CN111526161A - Communication method, communication equipment and proxy system - Google Patents


Info

Publication number
CN111526161A
Authority
CN
China
Prior art keywords
certificate
client
digital certificate
target
target data
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202010460944.2A
Other languages
Chinese (zh)
Inventor
刘晓曦
张剑鸣
孙瑞琦
冷显慧
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Lenovo Beijing Ltd
Original Assignee
Lenovo Beijing Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Lenovo Beijing Ltd
Priority to CN202010460944.2A
Publication of CN111526161A
Legal status: Pending

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0823 Network architectures or network communication protocols for network security for authentication of entities using certificates
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0281 Proxies
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0884 Network architectures or network communication protocols for network security for authentication of entities by delegation of authentication, e.g. a proxy authenticates an entity to be authenticated on behalf of this entity vis-à-vis an authentication entity
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/02 Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3263 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Information Transfer Between Computers (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Computer And Data Communications (AREA)

Abstract

The application relates to a communication method, a communication device and a proxy system. In the communication method, after a cache-side proxy device obtains a client request, it further obtains a second digital certificate declared as the target network station of the client request and, based on the second digital certificate, impersonates the server: that is, the proxy device is disguised as the server and communicates with the client on the basis of the second digital certificate. This avoids the problem that the client considers the proxy device untrusted for lack of a certificate and refuses to accept forwarded data. In addition, because encrypted communication technologies such as HTTPS/SSL do not require the server to verify the identity of the client, the proxy device can adopt the client identity (disguised as the client) to take data from the server over encrypted communication without limitation. A cache proxy technology suitable for an encrypted communication environment is thereby realized, and the purpose of optimizing network service in an encrypted communication environment can be achieved.

Description

Communication method, communication equipment and proxy system
Technical Field
The present application relates to the field of network communication and network caching technologies, and in particular, to a communication method, a communication device, and a proxy system.
Background
Based on data security considerations between the browser and the server, more and more internet websites have started to use an encrypted communication technology such as HTTPS/SSL. HTTPS (Hyper Text Transfer Protocol over Secure Socket Layer), that is, the hypertext transfer security protocol, is an HTTP channel targeting security, and the security basis of HTTPS is SSL (Secure Sockets Layer).
In a LAN environment, caching technology is often adopted to optimize the internet experience. By acquiring network content and caching it in a cache device, the cached content can be returned directly when a subsequent request hits, so that network response speed is improved and the internet surfing experience is optimized. However, as internet websites gradually promote and enable encrypted communication technologies such as HTTPS/SSL, it becomes extremely difficult to provide a cache service based on content caching in an encrypted communication environment, with the result that conventional cache technology gradually loses its function and can hardly achieve the purpose of optimizing network service.
Disclosure of Invention
In view of this, the present application discloses a communication method, a communication device, and an agent system, which achieve the purpose of optimizing network services in an encrypted communication environment by providing a cache agent technology suitable for the encrypted communication environment.
The specific technical scheme is as follows:
a communication method is applied to a proxy device, and the method comprises the following steps:
obtaining a client request; the client request comprises a network resource address of target data;
determining a target network station requested by a client based on the network resource address;
acquiring a second digital certificate according to the target network station; the second digital certificate is a certificate declared as the target network station;
sending second certificate information of the second digital certificate to a client;
and feeding back the target data to the client based on a verification passing result when the client verifies the second digital certificate by using the root certificate of the second certificate issuing authority.
Preferably, the acquiring the second digital certificate according to the target network station includes:
determining whether a second digital certificate corresponding to the target network station is available in a locally stored certificate set;
in the event that presence is determined, obtaining the second digital certificate from the set of certificates;
and in the event that presence is not determined, acquiring a first digital certificate of the target network station and applying for a second digital certificate declared as the target network station from a second certificate issuing authority based on the first digital certificate, wherein the first digital certificate is issued by the first certificate issuing authority.
Preferably, the applying for the second digital certificate declared as the target network station from a second certificate issuing authority based on the first digital certificate includes:
acquiring a first digital certificate of the target network station from a target server where the target network station is located;
extracting first certificate information of the first digital certificate;
sending a certificate application request including the first certificate information to the second certificate issuing authority;
acquiring a second digital certificate issued by the second certificate issuing authority based on the first certificate information;
the first certificate information comprises a domain name of the target network station, a first public key and a first signature of the first public key, and the second certificate information comprises the domain name of the target network station, a second public key and a second signature of the second public key; the second certificate issuing authority is established in a local area network where the proxy equipment is located.
Preferably, before feeding back the target data to the client, the method further includes:
establishing a second encryption channel with the client;
the feeding back the target data to the client comprises:
and feeding back second encrypted data of the target data to the client based on the second encryption channel.
Preferably, between the obtaining the client request and the determining the target network station requested by the client based on the network resource address, further includes:
determining whether a cache device is provided with the target data corresponding to the network resource address;
if yes, obtaining the target data from the cache device;
and if not, acquiring the target data from the target server where the target network site is located.
Preferably, wherein:
under the condition that the cache equipment has the target data, after the target data is obtained from the cache equipment, skipping to the step of feeding back the target data to the client;
and under the condition that the cache equipment does not have the target data, triggering the steps of determining a target network station requested by the client based on the network resource address and acquiring a second digital certificate according to the target network station, so that the target data is fed back to the client based on the verification passing result of the client to the second digital certificate.
Preferably, after applying for the second digital certificate declared as the target network station from a second certificate issuing authority, the method further includes:
storing the second digital certificate.
A communication method applied to a client device comprises the following steps:
sending a client request including a network resource address of the target data to the network;
obtaining second certificate information of a second digital certificate fed back by the proxy device based on the client request; the second digital certificate is either a certificate declared as the target network site that the proxy device obtained from its local store, or a certificate declared as the target network site that the proxy device applied for from a second certificate issuing authority based on the first digital certificate of the target network site corresponding to the network resource address, wherein the first digital certificate is issued by the first certificate issuing authority;
verifying the second digital certificate by using a root certificate issued by the second certificate issuing authority;
and obtaining target data fed back by the proxy device based on a verification result indicating that the verification passed.
Preferably, before obtaining the target data fed back by the proxy device, the method further includes:
establishing a second encryption channel with the proxy equipment;
the obtaining of the target data fed back by the agent device includes:
obtaining second encryption data fed back by the agent device based on the second encryption channel;
and decrypting the second encrypted data to obtain the target data.
A communication device, comprising:
a memory for storing at least one set of computer instructions;
a processor for implementing the communication method applied to the proxy device as described in any one of the above items or implementing the communication method applied to the client device as described in any one of the above items by executing the instruction set stored in the memory.
A proxy system, comprising:
the cache device is used for caching data of the network station;
the second certificate issuing mechanism is used for issuing a second digital certificate declared as a corresponding network site to the cache equipment;
a proxy device for executing the communication method applied to the proxy device as described in any one of the above;
the caching device, the second certificate issuing authority and the proxy device are arranged on the same physical device in an integrated mode or are arranged on different physical devices in a scattered mode.
The inventor finds that encrypted communication technologies such as HTTPS/SSL require a client to verify the certificate of the server that provides the content service, so as to ensure the security of the client by verifying the credibility of the server, but do not require the server to perform credibility verification on the client.
Based on this characteristic, in the communication method provided by the application, after obtaining a client request, the cache-side proxy device further obtains a second digital certificate declared as the target website of the client request and, based on that certificate, impersonates the server: that is, the proxy device is disguised as the server and communicates with the client on the basis of the second digital certificate. This avoids the problem that the client considers the proxy device untrusted for lack of a certificate and refuses to accept forwarded data. In addition, because encrypted communication technologies such as HTTPS/SSL do not require the server to verify the identity of the client, the proxy device can adopt the client identity (disguised as the client) to take data from the server over encrypted communication and cache it without limitation. A cache proxy technology suitable for the encrypted communication environment is thereby realized, and the purpose of optimizing network service in an encrypted communication environment can be achieved.
Drawings
In order to more clearly illustrate the embodiments of the present application or the technical solutions in the prior art, the drawings needed to be used in the description of the embodiments or the prior art will be briefly introduced below, it is obvious that the drawings in the following description are only embodiments of the present application, and for those skilled in the art, other drawings can be obtained according to the provided drawings without creative efforts.
FIG. 1 is a schematic diagram of a caching technique in a content interception manner;
FIG. 2 is a schematic diagram illustrating the invalidation of caching techniques in content interception in an encrypted communication environment;
FIG. 3 is a schematic diagram of the failure of the MITM-mode caching technique in an encrypted communication environment;
fig. 4 is a flowchart of a communication method applied to a proxy device according to an embodiment of the present application;
fig. 5 is another schematic flowchart of a communication method applied to a proxy device according to an embodiment of the present application;
FIG. 6 is a schematic diagram of ensuring that an agent is trusted by a client based on an owned CA provided by an embodiment of the present application;
fig. 7 is a schematic flowchart of a communication method applied to a proxy device according to an embodiment of the present application;
fig. 8 is a further flowchart of a communication method applied to a proxy device according to an embodiment of the present application;
fig. 9 is a schematic flowchart of a communication method applied to a proxy device according to an embodiment of the present application;
fig. 10 is a flowchart of a communication method applied to a client device according to an embodiment of the present application;
fig. 11 is another schematic flowchart of a communication method applied to a client device according to an embodiment of the present application;
fig. 12 is a sequence diagram of encrypted communication based on trusted authentication between devices according to the caching proxy technology of the present application provided in the embodiment of the present application;
fig. 13 is a schematic flowchart of intra-domain distribution of a root certificate of an own CA according to an embodiment of the present application;
fig. 14 is a schematic flowchart of a process in which an own CA issues a certificate to a proxy device according to an embodiment of the present application;
fig. 15 is a schematic diagram illustrating an establishment process of an SSL secure communication channel according to an embodiment of the present application;
fig. 16 is a schematic structural diagram of a communication device according to an embodiment of the present application;
fig. 17 is a schematic structural diagram of a proxy system according to an embodiment of the present application.
Detailed Description
The technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are only a part of the embodiments of the present application, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
In order to better understand the communication method, the communication device and the agent system provided by the present application, some technologies of encryption communication, caching, etc. in the prior art are first described, and meanwhile, related research and problem discovery of the inventor on the technologies of encryption communication, caching, etc. are provided.
At present, two main ways for optimizing network services based on caching technology are available, one is a way based on content interception, and the other is a Man-in-the-middle attack (MITM) way similar to the caching server scheme.
In the content interception based approach, as shown in fig. 1, the cache server relies on being able to intercept the content transmitted between the client (e.g. a browser) and the server (e.g. an HTTPS server on the internet) and cache it, so that when a subsequent client request hits, the cached content can be returned directly to the client without obtaining it from the website's server. However, referring to fig. 2, when an encrypted communication tunnel is established between the client and the remote server using an encrypted communication technology such as HTTPS/SSL, a cache such as a cache-side proxy device can intercept only the encrypted data, and it cannot restore the original content of the intercepted data because it lacks the decryption information (e.g. the private key of the client). Furthermore, modern encrypted communication has forward secrecy: even when the same content is observed in different transmissions, the observed encrypted content differs (e.g. the same content is encrypted with a session key that is freshly negotiated for each transmission), so the uniqueness of the content cannot be identified through playback. Consequently, even if the encrypted data is blindly cached, a cache index cannot be generated effectively: because the data obtained after encryption differs each time, the same content is cached as multiple different encrypted blobs, its uniqueness cannot be identified, and no unique and effective cache index can be formed.
In the MITM approach, referring to fig. 3, communication channels, such as encrypted communication tunnel 2 and encrypted communication tunnel 1 in fig. 3, need to be established separately between the client and the cache-side proxy device and between the cache-side proxy device and the remote server (e.g. the website's server); the proxy device obtains content from the server by masquerading as the client, and outputs the content to the client by masquerading as the server. However, encrypted communication technologies such as HTTPS/SSL require the client to verify the certificate of the server that provides the content service, so as to ensure the security of the client by verifying the authenticity of the server (e.g. refusing to receive content from a server whose certificate does not verify). Since the proxy device cannot provide the server's digital certificate issued by a trusted Certificate Authority (CA), it cannot impersonate the server, and the content it forwards to the client is readily identified by the client as coming from an intermediate third party (possibly tampered with) and rejected.
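The forward-secrecy argument above can be made concrete with a small simulation. The following Go program is an added illustration, not code from the patent or from Lenovo: AES-GCM under a random per-session key stands in for the TLS session key that is negotiated afresh for each transmission, and a SHA-256 over the observable bytes stands in for the cache index. A cache that sees only ciphertext (fig. 2) never produces a repeated index for the same page, whereas a proxy that holds the session key and indexes the decrypted page hits from the second request onward. The page content and the request count are constructed sample values.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// sealUnderFreshSessionKey models one TLS session with an ephemeral key:
// the same record is encrypted under a key that never repeats. AES-GCM with a
// random 256-bit key and random nonce is the stand-in used here (assumption).
func sealUnderFreshSessionKey(record []byte) ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// Ciphertext = nonce || AES-GCM(record); the key itself is never stored.
	return append(nonce, aead.Seal(nil, nonce, record, nil)...), nil
}

// contentIndex derives a cache index from whatever bytes the caching layer can observe.
func contentIndex(b []byte) string {
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

// cache is a minimal content cache: index -> stored bytes, with hit counting.
type cache struct {
	entries map[string][]byte
	hits    int
}

func newCache() *cache { return &cache{entries: map[string][]byte{}} }

// serve returns the cached entry for index, or stores body on a miss.
func (c *cache) serve(index string, body []byte) []byte {
	if cached, ok := c.entries[index]; ok {
		c.hits++
		return cached
	}
	c.entries[index] = body
	return body
}

// InterceptionHits replays n requests for the same page through a cache that
// only sees ciphertext (fig. 2): every session key differs, so no index repeats.
func InterceptionHits(page []byte, n int) (int, error) {
	c := newCache()
	for i := 0; i < n; i++ {
		ct, err := sealUnderFreshSessionKey(page)
		if err != nil {
			return 0, err
		}
		c.serve(contentIndex(ct), ct)
	}
	return c.hits, nil
}

// TerminatingProxyHits replays n requests through a proxy that holds the session
// key, decrypts, and indexes the plaintext page: the index repeats, so every
// request after the first is a hit.
func TerminatingProxyHits(page []byte, n int) int {
	c := newCache()
	for i := 0; i < n; i++ {
		c.serve(contentIndex(page), page)
	}
	return c.hits
}

func main() {
	page := []byte("<html>constructed sample page</html>") // constructed sample content
	ih, err := InterceptionHits(page, 5)
	if err != nil {
		panic(err)
	}
	th := TerminatingProxyHits(page, 5)
	fmt.Printf("ciphertext-indexed hits: %d, plaintext-indexed hits: %d\n", ih, th)
}
```

The interesting property is that the interception cache is not merely slow but structurally unable to hit: the index is a function of bytes that change with every session, so no amount of storage helps until the cache can see plaintext, which is exactly what the proxy in this application sets out to achieve.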
Therefore, as the encryption communication technologies such as HTTPS/SSL and the like are gradually popularized and started in Internet websites, no matter the cache technology based on content interception or an MITM mode, effective cache service is difficult to provide in an encryption communication environment, and accordingly, the purpose of optimizing network service is difficult to achieve.
In order to solve at least the above problems of the conventional technologies, the present application provides a communication method, a communication device, and an agent system, which may be applied to, but not limited to, an encrypted communication environment based on an encrypted communication technology such as HTTPS/SSL, and in particular, may be applied to a client-side, a cache-side (e.g., a cache-side agent device, a cache server), and a server-side multi-party communication interaction scenario based on a cache technology in the environment. The communication method, the communication device and the proxy system will be described in detail below with specific embodiments.
In an optional embodiment, a communication method applicable to an agent device is provided, where the agent device to which the method is applied may specifically be an agent device at a cache end in the above scenario, and the agent device may be a forward agent, and in implementation, the forward agent may be disposed in a local area network where a client is located, and provides a cache agent function between the client and a server in an external network (e.g., an HTTPS server in the internet).
As shown in fig. 4, the communication method applied to the proxy device according to the embodiment of the present application may include:
step 401, obtaining a client request; the client request includes a network resource address of the target data.
The client request may be a request generated by a browser or other app on the user's device to obtain particular content, for example a request to obtain a certain web page or a certain data item within the page.
The client request at least comprises the network resource address of the target data to be obtained.
The client request may be, but is not limited to, an HTTPS request, and the network Resource address of the target data may be, but is not limited to, a URL (Uniform Resource Locator) address of a page corresponding to the target data.
Step 402, determining a target network station requested by the client based on the network resource address.
The target website requested by the client refers to a website to which target data requested by the client belongs. The target network station may be characterized by its domain name, but is not limited thereto, and may also be characterized by the IP address of the server of the station to which the target network station belongs.
Preferably, in the case that the client requests a URL address carrying target data, domain name information may be extracted from the URL address, and the extracted domain name may be used to characterize the target website requested by the client.
Step 403, obtaining a second digital certificate according to the target network station.
The second digital certificate is a certificate declared as a target network station.
A digital certificate is a representation of an identity; a second digital certificate that carries the declaration "target network station" therefore represents the identity of the server corresponding to the target network station (that is, the server that hosts and runs the target network station).
In a network environment, a network site corresponds to one or more physical servers, that is, one or more physical servers carry and operate one network site, but logically, a network site corresponds to one logical server, and the logical server corresponds to at least one physical server.
Correspondingly, in the issuing of the digital certificate for identity authentication, the CA organization may issue a digital certificate to a logical server corresponding to the network site by taking the network site as a unit, and declare the issued digital certificate as an issued object, i.e., the issued network site, so as to indicate the identity of the issued digital certificate (the network site or the logical server thereof).
In the embodiment of the application, after obtaining the client request and determining the target network station requested by the client, the proxy device obtains, according to the target network station, a second digital certificate declared as the target network station, so that the cache-side proxy device can impersonate the server on the basis of the second digital certificate; that is, the proxy device uses the obtained second digital certificate to disguise itself as the server providing the content service and communicates with the client in that role.
Step 404, sending second certificate information of the second digital certificate to the client.
The proxy device then sends the second certificate information of the second digital certificate to the client so that the client can verify the proxy device's identity, in accordance with the requirement of encrypted communication technologies such as HTTPS/SSL that the client must verify the certificate presented by the server.
Step 405, based on the verification passing result when the client verifies the second digital certificate by using the root certificate of the second certificate issuing authority, feeding the target data back to the client.
Since the proxy device of the caching peer has the second digital certificate declared as the target network site, the client will accordingly preliminarily identify the proxy device as a server for providing the content service of the target network site.
Further, the client may verify the second digital certificate sent by the proxy device based on the root certificate issued by the trusted certificate issuing authority that the client holds, and when the verification passes, determine that the proxy device has a legitimate server identity for providing the required content service, and accordingly consider the proxy device as trusted (of course, if the verification fails, determine that the proxy device is not trusted).
The proxy device may feed back target data to the client based on a verification result obtained when the client verifies the second digital certificate, for example, specifically feed back the content of a certain webpage requested by the client to the client.
The target data fed back to the client by the proxy device may be specifically obtained from a cache device (e.g., a cache server) of the cache end, or may also be obtained by the proxy device from a server of the target network site, which will be described in detail later.
In an implementation, in order to ensure that the proxy device can pass the client's authentication based on the second digital certificate, a single certificate issuing authority (such as the second certificate issuing authority described above) may be designated to issue the second digital certificate to the proxy device and to issue to the client the root certificate used to authenticate the second digital certificate. From the client's point of view, the second digital certificate of the proxy device is then issued by a certificate issuing authority the client approves of, and the client holds a verification key (i.e. the public key provided in the root certificate) matching the signature information in the second digital certificate, so the proxy device can pass authentication.
In this embodiment, after obtaining the client request, the proxy device at the cache further obtains the second digital certificate of the target website declared as the client request, and based on the second digital certificate of the target website, the proxy device performs identity impersonation on the server, that is, the proxy device disguises as the server and the client to communicate based on the second digital certificate, thereby avoiding the problem that the proxy device is deemed as being untrustworthy and refuses to accept forwarded data due to lack of the certificate, and in addition, because the encryption communication technologies such as HTTPS/SSL do not require the server to perform identity verification on the client, the proxy device can adopt the client identity (disguised as the client) to take data from the server based on encryption communication and cache without limitation, thereby implementing a cache proxy technology suitable for an encryption communication environment, the purpose of optimizing network service in an encrypted communication environment can be achieved.
In practical applications, when a certificate issuing authority issues a digital certificate for a certain object, a pair of public keys and private keys are generated for the issued object, the public keys are carried in the certificate, and the private keys are held by the issued object in a private manner, so that even if the digital certificate of the certain object is acquired by other objects, the other objects cannot truly counterfeit the identity of the certificate owner because of lack of the private keys matched with the acquired certificate (in the public keys).
In order to implement identity impersonation of a server of a target network site by proxy equipment, in the present application, a second digital certificate declared to be the target network site and obtained by the proxy equipment is not a digital certificate (correspondingly referred to as a first digital certificate) that is truly issued by a superior CA (referred to as a first certificate issuing authority) where the server of the target network site is located, and a process of obtaining the second digital certificate by the proxy equipment and a principle that the proxy equipment can implement identity impersonation of a corresponding server based on the second digital certificate are specifically described below.
As shown in fig. 5, step 403, obtaining the second digital certificate according to the target network station, may further be implemented as:
Step 4031, determining whether a second digital certificate corresponding to the target network station exists in a locally stored certificate set.
In order for the proxy device to successfully counterfeit the identity of the corresponding website server, the embodiment of the application provides a dedicated second certificate issuing authority for issuing digital certificates to the proxy device, the second certificate issuing authority being different from the superior CA (i.e. the first certificate issuing authority) of the website's server.
In practical applications, a cache server and a proxy device are usually configured in a local area network environment, so as to provide a cache service for a client in the local area network environment, and accordingly achieve the purpose of optimizing a network service.
Optionally, in an implementation, a second certificate issuing authority, such as the self-owned CA in the local area network shown in fig. 6, may be provided in the local area network that contains the client, the cache server and the proxy device. It issues to the proxy device, for each of the different target network sites requested by clients in the local area network (the same client or different clients), a corresponding second digital certificate, and so enables the proxy device to masquerade as the server of each such target network site when communicating with the client.
It is readily understood that the second certificate issuing authority is considered trusted in the local area network environment in which it is located.
Accordingly, the proxy device may maintain a certificate set (initially empty) for storing the second digital certificates, corresponding to the respective websites, that the second certificate issuing authority issues to the proxy device. Optionally, it may store the correspondence between the domain names of different websites and their second digital certificates, that is, store the second digital certificates of different websites using the website domain name as the index. As shown in fig. 6, the certificate set may be maintained as a self-signed certificate repository, which may reside on the same physical machine as the proxy device or on a different physical machine.
After obtaining a client request of a client for requesting corresponding target data in a target network site, in order to spoof the server identity of the target network site, the proxy device may first query, using a domain name of the target network site as an index, from a local certificate set maintained by the proxy device, whether a second digital certificate corresponding to the target network site exists.
Step 4032, in the absence of the second digital certificate, acquiring the first digital certificate of the target network station, and applying to a second certificate issuing authority, based on the first digital certificate, for the second digital certificate declared as the target network station, where the first digital certificate is issued by the first certificate issuing authority.
If the second digital certificate does not exist (for example, no client in the local area network has requested the target network station before, so no corresponding second digital certificate has been obtained and stored; or it has been requested before but the stored second digital certificate of the target network station has been deleted or lost), the proxy device needs to apply on the spot to the second certificate issuing authority for the second digital certificate corresponding to the target network station.
The process of applying for the second digital certificate corresponding to the target network station by the proxy device may include:
1) acquiring a first digital certificate of a target network site from a target server where the target network site is located;
The first digital certificate of the target network site is the certificate that the server of the target network site applied for from its superior CA, i.e., the first certificate issuing authority (such as the CA in the internet in fig. 6); it is the real certificate of the server of the target network site. The first digital certificate comprises at least the domain name of the target network site, a first public key, and a first signature over the first public key, where the first public key is the public key of the key pair issued by the first certificate issuing authority to the server, and the first signature is the signature information obtained by the first certificate issuing authority signing the first public key with its own private key.
The private key corresponding to the first public key is referred to as the first private key.
The first digital certificate is declared as the target network station based on the carried domain name of the target network station.
Optionally, the first digital certificate may also include any one or more of issuer (i.e., the first certificate issuing authority described above) information, validity period, and the like.
2) First certificate information of the first digital certificate is extracted.
At least the domain name of the target network station is extracted from the first digital certificate, and the validity period information may also be extracted where the first digital certificate includes a validity period. This is not limiting; other information, such as the issuer information in the first digital certificate, may also be extracted.
3) Sending a certificate application request including first certificate information to the second certificate issuing authority;
Referring to fig. 6, in particular, the forward proxy in the local area network may send a certificate application request including the first certificate information to the self-owned CA in the same local area network.
Correspondingly, the certificate application request includes at least the domain name of the target network station; in addition, where the first digital certificate carries validity period information, the certificate application request also includes that validity period information, so that the second digital certificate obtained by the application has the same validity period as the first digital certificate of the target network station.
The content of the certificate application request is not limited to the above, however, and may depend on the information extracted from the first digital certificate; for example, the issuer information in the first digital certificate may also be included, so that the original issuer of the first digital certificate on which the application is based is recorded in the second digital certificate.
4) And acquiring a second digital certificate issued by the second certificate issuing authority based on the first certificate information.
The issuing, by the second certificate issuing authority (such as the self-owned CA in the local area network in fig. 6), of a second digital certificate to the proxy device (the applicant) based on the first certificate information may include:
41) generating a pair of public and private keys for the proxy device: a second public key and a second private key;
The key pair generated by the second certificate issuing authority for the proxy device is different from the first public key in the first digital certificate and the corresponding first private key held privately by the server of the target network site.
Here, the public key and private key generated by the second certificate issuing authority for the proxy device are referred to as the second public key and the second private key, respectively, to distinguish them from the first public key in the first digital certificate and the corresponding first private key.
42) Signing the second public key by using a private key of a second certificate issuing authority to obtain a second signature;
43) writing the certificate information into a digital certificate to generate the second digital certificate.
The generated second digital certificate includes at least: the domain name of the target network station, the second public key, and a second signature of the second public key.
Optionally, any one or more of a validity period, the original issuer of the first digital certificate on which it is based, and the like may be included, without limitation.
Where a validity period is included, the validity period recorded in the second digital certificate is consistent with the validity period in the first digital certificate on which the second digital certificate is based.
See table 1 below for an example of a second digital certificate generated based on a first digital certificate:
TABLE 1
(Table 1 is an image in the original and is not reproduced here.)
In this example, three network sites (identified by their domain names) are given: www.example.com, antenna-site.com and third-web.com. Each site's real certificate, i.e., its first digital certificate, includes information such as the "common name" (i.e., the domain name), "issuer", "validity period", "signature" and "public key" (the public key is not shown in table 1 and is replaced by an ellipsis).
For each of these network sites, the table also shows the second digital certificate (which may be understood as a self-signed certificate) that the proxy device applied for from the second certificate issuing authority based on the site's first digital certificate. The common name and validity period in the second digital certificate are the same as those in the first digital certificate, whereas the issuer, signature and public key are changed: the issuer becomes the CA owned by the local area network; the original first public key (issued by the superior CA of the website, i.e., the first certificate issuing authority) is replaced by the second public key (issued by the second certificate issuing authority); and correspondingly the signature changes from the original first signature (obtained by the first certificate issuing authority signing the first public key with its own private key) to the second signature (obtained by the second certificate issuing authority signing the second public key with its own private key).
Step 4033, in case it is determined that the second digital certificate exists, obtaining the second digital certificate from the certificate set.
If the second digital certificate corresponding to the target network station exists in the local certificate set maintained by the proxy device, it can be obtained directly from the local certificate set.
As described above, in an implementation, at least one second digital certificate that has been (historically) issued to the proxy device by the second certificate issuing authority may be stored in the certificate set with the domain name of the target network station as an index, and different indexes correspond to the second digital certificates declared as different network stations, respectively. The second digital certificate corresponding to the target network station can be queried and obtained from the certificate collection based on the domain name of the target network station.
For example, in the local area network shown in fig. 6, the forward proxy may query and obtain the second digital certificate corresponding to the target network site from the local self-signed certificate repository based on the domain name of the target network site.
Encrypted communication technologies such as HTTPS/SSL require the client to verify the certificate of the server that provides the content service. In a caching application, since the proxy device provides an intermediate cache proxy service between the client and the server, the client is in effect required to authenticate the proxy device and to recognise it as the trusted server.
Based on the above consideration, in the present application the second certificate issuing authority, in addition to issuing second digital certificates to the proxy device, also issues its root certificate to each client that needs to use the proxy device (for example, each client in the same local area network as the proxy device), where the root certificate carries the public key of the second certificate issuing authority. Taking the local area network shown in fig. 6 as an example, the self-owned CA may distribute the root certificate carrying its public key to the client machines in the domain; alternatively, the root certificate of the self-owned CA may be distributed to and installed on the client machines in the local area network by means of a domain policy (e.g., the AD domain management policy of a Windows architecture), a domain management agent, or the like.
In this way, after the client obtains the second digital certificate of the proxy device, it can successfully verify the second public key in the certificate based on the root certificate of the second certificate issuing authority, identify the proxy device as a trusted site server providing the target network site on the basis of that successful verification, and, as far as the client can tell, communicate with the server on the basis of the second digital certificate.
The process by which the client authenticates the proxy device comprises: decrypting the second signature using the public key in the root certificate of the second certificate issuing authority and comparing the result with the second public key; if they are consistent the verification passes, and if they are inconsistent the verification fails.
In summary, in this embodiment the second digital certificate obtained by the proxy device is declared as the target website, it is a certificate issued by the second certificate issuing authority to the proxy device, and the proxy device holds both the second digital certificate and the private key matching the public key carried in it (and accordingly has a genuine right to use the certificate and the matching private key), so that impersonation of the server of the target website can be achieved.
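As an added illustration of steps 1) to 4) and of the client-side check described above (example code, not code from the patent or from any Lenovo implementation), the following Go program uses only the standard library to build a stand-in "first" authority and a LAN-owned "second" authority, derives a second certificate from a constructed first certificate, and shows which clients accept it. The CA names and the host www.example.com are constructed values.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

// ca models a certificate issuing authority: one instance stands in for the first
// authority (Internet CA), another for the second (the LAN-owned CA clients trust).
type ca struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

// newCA builds a self-signed root certificate for the authority called name.
func newCA(name string) (*ca, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(10 * 365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return &ca{cert: cert, key: key}, err
}

// issue signs a server certificate for host over [notBefore, notAfter] with a fresh
// key pair (steps 41 to 43); the caller keeps the private key that makes it usable.
func (c *ca) issue(host string, notBefore, notAfter time.Time) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), // demo serial, not production-grade
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    notBefore,
		NotAfter:     notAfter,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, c.cert, &key.PublicKey, c.key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// secondCertificate derives the proxy's second certificate from the site's first one:
// common name and validity are copied (table 1); issuer, key and signature are the LAN CA's.
func secondCertificate(lanCA *ca, first *x509.Certificate) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	return lanCA.issue(first.Subject.CommonName, first.NotBefore, first.NotAfter)
}

// accepts reports whether a client trusting only root accepts leaf as the server for host.
func accepts(leaf, root *x509.Certificate, host string) bool {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, DNSName: host})
	return err == nil
}

// spkiFingerprint hashes the certificate's public key; a client pinning this value for
// the site notices the key substitution even with the LAN root installed.
func spkiFingerprint(c *x509.Certificate) string {
	sum := sha256.Sum256(c.RawSubjectPublicKeyInfo)
	return hex.EncodeToString(sum[:])
}

func main() {
	internetCA, _ := newCA("Internet CA") // constructed stand-in for the first authority
	lanCA, _ := newCA("LAN owned CA")     // constructed stand-in for the second authority
	first, _, _ := internetCA.issue("www.example.com", time.Now().Add(-time.Hour), time.Now().Add(24*time.Hour))
	second, _, _ := secondCertificate(lanCA, first)
	fmt.Println("LAN client accepts proxy certificate:  ", accepts(second, lanCA.cert, "www.example.com"))
	fmt.Println("client without LAN root accepts it:    ", accepts(second, internetCA.cert, "www.example.com"))
	fmt.Println("public key fingerprint unchanged:      ", spkiFingerprint(first) == spkiFingerprint(second))
}
```

The last line is the caveat a defender cares about: the second certificate is accepted only because the LAN root was installed, and its public key differs from the site's real key, which is what certificate or public-key pinning compares.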
The present application mainly provides an applicable caching proxy technology for an encrypted communication environment, and therefore, in an optional implementation, before feeding back the target data to the client, the communication method applied to the proxy device may further include the following processing steps, as specifically shown in fig. 7:
Step 701, establishing a second encryption channel with the client.
The operation of establishing the second encryption channel between the proxy device and the client may be performed after the client authenticates the proxy device, but is not limited thereto, and may also be performed before the client authenticates the proxy device.
Preferably, as shown in fig. 7, in order to reduce the processing complexity as much as possible, the operation of establishing the second encrypted channel may be performed only when the client's verification of the second digital certificate passes, that is, when the client verifies that the identity of the proxy device is authentic; otherwise, if the client's verification of the second digital certificate fails (for example, the client's request was intercepted by a device outside the local area network, which cannot pass the client's identity verification), the operation is not performed.
Optionally, establishing the second encryption channel between the proxy device and the client may be implemented through the following processing procedures:
1) the proxy equipment acquires the public key of the client and sends the public key in the second digital certificate to the client;
that is, the proxy device exchanges a public key with the requesting client for negotiation of a session key.
2) Performing key negotiation with the client based on the public key of the client to obtain a second session key;
In the key negotiation process, the proxy device and the client each encrypt the negotiated session key with the other party's public key and transmit it to the other party, which decrypts it with its own private key, completing the negotiation confirmation of the session key between the two parties and finally yielding a second session key approved by both. This completes establishment of the second encryption channel between the client and the proxy device; the established second encryption channel may be, for example, the encrypted communication tunnel 2 shown in fig. 6.
Accordingly, in step 405, the target data is fed back to the client, which may be specifically implemented as:
Step 702, feeding back second encrypted data of the target data to the client based on the second encryption channel.
Specifically, the proxy device may encrypt the target data corresponding to the client request, for example certain webpage data requested by the client, using the second session key negotiated with the client to obtain second encrypted data, and feed the second encrypted data back to the client.
The client can correspondingly decrypt the second encrypted data by using the second session key to obtain the target data.
Thus, encrypted communication based on trusted authentication between the client and the proxy device in the encrypted communication environment is completed.
In an alternative embodiment, referring to fig. 8, the above-mentioned communication method applied to the proxy device may further include, between step 401 and step 402:
Step 801, determining whether the cache device has target data corresponding to the network resource address.
optionally, the caching device may specifically be a caching server, such as a caching server connected to the forward proxy in the local area network of fig. 6.
The cache device obtains and caches network data content, so that cached content can be returned directly to the client when a subsequent client request hits it. In an implementation, the cache device may locally cache different network data using the network resource address of the data as the index, for example using the URL address of a web page as the index to cache individual web page data on a cache server.
In view of this, in the embodiment of the present application, after the proxy device obtains the client request it may first query, based on the network resource address (such as a URL address) carried in the client request, whether the local cache device has target data corresponding to the requested network resource address.
Step 802, if so, obtaining the target data from the cache device.
if so, the target data corresponding to the requested network resource address is directly obtained from the cache device at the local end, and the target data does not need to be obtained remotely from the server of the target network site to which the target data belongs.
For the local area network application scenario shown in fig. 6, in the case that target data requested by the client exists in the local cache server, the target data can be directly obtained from the cache server inside the local area network, and the target data does not need to be requested from an external network (e.g., an HTTPS server in the internet), which can correspondingly improve the network response rate.
Step 803, if not, acquiring the target data from the target server where the target network station is located.
Otherwise, if the target data is not available (for example, no client in the local area network has requested the target data before, so it was never cached; or it was requested and cached before but has since been cleared or lost), the proxy device needs to obtain the requested target data from the target server of the target network site corresponding to the network resource address.
For an encrypted communication environment based on technologies such as HTTPS/SSL, since HTTPS/SSL does not require the server to authenticate the client, the proxy device may request the target data from the target server under the client identity, that is, the proxy device masquerades as the client to communicate with the server. The process may include:
1) forwarding the client request to a target server;
Because encrypted communication technologies such as HTTPS/SSL require the client to verify the server's certificate, after receiving the client request forwarded by the proxy device the target server sends its first digital certificate back to the proxy device.
2) Verifying the first digital certificate of the target network station fed back by the target server;
Specifically, the proxy device may verify the first digital certificate of the target server based on the public key of the first certificate issuing authority. The process may include: decrypting the first signature in the first digital certificate using the public key of the first certificate issuing authority and comparing the result with the first public key in the first digital certificate; if they are consistent the verification passes, and if they are inconsistent the verification fails.
3) Establishing a first encryption channel with the target server based on the verification result passing the verification;
If the verification passes, the target server is regarded as a trusted server providing the target network site, and accordingly an encrypted channel can be established between the proxy device and the target server.
Similar to the implementation of establishing the second encryption channel between the client and the proxy device, the process of establishing the first encryption channel between the proxy device and the target server may include:
31) acquiring a public key of a target server, and sending the public key of the proxy equipment to the target server;
that is, the proxy device performs public key exchange with the target server to facilitate negotiation of the session key.
The public key of the target server is the public key carried in the first digital certificate.
Optionally, the public key sent by the proxy device to the target server may be a public key declared by the proxy device to be carried in the second digital certificate of the target network station.
This is not limiting, however: since the proxy device requests data from the target server under the client identity (i.e., masquerading as a client) and the target server does not need to verify the client identity, the proxy device may also generate a key pair from a random number and send that public key to the target server.
32) Carrying out key negotiation with the target server based on the public key of the target server to obtain a first session key;
In the key negotiation process, the proxy device and the target server each encrypt the negotiated session key with the other party's public key and transmit it to the other party, which decrypts it with its own private key, completing the negotiation confirmation of the session key between the two parties and finally yielding a first session key approved by both. This completes establishment of the first encryption channel between the proxy device and the target server; the established first encryption channel may be, for example, the encrypted communication tunnel 1 shown in fig. 6.
4) Obtaining first encrypted data of the target data by using a first encryption channel;
Once the first encryption channel has been established, when the target server feeds back the target data to the proxy device it encrypts the target data with the first session key of the channel and feeds back the resulting first encrypted data to the proxy device.
5) And decrypting the first encrypted data to obtain the target data.
The proxy device receives the first encrypted data fed back by the target server and decrypts it using the first session key, thereby obtaining the target data.
Thereafter, the proxy device may further forward the target data to the client based on a second encryption channel between the proxy device and the client to complete a response to the client request.
In addition, the target data obtained from the target server can be stored in a local cache device, such as a cache server, so that when a client needs to request the target data again the request can be served directly from the local cache without fetching the target data remotely from the target server of the target network site. The data stored in the cache device, such as the web page data of each network site, may be maintained according to a predetermined policy, for example periodically clearing data in the cache server that has not been requested for a set time period, or clearing data whose request frequency within a set time period is lowest or below a threshold, and so on.
Through the above processing, the proxy device not only achieves trusted encrypted communication with the client by counterfeiting the identity of the website server, but can also request data from the website server under the client identity. Data communication based on trusted verification is thereby realised among the client, the proxy device and the website server in an encrypted communication environment, a cache proxy technology suitable for that environment is realised, the problems of the conventional technology are solved, and the purpose of optimizing network service under encrypted communication is achieved.
In an optional embodiment, as shown in fig. 9, when the cache device has the target data, after the target data is obtained from the cache device the method skips directly to the step of feeding back the target data to the client;
and when the cache device does not have the target data, the steps of determining the target network station requested by the client based on the network resource address and acquiring the second digital certificate according to the target network station are triggered, so that the target data is fed back to the client based on the client's verification result for the second digital certificate.
If the cache device has the target data, this indicates that the proxy device at the cache end has previously provided a content service for that target data to a client (the same client as the one now sending the request, or a different one) and, correspondingly, that the proxy device was previously verified as trustworthy for that target data. In this case the proxy device is treated by default as trusted within the local area network for the content service of the target data, so the client performs no further identity verification of the proxy device for this request, and the method skips directly to the step in which the proxy device feeds the target data back to the client. If the cache device does not have the target data, the communication interaction process based on identity authentication of the proxy device is executed as normal.
When skipping to the step of feeding back the target data to the client, the target data may be transmitted in encrypted form over an established encryption channel to ensure data security during transmission, or the proxy device may feed back the unencrypted target data directly to the client (the local area network being considered secure) instead of establishing an encryption channel between the client and the proxy device, without limitation.
In this embodiment, when the cache device has the target data the proxy device is trusted by default, and after the target data is obtained from the cache the proxy device skips directly to feeding back the target data to the client, which further improves the network response rate; and because the proxy device was verified as trusted in the past for the requested target data, communication security on the basis of identity trust is also ensured.
In an optional embodiment, after the proxy device applies to the second certificate issuing authority for and obtains the second digital certificate declared as the target network station, the obtained second digital certificate may further be stored.
That is, the second digital certificate obtained by the application is stored in the local certificate set.
For example, as shown in fig. 6, after the forward proxy applies for the second digital certificate corresponding to the target network site from the own CA of the local area network, the forward proxy may add and store the second digital certificate to the self-signed certificate repository by using the domain name of the target network site as an index.
Therefore, when a client in the local area network needs to request corresponding data content of a target network site, if a certain webpage in the target network site is requested, the proxy equipment can directly obtain a second digital certificate corresponding to the target network site from the local certificate set, and does not need to temporarily apply to a second certificate issuing authority based on a first digital certificate corresponding to the target network site, so that the network response rate can be further improved.
In an implementation, each second digital certificate in the local certificate set may be maintained based on a predetermined policy, for example, a certificate in the local certificate set that is not used for a set time period is periodically cleared, or a certificate with a lowest usage frequency or a lower usage frequency than a threshold value within a set time period is cleared, and so on.
Matching the communication method applied to the proxy device, an embodiment of the present application further discloses a communication method applied to the client device. Referring to fig. 10, the method may include:
Step 1001, sending a client request including a network resource address of the target data to the network.
When the client needs to obtain the target data from the network, a client request carrying the network resource address of the target data is generated and sent to the network.
For example, when a browser on a user terminal needs to obtain certain webpage data from the network, an HTTPS request carrying the URL of the webpage is generated and sent to the network.
Step 1002, obtaining second certificate information of a second digital certificate fed back by the proxy device based on the client request.
In client-server communication based on caching technology, a client request sent by the client to the network is intercepted by the proxy device at the caching end, and the proxy device responds to the intercepted request by assuming the identity of the server that provides the content service.
In an encrypted communication environment, the client is constrained by encrypted communication technologies such as HTTPS/SSL to verify the certificate from the server, so as to confirm that the identity of the server providing the content service is genuine. Therefore, after the proxy device intercepts the client request, the client correspondingly receives the second certificate information of the second digital certificate fed back by the proxy device.
The second digital certificate is either a certificate, obtained by the proxy device from its local certificate set, declared as the target network station to which the target data belongs, or a certificate declared as the target network station that the proxy device applied for from the second certificate issuing authority on the basis of the first digital certificate of the target network station.
The first digital certificate is issued by the superior CA (certificate issuing authority) of the target network site, i.e. the first certificate issuing authority.
The second certificate information of the second digital certificate comprises at least the domain name of the target network station, the second public key and the second signature. For further details of the second digital certificate, reference may be made to the related description above, which is not repeated here.
Step 1003, verifying the second digital certificate by using the root certificate issued by the second certificate issuing authority.
After obtaining the second digital certificate, the client verifies it with the public key in the root certificate issued by the second certificate issuing authority. For example, in fig. 6, the client verifies the second digital certificate presented by the agent with the public key in the root certificate issued by the own CA.
The process may include: the client decrypts the second signature in the second digital certificate with the public key in the root certificate issued by the second certificate issuing authority and checks the decryption result for consistency with the second public key in the second digital certificate. If they are consistent, the verification passes and the agent device is correspondingly considered trustworthy; otherwise, if they are inconsistent, the verification fails and the agent device is correspondingly considered untrustworthy.
Step 1004, obtaining the target data fed back by the agent device on the basis of a verification result indicating that the verification passed.
If the verification passes, the target data fed back by the agent device can be obtained and displayed on the client interface for the user to view. Otherwise, if the verification fails, the client can refuse to receive target data fed back by the agent device (for example, an agent device outside the local area network, which correspondingly fails the trust verification), so that the data security of the client device is ensured.
The present application mainly provides a caching proxy technique applicable to an encrypted communication environment. Therefore, in an optional embodiment, matching the communication method applied to the proxy device, the communication method applied to the client device may further include the following processing steps before obtaining the target data fed back by the proxy device, as shown in fig. 11:
Step 1101, establishing a second encryption channel with the proxy device.
The second encryption channel between the client and the proxy device may be established after the client has verified the proxy device, but this is not a limitation: it may also be established before the client verifies the proxy device.
Preferably, as shown in fig. 11, to keep processing complexity as low as possible, the second encrypted channel is established only when the client's verification of the second digital certificate passes, that is, when the client has confirmed that the identity of the agent device is genuine. If the verification fails (for example, because the client's request was intercepted by a device outside the local area network, which cannot pass the client's identity verification), the channel is not established.
When establishing the second encryption channel, the client can exchange public keys with the proxy device: it obtains the public key in the second digital certificate of the proxy device and sends its own public key to the proxy device. It then performs key negotiation with the proxy device on the basis of the public key in the second digital certificate to obtain a second session key, thereby establishing the second encryption channel.
Accordingly, in step 1004, obtaining the target data fed back by the proxy device may specifically be implemented as:
Step 1102, obtaining second encrypted data fed back by the proxy device over the second encryption channel;
Specifically, the second encrypted data is obtained by the proxy device encrypting the target data with the second session key.
The target data fed back by the proxy device is data the proxy device obtained from the local cache device, or data it obtained remotely, acting in the client's role, from the target server of the target network site to which the target data belongs.
Step 1103, decrypting the second encrypted data to obtain the target data.
After obtaining the second encrypted data, the client decrypts it with the second session key negotiated with the proxy device, and thereby obtains the required target data.
An application example of the communication method of the present application is given below; please refer to fig. 6 and fig. 12 together. In this example, as shown in fig. 6, an own CA is set up in a local area network that contains the client, a cache server and a forward proxy; the forward proxy connected to the cache server contains a self-signed certificate manager, a pre-reading engine and a loader, and has a corresponding self-signed certificate library; the Internet side contains an HTTPS server providing the website content service and a CA authority.
Referring to fig. 12, the devices on the LAN side and the Internet side shown in fig. 6 can implement cache-based data communication between the client and the server through the following interaction flow:
1) an own certificate issuing authority (own CA) is established inside the local area network, and the own CA issues a root certificate carrying the public key of the own CA to each client in the local area network;
As shown in fig. 13, the root certificate of the own CA may be distributed to and installed on the client machines in the domain by means of a domain policy (e.g. an AD domain management policy of a Windows system), a domain management agent, and the like;
2) the pre-reading engine of the forward proxy receives an HTTPS request from a client in the domain;
3) the self-signed certificate manager of the forward proxy searches the local certificate bank, according to the domain name in the HTTPS request, for a valid second digital certificate issued by the own CA; wherein:
a) if such a certificate exists, the certificate issued by the own CA is used directly;
b) if it does not exist, the real certificate (the first digital certificate) is obtained from the target server corresponding to the HTTPS request, the relevant certificate information is extracted as the input of a certificate application, and a second digital certificate for the domain name is applied for from the own CA; the second digital certificate issued by the own CA is stored in the local certificate repository with the domain name as the index, as shown in fig. 14;
4) the loader of the forward proxy establishes an SSL communication tunnel with the client in the domain through a handshake using the second digital certificate issued by the own CA;
5) the client checks the certificate (namely the second digital certificate) from the 'server' impersonated by the forward proxy, finds that it passes verification against the own CA root certificate, and the SSL communication tunnel is thus established successfully;
6) the forward proxy transmits the target data corresponding to the HTTPS request to the client, where the target data obtained by the forward proxy may come from the cache or from the HTTPS server.
Steps 4) to 6) may be understood with reference to fig. 15.
When receiving an HTTPS request from an intra-domain client, the pre-reading engine of the forward proxy first checks whether the requested target data hits the cache. If it hits, the data is obtained from the cache server (step 61 in fig. 12); if it does not hit, the forward proxy masquerades as a client, initiates a session to the remote HTTPS server and obtains the target data from it (step 62 in fig. 12).
It should be noted that the process by which the client authenticates the identity of the proxy device and the process by which the proxy device obtains the target data (from the local cache or remotely from the server) are not limited to a particular execution order: either may be executed before the other, or they may be executed at the same time.
In summary, with the method of the embodiments of the present application, the intermediate cache proxy processing is transparent and invisible to both the originating source (the client) and the destination (the HTTPS server) of the HTTPS communication, and the communication is not interrupted by a triggered verification failure.
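As an added example (not the patent's or Lenovo's code), the following Go program models step 3) and step 5) of the flow above together with the local certificate set described earlier: a constructed stand-in for the public CA issues the first certificate, the proxy's store looks up the domain name taken from that certificate and otherwise applies to the LAN's own CA for a second certificate bound to the proxy's own key, and the client check accepts only a certificate that chains to the installed own-CA root for the requested host. The names NewKey, CA, CertStore, GetOrIssue and ClientVerify are hypothetical, and standard chain validation from crypto/x509 stands in for the decrypt-and-compare description of the signature check.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// NewKey generates a P-256 key pair (for a CA, the origin server or the proxy).
func NewKey() (*ecdsa.PrivateKey, error) { return ecdsa.GenerateKey(elliptic.P256(), rand.Reader) }
// CA stands in for an issuing authority: the LAN's own CA (second issuing authority) or a
// constructed stand-in for the public CA of the target site's first certificate. Hypothetical names.
type CA struct {
	Root *x509.Certificate // what domain policy would install on in-domain clients
	key  *ecdsa.PrivateKey
}

// NewCA creates a self-signed root certificate and its private key.
func NewCA(name string) (*CA, error) {
	key, err := NewKey()
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	root, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &CA{Root: root, key: key}, nil
}

// Issue signs a server certificate declared as domain and bound to pub: the first
// certificate when the public stand-in signs the origin server's key, the second
// certificate when the own CA signs the same domain name over the proxy's key.
func (ca *CA) Issue(domain string, pub *ecdsa.PublicKey) (*x509.Certificate, error) {
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: serial,
		Subject:      pkix.Name{CommonName: domain},
		DNSNames:     []string{domain},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(12 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca.Root, pub, ca.key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// CertStore is the proxy's local certificate set, indexed by domain name.
type CertStore map[string]*x509.Certificate

// GetOrIssue is step 3): look up the domain named in the first certificate; on a
// miss (or an expired entry) apply to ownCA for a second certificate bound to
// proxyPub and store it under that domain. The bool reports a cache hit.
func (s CertStore) GetOrIssue(first *x509.Certificate, ownCA *CA, proxyPub *ecdsa.PublicKey) (*x509.Certificate, bool, error) {
	domain := first.Subject.CommonName // certificate information extracted from the first certificate
	if c, ok := s[domain]; ok && time.Now().Before(c.NotAfter) {
		return c, true, nil
	}
	c, err := ownCA.Issue(domain, proxyPub)
	if err != nil {
		return nil, false, err
	}
	s[domain] = c
	return c, false, nil
}

// ClientVerify is step 5): the in-domain client accepts the presented certificate
// only if it chains to the installed root and names the requested host. A device
// that holds no own-CA-issued certificate for the host fails here.
func ClientVerify(presented, root *x509.Certificate, host string) error {
	roots := x509.NewCertPool()
	roots.AddCert(root)
	_, err := presented.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err
}
```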
An embodiment of the present application further provides a communication device, where a structure of the communication device is shown in fig. 16, and the communication device may include:
a memory 1601 for storing at least one set of computer instructions;
the memory 1601 may include high speed random access memory and may also include non-volatile memory, such as at least one magnetic disk storage device, flash memory device, or other volatile solid state storage device.
The set of instructions in memory 1601 may be embodied in the form of a computer program.
A processor 1602, configured to implement the communication method applied to the proxy device according to any of the above embodiments or implement the communication method applied to the client device according to any of the above embodiments by executing the instruction set stored in the memory.
The processor 1602 may be a Central Processing Unit (CPU), an Application Specific Integrated Circuit (ASIC), a Digital Signal Processor (DSP), a Field Programmable Gate Array (FPGA) or another programmable logic device, etc.
Besides, the communication device may further include a communication interface, a communication bus, and the like. The memory, the processor and the communication interface communicate with each other via a communication bus.
The communication interface is used for communication between the communication device and other devices. The communication bus may be a Peripheral Component Interconnect (PCI) bus, an Extended Industry Standard Architecture (EISA) bus, or the like, and may be divided into an address bus, a data bus, a control bus, and the like.
For a specific processing procedure implemented by the processor in the communication device through executing the instruction set, reference may be made to the relevant description of the above embodiments, and details are not described again.
In addition, an embodiment of the present application further provides a proxy system, as shown in fig. 17, where the proxy system includes:
a caching device 1701 for caching data of a network site;
the caching device 1701 may be a caching server.
A second certificate issuing entity 1702, configured to issue, to the caching device, a second digital certificate declared as a corresponding network site;
a proxy device 1703 configured to execute the communication method applied to the proxy device according to any one of the embodiments;
The caching device 1701, the second certificate issuing authority 1702 and the proxy device 1703 are either integrated on the same physical device or distributed across different physical devices.
The proxy system can be used to provide a cache service between a client and a server in an encrypted communication environment, so as to optimize network services under encrypted communication. For the processing by which each component of the proxy system provides the cache service between the client and the server in the encrypted communication environment, reference may be made to the related description above of the communication methods applied to the proxy device and to the client device, which is not repeated here.
It should be noted that, in the present specification, the embodiments are all described in a progressive manner, each embodiment focuses on differences from other embodiments, and the same and similar parts among the embodiments may be referred to each other.
For convenience of description, the above system or apparatus is described as being divided into various modules or units by function, respectively. Of course, the functionality of the units may be implemented in one or more software and/or hardware when implementing the present application.
From the above description of the embodiments, it is clear to those skilled in the art that the present application can be implemented by software plus necessary general hardware platform. Based on such understanding, the technical solutions of the present application may be essentially or partially implemented in the form of a software product, which may be stored in a storage medium, such as a ROM/RAM, a magnetic disk, an optical disk, etc., and includes several instructions for enabling a computer device (which may be a personal computer, a server, or a network device, etc.) to execute the method according to the embodiments or some parts of the embodiments of the present application.
Finally, it is further noted that, herein, relational terms such as first, second, third, fourth, and the like may be used solely to distinguish one instance or operation from another instance or operation without necessarily requiring or implying any actual such relationship or order between such instances or operations. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other identical elements in a process, method, article, or apparatus that comprises the element.
The foregoing is only a preferred embodiment of the present application and it should be noted that those skilled in the art can make several improvements and modifications without departing from the principle of the present application, and these improvements and modifications should also be considered as the protection scope of the present application.

Claims (11)

1. A communication method is applied to a proxy device, and the method comprises the following steps:
obtaining a client request; the client request comprises a network resource address of target data;
determining a target network station requested by a client based on the network resource address;
acquiring a second digital certificate according to the target network station; the second digital certificate is a certificate declared as the target network station;
sending second certificate information of the second digital certificate to a client;
and feeding the target data back to the client on the basis of a verification passing result obtained when the client verifies the second digital certificate with the root certificate of the second certificate issuing authority.
2. The method of claim 1, wherein acquiring the second digital certificate according to the target network station comprises:
determining whether a second digital certificate corresponding to the target network station is present in a locally stored certificate set;
in the event that it is present, obtaining the second digital certificate from the certificate set;
and in the event that it is not present, acquiring a first digital certificate of the target network station and applying, on the basis of the first digital certificate, to a second certificate issuing authority for a second digital certificate declared as the target network station, wherein the first digital certificate is issued by a first certificate issuing authority.
3. The method of claim 2, wherein applying, on the basis of the first digital certificate, to the second certificate issuing authority for the second digital certificate declared as the target network station comprises:
acquiring a first digital certificate of the target network station from a target server where the target network station is located;
extracting first certificate information of the first digital certificate;
sending a certificate application request including the first certificate information to the second certificate issuing authority;
acquiring a second digital certificate issued by the second certificate issuing authority based on the first certificate information;
the first certificate information comprises a domain name of the target network station, a first public key and a first signature of the first public key, and the second certificate information comprises the domain name of the target network station, a second public key and a second signature of the second public key; the second certificate issuing authority is established in a local area network where the proxy equipment is located.
4. The method of claim 1, further comprising, prior to feeding back the target data to a client:
establishing a second encryption channel with the client;
the feeding back the target data to the client comprises:
and feeding back second encrypted data of the target data to the client based on the second encryption channel.
5. The method of claim 1, further comprising, between the obtaining a client request and the determining a target network site requested by a client based on the network resource address:
determining whether a cache device is provided with the target data corresponding to the network resource address;
if yes, obtaining the target data from the cache device;
and if not, acquiring the target data from the target server where the target network site is located.
6. The method of claim 5, wherein:
under the condition that the cache equipment has the target data, after the target data is obtained from the cache equipment, skipping to the step of feeding back the target data to the client;
and under the condition that the cache equipment does not have the target data, triggering the steps of determining a target network station requested by the client based on the network resource address and acquiring a second digital certificate according to the target network station, so that the target data is fed back to the client based on the verification passing result of the client to the second digital certificate.
7. The method of claim 1, further comprising, after applying to the second certificate issuing authority for the second digital certificate declared as the target network station:
storing the second digital certificate.
8. A communication method applied to a client device comprises the following steps:
sending a client request including a network resource address of the target data to the network;
obtaining second certificate information of a second digital certificate fed back by the proxy device based on the client request; the second digital certificate is either a certificate declared as the target network station that the proxy device obtained locally from its own certificate set, or a certificate declared as the target network station that the proxy device applied for from a second certificate issuing authority on the basis of a first digital certificate of the target network station corresponding to the network resource address, wherein the first digital certificate is issued by a first certificate issuing authority;
verifying the second digital certificate by using a root certificate issued by the second certificate issuing authority;
and obtaining target data fed back by the agent equipment based on the verification result passing the verification.
9. The method of claim 8, prior to obtaining the target data fed back by the proxy device, further comprising:
establishing a second encryption channel with the proxy equipment;
the obtaining of the target data fed back by the agent device includes:
obtaining second encrypted data fed back by the agent device based on the second encryption channel;
and decrypting the second encrypted data to obtain the target data.
10. A communication device, comprising:
a memory for storing at least one set of computer instructions;
a processor for implementing the method of any one of claims 1 to 7, or for implementing the method of any one of claims 8 to 9, by executing a set of instructions stored on the memory.
11. A proxy system, comprising:
the cache device is used for caching data of the network station;
a second certificate issuing authority for issuing, to the cache device, a second digital certificate declared as a corresponding network station;
a proxy device for performing the communication method according to any one of claims 1 to 7;
wherein the cache device, the second certificate issuing authority and the proxy device are either integrated on the same physical device or distributed across different physical devices.
CN202010460944.2A 2020-05-27 2020-05-27 Communication method, communication equipment and proxy system Pending CN111526161A (en)

Publications (1)

Publication Number Publication Date
CN111526161A true CN111526161A (en) 2020-08-11

Family

ID=71912885

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20200811