, according to being decrypted, obtain original random number evidence to encrypted random number, and original random number evidence is sent to firewall box.Firewall box generates the encryption key communicated between user equipment and server according to original random number evidence, client random number and server random number.Using technical solution provided by the embodiments of the present application, it can be realized and safety detection is carried out to the encryption data of ssl protocol two-way authentication.

Description

Information processing method and device based on secure socket layer protocol certification
Technical field
This application involves fields of communication technology, more particularly to a kind of information processing based on secure socket layer protocol certification Method and device.
Background technique
With the development of internet technology, the equipment for accessing internet is more and more.In order to improve two communication between devices Safety, usually using Secure Socket Layer (English: Secure Sockets Layer, referred to as: SSL), agreement authenticated, SSL connection is established, and then the data of transmission are encrypted.Ssl protocol certification is divided into unilateral authentication and two-way authentication.Unidirectionally recognize Card is certification of the user equipment to server.Two-way authentication includes that user equipment sets the certification of server and server to user Standby certification.
It, at present can be by the way that firewall box by way of " go-between ", be realized that ssl protocol is recognized for unilateral authentication Card.Its work basic principle is divided into two parts: first part is certification of the user equipment to firewall box, and second part is anti- Certification of the wall with flues equipment to server.For first part, user equipment slave firewall equipment obtains certificate, compares the card of acquisition The firewall certificate installed on book and user equipment, if the two matches, it is determined that the certificate verification success to acquisition, firewall are set It is standby legal, go out the public key communicated from the certificate acquisition of acquisition and is transferred to firewall after being encrypted with the public key to negotiation data and sets Standby, the negotiation data that firewall box can use the private key pair encryption of itself is decrypted, and firewall box can be according to decryption Encryption key of the user equipment side for data encrypting and deciphering is calculated in the negotiation data obtained afterwards.For second part, fire prevention Wall equipment obtains certificate from server, the server certificate installed on the certificate and firewall box of acquisition is compared, if the two Match, it is determined that the certificate verification success to acquisition, server legitimacy go out the public key communicated, from the certificate acquisition of acquisition with the public affairs After key encrypts negotiation data, it is transferred to server, the negotiation data that server can use the private key pair encryption of itself carries out Encryption key of the server side for data encrypting and deciphering is calculated according to the negotiation data obtained after decryption in decryption.
For two-way authentication, work basic principle are as follows: be mutually authenticated between user equipment and server, it may be assumed that user equipment From server obtain certificate, authenticated with the certificate of the server to acquisition and server from user equipment obtain certificate, With authenticating for the certificate of the user equipment to acquisition.User equipment and server are in the certificate verification success to respectively obtaining Afterwards, it is based respectively on the negotiation data transmitted between user equipment and server, generates and adds between user equipment and server for data The encryption key of decryption.
For above-mentioned unilateral authentication, firewall box can get respectively user equipment side and server side adds for data Close encryption key, and then the safety detection to data may be implemented.But for two-way authentication, original idea is exactly to enhance The security level of SSL certification avoids the presence of the visitor (attacker) forged in network, therefore, no matter comes from ssl protocol itself Say or the security requirement of ISP on for, can not all support in simply by being forged in similar unilateral authentication scene Between the mode of people realize two-way authentication.On the one hand, except non-server install firewall certificate, otherwise firewall box be can not Two-way authentication is completed by forging internuncial mode;On the other hand, if server installs firewall certificate, mean to prevent The ability for the Credential-Security detection that wall with flues equipment must have same server the same, this cannot achieve for firewall box, And for server, this " authorization " of installation firewall certificate is also not allow.
Therefore, in two-way authentication, firewall box can not get the encryption key that user equipment and server are negotiated, And then the data transmitted between user equipment and server can not be decrypted, and safety detection can not be carried out to data.
Summary of the invention
The embodiment of the present application be designed to provide it is a kind of based on secure socket layer protocol certification information processing method and Device, to realize that the encryption data to ssl protocol two-way authentication carries out safety detection.Specific technical solution is as follows:
In a first aspect, the embodiment of the present application provides a kind of information processing method based on ssl protocol certification, it is applied to anti- Wall with flues equipment, which comprises
Receive the first handshake message that user equipment is sent, will first handshake message to server forwarding, and from institute State acquisition client random number in the first handshake message;
The second handshake message for receiving the first handshake message described in the response that the server is sent, described second is shaken hands Message is forwarded to the user equipment, and server random number and Encryption Algorithm are obtained from second handshake message;
The key exchange message that the user equipment is sent is received, obtains encrypted random number from key exchange message According to the encrypted random number is according to the public key and the Encryption Algorithm for utilizing the server for the user equipment to original random It is obtained after data encryption;
The encrypted random number evidence and the Encryption Algorithm are sent to the server, so that server by utilizing institute The encrypted random number evidence is decrypted in the private key and the Encryption Algorithm for stating server, obtains original random number evidence;
Receive the original random number evidence that the server is sent;
According to the original random number evidence, the client random number and the server random number, the user is generated The encryption key communicated between equipment and the server.
Second aspect, the embodiment of the present application provide a kind of information processing unit based on ssl protocol certification, are applied to anti- Wall with flues equipment, described device include:
First acquisition unit, for receive user equipment transmission the first handshake message, by first handshake message to Server forwarding, and client random number is obtained from first handshake message;
Second acquisition unit is shaken hands report for receiving second of the first handshake message described in the response that the server is sent Text forwards second handshake message to the user equipment, and acquisition server is random from second handshake message Several and Encryption Algorithm;
Third acquiring unit exchanges message for receiving the key that the user equipment is sent, exchanges and report from the key Obtain encrypted random number evidence in text, the encrypted random number utilizes the public key of the server and described according to being the user equipment Encryption Algorithm is to original random number according to the random data obtained after encryption;
Transmission unit, for the encrypted random number evidence and the Encryption Algorithm to be sent to the server, so that institute The encrypted random number evidence is decrypted in the private key and the Encryption Algorithm for stating server described in server by utilizing, obtains Original random number evidence;
First receiving unit, the original random number evidence sent for receiving the server;
Generation unit is used for according to the original random number evidence, the client random number and the server random number, Generate the encryption key communicated between the user equipment and the server.
The third aspect, the embodiment of the present application provide a kind of firewall box, including processor and machine readable storage are situated between Matter, the machine readable storage medium are stored with the machine-executable instruction that can be executed by the processor, the processor Promoted by the machine-executable instruction: realizing a kind of information processing method based on ssl protocol certification that first aspect provides Either step.
Fourth aspect, the embodiment of the present application provide a kind of machine readable storage medium, the machine readable storage medium It is stored with the machine-executable instruction that can be executed by the processor, the processor is promoted by the machine-executable instruction Make: realizing a kind of either step for information processing method based on ssl protocol certification that first aspect provides.
A kind of information processing method and device based on secure socket layer protocol certification provided by the embodiments of the present application, In ssl protocol certification, user equipment sends the first handshake message, the key exchange messages such as message to server, server to Family equipment sends the messages such as the second handshake message.Firewall box obtains client random number from the first handshake message, from Server random number and Encryption Algorithm are obtained in two handshake message.Later, firewall box obtains from key exchange message and adds Encrypted random number evidence and Encryption Algorithm are sent to server by close random data simultaneously.At this point, server can use itself The Encryption Algorithm that private key and firewall box are sent obtains original random number evidence to encrypted random number according to being decrypted, will Original random number evidence is sent to firewall box.Firewall box is according to original random number evidence, client random number and server Random number generates the encryption key communicated between user equipment and server.User equipment is same as server be according to it is original with Machine data, client random number and server random number generate encryption key.Therefore, the encryption key that firewall box generates Identical as the encryption key that user equipment and server generate, firewall box can be to the datagram of user equipment or server The user data that text carries is decrypted, and obtains original user data, and then carry out safety detection to original user data, It realizes and safety detection is carried out to the encryption data of ssl protocol two-way authentication.
Certainly, any product or method for implementing the application must be not necessarily required to reach all the above excellent simultaneously Point.
Detailed description of the invention
In order to illustrate the technical solutions in the embodiments of the present application or in the prior art more clearly, to embodiment or will show below There is attached drawing needed in technical description to be briefly described, it should be apparent that, the accompanying drawings in the following description is only this Some embodiments of application for those of ordinary skill in the art without creative efforts, can be with It obtains other drawings based on these drawings.
Fig. 1 is a kind of structural schematic diagram that ssl protocol provided by the embodiments of the present application authenticates networking;
Fig. 2 is a kind of signaling diagram of existing two-way authentication;
Fig. 3 is the first process signal of the information processing method provided by the embodiments of the present application based on ssl protocol certification Figure;
Fig. 4 is a kind of signaling diagram of the information processing provided by the embodiments of the present application based on ssl protocol certification;
Fig. 5 is second of process signal of the information processing method provided by the embodiments of the present application based on ssl protocol certification Figure;
Fig. 6 is a kind of flow diagram of warning message provided by the embodiments of the present application processing;
Fig. 7 is a kind of flow diagram of data message provided by the embodiments of the present application processing;
Fig. 8 is a kind of structural schematic diagram of the information processing unit provided by the embodiments of the present application based on ssl protocol certification;
Fig. 9 is a kind of structural schematic diagram of firewall box provided by the embodiments of the present application.
Specific embodiment
Below in conjunction with the attached drawing in the embodiment of the present application, technical solutions in the embodiments of the present application carries out clear, complete Site preparation description, it is clear that described embodiments are only a part of embodiments of the present application, instead of all the embodiments.It is based on Embodiment in the application, it is obtained by those of ordinary skill in the art without making creative efforts every other Embodiment shall fall in the protection scope of this application.
Ssl protocol certification is divided into unilateral authentication and two-way authentication.Unilateral authentication is certification of the user equipment to server.It is double It include certification of the user equipment to the certification and server of server to user equipment to certification.
For unilateral authentication, firewall certificate is installed on user equipment, server certificate is installed on firewall box.With Family equipment and firewall box arranging key, establish SSL connection 1.Firewall box and server arranging key establish SSL company Connect 2.At this point, encryption and decryption data is carried out using the encryption key that SSL connection 1 negotiates between user equipment and firewall box, Encryption and decryption data is carried out using the encryption key that SSL connection 2 negotiates between firewall box and server.Firewall box can User equipment side is got respectively and server side is used for the encryption key of data encryption, and then the safety to data may be implemented Detection.
With the continuous renewal of cyber-attack techniques, the continuous enhancing that user realizes personal privacy protection, in network silver Row, the exigent business scope of data storage safety, generally use ssl protocol two-way authentication.SSL association as shown in Figure 1 View certification networking, including user equipment 100, firewall box 101 and server 102-104.Ssl protocol authenticates networking One or more user equipmenies, one or more servers.Here, it is only carried out by taking a user equipment, three servers as an example Illustrate, it is not from the limited effect.
For two-way authentication, in networking shown in Fig. 1 server 102 and user equipment 100 carry out that ssl protocol is two-way to be recognized For card, the signaling diagram of two-way authentication as shown in connection with fig. 2 is illustrated ssl protocol two-way authentication process.Specifically, SSL Agreement two-way authentication process includes the following steps.
User equipment 100 by firewall box 101 to server 102 send client shake hands (Client Hello) report Text.Client hello packet include user equipment 100 support ssl protocol version information, encryption suite candidate list and For generating the client random number of encryption key.Wherein, encryption suite candidate list includes the multiple of the support of user equipment 100 Encryption suite etc..Each encryption suite includes Diffie-Hellman, message authentication information code (abstract) algorithm, Encryption Algorithm, close Key generating algorithm and pseudo-random function.
The ssl protocol version information that server 102 includes according to Client hello packet, determining and user equipment 100 The ssl protocol version information of SSL connection is established, and is selected from the encryption suite candidate list that Client hello packet includes One encryption suite.Server 102 sends server handshaking (Server to user equipment 100 by firewall box 101 Hello) message.Server hello packet includes determining ssl protocol version information, the encryption suite and server of selection with Machine number.
Certificate (Certificate) message 1 is sent to user equipment 100 by firewall box 101 by server 102. Certificate message 1 includes the certificate 1 of server 102, and certificate 1 includes the identity information for 102 authentication of server With the public key 1 of server 102.In addition, server 102 sends certificate request to user equipment 100 by firewall box 101 (Certificate Request) message 1.Certificate Request message 1 is used for requiring user equipment 100 to send The certificate 2 of family equipment 100 gives server 102.Certificate 2 includes the identity information and user for 100 authentication of user equipment The public key 2 of equipment 100.Again, server 102 sends server handshaking to user equipment 100 by firewall box 101 and terminates (Server Hello Done) message.Server Hello Done message, which is used to indicate the transmission of Server hello packet, to be terminated Message.
After user equipment 100 receives Certificate message 1, whether verifying certificate 1 is legal.If certificate 1 is illegal, Then user equipment 100 makes indicating risk according to different illegal situations.If certificate 1 is legal, 100 basis of user equipment Certificate Request message 1 sends Certificate message 2 to server 102 by firewall box 101, Certificate message 2 includes the certificate 2 of user equipment 100, and certificate 2 includes the identity for 100 authentication of user equipment The public key 2 of information and user equipment 100.In addition, user equipment 100 generates random data 1 according to preset algorithm, Server is utilized The public key 1 for including in the encryption suite and certificate 1 of hello packet confirmation after encrypting to random data 1, is carried and is handed in key It changes in (Key Exchange) message and server 102 is sent to by firewall box 101.At this point, user equipment 100 has obtained The all information for calculating encryption key, i.e. client random number, server random number and random data 1 have been got, so as to The encryption key communicated between server is calculated.
In order to avoid the information that user equipment 100 and server 102 are negotiated is distorted by man-in-the-middle attack, user equipment 100 send certification authentication (Certificate Verity) message to server 102 by firewall box 101, the institute by before There is the private key 2 of interactive message certificate 2 to sign, is verified for server 102.In this way, any one message before once It lives through and distorts, as long as private key 2 does not leak, server 102 is centainly it can be found that the presence of attacker.Later, user equipment 100 notify the subsequent communication of server 102 all using negotiation by changing regular (the Change Cipher Spec) message 1 of password Encryption key and Encryption Algorithm, and to server 102 send encryption end (Finish) message 1.Wherein, Finish message 1, which is used to indicate server 102, verifies the encryption key negotiated.
After server 102 receives Certificate message 2, whether verifying certificate 2 is legal.If certificate 2 is illegal, Server 102 makes indicating risk according to different illegal situations.If certificate 2 is legal, server 102 uses certificate 2 Public key 2 is decrypted and verifies to the signature of Certificate Verity message.To Certificate Verity message After signature verification passes through, server 102 think user equipment 100 be it is believable, using the private key of certificate 1 to Key Exchange The encrypted random data 1 for including in message is decrypted, obtain random data 1, based on client random number, server with Machine number and random data 1, so as to which the encryption key communicated with user equipment 100 is calculated.
Later, server 102 utilizes the encryption information in the encryption key decryption Finish message 1 obtained, verifying decryption The correctness of data and encryption key afterwards.After determining correctly, server 102 sends Change Cipher to user equipment 100 Spec message 2 and Finish message 2, with the subsequent communication of notifying user equipment 100 all using the encryption key and encryption negotiated Algorithm.
So far, ssl protocol is negotiated to complete by user equipment 100 and server 102, and negotiation can be used in follow-up data message Encryption key and Encryption Algorithm out carries out encrypted transmission.
As it can be seen that in ssl protocol two-way authentication, firewall box can not be got as " go-between " user equipment side and Server side is used for the encryption key of data encryption, therefore can not solve to the data transmitted between user equipment and server It is close, and then can not be to the safety detection of data.
To realize that the encryption data to ssl protocol two-way authentication carries out safety detection, the embodiment of the present application provides one kind Information processing method based on ssl protocol certification.In ssl protocol certification, user equipment sends first to server and shakes hands report Messages, the servers such as text, key exchange message send the messages such as the second handshake message to user equipment.Firewall box is from first Client random number is obtained in handshake message, and server random number and Encryption Algorithm are obtained from the second handshake message.Later, prevent Wall with flues equipment obtains encrypted random number evidence from key exchange message, and encrypted random number evidence and Encryption Algorithm are sent to clothes simultaneously Business device.At this point, the Encryption Algorithm that server can use the private key of server and firewall box is sent, to encrypted random number evidence It is decrypted, obtains original random number evidence, original random number evidence is sent to firewall box.Firewall box is according to original Beginning random data, client random number and server random number generate the encryption key communicated between user equipment and server.With Family equipment same as server is to generate encryption key according to original random number evidence, client random number and server random number. Therefore, the encryption key that firewall box generates, firewall box identical as the encryption key that user equipment and server generate User data can be carried to received data message to be decrypted, obtain original user data, and then to original user Data carry out safety detection, realize and carry out safety detection to the encryption data of ssl protocol two-way authentication.
Below by specific embodiment, to the information processing provided by the embodiments of the present application based on ssl protocol two-way authentication Method is illustrated.
With reference to Fig. 3, Fig. 3 is the first of the information processing method provided by the embodiments of the present application based on ssl protocol certification Flow diagram.This method is suitable for the scene of ssl protocol two-way authentication.This method is applied to firewall box, including as follows Step.
Step 301, the first handshake message that user equipment is sent is received, the first handshake message is forwarded to server, and Client random number is obtained from the first handshake message.In the embodiment of the present application, a certain information is obtained from a certain message is Refer to: the message is parsed, to obtain the information.Such as: client random number is obtained from the first handshake message and is referred to: parsing the One handshake message, to obtain client random number.This explanation is done in similar description in the embodiment of the present application.
In ssl protocol two-way authentication, the first handshake message is Client hello packet.
In ssl protocol certification, the first handshake message is sent to firewall box by user equipment.Firewall box is from Client random number is obtained in one handshake message.After getting client random number, firewall box is by the first handshake message It is sent to server.
In one embodiment of the application, firewall box receives user equipment is sent to server first and shakes hands report Text.From in the first handshake message obtain client random number after, firewall box include according to the first handshake message five The client random number that tuple information and the first handshake message carry, creates the first session.It, can in the first session in one example To include five-tuple information and negotiation information, negotiation information includes client random number, server random number, encryption suite and adds The information such as key.Session as shown in table 1.
Table 1
Source address Source port Destination address Destination port Negotiation information
In an optional embodiment, firewall box can virtually be multiple equipment, to realize user isolation, firewall Equipment be this multiple virtual unit distribute virtual routing forwarding (English: Virtual Routing Forwarding, referred to as: VRF).At this point, can also include the mark of VRF in the first session of firewall box creation, as shown in table 2.
Table 2
Source address Source port Destination address Destination port VRF Negotiation information
VRF table shows the mark of VRF.The mark of VRF can be understood as the mark of a virtual unit.
Negotiation information in Tables 1 and 2 can be found in shown in table 3.
Table 3
Encryption suite Client random number Server random number Encryption key
Step 302, the second handshake message for receiving the first handshake message of response that server is sent, by the second handshake message It is forwarded to user equipment, and obtains server random number and Encryption Algorithm from the second handshake message.
In ssl protocol two-way authentication, the second handshake message is Server hello packet.
After server receives the first handshake message, according to the first handshake message, the second handshake message is sent to fire prevention Wall equipment.Firewall box obtains server random number and Encryption Algorithm from the second handshake message.Get server with After machine number and Encryption Algorithm, the second handshake message is sent to server by firewall box.
In one embodiment of the application, firewall box receives server is sent to user equipment second and shakes hands report Text.The five-tuple information that the five-tuple information that second handshake message includes is included by firewall box with above-mentioned first session Match.If the five-tuple information that the second handshake message includes and the five-tuple information matches that the first session includes, firewall box Server random number and Encryption Algorithm are obtained from the second handshake message, and the carrying of the second handshake message is recorded in the first session Server random number and Encryption Algorithm.As shown in table 3, the server random number that firewall box carries the second handshake message is remembered The server random number field in table 3 is recorded, the Encryption Algorithm that the second handshake message carries is recorded in the encryption suite word of table 3 Section.If the five-tuple information that the second handshake message includes and the five-tuple information that the first session includes mismatch, firewall is set It is standby to abandon the second handshake message.
In the embodiment of the present application, the message from user equipment to server is positive message, from server to user equipment Message be reversed message.Above-mentioned first session is the five-tuple information creating based on the first handshake message, i.e., based on forward direction What message was established.For the second handshake message as reversed message, firewall box is in include by the second handshake message five When the five-tuple information matches that tuple information and the first session include, include by the source address of the second handshake message and the first session Destination address matching, the source port of the second handshake message is matched with the destination port that the first session includes, second is shaken hands The source address matches that the destination address of message and the first session include, by the destination port of the second handshake message and the first session packet The source port matching included, the affiliated VRF of the second handshake message is matched with the VRF that the first session includes.If above- mentioned information match, Then firewall box obtains server random number and Encryption Algorithm from the second handshake message.If any information is not in above- mentioned information Matching, then firewall box abandons the second handshake message.
Step 303, it receives the key that user equipment is sent and exchanges message, obtain encrypted random number from key exchange message According to, encrypted random number according to being user equipment using the public key and Encryption Algorithm of server to original random number according to being obtained after encryption Random data.
In ssl protocol two-way authentication, it is Key Exchange message that key, which exchanges message,.
In the embodiment of the present application, after server receives the first handshake message, other than sending the second handshake message, may be used also To send Certificate message, Certificate Request message and Server Hello Done message.Firewall is set It is standby that Certificate message, Certificate Request message and Server Hello Done message are not processed, directly Switch through and issues user equipment.
User equipment generates an original random number evidence according to preset algorithm, is calculated using the encryption that the second handshake message carries The public key that certificate is carried in the Certificate message that method and server are sent, to the original random number of generation according to adding Close processing obtains encrypted random number evidence.Encrypted random number is sent to fire prevention in key exchange message according to carrying by user equipment Wall equipment.Wherein, the public key that certificate is carried in the Certificate message that server is sent is the public key of server.Fire prevention Wall equipment obtains encrypted random number evidence from key exchange message.
In one embodiment of the application, firewall box receives the key exchange report that user equipment is sent to server Text.The five-tuple information that the five-tuple information that key exchange message includes is included by firewall box with above-mentioned first session Match.If the five-tuple information matches that five-tuple information and the first session that key exchange message includes include, firewall box Encrypted random number evidence is obtained from key exchange message.If the five-tuple information that key exchange message includes includes with the first session Five-tuple information mismatch, then firewall box abandon key exchange message.
In the embodiment of the present application, above-mentioned first session is established based on positive message.For as the close of positive message Key exchanges message, and firewall box is believed in the five-tuple that the five-tuple information and the first session for including by key exchange message include When breath matching, the source address matches for including by the source address of key exchange message and the first session, by the source of key exchange message Port is matched with the source port that the first session includes, the destination for including by the destination address of key exchange message and the first session The destination port of key exchange message is matched with the destination port that the first session includes, key is exchanged message institute by location matching Belong to VRF to match with the VRF that the first session includes.If above- mentioned information match, firewall box is obtained from key exchange message Take encrypted random number evidence.If any information mismatches in above- mentioned information, firewall box abandons key and exchanges message.
Step 304, encrypted random number evidence and Encryption Algorithm are sent to server.
Firewall box exchanges Receive message to encrypted random number after, by encrypted random number accordingly and from second from key The Encryption Algorithm got in handshake message is sent to server.Server receives encrypted random number evidence and Encryption Algorithm Afterwards, original random number evidence is obtained to encrypted random number according to being decrypted using the private key of server and the Encryption Algorithm. Wherein, the private key of server is the corresponding private key of public key that certificate is carried in the Certificate message of above-mentioned server transmission. The private key is merely stored in server local, will not carry and be sent to user equipment in the certificate.
In one embodiment of the application, for the safety of improve data transfer, between server and firewall box Negotiate the protocol informations such as port and the data format of transmission data in advance.Firewall box exchanges Receive message to encryption from key After random data, according to the protocol information negotiated in advance, encrypted random number evidence and Encryption Algorithm are carried in transmission control protocol Server is sent in (English: Transmission Control Protocol, abbreviation: TCP) message.Server is according to pre- The protocol information first negotiated obtains encrypted random number evidence and Encryption Algorithm, private key and encryption using server from TCP message Algorithm obtains original random number evidence to encrypted random number according to being decrypted.Server is believed according to the agreement negotiated in advance Original random number is sent to firewall box according to carrying by breath in TCP message.
For example, the protocol information negotiated in advance includes 30-37 byte storage encrypted random number evidence, the load of port 1, load 41-52 byte storage Encryption Algorithm, the 30-49 byte of load of lotus store original random number evidence.Firewall box is from close After key exchanges Receive message to encrypted random number evidence, according to the protocol information negotiated in advance, the encrypted random number evidence that will acquire It is stored in the 30-37 byte of the load of TCP message 1, the Encryption Algorithm that will acquire is stored in the of the load of TCP message 1 41-52 byte puts TCP message 1 to server by port 1.After server receives TCP message 1 by port 1, reported from TCP The 30-37 byte of text 1 obtains encrypted random number evidence, and gets Encryption Algorithm from the 41-52 byte of TCP message 1, utilizes The private key and Encryption Algorithm of server obtain original random number evidence to encrypted random number according to being decrypted.Server will be former Beginning random data is stored in the 30-49 byte of the load of TCP message 2, and TCP message 2 is sent to firewall by port 1 Equipment.At this point, original random number evidence can be obtained from TCP message 2 after firewall box receives TCP message 2 by port 1.
It should be understood that only realizing the information between firewall box and server with TCP message in the embodiment of the present application Transmission for be illustrated.It is sent out in TCP message specifically, firewall box carries encrypted random number evidence and Encryption Algorithm Server is given, original random number evidence is also carried and is sent to firewall box in TCP message by server.In other embodiment party In formula, firewall box and service can also be realized with the message of user-defined format or other existing messages (such as IP packet) The transmission of information between device, the embodiment of the present application are not particularly limited.
Step 305, the original random number evidence that server is sent is received.
Server is decrypted to obtain original random number after to encrypted random number evidence, by the original random number according to hair Give firewall box.
In one embodiment of the application, for convenient for server to encrypted random number according to handling, can service Firewall plug-in unit is installed on device.Firewall box exchanges Receive message to encrypted random number after, by encrypted random number from key Accordingly and Encryption Algorithm is sent to firewall plug-in unit.Firewall plug-in unit obtains the private key of server, using the private key of server, Combining encryption algorithm obtains original random number evidence to encrypted random number according to being decrypted.Firewall plug-in unit will be original random Data are sent to firewall box.
Step 306, according to original random number evidence, client random number and server random number, user equipment and clothes are generated The encryption key communicated between business device.
The information that user equipment and server calculate encryption key includes: original random number evidence, client random number kimonos Business device random number.Firewall box has got all information for calculating encryption key at this time, according to original random number evidence, visitor Family end random number and server random number generate the encryption key communicated between user equipment and server.
In one embodiment, firewall box can obtain after receiving the second handshake message from the second handshake message The encryption suites information such as key schedule, Diffie-Hellman, digest algorithm and pseudo-random function is taken, and in the first session Record the encryption suite information got from the second handshake message.As shown in table 3, firewall box will be from the second handshake message In the encryption suite information that gets be recorded in the encryption suite field of table 3.
Firewall box is getting original random number after, is generated using the key got from the second handshake message Algorithm handles original random number evidence, client random number and server random number, generates between user equipment and server The encryption key of communication.
In the embodiment of the present application, user equipment and server carry out data using identical Encryption Algorithm and encryption key Encryption and decryption process encrypts data it is, the encryption key that user equipment and server generate is symmetric key Encryption Algorithm with decryption processing is symmetric encipherment algorithm.Wherein, symmetric encipherment algorithm can for data encryption standards (English: Data Encryption Standard, referred to as: DES) algorithm, triple des (referred to as: 3DES) algorithm, international data add Close algorithm (English: International Data Encryption Algorithm, abbreviation: IDEA), Fast Data Encipherment are calculated Method (English: Fast Data Encipherment Algorithm, referred to as: FEAL, Bruce (English: Blowfish) algorithm Deng.
Firewall box is used to generate the information of encryption key and user equipment and server are used to generate encryption key Information is identical.Therefore, the encryption key that firewall box generates is symmetric key, the encryption got from the second handshake message Algorithm is symmetric encipherment algorithm.In turn, encryption key and the Encryption Algorithm that gets of the firewall box using generation, to reception Data message carry user data processing is encrypted and decrypted.
In one embodiment of the application, after firewall box generates encryption key, which can be existed In first session, and key exchange message is sent to server.
In addition, the Certificate message, the Certificate Verify message, Change that are sent for user equipment Cipher Spec message and Finish message etc., firewall box is not processed, and is directly forwarded to server.
In technical solution provided by the embodiments of the present application, firewall box can be in the feelings that do not modify to any message Under condition, the encryption key communicated between user equipment and server is obtained, and utilize the encryption key, to user equipment or server The user data that the data message of transmission carries is decrypted, and obtains original user data, and then to original user data Safety detection is carried out, realizes and safety detection is carried out to the encryption data of ssl protocol two-way authentication.
Technical solution provided by the embodiments of the present application can also be applied to ssl protocol unilateral authentication, when obtaining unilateral authentication The encryption key communicated between user equipment and server is realized and carries out safety detection to the encryption data of ssl protocol unilateral authentication.
In technical solution provided by the embodiments of the present application, firewall box only receive key exchange message after, it is right Encrypted random number evidence has done a decryption processing.User equipment need not carry out unilateral authentication to firewall box, establish SSL company It connects, firewall box also need not carry out unilateral authentication to server, establish SSL connection, effectively reduce equipment computing resource Loss.
In conjunction with a kind of signaling diagram of Fig. 3 and the information processing shown in Fig. 4 authenticated based on ssl protocol, the application is implemented The information processing method based on ssl protocol certification that example provides is illustrated.
Step 401, user equipment 100 sends Client hello packet to firewall box 101.
Step 402, firewall box 101 receives Client hello packet, and visitor is obtained from Client hello packet Family end random number.
Step 403, firewall box 101 sends Client hello packet to server 102.
Step 404, server 102 receives Client hello packet and is set according to Client hello packet to firewall Standby 101 send Server hello packet.
Step 405, firewall box 101 receives Server hello packet, and clothes are obtained from Server hello packet Business device random number, Encryption Algorithm and key schedule.
Step 406, firewall box 101 sends Server hello packet to server 102.
Step 407, user equipment 100 receives Server hello packet, according to Server hello packet, obtains service The public key and original random number evidence of device 102, using the public key and Encryption Algorithm of server 102, to original random number according to adding Close processing obtains encrypted random number evidence, and the Key Exchange report for carrying the encrypted random number evidence is sent to firewall box 101 Text.
Step 408, firewall box 101 receives Key Exchange message, obtains and adds from Key Exchange message Close random data.
Step 409, firewall box 101 sends to server 102 and carries the first of encrypted random number evidence and Encryption Algorithm Message.It should be understood that the first message can be TCP message.In other embodiments, the first message, which can also be, makes by oneself The message of adopted format or other existing messages (such as IP packet, the embodiment of the present application are not particularly limited.
Step 410, server 102 receives the first message, obtains the private key of itself, utilizes itself private key and the first message The Encryption Algorithm of carrying obtains original random number evidence to encrypted random number according to being decrypted.
Step 411, server 102 sends the second message for carrying original random number evidence to firewall box 101.It should manage Solution, the second message can be TCP message.In other embodiments, the second message can also be the report of user-defined format Text or other existing messages (such as IP packet, the embodiment of the present application are not particularly limited.
Step 412, firewall box 101 receives the second message, by original random number evidence, client random number and server Random number inputs key schedule, obtains the encryption key communicated between user equipment 100 and server 102.
The description of above-mentioned steps 401-412 is fairly simple, specifically refers to the description of the part step 301-306.
In conjunction with above-mentioned embodiment illustrated in fig. 3, the embodiment of the present application also provides at a kind of information based on ssl protocol certification Reason method.With reference to Fig. 5, Fig. 5 is second of stream of the information processing method provided by the embodiments of the present application based on ssl protocol certification Journey schematic diagram.This method is applied to firewall box, may include steps of.
Step 501, the first handshake message that user equipment is sent is received, the first handshake message is forwarded to server, and Client random number is obtained from the first handshake message.Step 501 is identical as step 301.
Step 502, the second handshake message for receiving the first handshake message of response that server is sent, by the second handshake message It is forwarded to user equipment, and obtains server random number and Encryption Algorithm from the second handshake message.
Step 502 is identical as step 302.
Step 503, it receives the key that user equipment is sent and exchanges message, obtain encrypted random number from key exchange message According to, encrypted random number according to being user equipment using the public key and Encryption Algorithm of server to original random number according to being obtained after encryption Random data.Step 503 is identical as step 303.
Step 504, encrypted random number evidence and Encryption Algorithm are sent to server.Step 504 is identical as step 304.
Step 505, the original random number evidence that server is sent is received.Step 505 is identical as step 305.
Step 506, according to original random number evidence, client random number and server random number, user equipment and clothes are generated The encryption key communicated between business device.Step 506 is identical as step 306.
Step 507, data message is received.Data message be the message that is sent to server of user equipment or server to The message that user equipment is sent.
In the embodiment of the present application, after firewall box generates encryption key, key exchange message is sent to server.It is right In Certificate message, Certificate Verify message, Change Cipher Spec message that user equipment is sent With Finish message etc., firewall box is not processed, and is directly forwarded to user equipment.In this way, in user equipment and server After generating encryption key and establishing SSL connection, user equipment can be communicated with server.It is, user equipment can be with The data message sent by firewall box to server, server pass through the data that firewall box is sent to user equipment Message.
Step 508, using encryption key and Encryption Algorithm, user data is carried to data message and is decrypted, is obtained To original user data.
After firewall box receives data message, the Encryption Algorithm obtained using the encryption key and step 503 of generation, User data is carried to data message to be decrypted, and obtains original user data.
In an optional embodiment, after firewall box receives data message, by the five-tuple information of data message It is matched with the five-tuple information that session includes.If the five-tuple that the five-tuple information of data message and the first session include is believed Breath matching, then firewall box obtains the Encryption Algorithm for including in the first session and encryption key, utilizes the encryption key of acquisition And Encryption Algorithm, user data is carried to data message and is decrypted, original user data is obtained.
Step 509, safety detection is carried out to original user data.
After firewall box gets original user data, safety detection is carried out to original user data.Wherein, safety inspection Survey includes deep-packet detection (English: Deep Packet Inspection, abbreviation: DPI), content safety detection and audit etc. Reason.
In an optional embodiment, if determining data after firewall box carries out safety detection to original user data Message is attack message, then can construct message of waving, be sent respectively to user equipment and server, with disconnect user equipment with Connection between server, and delete the first session with the five-tuple information matches of data message.In this way, net can be improved effectively The safety of network.If after firewall box carries out safety detection to original user data, determining that data message is normal message, then Forward the data message.
In an optional embodiment, user equipment and server can be to firewall boxes in the case where detecting and threatening Send warning message.For example, determine that the certificate of server is illegal after user equipment verifies the certificate of server, then to Firewall box sends warning message.For another example determining user equipment after server verifies the certificate of user equipment Certificate is illegal, then sends warning message to firewall box.It is as shown in Figure 6 for the process flow of warning message.
Step 601, warning message is received.
Wherein, the message that warning message can be sent to server for user equipment, or server is to user equipment The message of transmission.It include the type of warning message in warning message.For example, the type of warning message can be divided into it is fatal (Fatal) type and warning (Warning) type.Fatal type, which is used to indicate, disconnects SSL connection.Warning type is for mentioning Showing user, there are risks, it is not necessary to disconnect SSL connection.The type of warning message can be set according to actual needs, the application Embodiment is to this without limiting.
Step 602, whether the type for detecting warning message is fatal form.If so, thening follow the steps 603.If it is not, then holding Row step 605.
After firewall box receives warning message, whether the type for detecting warning message is fatal form.
Step 603, the second session with the five-tuple information matches of warning message is searched.If finding, then follow the steps 604.If not finding, 605 are thened follow the steps.
If the type of warning message is fatal form, the determining five-tuple information with current alarm message of firewall box The very big risk of the matched corresponding SSL connection presence of SSL session, needs to disconnect this SSL connection, searches five with warning message Matched second session of tuple information.
Step 604, the second session is deleted, and sends message of waving to user equipment and server.
If firewall box finds the second session with the five-tuple information matches of warning message, to user equipment and Server sends message of waving, and deletes the second session, to disconnect SSL connection where current alarm message, recycles Session Resources. User equipment and server are according to message of waving, the connection that is each turned off between user equipment and server.
Step 605, warning message is forwarded.
If the type of warning message is fatal form, or does not find the second session, then firewall box carries out subsequent place Reason forwards warning message.
In one embodiment of the application, if firewall box receive that server or user equipment send wave to report Text then searches the third session with the five-tuple information matches of the message of waving, and deletes the third session, recycling session money Source, and forward message of waving.
In one embodiment of the application, SSL connection keepalive mechanism is can be set in firewall box.Specifically, if super Preset duration is crossed not receive and the matched message of the first session, then the first session of firewall box deletion.This avoids users to set The standby SSL between server connect disconnection after, session remain the problem of, saved Session Resources.
In one embodiment of the application, for the ease of firewall box management, meeting can be set on firewall box Speech phase may include as shown in table 4 session status field in negotiation information.
Table 4
Session status Encryption suite Client random number Server random number Encryption key
Wherein, session status may include that the first handshake message has reached state, the second handshake message has reached state and key Exchange message has reached state.Wherein, the first handshake message has reached state (Client Hello Received state) and has been used to indicate Have received the first handshake message.Under Client Hello Received state, subsequent expectation processing is that server is sent The second handshake message.
Second handshake message, which has reached state (Server Hello Received state) and is used to indicate, to be had received second and holds Hand message.Under Server Hello Received state, subsequent expectation processing is key exchange message.
Key exchange message has reached state (Key Exchange Received state) for having received key exchange report Text.Under Key Exchange Received state, what subsequent expectation was handled is Change Cipher Spec message and answers With the encryption data message of layer.
In this case, after firewall box receives the first handshake message, include according to the first handshake message five yuan Group information creates the first session;The client random number of the first handshake message carrying is recorded in the first session, and by session State is set as Client Hello Received state.
After firewall box receives the second handshake message, if five-tuple information and the first meeting that the second handshake message includes The five-tuple information matches that words include, detect the first session and whether the second handshake message meets the first preset condition, and first is pre- If the state that the state that condition is the first session is Client Hello Received state or the first session is Server Hello Received state and the second handshake message are to retransmit message.If meeting the first preset condition, firewall box exists The server random number and Encryption Algorithm of the carrying of the second handshake message are recorded in first session, and the state of the first session is arranged For Server Hello Received state.If being unsatisfactory for the first preset condition, firewall box abandons second and shakes hands report Text.
After firewall box receives key exchange message, if five-tuple information and the first meeting that key exchange message includes The five-tuple information matches that words include, then detect the first session and whether key exchange message meets the second preset condition, and second It is the state of Server Hello Received state or the first session is Key that preset condition, which is the state of the first session, Exchange Received state and key exchange message are re-transmission message.If meeting the second preset condition, firewall box Encrypted random number evidence is obtained from key exchange message, and sets Key Exchange for the state of the first session Received state.If being unsatisfactory for the second preset condition, firewall box abandons key and exchanges message.
Based on above-mentioned session status, the process of firewall box processing data message be can refer to shown in Fig. 7.
Step 701, data message is received.Data message be the message that is sent to server of user equipment or server to The message that user equipment is sent.
Step 702, the 4th session with the five-tuple information matches of data message is searched.If finding, then follow the steps 703.If not finding, 707 are thened follow the steps.
Step 703, whether the state for detecting the 4th session is Key Exchange Received state.If so, executing Step 704.If it is not, thening follow the steps 707.
Step 704, using the Encryption Algorithm and encryption key recorded in the 4th session, user data is carried to data message It is decrypted, obtains original user data.
Step 705, safety detection is carried out to original user data, determines whether data message is attack message.If so, Execute step 706.If it is not, thening follow the steps 708.
Step 706, message of waving is constructed, user equipment and server are sent respectively to.
Step 707, data message is abandoned.
Step 708, forwarding data packets.
The description of the part step 701-708 is relatively easy, specifically refers to the associated description of the above-mentioned part Fig. 3-5.
Above-mentioned first session, the second session, third session and the 4th session may be the same or different.The application is real Example is applied to this without limiting.In technical solution provided by the embodiments of the present application, firewall box only needs three kinds of session status, State machine is relatively easy, is effectively saved device resource.
Based on identical inventive concept, according to the above-mentioned information processing method based on ssl protocol certification, the embodiment of the present application Additionally provide a kind of information processing unit based on ssl protocol certification.With reference to Fig. 8, Fig. 8 is provided by the embodiments of the present application is based on A kind of structural schematic diagram of the information processing unit of ssl protocol certification, the device are applied to firewall box, comprising: first obtains It takes unit 801, second acquisition unit 802, third acquiring unit 803, transmission unit 804, the first receiving unit 805 and generates single Member 806.
First acquisition unit 801, for receiving the first handshake message of user equipment transmission, by the first handshake message to clothes Business device forwarding, and client random number is obtained from the first handshake message;
Second acquisition unit 802, the second handshake message of the first handshake message of response for receiving server transmission, will Second handshake message is forwarded to user equipment, and server random number and Encryption Algorithm are obtained from the second handshake message;
Third acquiring unit 803, the key for receiving user equipment transmission exchange message, obtain from key exchange message Encrypted random number evidence is taken, encrypted random number is according to the public key and Encryption Algorithm for utilizing server for user equipment to original random number evidence The random data obtained after encryption;
Transmission unit 804, for encrypted random number evidence and Encryption Algorithm to be sent to server, so that server by utilizing takes The private key and Encryption Algorithm of business device, according to being decrypted, obtain original random number evidence to encrypted random number;
First receiving unit 805, for receiving the original random number evidence of server transmission;
Generation unit 806, for generating user according to original random number evidence, client random number and server random number The encryption key communicated between equipment and server.
In an optional embodiment, the above-mentioned information processing unit based on ssl protocol certification can also include:
Second receiving unit, for receiving data after generating the encryption key communicated between user equipment and server Message, data message are the message that the message that user equipment is sent to server or server are sent to user equipment;
Decryption unit carries user data to data message and place is decrypted for utilizing encryption key and Encryption Algorithm Reason, obtains original user data;
Detection unit, for carrying out safety detection to original user data.
In an optional embodiment, first acquisition unit 801 specifically can be used for obtaining from the first handshake message The client that the five-tuple information for including according to the first handshake message after client random number and the first handshake message carry with Machine number creates the first session;
Second acquisition unit 802, if specifically can be used for five-tuple information and the first session that the second handshake message includes Including five-tuple information matches, then server random number and Encryption Algorithm are obtained from the second handshake message;
Third acquiring unit 803, if specifically can be used for five-tuple information and the first session that key exchange message includes Including five-tuple information matches, then from key exchange message in obtain encrypted random number evidence.
In an optional embodiment, first acquisition unit 801, specifically can be used for include according to the first handshake message Five-tuple information creates the first session;The client random number of the first handshake message carrying is recorded in the first session, and will The state of words is set as the first handshake message and has reached state, and the first handshake message, which has reached state and is used to indicate, to be had received first and hold Hand message;
Second acquisition unit 802, specifically can be used for detecting the first session and whether the second handshake message meets first in advance If condition, the first preset condition is that the state of the first session is that the first handshake message has reached state or the state of the first session is Second handshake message has reached state and the second handshake message to retransmit message, and the second handshake message, which has reached state and is used to indicate, have been connect Receive the second handshake message;If so, recording server random number and the encryption of the second handshake message carrying in the first session Algorithm, and set the second handshake message for the state of the first session and reached state;
Third acquiring unit 803, specifically can be used for detecting the first session and whether key exchange message meets second in advance If condition, the second preset condition is that the state of the first session is that the second handshake message has reached state or the state of the first session is Key exchange message has reached state and key exchange message to retransmit message, and key exchange message, which has reached state and is used to indicate, have been connect Receive key exchange message;If so, obtaining encrypted random number evidence from key exchange message, and the state of the first session is set It is set to key exchange message and has reached state.
In an optional embodiment, the above-mentioned information processing unit based on ssl protocol certification can also include:
Third receiving unit, for receiving warning message;
Searching unit searches the five-tuple information with warning message if the type for warning message is fatal form Matched second session, fatal form, which is used to indicate, disconnects SSL connection;
Unit is deleted, if deleting the second session, and send to user equipment and server for finding the second session It waves message, so that the company that user equipment and the server according to message of waving, are each turned off between user equipment and server It connects.
In technical solution provided by the embodiments of the present application, firewall box can be in the feelings that do not modify to any message Under condition, the encryption key communicated between user equipment and server is obtained, and then utilize the encryption key, to user equipment or service The user data that the data message that device is sent carries is decrypted, and obtains original user data, and then to original user number According to safety detection is carried out, realizes and safety detection is carried out to the encryption data of ssl protocol two-way authentication.
Based on identical inventive concept, according to the above-mentioned information processing method based on ssl protocol certification, the embodiment of the present application A kind of firewall box is additionally provided, as shown in figure 9, including processor 901 and machine readable storage medium 902, it is machine readable Storage medium 902 is stored with the machine-executable instruction that can be executed by processor 901.Processor 901 is by the executable finger of machine Order promotes to realize above-mentioned Fig. 3-either step shown in Fig. 7.
In an optional embodiment, as shown in figure 9, firewall box can also include: that communication interface 903 and communication are total Line 904;Wherein, processor 901, machine readable storage medium 902, communication interface 903 are completed each other by communication bus 904 Communication, communication interface 903 is for communication between above-mentioned firewall box and other equipment.
Based on identical inventive concept, according to the above-mentioned information processing method based on ssl protocol certification, the embodiment of the present application A kind of machine readable storage medium is additionally provided, machine readable storage medium is stored with the machine that can be executed by processor and can hold Row instruction.Processor is promoted to realize above-mentioned Fig. 3-either step shown in Fig. 7 by machine-executable instruction.
Above-mentioned communication bus can be PCI (Peripheral Component Interconnect, Peripheral Component Interconnect Standard) bus or EISA (Extended Industry Standard Architecture, expanding the industrial standard structure) bus Deng.The communication bus can be divided into address bus, data/address bus, control bus etc..
Above-mentioned machine readable storage medium may include RAM (Random Access Memory, random access memory), It also may include NVM (Non-Volatile Memory, nonvolatile memory), for example, at least a magnetic disk storage.Separately Outside, machine readable storage medium can also be that at least one is located remotely from the storage device of aforementioned processor.
Above-mentioned processor can be general processor, including CPU (Central Processing Unit, central processing Device), NP (Network Processor, network processing unit) etc.;Can also be DSP (Digital Signal Processing, Digital signal processor), ASIC (Application Specific Integrated Circuit, specific integrated circuit), It is FPGA (Field-Programmable Gate Array, field programmable gate array) or other programmable logic device, discrete Door or transistor logic, discrete hardware components.
It should be noted that, in this document, relational terms such as first and second and the like are used merely to a reality Body or operation are distinguished with another entity or operation, are deposited without necessarily requiring or implying between these entities or operation In any actual relationship or order or sequence.Moreover, the terms "include", "comprise" or its any other variant are intended to Non-exclusive inclusion, so that the process, method, article or equipment including a series of elements is not only wanted including those Element, but also including other elements that are not explicitly listed, or further include for this process, method, article or equipment Intrinsic element.In the absence of more restrictions, the element limited by sentence "including a ...", it is not excluded that There is also other identical elements in process, method, article or equipment including the element.
Each embodiment in this specification is all made of relevant mode and describes, same and similar portion between each embodiment Dividing may refer to each other, and each embodiment focuses on the differences from other embodiments.Especially for being based on For information processing unit, firewall box and machine readable storage medium embodiment that ssl protocol authenticates, due to its basic phase It is similar to the information processing method embodiment authenticated based on ssl protocol, so be described relatively simple, related place is referring to being based on The part explanation of the information processing method embodiment of ssl protocol certification.
The foregoing is merely the preferred embodiments of the application, are not intended to limit the protection scope of the application.It is all Any modification, equivalent replacement, improvement and so within spirit herein and principle are all contained in the protection scope of the application It is interior.

Claims (12)

1. a kind of information processing method based on secure socket layer protocol certification, which is characterized in that be applied to firewall box, institute The method of stating includes:
Receive the first handshake message that user equipment is sent, will first handshake message to server forwarding, and from described the Client random number is obtained in one handshake message;
The second handshake message for receiving the first handshake message described in the response that the server is sent, by second handshake message It is forwarded to the user equipment, and obtains server random number and Encryption Algorithm from second handshake message;
The key exchange message that the user equipment is sent is received, obtains encrypted random number evidence from key exchange message, The encrypted random number is according to the public key and the Encryption Algorithm for utilizing the server for the user equipment to original random number According to the random data obtained after encryption;
The encrypted random number evidence and the Encryption Algorithm are sent to the server, so as to take described in the server by utilizing The encrypted random number evidence is decrypted in the private key of business device and the Encryption Algorithm, obtains original random number evidence;
Receive the original random number evidence that the server is sent;
According to the original random number evidence, the client random number and the server random number, the user equipment is generated The encryption key communicated between the server.
2. the method according to claim 1, wherein being communicated between the user equipment and the server generating Encryption key after, further includes:
Data message is received, the data message is the message or the service that the user equipment is sent to the server The message that device is sent to the user equipment;
Using the encryption key and the Encryption Algorithm, user data is carried to the data message and is decrypted, is obtained To original user data;
Safety detection is carried out to the original user data.
3. the method according to claim 1, wherein random obtaining client from first handshake message After number, further includes:
The client random number that the five-tuple information for including according to first handshake message and first handshake message carry, Create the first session;
Described the step of server random number and Encryption Algorithm are obtained from second handshake message, comprising:
If the five-tuple information that second handshake message includes and the five-tuple information matches that first session includes, from Server random number and Encryption Algorithm are obtained in second handshake message;
It is described from the key exchange message in obtain encrypted random number according to the step of, comprising:
If the five-tuple information matches that five-tuple information and first session that the key exchange message includes include, from Encrypted random number evidence is obtained in the key exchange message.
4. according to the method described in claim 3, it is characterized in that, the five-tuple for including according to first handshake message The step of client random number that information and first handshake message carry, creation session, comprising:
According to the five-tuple information that first handshake message includes, the first session is created;Institute is recorded in first session The client random number of the first handshake message carrying is stated, and sets the first handshake message for the state of the session and has reached shape State, first handshake message, which has reached state and is used to indicate, has received first handshake message;
Described the step of server random number and Encryption Algorithm are obtained from second handshake message, comprising:
It detects first session and whether second handshake message meets the first preset condition, first preset condition is The state of first session is that the state that first handshake message has reached state or first session is second to shake hands report It is re-transmission message that text, which reach state and second handshake message, and second handshake message, which has reached state and is used to indicate, have been received To second handshake message;If so, recorded in first session server that second handshake message carries with Machine number and Encryption Algorithm, and set second handshake message for the state of first session and reached state;
It is described from the key exchange message in obtain encrypted random number according to the step of, comprising:
It detects first session and whether key exchange message meets the second preset condition, second preset condition is The state of first session is key exchange report for the state that second handshake message has reached state or first session Text reach state and key exchange message to retransmit message, and the key, which exchanges message and reached state and be used to indicate, have been received Message is exchanged to the key;If so, obtaining encrypted random number evidence from key exchange message, and by first meeting The state of words is set as the key exchange message and has reached state.
5. the method according to claim 3 or 4, which is characterized in that the method also includes:
Receive warning message;
If the type of the warning message is fatal form, second with the five-tuple information matches of the warning message is searched Session;
If finding, second session is deleted, and send message of waving to the user equipment and the server, so that The user equipment and the server are waved message according to, are each turned off between the user equipment and the server Connection.
6. a kind of information processing unit based on secure socket layer protocol certification, which is characterized in that be applied to firewall box, institute Stating device includes:
First acquisition unit, for receiving the first handshake message of user equipment transmission, by first handshake message to service Device forwarding, and client random number is obtained from first handshake message;
Second acquisition unit, for receiving the second handshake message of the first handshake message described in the response that the server is sent, Second handshake message is forwarded to the user equipment, and from second handshake message obtain server random number and Encryption Algorithm;
Third acquiring unit exchanges message for receiving the key that the user equipment is sent, from key exchange message Encrypted random number evidence is obtained, the encrypted random number is according to the public key and the encryption for utilizing the server for the user equipment Algorithm is to original random number according to the random data obtained after encryption;
Transmission unit, for the encrypted random number evidence and the Encryption Algorithm to be sent to the server, so that the clothes Business device is decrypted the encrypted random number evidence using the private key and the Encryption Algorithm of the server, obtains original Random data;
First receiving unit, the original random number evidence sent for receiving the server;
Generation unit, for generating according to the original random number evidence, the client random number and the server random number The encryption key communicated between the user equipment and the server.
7. device according to claim 6, which is characterized in that described device further include:
Second receiving unit, for receiving after generating the encryption key communicated between the user equipment and the server Data message, the data message are the message that sends to the server of the user equipment or the server to described The message that user equipment is sent;
Decryption unit, for utilize the encryption key and the Encryption Algorithm, to the data message carry user data into Row decryption processing, obtains original user data;
Detection unit, for carrying out safety detection to the original user data.
8. device according to claim 6, which is characterized in that the first acquisition unit is specifically used for from described the After obtaining client random number in one handshake message, the five-tuple information that includes according to first handshake message and described the The client random number that one handshake message carries creates the first session;
The second acquisition unit, if the five-tuple information and first session that include specifically for second handshake message Including five-tuple information matches, then server random number and Encryption Algorithm are obtained from second handshake message;
The third acquiring unit, if the five-tuple information and first session that include specifically for key exchange message Including five-tuple information matches, then from the key exchange message in obtain encrypted random number evidence.
9. device according to claim 8, which is characterized in that the first acquisition unit is specifically used for according to described the The five-tuple information that one handshake message includes creates the first session;First handshake message is recorded in first session The client random number of carrying, and set the first handshake message for the state of the session and reached state, described first shakes hands Message, which has reached state and is used to indicate, has received first handshake message;
The second acquisition unit, specifically for detecting whether first session and second handshake message meet first in advance If condition, first preset condition is that the state of first session is that first handshake message has reached state or described The state of first session is that the second handshake message has reached state and second handshake message is to retransmit message, and described second shakes hands Message, which has reached state and is used to indicate, has received second handshake message;If so, in first session described in record The server random number and Encryption Algorithm that second handshake message carries, and described second is set by the state of first session Handshake message has reached state;
The third acquiring unit, specifically for detecting whether first session and key exchange message meet second in advance If condition, second preset condition is that the state of first session is that second handshake message has reached state or described The state of first session is that have reached state and key exchange message be to retransmit message to key exchange message, key exchange Message, which has reached state and is used to indicate, has received key exchange message;If so, being obtained from key exchange message Encrypted random number evidence, and set the key exchange message for the state of first session and reached state.
10. device according to claim 8 or claim 9, which is characterized in that described device further include:
Third receiving unit, for receiving warning message;
Searching unit searches the five-tuple with the warning message if the type for the warning message is fatal form Second session of information matches, the fatal form, which is used to indicate, disconnects SSL connection;
Unit is deleted, if deleting second session for finding second session, and to the user equipment and institute It states server and sends message of waving, the message so that user equipment and the server are waved according to is each turned off institute State the connection between user equipment and the server.
11. a kind of firewall box, which is characterized in that described machine readable to deposit including processor and machine readable storage medium Storage media is stored with the machine-executable instruction that can be executed by the processor, and the processor is by the executable finger of the machine Order promotes: realizing any method and step of claim 1-5.
12. a kind of machine readable storage medium, which is characterized in that the machine readable storage medium is stored with can be by the place The machine-executable instruction that device executes is managed, the processor is promoted by the machine-executable instruction: realizing that claim 1-5 appoints Method and step described in one.
CN201910447394.8A 2019-05-27 2019-05-27 Information processing method and device based on secure socket layer protocol authentication Active CN110190955B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910447394.8A CN110190955B (en) 2019-05-27 2019-05-27 Information processing method and device based on secure socket layer protocol authentication

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201910447394.8A CN110190955B (en) 2019-05-27 2019-05-27 Information processing method and device based on secure socket layer protocol authentication

Publications (2)

Publication Number Publication Date
CN110190955A true CN110190955A (en) 2019-08-30
CN110190955B CN110190955B (en) 2022-05-24

Family

ID=67718114

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201910447394.8A Active CN110190955B (en) 2019-05-27 2019-05-27 Information processing method and device based on secure socket layer protocol authentication

Country Status (1)

Country Link
CN (1) CN110190955B (en)

Cited By (13)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110557244A (en) * 2019-09-06 2019-12-10 江苏省水文水资源勘测局 Application data unit encryption method in water conservancy industrial control system
CN110677389A (en) * 2019-09-09 2020-01-10 杭州迪普科技股份有限公司 SSL protocol-based hybrid attack protection method and device
CN110944001A (en) * 2019-12-06 2020-03-31 浙江军盾信息科技有限公司 Server safety protection method, device and related equipment
CN111107087A (en) * 2019-12-19 2020-05-05 杭州迪普科技股份有限公司 Message detection method and device
CN111541682A (en) * 2020-04-17 2020-08-14 北京天融信网络安全技术有限公司 Data security detection method and device, storage medium and electronic equipment
CN112383392A (en) * 2020-11-13 2021-02-19 随锐科技集团股份有限公司 Video conference alternate encryption method and device and computer readable storage medium
CN112689014A (en) * 2020-12-24 2021-04-20 百果园技术(新加坡)有限公司 Double-full-duplex communication method and device, computer equipment and storage medium
CN112751858A (en) * 2020-12-30 2021-05-04 恒安嘉新(北京)科技股份公司 Data encryption communication terminal method, device, terminal, server and storage medium
CN113765927A (en) * 2021-09-09 2021-12-07 图易(常熟)信息技术有限公司 Method and system for encrypting network copyright of cloud uploaded content
CN114679299A (en) * 2022-02-24 2022-06-28 广东电网有限责任公司 Communication protocol encryption method, device, computer equipment and storage medium
CN114830602A (en) * 2019-12-17 2022-07-29 微芯片技术股份有限公司 Mutual authentication protocol for systems with low throughput communication links and apparatus for performing the protocol
CN115701026A (en) * 2021-07-21 2023-02-07 中移物联网有限公司 Test method, device and terminal for transport layer security protocol
CN116032545A (en) * 2022-12-06 2023-04-28 北京中睿天下信息技术有限公司 Multi-stage filtering method and system for ssl or tls flow

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8707027B1 (en) * 2012-07-02 2014-04-22 Symantec Corporation Automatic configuration and provisioning of SSL server certificates
CN104468560A (en) * 2014-12-02 2015-03-25 中国科学院声学研究所 Method and system for collecting network confidential data plaintext
US20150341317A1 (en) * 2012-10-19 2015-11-26 Telefonaktiebolaget L M Ericsson (Publ) Unidirectional Deep Packet Inspection
CN105763566A (en) * 2016-04-19 2016-07-13 成都知道创宇信息技术有限公司 Communication method between client and server
CN106941401A (en) * 2017-03-23 2017-07-11 深信服科技股份有限公司 Acceleration equipment and the method that session key is obtained based on acceleration equipment

Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8707027B1 (en) * 2012-07-02 2014-04-22 Symantec Corporation Automatic configuration and provisioning of SSL server certificates
US20150341317A1 (en) * 2012-10-19 2015-11-26 Telefonaktiebolaget L M Ericsson (Publ) Unidirectional Deep Packet Inspection
CN104468560A (en) * 2014-12-02 2015-03-25 中国科学院声学研究所 Method and system for collecting network confidential data plaintext
CN105763566A (en) * 2016-04-19 2016-07-13 成都知道创宇信息技术有限公司 Communication method between client and server
CN106941401A (en) * 2017-03-23 2017-07-11 深信服科技股份有限公司 Acceleration equipment and the method that session key is obtained based on acceleration equipment

Cited By (20)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110557244B (en) * 2019-09-06 2021-12-28 江苏省水文水资源勘测局 Application data unit encryption method in water conservancy industrial control system
CN110557244A (en) * 2019-09-06 2019-12-10 江苏省水文水资源勘测局 Application data unit encryption method in water conservancy industrial control system
CN110677389A (en) * 2019-09-09 2020-01-10 杭州迪普科技股份有限公司 SSL protocol-based hybrid attack protection method and device
CN110677389B (en) * 2019-09-09 2022-01-25 杭州迪普科技股份有限公司 SSL protocol-based hybrid attack protection method and device
CN110944001A (en) * 2019-12-06 2020-03-31 浙江军盾信息科技有限公司 Server safety protection method, device and related equipment
CN114830602A (en) * 2019-12-17 2022-07-29 微芯片技术股份有限公司 Mutual authentication protocol for systems with low throughput communication links and apparatus for performing the protocol
CN111107087A (en) * 2019-12-19 2020-05-05 杭州迪普科技股份有限公司 Message detection method and device
CN111107087B (en) * 2019-12-19 2022-03-25 杭州迪普科技股份有限公司 Message detection method and device
CN111541682A (en) * 2020-04-17 2020-08-14 北京天融信网络安全技术有限公司 Data security detection method and device, storage medium and electronic equipment
CN112383392A (en) * 2020-11-13 2021-02-19 随锐科技集团股份有限公司 Video conference alternate encryption method and device and computer readable storage medium
CN112383392B (en) * 2020-11-13 2024-03-15 随锐科技集团股份有限公司 Video conference rotation encryption method, video conference rotation encryption equipment and computer readable storage medium
CN112689014A (en) * 2020-12-24 2021-04-20 百果园技术(新加坡)有限公司 Double-full-duplex communication method and device, computer equipment and storage medium
CN112751858A (en) * 2020-12-30 2021-05-04 恒安嘉新(北京)科技股份公司 Data encryption communication terminal method, device, terminal, server and storage medium
CN112751858B (en) * 2020-12-30 2023-04-07 恒安嘉新(北京)科技股份公司 Data encryption communication terminal method, device, terminal, server and storage medium
CN115701026A (en) * 2021-07-21 2023-02-07 中移物联网有限公司 Test method, device and terminal for transport layer security protocol
CN113765927A (en) * 2021-09-09 2021-12-07 图易(常熟)信息技术有限公司 Method and system for encrypting network copyright of cloud uploaded content
CN114679299A (en) * 2022-02-24 2022-06-28 广东电网有限责任公司 Communication protocol encryption method, device, computer equipment and storage medium
CN114679299B (en) * 2022-02-24 2024-03-15 广东电网有限责任公司 Communication protocol encryption method, device, computer equipment and storage medium
CN116032545A (en) * 2022-12-06 2023-04-28 北京中睿天下信息技术有限公司 Multi-stage filtering method and system for ssl or tls flow
CN116032545B (en) * 2022-12-06 2024-03-22 北京中睿天下信息技术有限公司 Multi-stage filtering method and system for ssl or tls flow

Also Published As

Publication number Publication date
CN110190955B (en) 2022-05-24

Similar Documents

Publication Publication Date Title
CN110190955A (en) Information processing method and device based on secure socket layer protocol certification
US8886934B2 (en) Authorizing physical access-links for secure network connections
US7039713B1 (en) System and method of user authentication for network communication through a policy agent
US7992193B2 (en) Method and apparatus to secure AAA protocol messages
US8843750B1 (en) Monitoring content transmitted through secured communication channels
EP1913728B1 (en) Total exchange session security
US11736304B2 (en) Secure authentication of remote equipment
CN107708112A (en) A kind of encryption method suitable for MQTT SN agreements
KR20050002632A (en) Reducing network configuration complexity with transparent virtual private networks
WO2020252611A1 (en) Data interaction method and related equipments
Sari et al. Comparative analysis of wireless security protocols: WEP vs WPA
US11792186B2 (en) Secure peer-to-peer based communication sessions via network operating system in secure data network
CN111935213A (en) Distributed trusted authentication virtual networking system and method
JP2007318806A (en) Method for securing data traffic in mobile network environment
US20180013729A1 (en) Secure Application Communication System
CN110572392A (en) Identity authentication method based on HyperLegger network
US20210377239A1 (en) Method for distributed application segmentation through authorization
Bella et al. Verifying second-level security protocols
Cheng et al. Analysis and improvement of the Internet‐Draft IKEv3 protocol
Gupta et al. Security mechanisms of Internet of things (IoT) for reliable communication: a comparative review
Bella What is correctness of security protocols?
Jin-Gang et al. An improved NSSK authentication protocol and its formal analysis
Heo et al. Vulnerability of information disclosure in data transfer section for constructing a safe smart work infrastructure
CN110557360B (en) System and method for message transmission
Ajay et al. Security of Web Applications with short web service: a review Study

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant