CN110190955B - Information processing method and device based on secure socket layer protocol authentication - Google Patents


Info

Publication number
CN110190955B
Authority
CN
China
Prior art keywords
message
server
session
data
handshake message
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201910447394.8A
Other languages
Chinese (zh)
Other versions
CN110190955A (en)
Inventor
岳炳词
乔兴华
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
New H3C Security Technologies Co Ltd
Original Assignee
New H3C Security Technologies Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by New H3C Security Technologies Co Ltd
Priority to CN201910447394.8A
Publication of CN110190955A
Application granted
Publication of CN110190955B

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/0435 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply symmetric encryption, i.e. same key used for encryption and decryption
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0869 Network architectures or network communication protocols for network security for authentication of entities for achieving mutual authentication
    • H04L63/16 Implementing security features at a particular protocol layer
    • H04L63/168 Implementing security features at a particular protocol layer above the transport layer
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816 Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0819 Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
    • H04L9/0838 Key agreement, i.e. key establishment technique in which a shared key is derived by parties as a function of information contributed by, or associated with, each of these
    • H04L9/0861 Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • H04L9/0869 Generation of secret information including derivation or calculation of cryptographic keys or passwords involving random numbers or seeds

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Computer And Data Communications (AREA)

Abstract

The embodiments of the application provide an information processing method and device based on secure socket layer (SSL) protocol authentication. The firewall device acquires the client random number, the server random number and encryption algorithm, and the encrypted random data from the first handshake message, the second handshake message and the key exchange message, respectively, that are exchanged between the user equipment and the server. The firewall device sends the encrypted random data and the encryption algorithm to the server. The server decrypts the encrypted random data using its private key and the encryption algorithm to obtain the original random data, and sends the original random data to the firewall device. The firewall device then generates the encryption key for communication between the user equipment and the server from the original random data, the client random number and the server random number. With the technical scheme provided by the embodiments of the application, security detection of encrypted data under SSL protocol bidirectional authentication can be realized.

Description

Information processing method and device based on secure socket layer protocol authentication
Technical Field
The present application relates to the field of communications technologies, and in particular, to an information processing method and apparatus based on secure socket layer protocol authentication.
Background
With the development of internet technology, more and more devices access the internet. To improve the security of communication between two devices, the Secure Socket Layer (SSL) protocol is often used for authentication: an SSL connection is established, and the transmitted data is then encrypted. SSL protocol authentication is divided into one-way authentication and two-way (bidirectional) authentication. One-way authentication is the authentication of the server by the user equipment. Bidirectional authentication includes the authentication of the server by the user equipment and the authentication of the user equipment by the server.
For one-way authentication, SSL protocol authentication can be implemented with a firewall device acting as a "man-in-the-middle". The working principle has two parts: the first is the authentication of the firewall device by the user equipment, and the second is the authentication of the server by the firewall device. In the first part, the user equipment acquires a certificate from the firewall device and compares it with the firewall certificate installed on the user equipment. If the two match, the acquired certificate is authenticated successfully and the firewall device is considered legal. The user equipment obtains the communication public key from the acquired certificate, encrypts the negotiation data with that public key and transmits it to the firewall device. The firewall device decrypts the encrypted negotiation data with its own private key and calculates, from the decrypted negotiation data, the encryption key used for data encryption and decryption on the user equipment side. In the second part, the firewall device acquires a certificate from the server and compares it with the server certificate installed on the firewall device. If the two match, the acquired certificate is authenticated successfully and the server is considered legal. The firewall device obtains the communication public key from the acquired certificate, encrypts the negotiation data with that public key and transmits it to the server. The server decrypts the encrypted negotiation data with its own private key, and the encryption key used for data encryption and decryption on the server side is calculated from the decrypted negotiation data.
For bidirectional authentication, the basic principle of operation is as follows: mutual authentication between the user equipment and the server, namely: the user equipment obtains the certificate from the server to authenticate the obtained certificate of the server, and the server obtains the certificate from the user equipment to authenticate the obtained certificate of the user equipment. After the user equipment and the server successfully authenticate the acquired certificates, the encryption key for data encryption and decryption between the user equipment and the server is generated respectively based on the negotiation data transmitted between the user equipment and the server.
For one-way authentication, the firewall device can obtain the encryption keys used for data encryption on both the user equipment side and the server side, and can therefore perform security detection on the data. Bidirectional authentication, however, is intended to raise the security level of SSL authentication and to keep forged visitors (attackers) out of the network. From the viewpoint of both the SSL protocol itself and the security requirements of the service provider, bidirectional authentication therefore cannot be supported simply by forging a man-in-the-middle as in the one-way authentication scenario. On the one hand, unless the server installs the firewall certificate, the firewall device cannot complete bidirectional authentication as a forged man-in-the-middle. On the other hand, if the server did install the firewall certificate, the firewall device would need the same certificate security detection capability as the server, which is not possible for the firewall device, and such "authorization" by installing the firewall certificate is also not permitted for the server.
Therefore, during the bidirectional authentication, the firewall device cannot acquire the encryption key negotiated between the user equipment and the server, and further cannot decrypt data transmitted between the user equipment and the server, and cannot perform security detection on the data.
Disclosure of Invention
An object of the embodiments of the present application is to provide an information processing method and apparatus based on secure socket layer protocol authentication, so as to implement security detection on encrypted data of SSL protocol mutual authentication. The specific technical scheme is as follows:
In a first aspect, an embodiment of the present application provides an information processing method based on SSL protocol authentication, which is applied to a firewall device, and the method includes:
receiving a first handshake message sent by user equipment, forwarding the first handshake message to a server, and acquiring a client random number from the first handshake message;
receiving a second handshake message which is sent by the server and responds to the first handshake message, forwarding the second handshake message to the user equipment, and acquiring a server random number and an encryption algorithm from the second handshake message;
receiving a key exchange message sent by the user equipment, and acquiring encrypted random data from the key exchange message, wherein the encrypted random data is obtained by encrypting original random data by the user equipment by using a public key of the server and the encryption algorithm;
sending the encrypted random data and the encryption algorithm to the server so that the server decrypts the encrypted random data by using a private key of the server and the encryption algorithm to obtain original random data;
receiving the original random data sent by the server;
and generating an encryption key for communication between the user equipment and the server according to the original random data, the client random number and the server random number.
In a second aspect, an embodiment of the present application provides an information processing apparatus based on SSL authentication, which is applied to a firewall device, and the apparatus includes:
a first obtaining unit, configured to receive a first handshake message sent by user equipment, forward the first handshake message to a server, and obtain a client random number from the first handshake message;
a second obtaining unit, configured to receive a second handshake message that is sent by the server and responds to the first handshake message, forward the second handshake message to the user equipment, and obtain a server random number and an encryption algorithm from the second handshake message;
a third obtaining unit, configured to receive a key exchange message sent by the user equipment, and obtain encrypted random data from the key exchange message, where the encrypted random data is obtained by encrypting, by the user equipment, original random data by using a public key of the server and the encryption algorithm;
a sending unit, configured to send the encrypted random data and the encryption algorithm to the server, so that the server decrypts the encrypted random data by using a private key of the server and the encryption algorithm to obtain original random data;
a first receiving unit, configured to receive the original random data sent by the server;
and a generating unit, configured to generate an encryption key for communication between the user equipment and the server according to the original random data, the client random number and the server random number.
In a third aspect, embodiments of the present application provide a firewall device, including a processor and a machine-readable storage medium storing machine-executable instructions executable by the processor, the machine-executable instructions causing the processor to implement any step of the information processing method based on SSL protocol authentication provided by the first aspect.
In a fourth aspect, embodiments of the present application provide a machine-readable storage medium storing machine-executable instructions executable by a processor, the machine-executable instructions causing the processor to implement any step of the information processing method based on SSL protocol authentication provided by the first aspect.
In the information processing method and device based on secure socket layer protocol authentication provided by the embodiments of the present application, during SSL protocol authentication the user equipment sends messages such as a first handshake message and a key exchange message to the server, and the server sends messages such as a second handshake message to the user equipment. The firewall device acquires the client random number from the first handshake message, and acquires the server random number and the encryption algorithm from the second handshake message. The firewall device then acquires the encrypted random data from the key exchange message and sends the encrypted random data together with the encryption algorithm to the server. The server can decrypt the encrypted random data using its own private key and the encryption algorithm sent by the firewall device to obtain the original random data, and sends the original random data to the firewall device. The firewall device generates the encryption key for communication between the user equipment and the server from the original random data, the client random number and the server random number. The user equipment and the server generate their encryption keys from the same original random data, client random number and server random number. The encryption key generated by the firewall device is therefore the same as the encryption keys generated by the user equipment and the server, so the firewall device can decrypt the user data carried in data messages from the user equipment or the server to obtain the original user data and perform security detection on it, thereby realizing security detection of encrypted data under SSL protocol bidirectional authentication.
Of course, it is not necessary for any product or method of practicing the present application to achieve all of the advantages set forth above at the same time.
Drawings
To illustrate the embodiments of the present application and the technical solutions in the prior art more clearly, the drawings used in describing them are briefly introduced below. The drawings described here show only some embodiments of the present application; those skilled in the art can obtain other drawings from them without creative effort.
Fig. 1 is a schematic structural diagram of an SSL authentication networking according to an embodiment of the present application;
Fig. 2 is a signaling diagram of conventional mutual authentication;
Fig. 3 is a first flowchart illustrating an information processing method based on SSL authentication according to an embodiment of the present application;
Fig. 4 is a signaling diagram of information processing based on SSL authentication according to an embodiment of the present application;
Fig. 5 is a second flowchart illustrating an information processing method based on SSL authentication according to an embodiment of the present application;
Fig. 6 is a schematic flowchart of a process of processing an alarm packet according to an embodiment of the present application;
Fig. 7 is a schematic flowchart of data packet processing according to an embodiment of the present application;
Fig. 8 is a schematic structural diagram of an information processing apparatus based on SSL authentication according to an embodiment of the present application;
Fig. 9 is a schematic structural diagram of a firewall device according to an embodiment of the present application.
Detailed Description
The technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are only a part of the embodiments of the present application, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
SSL protocol authentication is divided into one-way authentication and two-way (bidirectional) authentication. One-way authentication is the authentication of the server by the user equipment. Bidirectional authentication includes the authentication of the server by the user equipment and the authentication of the user equipment by the server.
For one-way authentication, a firewall certificate is installed on the user equipment, and a server certificate is installed on the firewall equipment. The user equipment and the firewall equipment negotiate a key to establish the SSL connection 1. The firewall equipment negotiates a key with the server to establish an SSL connection 2. At this time, the user equipment and the firewall equipment use the encryption key negotiated by the SSL connection 1 to encrypt and decrypt data, and the firewall equipment and the server use the encryption key negotiated by the SSL connection 2 to encrypt and decrypt data. The firewall device can respectively obtain the encryption keys used for data encryption on the user equipment side and the server side, and then the security detection of the data can be realized.
As network attack techniques keep evolving and users become increasingly aware of the need to protect personal privacy, SSL protocol bidirectional authentication is generally adopted in business fields with high security requirements, such as online banking and data storage. The SSL authentication networking shown in fig. 1 includes a user equipment 100, a firewall device 101, and servers 102 to 104. An SSL protocol authentication networking can comprise one or more user equipments and one or more servers. Here, one user equipment and three servers are used only as an example, and the description is not limiting.
For bidirectional authentication, the SSL protocol bidirectional authentication performed by the server 102 and the user equipment 100 in the networking shown in fig. 1 is taken as an example, and a signaling diagram of bidirectional authentication shown in fig. 2 is combined to describe a flow of SSL protocol bidirectional authentication. Specifically, the SSL protocol mutual authentication procedure includes the following steps.
The user equipment 100 sends a Client handshake (Client Hello) message to the server 102 through the firewall device 101. The Client Hello message includes the SSL protocol version information supported by the user equipment 100, an encryption suite candidate list, and a client random number used to generate an encryption key. The encryption suite candidate list comprises a plurality of encryption suites supported by the user equipment 100. Each encryption suite includes a key exchange algorithm, a message authentication code (digest) algorithm, an encryption algorithm, a key generation algorithm, and a pseudo-random function.
The server 102 determines the SSL protocol version information for establishing the SSL connection with the user equipment 100 according to the SSL protocol version information included in the Client Hello message, and selects an encryption suite from the encryption suite candidate list included in the Client Hello message. The server 102 sends a Server handshake (Server Hello) message to the user equipment 100 through the firewall device 101. The Server Hello message contains the determined SSL protocol version information, the selected encryption suite and the server random number.
The server 102 sends a Certificate message 1 to the user equipment 100 through the firewall device 101. The Certificate message 1 includes the certificate 1 of the server 102, and the certificate 1 includes identity information for authenticating the server 102 and the public key 1 of the server 102. In addition, the server 102 sends a Certificate Request message 1 to the user equipment 100 through the firewall device 101. The Certificate Request message 1 is used to request the user equipment 100 to send the certificate 2 of the user equipment 100 to the server 102. The certificate 2 comprises identity information for authenticating the user equipment 100 and the public key 2 of the user equipment 100. The server 102 then sends a Server Hello Done message to the user equipment 100 through the firewall device 101. The Server Hello Done message indicates that sending of the Server Hello message has ended.
After receiving the Certificate message 1, the user equipment 100 verifies whether the certificate 1 is legal. If the certificate 1 is illegal, the user equipment 100 issues a risk prompt according to the particular illegal situation. If the certificate 1 is legal, the user equipment 100 sends a Certificate message 2 to the server 102 through the firewall device 101 in response to the Certificate Request message 1, where the Certificate message 2 includes the certificate 2 of the user equipment 100, and the certificate 2 includes identity information used for authenticating the user equipment 100 and the public key 2 of the user equipment 100. In addition, the user equipment 100 generates random data 1 according to a preset algorithm, encrypts the random data 1 using the encryption suite confirmed by the Server Hello message and the public key 1 included in the certificate 1, and then sends the encrypted random data 1 to the server 102 through the firewall device 101, carried in a Key Exchange message. At this point the user equipment 100 has acquired all the information needed to calculate the encryption key, i.e., the client random number, the server random number, and the random data 1, so it can calculate the encryption key for communication with the server.
To prevent a man-in-the-middle attack from tampering with the information negotiated between the user equipment 100 and the server 102, the user equipment 100 sends a Certificate Verify message to the server 102 through the firewall device 101, in which all previously exchanged messages are signed with the private key 2 of the certificate 2 for verification by the server 102. Thus, if any of the previous messages has been tampered with, the server 102 is certain to discover the presence of the attacker as long as the private key 2 has not been compromised. Thereafter, the user equipment 100 notifies the server 102, through a Change Cipher Spec message 1, that the negotiated encryption key and encryption algorithm will be used for subsequent communication, and sends a Finish message 1 to the server 102. The Finish message 1 is used to instruct the server 102 to verify the negotiated encryption key.
After receiving the Certificate message 2, the server 102 verifies whether the certificate 2 is legal. If the certificate 2 is illegal, the server 102 issues a risk prompt according to the particular illegal situation. If the certificate 2 is legal, the server 102 decrypts and verifies the signature of the Certificate Verify message using the public key 2 of the certificate 2. After the signature verification of the Certificate Verify message passes, the server 102 considers the user equipment 100 to be authentic and decrypts the encrypted random data 1 included in the Key Exchange message using the private key of the certificate 1 to obtain the random data 1. Based on the client random number, the server random number and the random data 1, the server 102 can then calculate the encryption key for communication with the user equipment 100.
Then, the server 102 decrypts the encrypted information in the Finish message 1 by using the obtained encryption key, and verifies the correctness of the decrypted data and the encryption key. After determining that the communication is correct, the server 102 sends a Change Cipher Spec message 2 and a Finish message 2 to the user equipment 100 to notify the user equipment 100 that the subsequent communication adopts the negotiated encryption key and encryption algorithm.
At this point, the user equipment 100 and the server 102 have completed the SSL negotiation, and subsequent data packets may be encrypted and transmitted using the negotiated encryption key and encryption algorithm.
As can be seen, in the SSL bidirectional authentication, the firewall device cannot acquire the encryption keys for data encryption on the user device side and the server side as a "man-in-the-middle", so that the data transmitted between the user device and the server cannot be decrypted, and further the security of the data cannot be detected.
To realize security detection of encrypted data under SSL protocol mutual authentication, the embodiments of the application provide an information processing method based on SSL protocol authentication. During SSL protocol authentication, the user equipment sends messages such as a first handshake message and a key exchange message to the server, and the server sends messages such as a second handshake message to the user equipment. The firewall device acquires the client random number from the first handshake message, and acquires the server random number and the encryption algorithm from the second handshake message. The firewall device then acquires the encrypted random data from the key exchange message and sends the encrypted random data together with the encryption algorithm to the server. The server can decrypt the encrypted random data using its own private key and the encryption algorithm sent by the firewall device to obtain the original random data, and sends the original random data to the firewall device. The firewall device generates the encryption key for communication between the user equipment and the server from the original random data, the client random number and the server random number. The user equipment and the server generate their encryption keys from the same original random data, client random number and server random number. The encryption key generated by the firewall device is therefore the same as the encryption keys generated by the user equipment and the server, so the firewall device can decrypt the user data carried in received data messages to obtain the original user data and perform security detection on it, thereby realizing security detection of encrypted data under SSL protocol bidirectional authentication.
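The key generation described above, as an added example that is not part of the patent text: a firewall-side session table collects the two hello random numbers and, once the server returns the original random data, derives the same key material as the endpoints. It assumes the TLS 1.2 PRF (RFC 5246, HMAC-SHA256) and a 96-byte key block, neither of which the patent specifies; all function and class names, the sample five-tuple and the sample byte values are constructed for illustration.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

FiveTuple = Tuple[str, int, str, int, str]  # src ip, src port, dst ip, dst port, proto


def prf(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    """TLS 1.2 PRF, P_SHA256 (assumption: the patent does not name a PRF)."""
    seed = label + seed
    out, a = b"", seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()
    return out[:length]


def derive_keys(original_random: bytes, client_random: bytes,
                server_random: bytes, key_block_len: int = 96) -> Tuple[bytes, bytes]:
    """Master secret and key block from the three values the method collects."""
    master = prf(original_random, b"master secret",
                 client_random + server_random, 48)
    # Key expansion puts the server random first (RFC 5246, section 6.3).
    key_block = prf(master, b"key expansion",
                    server_random + client_random, key_block_len)
    return master, key_block


def hello_random(record: bytes, expected_type: int) -> bytes:
    """Parse a handshake record and return the 32-byte hello random.

    expected_type is 1 for Client Hello and 2 for Server Hello.
    """
    if len(record) < 43:  # 5 record header + 4 handshake header + 2 version + 32
        raise ValueError("record too short for a hello message")
    content_type, _version, rec_len = struct.unpack("!BHH", record[:5])
    body = record[5:5 + rec_len]
    if content_type != 22 or len(body) != rec_len or rec_len < 38:
        raise ValueError("not a complete handshake record")
    if body[0] != expected_type:
        raise ValueError("unexpected handshake type %d" % body[0])
    return body[6:38]  # skip type(1) + length(3) + version(2)


@dataclass
class Session:
    client_random: Optional[bytes] = None
    server_random: Optional[bytes] = None
    master_secret: Optional[bytes] = None
    key_block: Optional[bytes] = None


class FirewallSessions:
    """Session table keyed by the client-to-server five-tuple (hypothetical)."""

    def __init__(self) -> None:
        self.table: Dict[FiveTuple, Session] = {}

    def on_first_handshake(self, key: FiveTuple, record: bytes) -> None:
        self.table[key] = Session(client_random=hello_random(record, 1))

    def on_second_handshake(self, key: FiveTuple, record: bytes) -> None:
        self.table[key].server_random = hello_random(record, 2)

    def on_original_random(self, key: FiveTuple, original_random: bytes) -> Session:
        s = self.table[key]
        if s.client_random is None or s.server_random is None:
            raise ValueError("handshake randoms missing for this session")
        s.master_secret, s.key_block = derive_keys(
            original_random, s.client_random, s.server_random)
        return s


def build_hello(hs_type: int, random32: bytes) -> bytes:
    """Constructed, minimal hello record: version, random, empty session id."""
    body = b"\x03\x03" + random32 + b"\x00"
    hs = bytes([hs_type]) + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x03" + struct.pack("!H", len(hs)) + hs


def demo() -> Tuple[Session, Tuple[bytes, bytes]]:
    # Constructed sample values, not taken from any real capture.
    key: FiveTuple = ("192.0.2.10", 50000, "198.51.100.20", 443, "tcp")
    client_random, server_random = bytes(range(32)), bytes(range(32, 64))
    original_random = b"\x03\x03" + bytes(46)  # 48 bytes, in the pre-master role
    fw = FirewallSessions()
    fw.on_first_handshake(key, build_hello(1, client_random))
    fw.on_second_handshake(key, build_hello(2, server_random))
    session = fw.on_original_random(key, original_random)
    # What the user equipment and server compute from the same three inputs.
    endpoint = derive_keys(original_random, client_random, server_random)
    return session, endpoint


if __name__ == "__main__":
    fw_session, endpoint_keys = demo()
    print("keys match:",
          (fw_session.master_secret, fw_session.key_block) == endpoint_keys)
```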
The following describes, by way of specific embodiments, an information processing method based on mutual authentication of SSL protocols according to embodiments of the present application.
Referring to fig. 3, fig. 3 is a schematic flowchart of an information processing method based on SSL protocol authentication according to an embodiment of the present disclosure. The method is suitable for the SSL protocol bidirectional authentication scene. The method is applied to the firewall device and comprises the following steps.
Step 301, receiving a first handshake message sent by a user equipment, forwarding the first handshake message to a server, and obtaining a client random number from the first handshake message. In this embodiment of the present application, obtaining a certain piece of information from a certain message means parsing the message to obtain the information. For example, obtaining the client random number from the first handshake message means parsing the first handshake message to obtain the client random number. Similar descriptions in the embodiments of the present application are to be understood in the same way.
In the SSL protocol bidirectional authentication, the first handshake message is a Client Hello message.
In the SSL protocol authentication, the user equipment sends the first handshake message to the firewall equipment. And the firewall equipment acquires the client random number from the first handshake message. After the random number of the client is obtained, the firewall equipment sends the first handshake message to the server.
In one embodiment of the application, a firewall device receives a first handshake message sent by a user equipment to a server. After the client random number is obtained from the first handshake message, the firewall device creates a first session according to the quintuple information included in the first handshake message and the client random number carried in the first handshake message. In one example, the first session may include quintuple information and negotiation information, and the negotiation information includes information such as a client random number, a server random number, an encryption suite, and an encryption key. The session is as shown in table 1.
TABLE 1
Source address | Source port | Destination address | Destination port | Negotiation information
In an optional embodiment, the firewall device may be virtualized as multiple devices, and to implement user isolation, the firewall device allocates a Virtual Routing Forwarding table (VRF for short) to the multiple Virtual devices. At this time, the first session created by the firewall device may further include an identifier of the VRF, as shown in table 2.
TABLE 2
Source address | Source port | Destination address | Destination port | VRF | Negotiation information
VRF denotes the identity of the VRF. The identity of a VRF may be understood as the identity of a virtual device.
The negotiation information in tables 1 and 2 can be seen in table 3.
TABLE 3
Encryption suite | Client random number | Server random number | Encryption key
Step 302, receiving a second handshake message which is sent by the server and responds to the first handshake message, forwarding the second handshake message to the user equipment, and obtaining the server random number and the encryption algorithm from the second handshake message.
In the SSL protocol bidirectional authentication, the second handshake message is a Server Hello message.
After receiving the first handshake message, the server sends a second handshake message to the firewall equipment according to the first handshake message. The firewall equipment acquires the server random number and the encryption algorithm from the second handshake message. After the server random number and the encryption algorithm are obtained, the firewall equipment sends the second handshake message to the user equipment.
In an embodiment of the present application, the firewall device receives the second handshake message sent by the server to the user equipment. And the firewall equipment matches the quintuple information included in the second handshake message with the quintuple information included in the first session. And if the quintuple information included in the second handshake message is matched with the quintuple information included in the first session, the firewall equipment acquires the server random number and the encryption algorithm from the second handshake message, and records the server random number and the encryption algorithm carried in the second handshake message in the first session. As shown in table 3, the firewall device records the server random number carried in the second handshake message in the server random number field in table 3, and records the encryption algorithm carried in the second handshake message in the encryption suite field in table 3. And if the quintuple information included in the second handshake message is not matched with the quintuple information included in the first session, the firewall equipment discards the second handshake message.
In the embodiment of the application, the message from the user equipment to the server is a forward message, and the message from the server to the user equipment is a reverse message. The first session is created based on the five-tuple information of the first handshake packet, i.e., based on the forward packet. For a second handshake message serving as a reverse message, when matching quintuple information included in the second handshake message with quintuple information included in a first session, the firewall device matches a source address of the second handshake message with a destination address included in the first session, matches a source port of the second handshake message with a destination port included in the first session, matches a destination address of the second handshake message with a source address included in the first session, matches a destination port of the second handshake message with a source port included in the first session, and matches a VRF to which the second handshake message belongs with a VRF included in the first session. And if the information is matched, the firewall equipment acquires the server random number and the encryption algorithm from the second handshake message. And if any one of the information is not matched, the firewall equipment discards the second handshake message.
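As an added illustration of steps 301 and 302 (example code written for this text, not part of the patent), the following Python code parses a Client Hello or Server Hello record and extracts the random number and, for the Server Hello, the selected cipher suite. The record layout is the standard TLS one; the sample messages are constructed, and the function names and the assumption that each Hello fits in one record are this example's own.

```python
import struct

HANDSHAKE_RECORD = 0x16
CLIENT_HELLO, SERVER_HELLO = 1, 2


class HelloParseError(ValueError):
    """Raised when a record is not a well-formed Client/Server Hello."""


def parse_hello(record: bytes) -> dict:
    """Extract the fields the firewall records in the session (Table 3).

    Assumption of this example: the whole Hello sits in a single TLS
    record (no fragmentation across records).
    """
    if len(record) < 5:
        raise HelloParseError("short record header")
    rec_type, _version, rec_len = struct.unpack("!BHH", record[:5])
    if rec_type != HANDSHAKE_RECORD:
        raise HelloParseError("not a handshake record")
    body = record[5:5 + rec_len]
    if len(body) != rec_len or rec_len < 4:
        raise HelloParseError("truncated record")
    msg_type = body[0]
    msg_len = int.from_bytes(body[1:4], "big")
    msg = body[4:4 + msg_len]
    if len(msg) != msg_len:
        raise HelloParseError("truncated handshake message")
    if msg_type not in (CLIENT_HELLO, SERVER_HELLO):
        raise HelloParseError("not a Hello message")
    # Layout: version(2) + random(32) + session_id length(1) + session_id
    if len(msg) < 35:
        raise HelloParseError("Hello too short to hold the random number")
    result = {"type": msg_type, "random": msg[2:34]}
    pos = 35 + msg[34]  # skip the variable-length session id
    if msg_type == SERVER_HELLO:
        # The Server Hello carries the single cipher suite it selected.
        if len(msg) < pos + 2:
            raise HelloParseError("Server Hello missing cipher suite")
        result["cipher_suite"] = int.from_bytes(msg[pos:pos + 2], "big")
    return result


def build_hello(msg_type: int, random: bytes, tail: bytes) -> bytes:
    """Build a constructed sample Hello record with an empty session id."""
    msg = b"\x03\x03" + random + b"\x00" + tail
    handshake = bytes([msg_type]) + len(msg).to_bytes(3, "big") + msg
    return struct.pack("!BHH", HANDSHAKE_RECORD, 0x0303, len(handshake)) + handshake


# Constructed sample data, not captured from any real connection.
CLIENT_RANDOM = bytes(range(32))
SERVER_RANDOM = bytes(range(32, 64))
# Client Hello tail: one offered suite (0x002F), null compression.
SAMPLE_CLIENT_HELLO = build_hello(CLIENT_HELLO, CLIENT_RANDOM, b"\x00\x02\x00\x2f\x01\x00")
# Server Hello tail: selected suite 0x002F, null compression.
SAMPLE_SERVER_HELLO = build_hello(SERVER_HELLO, SERVER_RANDOM, b"\x00\x2f\x00")

if __name__ == "__main__":
    print(parse_hello(SAMPLE_CLIENT_HELLO)["random"].hex())
    print(hex(parse_hello(SAMPLE_SERVER_HELLO)["cipher_suite"]))
```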
Step 303, receiving a key exchange message sent by the user equipment, and obtaining encrypted random data from the key exchange message, where the encrypted random data is obtained by encrypting the original random data by the user equipment using a public key and an encryption algorithm of the server.
In the SSL protocol bidirectional authentication, the key exchange message is a Key Exchange message.
In this embodiment, after receiving the first handshake message, the Server may send a Certificate message, a Certificate Request message, and a Server Hello Done message, in addition to the second handshake message. The firewall equipment directly forwards the Certificate message, the Certificate Request message and the Server Hello Done message to the user equipment without processing.
The user equipment generates original random data according to a preset algorithm, and encrypts the generated original random data by using the encryption algorithm carried by the second handshake message and the public key of the certificate carried by the Certificate message sent by the server, to obtain encrypted random data. The user equipment carries the encrypted random data in the key exchange message and sends the key exchange message to the firewall equipment. The public key of the certificate carried in the Certificate message sent by the server is the public key of the server. The firewall equipment acquires the encrypted random data from the key exchange message.
In one embodiment of the present application, a firewall device receives a key exchange message sent by a user device to a server. And the firewall equipment matches the quintuple information included in the key exchange message with the quintuple information included in the first session. And if the quintuple information included in the key exchange message is matched with the quintuple information included in the first session, the firewall equipment acquires the encrypted random data from the key exchange message. And if the quintuple information included in the key exchange message is not matched with the quintuple information included in the first session, the firewall equipment discards the key exchange message.
In this embodiment of the present application, the first session is established based on a forward packet. For a key exchange message as a forward message, when matching quintuple information included in the key exchange message with quintuple information included in a first session, a firewall device matches a source address of the key exchange message with the source address included in the first session, matches a source port of the key exchange message with a source port included in the first session, matches a destination address of the key exchange message with the destination address included in the first session, matches a destination port of the key exchange message with the destination port included in the first session, and matches a VRF to which the key exchange message belongs with a VRF included in the first session. If the information is matched, the firewall equipment acquires the encrypted random data from the key exchange message. And if any one of the information is not matched, the firewall equipment discards the key exchange message.
Step 304, the encrypted random data and the encryption algorithm are sent to the server.
After the firewall equipment acquires the encrypted random data from the key exchange message, it sends the encrypted random data and the encryption algorithm acquired from the second handshake message to the server. After receiving the encrypted random data and the encryption algorithm, the server decrypts the encrypted random data by using the private key of the server and the encryption algorithm to obtain the original random data. The private key of the server is the private key corresponding to the public key of the certificate carried in the Certificate message sent by the server. The private key is stored only locally on the server and is not carried in the certificate or sent to the user equipment.
In one embodiment of the present application, in order to improve the security of data transmission, protocol information such as a port and a data format of data transmission is negotiated in advance between a server and a firewall device. After obtaining the encrypted random data from the key exchange message, the firewall device carries the encrypted random data and the encryption algorithm in a Transmission Control Protocol (TCP) message according to the Protocol information negotiated in advance, and sends the message to the server. The server obtains the encrypted random data and the encryption algorithm from the TCP message according to the protocol information negotiated in advance, and decrypts the encrypted random data by using the private key and the encryption algorithm of the server to obtain the original random data. And the server carries the original random data in a TCP message according to the protocol information negotiated in advance and sends the TCP message to the firewall equipment.
For example, the pre-negotiated protocol information includes: port 1; bytes 30-37 of the payload store the encrypted random data; bytes 41-52 of the payload store the encryption algorithm; and bytes 30-49 of the payload store the original random data. After the firewall equipment acquires the encrypted random data from the key exchange message, it stores the acquired encrypted random data in the 30th to 37th bytes of the payload of TCP message 1 according to the pre-negotiated protocol information, stores the acquired encryption algorithm in the 41st to 52nd bytes of the payload of TCP message 1, and sends TCP message 1 to the server through port 1. After receiving TCP message 1 through port 1, the server acquires the encrypted random data from the 30th to 37th bytes of TCP message 1, acquires the encryption algorithm from the 41st to 52nd bytes of TCP message 1, and decrypts the encrypted random data by using the private key of the server and the encryption algorithm to obtain the original random data. The server stores the original random data in the 30th to 49th bytes of the payload of TCP message 2, and sends TCP message 2 to the firewall equipment through port 1. After receiving TCP message 2 through port 1, the firewall equipment can obtain the original random data from TCP message 2.
It should be understood that, in the embodiment of the present application, only TCP messages are used to implement transmission of information between the firewall device and the server. Specifically, the firewall device carries the encrypted random data and the encryption algorithm in a TCP message and sends the TCP message to the server, and the server also carries the original random data in the TCP message and sends the TCP message to the firewall device. In other embodiments, the transmission of information between the firewall device and the server may also be implemented by using a message in a custom format or other existing messages (e.g., an IP message), and the embodiment of the present application is not particularly limited.
Step 305, receiving the original random data sent by the server.
And after the server decrypts the encrypted random data to obtain original random data, the original random data is sent to the firewall equipment.
In one embodiment of the present application, in order to facilitate the server to process the encrypted random data, a firewall plug-in may be installed on the server. And after obtaining the encrypted random data from the key exchange message, the firewall equipment sends the encrypted random data and the encryption algorithm to the firewall plugin. The firewall plug-in obtains the private key of the server, and decrypts the encrypted random data by using the private key of the server and combining an encryption algorithm to obtain the original random data. And the firewall plug-in sends the original random data to the firewall equipment.
And step 306, generating an encryption key for communication between the user equipment and the server according to the original random data, the client random number and the server random number.
The information for the user equipment and the server to calculate the encryption key comprises: original random data, a client random number, and a server random number. At this time, the firewall device has obtained all the information for calculating the encryption key, and generates the encryption key for the communication between the user device and the server according to the original random data, the client random number and the server random number.
In an embodiment, after receiving the second handshake message, the firewall device may obtain, from the second handshake message, encryption suite information such as a key generation algorithm, a key exchange algorithm, a digest algorithm, and a pseudo random function, and record, in the first session, the encryption suite information obtained from the second handshake message. As shown in table 3, the firewall device records the encryption suite information acquired from the second handshake message in the encryption suite field of table 3.
After the firewall device acquires the original random data, the client random number and the server random number are processed by using a key generation algorithm acquired from the second handshake message, and an encryption key for communication between the user device and the server is generated.
In the embodiment of the application, the user equipment and the server use the same encryption algorithm and encryption key to encrypt and decrypt data, that is, the encryption key generated by the user equipment and the server is a symmetric key, and the encryption algorithm for encrypting and decrypting data is a symmetric encryption algorithm. The symmetric encryption algorithm may be the Data Encryption Standard (DES) algorithm, the triple DES (3DES) algorithm, the International Data Encryption Algorithm (IDEA), the Fast Data Encryption Algorithm (FEAL), the Blowfish algorithm, etc.
The information used by the firewall device to generate the encryption key is the same as the information used by the user device and the server to generate the encryption key. Therefore, the encryption key generated by the firewall device is a symmetric key, and the encryption algorithm obtained from the second handshake message is a symmetric encryption algorithm. And then, the firewall equipment encrypts and decrypts the user data carried by the received data message by using the generated encryption key and the obtained encryption algorithm.
In an embodiment of the present application, after the firewall device generates the encryption key, the firewall device may record the encryption key in the first session and send the key exchange message to the server.
In addition, for a Certificate message, a Certificate Verify message, a Change Cipher Spec message, a Finish message and the like sent by the user equipment, the firewall equipment does not process the messages and directly forwards the messages to the server.
In the technical scheme provided by the embodiment of the application, the firewall device can obtain the encryption key of communication between the user equipment and the server under the condition that any message is not modified, decrypt the user data carried by the data message sent by the user equipment or the server by using the encryption key to obtain the original user data, further perform security detection on the original user data, and realize the security detection on the encrypted data of the SSL protocol bidirectional authentication.
The technical scheme provided by the embodiment of the application can also be applied to SSL protocol one-way authentication, the encryption key of communication between the user equipment and the server during one-way authentication is obtained, and the security detection of the encrypted data of the SSL protocol one-way authentication is realized.
In the technical scheme provided by the embodiment of the application, the firewall equipment performs decryption processing on the encrypted random data only once after receiving the key exchange message. The user equipment does not need to perform one-way authentication on the firewall equipment to establish SSL connection, and the firewall equipment does not need to perform one-way authentication on the server to establish SSL connection, so that the loss of computing resources of the equipment is effectively reduced.
The information processing method based on SSL authentication according to the embodiment of the present application is described below with reference to fig. 3 and fig. 4, where fig. 4 is a signaling diagram of information processing based on SSL authentication.
Step 401, the user equipment 100 sends a Client Hello message to the firewall device 101.
Step 402, the firewall device 101 receives the Client Hello message, and acquires the Client random number from the Client Hello message.
Step 403, the firewall device 101 sends a Client Hello packet to the server 102.
Step 404, the Server 102 receives the Client Hello message, and sends a Server Hello message to the firewall device 101 according to the Client Hello message.
Step 405, the firewall device 101 receives the Server Hello message, and obtains the Server random number, the encryption algorithm and the key generation algorithm from the Server Hello message.
Step 406, the firewall device 101 sends the Server Hello message to the user equipment 100.
Step 407, the user equipment 100 receives the Server Hello packet, obtains the public Key and the original random data of the Server 102 according to the Server Hello packet, encrypts the original random data by using the public Key and the encryption algorithm of the Server 102 to obtain encrypted random data, and sends a Key Exchange packet carrying the encrypted random data to the firewall device 101.
Step 408, the firewall device 101 receives the Key Exchange message, and acquires the encrypted random data from the Key Exchange message.
Step 409, the firewall device 101 sends a first message carrying the encrypted random data and the encryption algorithm to the server 102. It should be understood that the first message may be a TCP message. In other embodiments, the first message may also be a message in a custom format or another existing message (e.g., an IP message), which is not limited in this embodiment of the present application.
Step 410, the server 102 receives the first message, obtains its own private key, and decrypts the encrypted random data by using its own private key and the encryption algorithm carried in the first message, so as to obtain the original random data.
Step 411, the server 102 sends a second message carrying the original random data to the firewall device 101. It should be understood that the second message may be a TCP message. In other embodiments, the second message may also be a message in a custom format or another existing message (e.g., an IP message), which is not limited in this embodiment of the present application.
In step 412, the firewall device 101 receives the second packet, and inputs the original random data, the client random number, and the server random number into the key generation algorithm to obtain the encryption key for the communication between the user device 100 and the server 102.
The description of steps 401-412 is relatively brief; for details, reference may be made to the description of steps 301-306.
In combination with the embodiment shown in fig. 3, the embodiment of the present application further provides an information processing method based on SSL protocol authentication. Referring to fig. 5, fig. 5 is a schematic flowchart of a second information processing method based on SSL authentication according to an embodiment of the present application. The method is applied to the firewall device and can comprise the following steps.
Step 501, receiving a first handshake message sent by a user equipment, forwarding the first handshake message to a server, and acquiring a client random number from the first handshake message. Step 501 is the same as step 301.
Step 502, receiving a second handshake message which is sent by the server and responds to the first handshake message, forwarding the second handshake message to the user equipment, and obtaining the server random number and the encryption algorithm from the second handshake message.
Step 502 is the same as step 302.
Step 503, receiving a key exchange message sent by the user equipment, and obtaining encrypted random data from the key exchange message, where the encrypted random data is obtained by encrypting the original random data by the user equipment using the public key and the encryption algorithm of the server. Step 503 is the same as step 303.
Step 504, the encrypted random data and the encryption algorithm are sent to the server. Step 504 is the same as step 304.
And step 505, receiving the original random data sent by the server. Step 505 is the same as step 305.
Step 506, generating an encryption key for communication between the user equipment and the server according to the original random data, the client random number and the server random number. Step 506 is the same as step 306.
Step 507, receiving the data message. The data message is a message sent by the user equipment to the server, or a message sent by the server to the user equipment.
In the embodiment of the application, after the firewall equipment generates the encryption key, the key exchange message is sent to the server. For a Certificate message, a Certificate Verify message, a Change Cipher Spec message, a Finish message and the like sent by the user equipment, the firewall equipment does not process the messages and directly forwards the messages to the server. In this way, after the user equipment and the server both generate the encryption key and establish the SSL connection, the user equipment and the server may communicate. That is, the user equipment may send a data message to the server through the firewall equipment, and the server may send a data message to the user equipment through the firewall equipment.
And step 508, decrypting the user data carried by the data message by using the encryption key and the encryption algorithm to obtain the original user data.
After receiving the data message, the firewall device decrypts the user data carried in the data message by using the generated encryption key and the encryption algorithm obtained in step 502 to obtain the original user data.
In an optional embodiment, after receiving the data message, the firewall device matches the quintuple information of the data message with the quintuple information included in the first session. If the quintuple information of the data message matches the quintuple information included in the first session, the firewall device acquires the encryption algorithm and the encryption key included in the first session, and decrypts the user data carried by the data message by using the acquired encryption key and encryption algorithm to obtain the original user data.
Step 509, security detection is performed on the original user data.
And after the firewall equipment acquires the original user data, carrying out security detection on the original user data. The security detection comprises Deep Packet Inspection (DPI), content security detection, auditing and the like.
In an optional embodiment, if the firewall device determines that the data message is an attack message after performing security detection on the original user data, it may construct a connection-teardown ("waving") message and send it to the user equipment and the server respectively, to disconnect the connection between the user equipment and the server, and delete the first session matched with the quintuple information of the data message. Therefore, the security of the network can be effectively improved. If the firewall device determines that the data message is a normal message after the original user data is subjected to security detection, it forwards the data message.
In an alternative embodiment, the user device and the server send an alarm message to the firewall device if a threat is detected. For example, after the user equipment verifies the certificate of the server, and determines that the certificate of the server is illegal, an alarm message is sent to the firewall equipment. For another example, after the server verifies the certificate of the user equipment, and determines that the certificate of the user equipment is illegal, the server sends an alarm message to the firewall equipment. The processing flow for the alarm message is shown in fig. 6.
Step 601, receiving an alarm message.
The alarm message may be a message sent by the user equipment to the server, or may be a message sent by the server to the user equipment. The alarm message includes the type of the alarm message. For example, the types of the alarm message may be classified into a fatal (Fatal) type and a warning (Warning) type. The Fatal type is used to indicate that the SSL connection is disconnected. The Warning type is used to alert the user that there is a risk without having to disconnect the SSL connection. The type of the alarm message may be set according to actual requirements, which is not limited in the embodiment of the present application.
Step 602, detecting whether the type of the alarm message is a fatal type. If yes, go to step 603. If not, go to step 605.
After receiving the alarm message, the firewall device detects whether the type of the alarm message is a fatal type.
Step 603, searching for a second session matched with the quintuple information of the alarm message. If so, go to step 604. If not, go to step 605.
If the type of the alarm message is a fatal type, the firewall equipment determines that the SSL connection corresponding to the SSL session matched with the quintuple information of the current alarm message has a great risk, and needs to disconnect the SSL connection and search for a second session matched with the quintuple information of the alarm message.
Step 604, deleting the second session, and sending a connection-teardown ("waving") message to the user equipment and the server.
If the firewall equipment finds the second session matched with the quintuple information of the alarm message, it sends the teardown message to the user equipment and the server, and deletes the second session, so as to disconnect the SSL connection to which the current alarm message belongs and recover session resources. The user equipment and the server each disconnect according to the teardown message.
Step 605, forwarding the alarm message.
If the type of the alarm message is not a fatal type, or the second session is not found, the firewall equipment performs subsequent processing and forwards the alarm message.
In an embodiment of the present application, if the firewall device receives a connection-teardown ("waving") message sent by a server or a user equipment, the firewall device searches for a third session matched with the quintuple information of that message, deletes the third session, recycles session resources, and forwards the message.
In one embodiment of the present application, the firewall device may set the SSL connection keep-alive mechanism. Specifically, if the message matched with the first session is not received after the preset duration, the firewall device deletes the first session. The problem of session residue after the SSL connection between the user equipment and the server is disconnected is solved, and session resources are saved.
In one embodiment of the present application, to facilitate firewall device management, a session state may be set on the firewall device, and as shown in table 4, a session state field may be included in the negotiation information.
TABLE 4
Session state | Encryption suite | Client random number | Server random number | Encryption key
The session state may include a first handshake message reached state, a second handshake message reached state, and a key exchange message reached state. The first handshake message reached state (Client Hello Received state) is used to indicate that the first handshake message has been Received. In the Client Hello Received state, the second handshake message sent by the server is expected to be processed subsequently.
The second handshake message reached state (Server Hello Received state) is used to indicate that the second handshake message has been Received. In the Server Hello Received state, the subsequent expected processing is the key exchange message.
The key exchange message reached state (Key Exchange Received state) is used to indicate that the key exchange message has been received. In the Key Exchange Received state, the subsequent expected processing is the Change Cipher Spec message and the encrypted data message of the application layer.
In this case, after receiving the first handshake message, the firewall device creates a first session according to the quintuple information included in the first handshake message, records the client random number carried by the first handshake message in the first session, and sets the state of the session to the Client Hello Received state.
After receiving the second handshake message, if the quintuple information included in the second handshake message matches the quintuple information included in the first session, the firewall device detects whether the first session and the second handshake message satisfy a first preset condition. The first preset condition is that the first session is in the Client Hello Received state, or that the first session is in the Server Hello Received state and the second handshake message is a retransmission message. If the first preset condition is met, the firewall device records the server random number and the encryption algorithm carried by the second handshake message in the first session, and sets the state of the first session to the Server Hello Received state. If the first preset condition is not met, the firewall device discards the second handshake message.
After receiving the key exchange message, if the quintuple information included in the key exchange message matches the quintuple information included in the first session, the firewall device detects whether the first session and the key exchange message satisfy a second preset condition. The second preset condition is that the first session is in the Server Hello Received state, or that the first session is in the Key Exchange Received state and the key exchange message is a retransmission message. If the second preset condition is met, the firewall device acquires the encrypted random data from the key exchange message, and sets the state of the first session to the Key Exchange Received state. If the second preset condition is not met, the firewall device discards the key exchange message.
Based on the session state, the flow in which the firewall device processes a data message is shown in fig. 7.
Step 701, receiving a data message. The data message is a message sent by the user equipment to the server, or a message sent by the server to the user equipment.
Step 702, searching for a fourth session matching the quintuple information of the data message. If one is found, go to step 703. If not, go to step 707.
Step 703, detecting whether the state of the fourth session is the Key Exchange Received state. If yes, go to step 704. If not, go to step 707.
Step 704, decrypting the user data carried in the data message by using the encryption algorithm and the encryption key recorded in the fourth session, so as to obtain the original user data.
Step 705, performing security detection on the original user data, and determining whether the data message is an attack message. If yes, go to step 706. If not, go to step 708.
Step 706, constructing a hand waving message, and sending it to the user equipment and the server respectively.
Step 707, discarding the data message.
Step 708, forwarding the data message.
Steps 701-708 are described only briefly here; for details, refer to the related description of figs. 3-5.
The first session, the second session, the third session and the fourth session may be the same or different. This is not limited in the embodiments of the present application. In this technical scheme the firewall device needs only three session states, so the state machine is relatively simple and device resources are effectively saved.
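The three-state session handling and the step 701-708 data path described above, as an added sketch that is not code from the patent. The `retransmit` flag, the direction-independent `flow_key`, the injected `decrypt` and `is_attack` callables, the verdict strings, and the handling of a missing session or a missing key are assumptions; the addresses, key and detection rule are constructed sample values.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Dict, Optional, Tuple

FiveTuple = Tuple[str, int, str, int, str]  # src ip, src port, dst ip, dst port, protocol


class State(Enum):
    CLIENT_HELLO_RECEIVED = 1
    SERVER_HELLO_RECEIVED = 2
    KEY_EXCHANGE_RECEIVED = 3


@dataclass
class Session:
    state: State
    client_random: bytes
    server_random: Optional[bytes] = None
    cipher: Optional[str] = None
    encrypted_random: Optional[bytes] = None
    key: Optional[bytes] = None  # set once the encryption key has been generated


def flow_key(t: FiveTuple) -> tuple:
    """Direction-independent key (assumption): both directions map to one session."""
    a, b = (t[0], t[1]), (t[2], t[3])
    return (min(a, b), max(a, b), t[4])


class SessionTable:
    def __init__(self) -> None:
        self.sessions: Dict[tuple, Session] = {}

    def on_client_hello(self, t: FiveTuple, client_random: bytes) -> str:
        # Create the session and record the client random number.
        self.sessions[flow_key(t)] = Session(State.CLIENT_HELLO_RECEIVED, client_random)
        return "accept"

    def on_server_hello(self, t, server_random, cipher, retransmit=False) -> str:
        s = self.sessions.get(flow_key(t))
        if s is None:
            return "drop"  # assumption: the page only covers the matching case
        # First preset condition.
        if not (s.state is State.CLIENT_HELLO_RECEIVED
                or (s.state is State.SERVER_HELLO_RECEIVED and retransmit)):
            return "drop"
        s.server_random, s.cipher = server_random, cipher
        s.state = State.SERVER_HELLO_RECEIVED
        return "accept"

    def on_key_exchange(self, t, encrypted_random, retransmit=False) -> str:
        s = self.sessions.get(flow_key(t))
        if s is None:
            return "drop"  # assumption, as above
        # Second preset condition.
        if not (s.state is State.SERVER_HELLO_RECEIVED
                or (s.state is State.KEY_EXCHANGE_RECEIVED and retransmit)):
            return "drop"
        s.encrypted_random = encrypted_random
        s.state = State.KEY_EXCHANGE_RECEIVED
        return "accept"

    def on_data(self, t, payload, decrypt: Callable, is_attack: Callable) -> str:
        s = self.sessions.get(flow_key(t))                           # step 702
        if s is None or s.state is not State.KEY_EXCHANGE_RECEIVED:  # step 703
            return "drop"                                            # step 707
        if s.key is None:
            return "drop"  # assumption: key not generated yet, nothing to inspect with
        plaintext = decrypt(s.cipher, s.key, payload)                # step 704
        if is_attack(plaintext):                                     # step 705
            return "reset"  # step 706: hand waving message to both ends
        return "forward"                                             # step 708


def toy_xor(cipher: str, key: bytes, data: bytes) -> bytes:
    """Constructed stand-in for the negotiated cipher; not real encryption."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def demo() -> list:
    c2s = ("10.0.0.5", 50000, "192.0.2.10", 443, "tcp")  # constructed addresses
    s2c = ("192.0.2.10", 443, "10.0.0.5", 50000, "tcp")
    flagged = lambda plaintext: b"BLOCKME" in plaintext   # constructed detection rule
    key = b"k3y"                                          # constructed key
    fw = SessionTable()
    out = [
        fw.on_data(c2s, b"early", toy_xor, flagged),      # no session
        fw.on_client_hello(c2s, b"C" * 32),
        fw.on_key_exchange(c2s, b"\xaa" * 8),             # out of order
        fw.on_server_hello(s2c, b"S" * 32, "toy-xor"),
        fw.on_server_hello(s2c, b"S" * 32, "toy-xor", retransmit=True),
        fw.on_key_exchange(c2s, b"\xaa" * 8),
        fw.on_server_hello(s2c, b"S" * 32, "toy-xor"),    # late and not a retransmission
        fw.on_data(c2s, b"x", toy_xor, flagged),          # key not generated yet
    ]
    fw.sessions[flow_key(c2s)].key = key  # stands in for the key generation step
    out.append(fw.on_data(s2c, toy_xor("", key, b"hello"), toy_xor, flagged))
    out.append(fw.on_data(c2s, toy_xor("", key, b"..BLOCKME.."), toy_xor, flagged))
    return out
```

`demo()` returns one verdict per message: handshake messages are accepted only in the order the preset conditions allow, and data messages are inspected only once the session is in the Key Exchange Received state with a key recorded.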
Based on the same inventive concept, and corresponding to the above information processing method based on SSL protocol authentication, the embodiment of the present application further provides an information processing apparatus based on SSL protocol authentication. Referring to fig. 8, fig. 8 is a schematic structural diagram of an information processing apparatus based on SSL protocol authentication according to an embodiment of the present application, where the apparatus is applied to a firewall device, and includes: a first obtaining unit 801, a second obtaining unit 802, a third obtaining unit 803, a sending unit 804, a first receiving unit 805, and a generating unit 806.
A first obtaining unit 801, configured to receive a first handshake message sent by a user equipment, forward the first handshake message to a server, and obtain a client random number from the first handshake message;
a second obtaining unit 802, configured to receive a second handshake message that is sent by the server and responds to the first handshake message, forward the second handshake message to the user equipment, and obtain a server random number and an encryption algorithm from the second handshake message;
a third obtaining unit 803, configured to receive a key exchange packet sent by the user equipment, and obtain encrypted random data from the key exchange packet, where the encrypted random data is obtained by encrypting, by the user equipment, the original random data with the public key of the server and an encryption algorithm;
a sending unit 804, configured to send the encrypted random data and the encryption algorithm to a server, so that the server decrypts the encrypted random data by using a private key and the encryption algorithm of the server, and obtains original random data;
a first receiving unit 805, configured to receive original random data sent by a server;
a generating unit 806, configured to generate an encryption key for communication between the user equipment and the server according to the original random data, the client random number, and the server random number.
In an optional embodiment, the information processing apparatus based on SSL authentication may further include:
a second receiving unit, configured to receive a data packet after generating an encryption key for communication between the user equipment and the server, where the data packet is a packet sent by the user equipment to the server or a packet sent by the server to the user equipment;
the decryption unit is used for decrypting the user data carried by the data message by using the encryption key and the encryption algorithm to obtain original user data;
and the detection unit is used for carrying out security detection on the original user data.
In an optional embodiment, the first obtaining unit 801 may be specifically configured to, after obtaining the client random number from the first handshake packet, create a first session according to five tuple information included in the first handshake packet and the client random number carried in the first handshake packet;
the second obtaining unit 802 may be specifically configured to obtain the server random number and the encryption algorithm from the second handshake message if the quintuple information included in the second handshake message matches the quintuple information included in the first session;
the third obtaining unit 803 may be specifically configured to obtain the encrypted random data from the key exchange packet if the five-tuple information included in the key exchange packet matches the five-tuple information included in the first session.
In an optional embodiment, the first obtaining unit 801 may be specifically configured to create a first session according to five-tuple information included in the first handshake packet; recording a client random number carried by a first handshake message in a first session, and setting the state of the session as a first handshake message reached state, wherein the first handshake message reached state is used for indicating that the first handshake message is received;
the second obtaining unit 802 may be specifically configured to detect whether the first session and the second handshake packet meet a first preset condition, where the first preset condition is that the state of the first session is a first handshake packet reached state, or the state of the first session is a second handshake packet reached state and the second handshake packet is a retransmission packet, and the second handshake packet reached state is used to indicate that the second handshake packet has been received; if so, recording a server random number and an encryption algorithm carried by the second handshake message in the first session, and setting the state of the first session as the reached state of the second handshake message;
the third obtaining unit 803 may be specifically configured to detect whether the first session and the key exchange packet satisfy a second preset condition, where the second preset condition is that the state of the first session is an achieved state of the second handshake packet, or that the state of the first session is an achieved state of the key exchange packet and the key exchange packet is a retransmission packet, and the achieved state of the key exchange packet is used to indicate that the key exchange packet has been received; if yes, obtaining the encrypted random data from the key exchange message, and setting the state of the first session as the state reached by the key exchange message.
In an optional embodiment, the information processing apparatus based on SSL authentication may further include:
a third receiving unit, configured to receive an alarm message;
the searching unit is used for searching a second session matched with the quintuple information of the alarm message if the type of the alarm message is a fatal type, and the fatal type is used for indicating that the SSL connection is disconnected;
and the deleting unit is used for deleting the second session if the second session is found, and sending the hand waving message to the user equipment and the server, so that the user equipment and the server each disconnect the connection between them according to the hand waving message.
According to the technical scheme provided by the embodiment of the application, the firewall device can obtain the encryption key for communication between the user equipment and the server without modifying any message, and then use the encryption key to decrypt the user data carried by a data message sent by the user equipment or the server to obtain the original user data, so that security detection is performed on the original user data, and security detection of encrypted data under SSL protocol bidirectional authentication is realized.
Based on the same inventive concept, according to the above information processing method based on the SSL authentication, the present application embodiment further provides a firewall device, as shown in fig. 9, including a processor 901 and a machine-readable storage medium 902, where the machine-readable storage medium 902 stores machine-executable instructions that can be executed by the processor 901. Processor 901 is caused by machine executable instructions to implement any of the steps shown in fig. 3-7 described above.
In an optional embodiment, as shown in fig. 9, the firewall device may further include: a communication interface 903 and a communication bus 904; the processor 901, the machine-readable storage medium 902, and the communication interface 903 complete communication with each other through the communication bus 904, and the communication interface 903 is used for communication between the firewall device and other devices.
Based on the same inventive concept, according to the information processing method based on the SSL protocol authentication, the embodiment of the present application further provides a machine-readable storage medium, where the machine-readable storage medium stores machine-executable instructions capable of being executed by a processor. The processor is caused by machine executable instructions to implement any of the steps shown in figures 3-7 above.
The communication bus may be a PCI (Peripheral Component Interconnect) bus, an EISA (Extended Industry Standard Architecture) bus, or the like. The communication bus may be divided into an address bus, a data bus, a control bus, etc.
The machine-readable storage medium may include a RAM (Random Access Memory) and an NVM (Non-Volatile Memory), such as at least one disk memory. Additionally, the machine-readable storage medium may be at least one memory device located remotely from the aforementioned processor.
The processor may be a general-purpose processor, including a Central Processing Unit (CPU), a Network Processor (NP), and the like; it may also be a DSP (Digital Signal Processor), an ASIC (Application Specific Integrated Circuit), an FPGA (Field Programmable Gate Array) or another programmable logic device, a discrete gate or transistor logic device, or a discrete hardware component.
It is noted that, herein, relational terms such as first and second, and the like may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising a …" does not exclude the presence of other identical elements in a process, method, article, or apparatus that comprises the element.
All the embodiments in the present specification are described in a related manner, and the same and similar parts among the embodiments may be referred to each other, and each embodiment focuses on the differences from the other embodiments. In particular, for the embodiments of the information processing apparatus, the firewall device and the machine-readable storage medium based on the SSL authentication, since they are substantially similar to the embodiments of the information processing method based on the SSL authentication, the description is relatively simple, and relevant points can be found in the partial description of the embodiments of the information processing method based on the SSL authentication.
The above description is only for the preferred embodiment of the present application, and is not intended to limit the scope of the present application. Any modification, equivalent replacement, improvement and the like made within the spirit and principle of the present application are included in the protection scope of the present application.

Claims (12)

1. An information processing method based on secure socket layer protocol authentication is applied to firewall equipment, and the method comprises the following steps:
receiving a first handshake message sent by user equipment, forwarding the first handshake message to a server, and acquiring a client random number from the first handshake message;
receiving a second handshake message which is sent by the server and responds to the first handshake message, forwarding the second handshake message to the user equipment, and acquiring a server random number and an encryption algorithm from the second handshake message;
receiving a key exchange message sent by the user equipment, and acquiring encrypted random data from the key exchange message, wherein the encrypted random data is obtained by encrypting original random data by the user equipment by using a public key of the server and the encryption algorithm;
sending the encrypted random data and the encryption algorithm to the server so that the server decrypts the encrypted random data by using a private key of the server and the encryption algorithm to obtain original random data;
receiving the original random data sent by the server;
and generating an encryption key for communication between the user equipment and the server according to the original random data, the client random number and the server random number.
2. The method of claim 1, further comprising, after generating the encryption key for communication between the user equipment and the server:
receiving a data message, wherein the data message is a message sent by the user equipment to the server or a message sent by the server to the user equipment;
decrypting the user data carried by the data message by using the encryption key and the encryption algorithm to obtain original user data;
and carrying out security detection on the original user data.
3. The method of claim 1, after obtaining a client random number from the first handshake message, further comprising:
creating a first session according to quintuple information included in the first handshake message and a client random number carried in the first handshake message;
the step of obtaining the server random number and the encryption algorithm from the second handshake message includes:
if the quintuple information included in the second handshake message is matched with the quintuple information included in the first session, acquiring a server random number and an encryption algorithm from the second handshake message;
the step of obtaining encrypted random data from the key exchange message includes:
and if the quintuple information included in the key exchange message is matched with the quintuple information included in the first session, acquiring encrypted random data from the key exchange message.
4. The method according to claim 3, wherein the step of creating a session according to five-tuple information included in the first handshake packet and a client random number carried in the first handshake packet comprises:
creating a first session according to quintuple information included in the first handshake message; recording a client random number carried by the first handshake message in the first session, and setting the state of the session as a first handshake message reached state, wherein the first handshake message reached state is used for indicating that the first handshake message is received;
the step of obtaining the server random number and the encryption algorithm from the second handshake message includes:
detecting whether the first session and the second handshake message meet a first preset condition, wherein the first preset condition is that the state of the first session is the first handshake message reached state, or the state of the first session is the second handshake message reached state and the second handshake message is a retransmission message, and the second handshake message reached state is used for indicating that the second handshake message is received; if so, recording a server random number and an encryption algorithm carried by the second handshake message in the first session, and setting the state of the first session as the reached state of the second handshake message;
the step of obtaining encrypted random data from the key exchange message includes:
detecting whether the first session and the key exchange message meet a second preset condition, wherein the second preset condition is that the state of the first session is the reached state of the second handshake message, or the state of the first session is the reached state of the key exchange message and the key exchange message is a retransmission message, and the reached state of the key exchange message is used for indicating that the key exchange message is received; if yes, obtaining encrypted random data from the key exchange message, and setting the state of the first session as the state reached by the key exchange message.
5. The method according to claim 3 or 4, characterized in that the method further comprises:
receiving an alarm message;
if the type of the alarm message is a fatal type, searching a second session matched with quintuple information of the alarm message;
and if the second session is found, deleting the second session, and sending hand waving messages to the user equipment and the server, so that the user equipment and the server each disconnect the connection between them according to the hand waving messages.
6. An information processing apparatus based on secure socket layer protocol authentication, applied to a firewall device, the apparatus comprising:
a first obtaining unit, configured to receive a first handshake message sent by user equipment, forward the first handshake message to a server, and obtain a client random number from the first handshake message;
a second obtaining unit, configured to receive a second handshake message that is sent by the server and responds to the first handshake message, forward the second handshake message to the user equipment, and obtain a server random number and an encryption algorithm from the second handshake message;
a third obtaining unit, configured to receive a key exchange packet sent by the user equipment, and obtain encrypted random data from the key exchange packet, where the encrypted random data is obtained by encrypting, by the user equipment, original random data by using a public key of the server and the encryption algorithm;
a sending unit, configured to send the encrypted random data and the encryption algorithm to the server, so that the server decrypts the encrypted random data by using a private key of the server and the encryption algorithm to obtain original random data;
a first receiving unit, configured to receive the original random data sent by the server;
and the generating unit is used for generating an encryption key for communication between the user equipment and the server according to the original random data, the client random number and the server random number.
7. The apparatus of claim 6, further comprising:
a second receiving unit, configured to receive a data packet after generating an encryption key for communication between the user equipment and the server, where the data packet is a packet sent by the user equipment to the server or a packet sent by the server to the user equipment;
the decryption unit is used for decrypting the user data carried by the data message by using the encryption key and the encryption algorithm to obtain original user data;
and the detection unit is used for carrying out security detection on the original user data.
8. The apparatus according to claim 6, wherein the first obtaining unit is specifically configured to, after obtaining a client random number from the first handshake message, create a first session according to quintuple information included in the first handshake message and the client random number carried in the first handshake message;
the second obtaining unit is specifically configured to obtain a server random number and an encryption algorithm from the second handshake message if quintuple information included in the second handshake message matches quintuple information included in the first session;
the third obtaining unit is specifically configured to obtain the encrypted random data from the key exchange packet if the quintuple information included in the key exchange packet matches the quintuple information included in the first session.
9. The apparatus according to claim 8, wherein the first obtaining unit is specifically configured to create a first session according to quintuple information included in the first handshake message; recording a client random number carried by the first handshake message in the first session, and setting the state of the session as a first handshake message reached state, wherein the first handshake message reached state is used for indicating that the first handshake message is received;
the second obtaining unit is specifically configured to detect whether the first session and the second handshake message meet a first preset condition, where the first preset condition is that the state of the first session is the first handshake message reached state, or that the state of the first session is the second handshake message reached state and the second handshake message is a retransmission message, and the second handshake message reached state is used to indicate that the second handshake message has been received; if so, recording a server random number and an encryption algorithm carried by the second handshake message in the first session, and setting the state of the first session as the reached state of the second handshake message;
the third obtaining unit is specifically configured to detect whether the first session and the key exchange packet satisfy a second preset condition, where the second preset condition is that the state of the first session is the second handshake packet reached state, or that the state of the first session is the key exchange packet reached state and the key exchange packet is a retransmission packet, and the key exchange packet reached state is used to indicate that the key exchange packet has been received; if yes, obtaining encrypted random data from the key exchange message, and setting the state of the first session as the state reached by the key exchange message.
10. The apparatus of claim 8 or 9, further comprising:
a third receiving unit, configured to receive an alarm message;
the searching unit is used for searching a second session matched with the quintuple information of the alarm message if the type of the alarm message is a fatal type, wherein the fatal type is used for indicating that SSL connection is disconnected;
and the deleting unit is used for deleting the second session if the second session is found, and sending a hand waving message to the user equipment and the server, so that the user equipment and the server each disconnect the connection between them according to the hand waving message.
11. A firewall device, comprising a processor and a machine-readable storage medium storing machine-executable instructions executable by the processor, the processor being caused by the machine-executable instructions to carry out the method steps of any one of claims 1 to 5.
12. A machine-readable storage medium having stored thereon machine-executable instructions executable by a processor, the processor being caused by the machine-executable instructions to carry out the method steps of any one of claims 1 to 5.
Application number: CN201910447394.8A; priority date: 2019-05-27; filing date: 2019-05-27; title: Information processing method and device based on secure socket layer protocol authentication; status: Active; publication: CN110190955B (en)

Publications (2)

Publication Number    Publication Date
CN110190955A (en)    2019-08-30
CN110190955B (en)    2022-05-24


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant