CN111835688A - Traffic fast forwarding method and system based on SSL/TLS protocol - Google Patents


Publication number
CN111835688A
Authority
CN
China
Prior art keywords
client
server
ssl
tls
fast forwarding
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN201910324087.0A
Other languages
Chinese (zh)
Other versions
CN111835688B (en)
Inventor
宋磊
李传宏
闫露
郭志川
韩陆超
刘磊
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing Scv Technology Co ltd
Institute of Acoustics CAS
Original Assignee
Beijing Scv Technology Co ltd
Institute of Acoustics CAS

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/16: Implementing security features at a particular protocol layer
    • H04L63/166: Implementing security features at a particular protocol layer at the transport layer
    • H04L63/168: Implementing security features at a particular protocol layer above the transport layer
    • H04L45/00: Routing or path finding of packets in data switching networks
    • H04L45/12: Shortest path evaluation
    • H04L45/121: Shortest path evaluation by minimising delays
    • H04L45/125: Shortest path evaluation based on throughput or bandwidth
    • H04L9/00: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08: Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0861: Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • H04L9/0869: Generation of secret information including derivation or calculation of cryptographic keys or passwords involving random numbers or seeds
    • H04L9/0891: Revocation or update of secret information, e.g. encryption key update or rekeying

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention belongs to the technical field of network information security, and particularly relates to a traffic fast forwarding method based on the SSL/TLS protocol, which comprises the following steps: receiving a client hello message sent by a client, modifying the client hello message, and recording the client random number; forwarding the modified client hello message to a server; obtaining a server hello message according to the modified client hello message; sending the server hello message to a data collector, and recording the protocol version information, the cipher suite information and the server random number in the server hello message; the client, the data collector and the server establish an SSL/TLS connection through mutual authentication; and judging whether the current connection supports fast forwarding according to a criterion for supporting fast forwarding of SSL/TLS traffic. The method greatly improves the performance of the acquisition system and reduces its transmission delay.

Description

Traffic fast forwarding method and system based on SSL/TLS protocol
Technical Field
The invention belongs to the technical field of network information security, and particularly relates to a traffic fast forwarding method based on the SSL/TLS protocol.
Background
The SSL/TLS protocol, namely the Secure Sockets Layer/Transport Layer Security protocol, is the most widely used secure communication protocol at present. It operates above a reliable transport layer protocol and below various application layer protocols, and establishes a secure connection between a client and a server to prevent the messages of both communicating parties from being intercepted, tampered with or forged, thereby providing security services such as confidentiality, integrity, privacy and authentication for data communication on the Internet. SSL/TLS is a layered protocol that includes the record layer protocol at the bottom and, above it, the change cipher spec protocol, the alert protocol and the handshake protocol. The flow of the SSL/TLS protocol can be divided into two phases: an SSL/TLS connection establishment phase and a data transmission phase. The client and the server complete the establishment of the SSL/TLS connection through handshake messages, after which the application layer data is transmitted securely as ciphertext. The transmission of the ciphertext data relies on the underlying reliable transport layer protocol.
The widespread use of the SSL/TLS protocol largely meets users' requirements for network communication security, but it also poses problems. Because the SSL/TLS protocol encrypts the transmitted application layer data, network supervision and traffic auditing become much more difficult. In response to these problems, techniques for collecting network data in plaintext have been developed. A plaintext acquisition system, acting as a legitimate man-in-the-middle, is connected in series between a conventional client and a conventional server; in the SSL/TLS connection establishment phase it modifies the handshake messages of the client and the server so as to establish an SSL/TLS connection with each of them. The two SSL/TLS connections have the same keys, specifically the symmetric key and the message authentication code key. The plaintext acquisition system holds all the keys of the two connections, so it can decrypt the ciphertext data transmitted by the client and the server and thereby acquire the plaintext data.
For situations in which ciphertext data must be audited, the existing solutions fall into three types. In the first, as shown in fig. 1, a data collector is connected in series between the client and the server as a TLS proxy server and establishes a TLS connection with each of them; the two TLS connections are independent of each other. After the data collector receives ciphertext data, it decrypts the data, extracts the plaintext, then encrypts the data again and sends it to the peer. This solution is easy to implement, but it has a problem: after the data collector receives the data, it must decrypt the data into plaintext and then encrypt it into ciphertext again before sending it to the peer, which obviously increases transmission delay and reduces TLS throughput.
In the second solution, as shown in fig. 2, the data collector is not connected in series between the client and the server, but directly captures the ciphertext data of both communicating parties. The data collector is trusted by the server and holds the server's private key, so it can obtain the pre-master secret from the handshake messages of the two parties and compute their shared keys, and can therefore decrypt the ciphertext data they exchange to obtain the plaintext. The method is simple to implement, but it requires possession of the server's private key, which limits the applicability of the scheme.
The third solution, as shown in fig. 3, is a plaintext acquisition method based on the man-in-the-middle principle. The data collector acts as a legitimate man-in-the-middle connected in series between the client and the server. By modifying the handshake messages of both parties in the SSL handshake phase, it establishes one connection with the client and one with the server; the two connections have the same keys, and the collector holds those keys, so it can decrypt the ciphertext data of both parties. This scheme does not need to decrypt and then re-encrypt the ciphertext data, so it has clear advantages in response time and throughput over the man-in-the-middle proxy scheme. It has the following problem, however: when the content of the ciphertext data needs to be checked, for example when protocol analysis must be performed or the plaintext data must be modified, the scheme cannot be used.
Disclosure of Invention
The invention aims to overcome the shortcomings of the existing traffic forwarding methods and provides a traffic fast forwarding method based on the SSL/TLS protocol. The method builds on a plaintext acquisition system that follows the legitimate man-in-the-middle principle. Using a criterion for supporting fast forwarding of SSL/TLS traffic, the data collector forwards ciphertext data directly through a fast forwarding channel for connections that support fast forwarding; for connections that do not support fast forwarding, the data collector forwards the encrypted data through a conventional forwarding channel. This improves the performance of the acquisition system and reduces its transmission delay.
In order to achieve the above object, the present invention provides a traffic fast forwarding method based on SSL/TLS protocol, which includes:
receiving a client hello message sent by a client, modifying the client hello message, and recording a client random number;
forwarding the modified client hello message to a server;
obtaining a server hello message according to the modified client hello message;
sending the server hello message to a data collector, and recording the protocol version information, the cipher suite information and the server random number in the server hello message;
the client, the data collector and the server establish an SSL/TLS connection through mutual authentication;
judging whether the current connection supports fast forwarding according to a criterion for supporting fast forwarding of SSL/TLS traffic; if the current connection supports fast forwarding, the ciphertext data is forwarded to the client or the server through the fast forwarding channel; and if the current connection does not support fast forwarding, the encrypted data is forwarded to the client or the server through a conventional forwarding channel.
As one of the improvements of the above technical solution, the receiving a client hello message sent by a client and modifying the client hello message specifically includes:
receiving a client hello message sent by a client, deleting the cipher suite information that does not use the RSA (Ron Rivest, Adi Shamir and Leonard Adleman) key exchange algorithm to obtain a modified client hello message, and recording the client random number; wherein the modified client hello message comprises the cipher suite information that uses the RSA key exchange algorithm.
As one of the improvements of the above technical solution, the obtaining of a server hello message specifically includes:
recording the cipher suite list information and the supported version number list information of the modified client hello message, and selecting the earliest-listed supported cipher suite information and the supported version number information as the server hello message.
As one improvement of the technical solution, the client, the data collector and the server have the same session key, and the key is generated through a pseudo-random function from the client random number, the server random number and the pre-master secret in the client key exchange message. The pre-master secret is a random number generated by the client, and is so named in the SSL/TLS protocol standard.
As an improvement of the above technical solution, the establishing of the SSL/TLS connection specifically includes:
judging whether the current connection supports fast forwarding according to a criterion for supporting fast forwarding of SSL/TLS traffic;
if the server hello message contains cipher suite information with a stream cipher and the version number information is currently supported, an SSL/TLS connection is established, the connection supports fast forwarding, and a flag bit is added to mark the connection; wherein the currently supported version number information includes: SSL v3.0, TLS v1.0, TLS v1.1 or TLS v1.2;
if the server hello message contains cipher suite information with a block cipher in CBC mode and the version number information is currently supported, an SSL/TLS connection is established, the connection supports fast forwarding, and a flag bit is added to mark the connection; wherein the currently supported version number information includes: TLS v1.1 or TLS v1.2;
if the server hello message contains cipher suite information with an AEAD cipher and the version number information is currently supported, an SSL/TLS connection is established, the connection supports fast forwarding, and a flag bit is added to mark the connection; wherein the currently supported version number information includes: TLS v1.2;
if the server hello message contains cipher suite information with a stream cipher, a block cipher in CBC mode or an AEAD cipher, but the version number information is not currently supported, the SSL/TLS connection being established does not support fast forwarding.
As an improvement of the above technical solution, the determining, based on the criterion of supporting fast forwarding of SSL/TLS traffic, whether the current connection supports fast forwarding specifically includes:
if the current connection has the flag bit, the current connection supports fast forwarding: the ciphertext data is decrypted to obtain the plaintext data, the message authentication code (MAC) of the plaintext data is calculated, the plaintext data is analyzed after it is confirmed to be correct, and at the same time the ciphertext data is forwarded to the client or the server through the fast forwarding channel;
if the current connection has no flag bit, the current connection does not support fast forwarding: the ciphertext data is decrypted to obtain the plaintext data, the message authentication code (MAC) of the plaintext data is calculated, the plaintext data is analyzed, the MAC of the analyzed plaintext data is calculated, the analyzed plaintext data and its MAC are encrypted, and the encrypted data is forwarded to the client or the server through a conventional forwarding channel.
Based on the above method for fast forwarding traffic, the present invention further provides a system for fast forwarding traffic based on SSL/TLS protocol, where the system includes:
the receiving module is used for receiving the client hello message sent by the client, modifying the client hello message and recording the client random number;
the forwarding module is used for forwarding the modified client hello message to the server;
the acquisition module is used for obtaining the server hello message according to the modified client hello message;
the data acquisition module is used for sending the server hello message to the data collector, and recording the protocol version information, the cipher suite information and the server random number in the server hello message;
the judging module is used for judging whether the current connection supports fast forwarding according to the criterion for supporting fast forwarding of SSL/TLS traffic; if the current connection supports fast forwarding, the ciphertext data is forwarded to the client or the server through the fast forwarding channel; and if the current connection does not support fast forwarding, the encrypted data is forwarded to the client or the server through a conventional forwarding channel.
The invention also provides a computer device comprising a memory, a processor and a computer program that is stored in the memory and can run on the processor, wherein the processor implements the above traffic fast forwarding method when executing the computer program.
The present invention also provides a computer-readable storage medium storing a computer program, which, when executed by a processor, causes the processor to execute the above-mentioned traffic fast forwarding method.
Compared with the prior art, the invention has the beneficial effects that:
The method builds on a plaintext acquisition system that follows the legitimate man-in-the-middle principle. Using the criterion for supporting fast forwarding of SSL/TLS traffic, the data collector forwards ciphertext data directly through a fast forwarding channel for connections that support fast forwarding; for connections that do not support fast forwarding, the data collector forwards the encrypted data through a conventional forwarding channel. This improves the performance of the acquisition system and reduces its transmission delay.
Drawings
FIG. 1 is a flow chart of a traffic fast forwarding method based on SSL/TLS protocol according to the present invention;
FIG. 2 is a flow chart of fast forwarding and conventional forwarding in a traffic fast forwarding method based on SSL/TLS protocol according to the present invention;
FIG. 3 is a flow chart of fast forwarding in a traffic fast forwarding method based on SSL/TLS protocol of FIG. 2;
FIG. 4 is a flow chart of conventional forwarding in a traffic fast forwarding method based on SSL/TLS protocol of FIG. 2.
Detailed Description
The invention will now be further described with reference to the accompanying drawings.
Example 1.
As shown in fig. 1, the present invention provides a traffic fast forwarding method based on the SSL/TLS protocol. The client and the server complete the establishment of the SSL/TLS connection through handshake messages (the messages exchanged between the client and the server in the connection establishment phase, such as the client hello message, the server hello message and the client key exchange message). When the data collector has to forward ciphertext data, it applies the criterion for supporting fast forwarding of SSL/TLS traffic: for a connection that supports fast forwarding, the data collector forwards the ciphertext data directly to the client or the server through the fast forwarding channel; for a connection that does not support fast forwarding, the data collector forwards the encrypted data to the client or the server through the conventional forwarding channel. This greatly improves the throughput of the acquisition system and reduces the data transmission delay.
The invention provides a traffic fast forwarding method based on an SSL/TLS protocol, which specifically comprises the following steps:
Data connection establishment stage:
step 1) receiving a client hello message sent by a client, modifying the message and recording the client random number; the client hello message is the first message sent by the client to the server in the process of establishing the SSL/TLS connection;
specifically, receiving a client hello message sent by a client, deleting the cipher suite information that does not use the RSA (Ron Rivest, Adi Shamir, Leonard Adleman) key exchange algorithm to obtain a modified client hello message, and recording the client random number; wherein the modified client hello message comprises the cipher suite information that uses the RSA key exchange algorithm.
step 2) forwarding the modified client hello message to a server;
step 3) obtaining a server hello message according to the modified client hello message; specifically, recording the cipher suite list information and the supported version number list information of the modified client hello message, and selecting the earliest-listed supported cipher suite information and the supported version number information as the server hello message;
step 4) sending the server hello message to a data collector, and recording the protocol version information, the cipher suite information and the server random number in the server hello message;
step 5) the client, the data collector and the server establish an SSL/TLS connection after mutual authentication; specifically, whether the current connection supports fast forwarding is judged according to the criterion for supporting fast forwarding of SSL/TLS traffic;
if the server hello message contains cipher suite information with a stream cipher and the version number information is currently supported, an SSL/TLS connection is established, the connection supports fast forwarding, and a flag bit is added to mark the connection; wherein the currently supported version number information includes: SSL v3.0, TLS v1.0, TLS v1.1 or TLS v1.2;
if the server hello message contains cipher suite information with a block cipher in CBC mode and the version number information is currently supported, an SSL/TLS connection is established, the connection supports fast forwarding, and a flag bit is added to mark the connection; wherein the currently supported version number information includes: TLS v1.1 or TLS v1.2;
if the server hello message contains cipher suite information with an AEAD cipher and the version number information is currently supported, an SSL/TLS connection is established, the connection supports fast forwarding, and a flag bit is added to mark the connection; wherein the currently supported version number information includes: TLS v1.2;
if the server hello message contains cipher suite information with a stream cipher, a block cipher in CBC mode or an AEAD cipher, but the version number information is not currently supported, the SSL/TLS connection being established does not support fast forwarding.
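The recording of the server hello fields in step 4 and the criterion of step 5, as an added Python example that is not code from the patent. The cipher suite table is a small assumed subset of RSA key-exchange suites (IANA code points), and `build_server_hello` only constructs sample input.

```python
import struct
from dataclasses import dataclass

# Protocol versions as they appear on the wire.
SSL30, TLS10, TLS11, TLS12 = 0x0300, 0x0301, 0x0302, 0x0303

# Bulk-cipher class of some RSA key-exchange cipher suites (assumed subset).
CIPHER_CLASS = {
    0x0004: "stream",  # TLS_RSA_WITH_RC4_128_MD5
    0x0005: "stream",  # TLS_RSA_WITH_RC4_128_SHA
    0x000A: "cbc",     # TLS_RSA_WITH_3DES_EDE_CBC_SHA
    0x002F: "cbc",     # TLS_RSA_WITH_AES_128_CBC_SHA
    0x0035: "cbc",     # TLS_RSA_WITH_AES_256_CBC_SHA
    0x003C: "cbc",     # TLS_RSA_WITH_AES_128_CBC_SHA256
    0x009C: "aead",    # TLS_RSA_WITH_AES_128_GCM_SHA256
    0x009D: "aead",    # TLS_RSA_WITH_AES_256_GCM_SHA384
}

# The criterion from the text: versions for which each cipher class is marked.
FAST_FORWARD_VERSIONS = {
    "stream": {SSL30, TLS10, TLS11, TLS12},
    "cbc": {TLS11, TLS12},
    "aead": {TLS12},
}


@dataclass
class ServerHello:
    version: int        # protocol version chosen by the server
    random: bytes       # 32-byte server random
    cipher_suite: int   # chosen cipher suite


def parse_server_hello(record: bytes) -> ServerHello:
    """Extract the fields the collector records from a ServerHello record."""
    if len(record) < 5:
        raise ValueError("truncated record header")
    content_type, _rec_version, rec_len = struct.unpack("!BHH", record[:5])
    if content_type != 22:
        raise ValueError("not a handshake record")
    body = record[5:5 + rec_len]
    if len(body) != rec_len or rec_len < 4:
        raise ValueError("truncated record")
    if body[0] != 2:
        raise ValueError("not a ServerHello")
    hs_len = int.from_bytes(body[1:4], "big")
    msg = body[4:4 + hs_len]
    if len(msg) != hs_len or hs_len < 35:
        raise ValueError("truncated ServerHello")
    version = struct.unpack("!H", msg[:2])[0]
    random = msg[2:34]
    off = 35 + msg[34]                 # skip the variable-length session id
    if len(msg) < off + 3:             # cipher suite (2) + compression (1)
        raise ValueError("truncated ServerHello")
    cipher_suite = struct.unpack("!H", msg[off:off + 2])[0]
    return ServerHello(version, random, cipher_suite)


def supports_fast_forward(hello: ServerHello) -> bool:
    """True when the connection would receive the fast-forwarding flag bit."""
    cipher_class = CIPHER_CLASS.get(hello.cipher_suite)
    return cipher_class is not None and hello.version in FAST_FORWARD_VERSIONS[cipher_class]


def build_server_hello(version, cipher_suite, random=bytes(range(32)), session_id=b""):
    """Constructed sample input: a minimal ServerHello without extensions."""
    msg = struct.pack("!H", version) + random + bytes([len(session_id)]) + session_id
    msg += struct.pack("!HB", cipher_suite, 0)          # null compression
    handshake = b"\x02" + len(msg).to_bytes(3, "big") + msg
    return struct.pack("!BHH", 22, version, len(handshake)) + handshake


if __name__ == "__main__":
    for ver, suite in [(SSL30, 0x0005), (TLS10, 0x002F), (TLS11, 0x002F), (TLS12, 0x009C)]:
        hello = parse_server_hello(build_server_hello(ver, suite))
        print(hex(ver), hex(suite), supports_fast_forward(hello))
```

A suite outside the table, or a listed suite negotiated with a version outside its set, leaves the connection unflagged and therefore on the conventional forwarding channel.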
The client, the data collector and the server have the same session key, and the key is generated through a pseudo-random function from the client random number, the server random number and the pre-master secret in the client key exchange message. The pre-master secret is a random number generated by the client, and is so named in the SSL/TLS protocol standard.
Data transmission stage:
step 6) judging whether the current connection supports fast forwarding according to the criterion for supporting fast forwarding of SSL/TLS traffic; if the current connection supports fast forwarding, the ciphertext data is forwarded to the client or the server through the fast forwarding channel; and if the current connection does not support fast forwarding, the encrypted data is forwarded to the client or the server through a conventional forwarding channel.
Specifically, as shown in fig. 2, if the current connection has the flag bit, the current connection supports fast forwarding: the ciphertext data is decrypted to obtain the plaintext data, the message authentication code (MAC) of the plaintext data is calculated, the plaintext data is analyzed after it is confirmed to be correct, and at the same time the ciphertext data is forwarded to the client or the server through the fast forwarding channel; if the plaintext data is found to be incorrect, the plaintext data has been tampered with, the current connection is terminated, and the ciphertext data is no longer forwarded;
if the current connection has no flag bit, the current connection does not support fast forwarding: the ciphertext data is decrypted to obtain the plaintext data, the message authentication code (MAC) of the plaintext data is calculated, the plaintext data is analyzed, the MAC of the analyzed plaintext data is calculated, the analyzed plaintext data and its MAC are encrypted, and the encrypted data is forwarded to the client or the server through a conventional forwarding channel.
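The two forwarding paths of step 6 for one stream-cipher record, as an added Python example that is not code from the patent. It assumes an RC4 cipher with an HMAC-SHA1 record MAC, a small RC4 written inline because the standard library has none, and constructed keys; `Direction`, `seal` and `handle_record` are hypothetical names.

```python
import hashlib
import hmac
import struct

MAC_LEN = 20  # HMAC-SHA1


class RC4:
    """Stream cipher whose state runs on across the records of one direction."""

    def __init__(self, key: bytes):
        s, j = list(range(256)), 0
        for i in range(256):
            j = (j + s[i] + key[i % len(key)]) & 0xFF
            s[i], s[j] = s[j], s[i]
        self.s, self.i, self.j = s, 0, 0

    def crypt(self, data: bytes) -> bytes:
        s, i, j, out = self.s, self.i, self.j, bytearray()
        for byte in data:
            i = (i + 1) & 0xFF
            j = (j + s[i]) & 0xFF
            s[i], s[j] = s[j], s[i]
            out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
        self.i, self.j = i, j
        return bytes(out)


class Direction:
    """Cipher state, MAC key and sequence number for one traffic direction."""

    def __init__(self, enc_key: bytes, mac_key: bytes):
        self.cipher, self.mac_key, self.seq = RC4(enc_key), mac_key, 0


def record_mac(mac_key, seq, ctype, version, fragment):
    # TLS record MAC input: seq_num || type || version || length || fragment
    header = struct.pack("!QBHH", seq, ctype, version, len(fragment))
    return hmac.new(mac_key, header + fragment, hashlib.sha1).digest()


def seal(state, ctype, version, plaintext):
    """MAC-then-encrypt one record and advance the direction's state."""
    mac = record_mac(state.mac_key, state.seq, ctype, version, plaintext)
    state.seq += 1
    body = state.cipher.crypt(plaintext + mac)
    return struct.pack("!BHH", ctype, version, len(body)) + body


def handle_record(read_state, write_state, record, fast_forward, analyse):
    """Collector logic: returns ("forward", bytes_to_send) or ("terminate", b"")."""
    if len(record) < 5:
        return "terminate", b""
    ctype, version, length = struct.unpack("!BHH", record[:5])
    body = record[5:5 + length]
    if len(body) != length or length < MAC_LEN:
        return "terminate", b""
    plain_and_mac = read_state.cipher.crypt(body)
    plaintext, mac = plain_and_mac[:-MAC_LEN], plain_and_mac[-MAC_LEN:]
    expected = record_mac(read_state.mac_key, read_state.seq, ctype, version, plaintext)
    read_state.seq += 1
    if not hmac.compare_digest(mac, expected):
        return "terminate", b""          # tampered record: stop forwarding
    result = analyse(plaintext)
    if fast_forward:
        return "forward", record         # original ciphertext, untouched
    # Conventional channel: new MAC and encryption over the analysed plaintext.
    return "forward", seal(write_state, ctype, version, result)


if __name__ == "__main__":
    enc_key, mac_key = b"K" * 16, b"M" * 20        # constructed keys
    sender = Direction(enc_key, mac_key)
    rec = seal(sender, 23, 0x0303, b"GET / HTTP/1.1\r\n\r\n")
    fast = handle_record(Direction(enc_key, mac_key), Direction(enc_key, mac_key),
                         rec, True, lambda p: p)
    slow = handle_record(Direction(enc_key, mac_key), Direction(enc_key, mac_key),
                         rec, False, lambda p: p)
    print(fast[0], fast[1] == rec, slow[1] == rec)
```

Because both connections share the same keys, the conventional path reproduces the very same bytes whenever the analysis leaves the plaintext unchanged, so the second MAC and encryption pass is the work the fast channel avoids.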
Example 2.
Embodiment 2 of the present invention further provides a traffic fast forwarding system based on SSL/TLS protocol, where the system includes:
the receiving module is used for receiving the client hello message sent by the client, modifying the client hello message and recording the client random number;
the forwarding module is used for forwarding the modified client hello message to the server;
the acquisition module is used for obtaining the server hello message according to the modified client hello message;
the data acquisition module is used for sending the server hello message to the data collector, and recording the protocol version information, the cipher suite information and the server random number in the server hello message;
the judging module is used for judging whether the current connection supports fast forwarding according to the criterion for supporting fast forwarding of SSL/TLS traffic; if the current connection supports fast forwarding, the ciphertext data is forwarded to the client or the server through the fast forwarding channel; and if the current connection does not support fast forwarding, the encrypted data is forwarded to the client or the server through a conventional forwarding channel.
The receiving module specifically includes:
a receiving unit, configured to receive a client hello message sent by a client;
a deleting unit, configured to delete the cipher suite information that does not use the RSA (Ron Rivest, Adi Shamir, Leonard Adleman) key exchange algorithm;
an acquisition unit, configured to obtain the modified client hello message and record the client random number; wherein the modified client hello message comprises the cipher suite information that uses the RSA key exchange algorithm.
The acquisition module specifically includes:
an acquisition unit, configured to record the cipher suite list information and the supported version number list information of the modified client hello message;
and a server acquisition unit, configured to select the earliest-listed supported cipher suite information and the supported version number information as the server hello message.
The client, the data collector and the server have the same session key, and the key is generated by the client random number, the server random number and the pre-master secret in the client key exchange message through a pseudorandom function. The random number generated by the client is called pre-master secret in the SSL/TLS protocol standard.
The establishing the SSL/TLS protocol connection specifically includes:
judging whether the current connection supports fast forwarding or not according to a judgment criterion for supporting fast forwarding of SSL/TLS traffic;
if the hello message of the server side contains encryption suite information with the stream password and has version number information currently supported, establishing SSL/TLS protocol connection, wherein the connection supports fast forwarding, and adding a flag bit to the connection for marking; wherein the currently supported version number information includes: SSL v3.0, TLS v1.0, TLS v1.1 or TLS v 1.2;
if the hello message of the server side contains the encryption suite information with the packet cipher in the CBC mode and has the version number information currently supported, establishing SSL/TLS protocol connection which supports fast forwarding and adding a flag bit to mark the connection; wherein the currently supported version number information includes: TLS v1.1 or TLS v 1.2;
if the greeting message of the server side contains the encryption suite information with the AEAD password and has the version number information currently supported, establishing SSL/TLS protocol connection which supports fast forwarding and adding a flag bit to the connection for marking; wherein the currently supported version number information includes: TLS v 1.2;
if the server hello message contains encryption suite information with a stream password, a CBC mode block password or an AEAD password and has version number information which is not supported currently, the SSL/TLS connection established currently does not support fast forwarding.
The judging module specifically comprises:
as shown in fig. 3 and 4, if the current connection has a flag bit, the current connection supports fast forwarding: the ciphertext data is decrypted to obtain plaintext data, the message authentication code (MAC) of the plaintext data is calculated, the plaintext data is analyzed after it is confirmed to be correct, and at the same time the ciphertext data is forwarded to the client or the server through the fast forwarding channel;
if the current connection has no flag bit, the current connection does not support fast forwarding: the ciphertext data is decrypted to obtain plaintext data, the message authentication code (MAC) of the plaintext data is calculated, the plaintext data is analyzed, the MAC of the analyzed plaintext data is calculated, the analyzed plaintext data and its MAC are encrypted, and the encrypted data is forwarded to the client or the server through the conventional forwarding channel.
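The judgment criterion described above can be expressed as a check on the server hello record. The following is an added illustration, not code from the patent: the function names, the cipher suite table (IANA-registered RSA key exchange suites) and the treatment of suites outside that table are assumptions.

```python
import struct

# Cipher suite IDs (IANA TLS registry), RSA key exchange only, grouped by cipher type.
SUITE_KIND = {
    0x0004: "stream", 0x0005: "stream",                 # RC4_128_MD5 / RC4_128_SHA
    0x000A: "cbc", 0x002F: "cbc", 0x0035: "cbc",        # 3DES / AES-128 / AES-256 CBC, SHA
    0x003C: "cbc", 0x003D: "cbc",                       # AES-128 / AES-256 CBC, SHA256
    0x009C: "aead", 0x009D: "aead",                     # AES-128 / AES-256 GCM
}
# Protocol versions for which each cipher type supports fast forwarding (from the text).
ELIGIBLE = {
    "stream": {0x0300, 0x0301, 0x0302, 0x0303},  # SSL v3.0, TLS v1.0, v1.1, v1.2
    "cbc": {0x0302, 0x0303},                     # TLS v1.1, v1.2
    "aead": {0x0303},                            # TLS v1.2
}

def parse_server_hello(record: bytes):
    """Return (version, server_random, cipher_suite) from one TLS handshake record."""
    if len(record) < 5:
        raise ValueError("truncated record header")
    ctype, _rec_version, rec_len = struct.unpack("!BHH", record[:5])
    body = record[5:5 + rec_len]
    if ctype != 22 or rec_len < 4 or len(body) != rec_len or body[0] != 2:
        raise ValueError("not a complete ServerHello record")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    if len(hello) != hs_len or hs_len < 38:
        raise ValueError("truncated ServerHello")
    sid_len = hello[34]                      # session_id length follows the 32-byte random
    off = 35 + sid_len
    if off + 3 > hs_len:                     # cipher suite (2) + compression method (1)
        raise ValueError("truncated ServerHello")
    version = int.from_bytes(hello[0:2], "big")
    return version, hello[2:34], int.from_bytes(hello[off:off + 2], "big")

def supports_fast_forwarding(record: bytes) -> bool:
    """Value of the connection's fast-forwarding flag bit for this ServerHello."""
    version, _server_random, suite = parse_server_hello(record)
    kind = SUITE_KIND.get(suite)
    # Assumption: a suite outside the table takes the conventional path.
    return kind is not None and version in ELIGIBLE[kind]

def build_server_hello(version: int, suite: int) -> bytes:
    """Constructed sample: minimal ServerHello, zero random, empty session id."""
    hello = struct.pack("!H", version) + bytes(32) + b"\x00" + struct.pack("!HB", suite, 0)
    handshake = b"\x02" + len(hello).to_bytes(3, "big") + hello
    return struct.pack("!BHH", 22, version, len(handshake)) + handshake
```
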
Example 3.
Embodiment 3 of the present invention also provides a computer device, which includes a memory, a processor, and a computer program stored on the memory and executable on the processor, and the processor implements the method of embodiment 1 when executing the computer program.
Example 4.
Embodiment 4 of the present invention also provides a computer-readable storage medium storing a computer program which, when executed by a processor, causes the processor to execute the method of embodiment 1 described above.
Finally, it should be noted that the above embodiments are only used to illustrate the technical solutions of the present invention and are not limiting. Although the present invention has been described in detail with reference to the embodiments, it will be understood by those skilled in the art that various changes may be made and equivalents may be substituted without departing from the spirit and scope of the invention as defined in the appended claims.

Claims (9)

1. A traffic fast forwarding method based on SSL/TLS protocol is characterized in that the method comprises the following steps:
receiving a client hello message sent by a client, modifying the client hello message, and recording a client random number;
forwarding the modified client hello message to a server;
obtaining a server hello message according to the modified client hello message;
sending a server hello message to a data acquisition device, recording protocol version information and encryption suite information in the server hello message, and a server random number;
judging whether the current connection supports fast forwarding or not according to a judgment criterion for supporting fast forwarding of SSL/TLS traffic; if the current connection supports fast forwarding, the ciphertext data is forwarded to the client or the server through the fast forwarding channel; and if the current connection does not support fast forwarding, the encrypted data is forwarded to the client or the server through a conventional forwarding channel.
2. The SSL/TLS protocol-based traffic fast forwarding method as claimed in claim 1, wherein the receiving and modifying the client hello message sent by the client specifically comprises:
receiving a client hello message sent by a client, deleting encryption suite information which does not adopt an RSA key exchange algorithm, obtaining the modified client hello message, and recording a client random number; wherein the modified client hello message comprises encryption suite information using the RSA key exchange algorithm.
3. The SSL/TLS protocol-based traffic fast forwarding method as claimed in claim 1, wherein said obtaining the server hello message specifically comprises:
recording the modified encryption suite list information and the supported version number list information of the client hello message, and selecting the previous and supported encryption suite information and the supported version number information as the server hello message.
4. The SSL/TLS protocol-based traffic fast-forwarding method according to claim 1, wherein the client, the data collector, and the server have the same session key.
5. The SSL/TLS protocol-based traffic fast forwarding method as claimed in claim 1, wherein the establishing SSL/TLS protocol connection specifically includes:
judging whether the current connection supports fast forwarding or not according to a judgment criterion for supporting fast forwarding of SSL/TLS traffic;
if the server hello message contains encryption suite information with a stream cipher and version number information that is currently supported, an SSL/TLS protocol connection is established, the connection supports fast forwarding, and a flag bit is added to the connection to mark it; wherein the currently supported version number information includes: SSL v3.0, TLS v1.0, TLS v1.1 or TLS v1.2;
if the server hello message contains encryption suite information with a block cipher in CBC mode and version number information that is currently supported, an SSL/TLS protocol connection is established, the connection supports fast forwarding, and a flag bit is added to the connection to mark it; wherein the currently supported version number information includes: TLS v1.1 or TLS v1.2;
if the server hello message contains encryption suite information with an AEAD cipher and version number information that is currently supported, an SSL/TLS protocol connection is established, the connection supports fast forwarding, and a flag bit is added to the connection to mark it; wherein the currently supported version number information includes: TLS v1.2;
if the server hello message contains encryption suite information with a stream cipher, a CBC-mode block cipher or an AEAD cipher but has version number information that is not currently supported, the SSL/TLS connection currently established does not support fast forwarding.
6. The SSL/TLS protocol-based traffic fast forwarding method as claimed in claim 5, wherein the determining criteria for supporting SSL/TLS traffic fast forwarding specifically includes:
if the current connection has the flag bit, the current connection supports fast forwarding, the ciphertext data is decrypted to obtain plaintext data, the message authentication code of the plaintext data is calculated, the plaintext data is analyzed after the plaintext data is confirmed to be correct, and the ciphertext data is forwarded to the client or the server through the fast forwarding channel;
if the current connection has no flag bit, the current connection does not support fast forwarding, the ciphertext data is decrypted to obtain plaintext data, the message authentication code of the plaintext data is calculated, the plaintext data is analyzed, the message authentication code (MAC) of the analyzed plaintext data is calculated, the analyzed plaintext data and its MAC are encrypted, and the encrypted data is forwarded to the client or the server through a conventional forwarding channel.
7. A traffic fast forwarding system based on SSL/TLS protocol, the system comprising:
the receiving module is used for receiving the client hello message sent by the client, modifying the client hello message and recording the client random number;
the forwarding module is used for forwarding the modified client hello message to the server;
the acquisition module is used for obtaining the server hello message according to the modified client hello message;
the data acquisition module is used for sending the server hello message to the data acquisition device, recording protocol version information and encryption suite information in the server hello message, and recording the server random number;
the judging module is used for judging whether the current connection supports fast forwarding according to the judgment criterion for supporting fast forwarding of SSL/TLS traffic; if the current connection supports fast forwarding, the ciphertext data is forwarded to the client or the server through the fast forwarding channel; and if the current connection does not support fast forwarding, the encrypted data is forwarded to the client or the server through a conventional forwarding channel.
8. A computer device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, characterized in that the processor implements the method of any of claims 1-6 when executing the computer program.
9. A computer-readable storage medium, characterized in that the computer-readable storage medium stores a computer program which, when executed by a processor, causes the processor to carry out the method of any one of claims 1-6.
CN201910324087.0A 2019-04-22 2019-04-22 Traffic fast forwarding method and system based on SSL/TLS protocol Active CN111835688B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910324087.0A CN111835688B (en) 2019-04-22 2019-04-22 Traffic fast forwarding method and system based on SSL/TLS protocol

Publications (2)

Publication Number Publication Date
CN111835688A (en) 2020-10-27
CN111835688B (en) 2021-07-30

Family

ID=72911482

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201910324087.0A Active CN111835688B (en) 2019-04-22 2019-04-22 Traffic fast forwarding method and system based on SSL/TLS protocol

Country Status (1)

Country Link
CN (1) CN111835688B (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant