CN112564912B - Method, system and device for establishing secure connection and electronic equipment - Google Patents

Method, system and device for establishing secure connection and electronic equipment Download PDF

Info

Publication number
CN112564912B
CN112564912B CN202011341971.4A CN202011341971A CN112564912B CN 112564912 B CN112564912 B CN 112564912B CN 202011341971 A CN202011341971 A CN 202011341971A CN 112564912 B CN112564912 B CN 112564912B
Authority
CN
China
Prior art keywords
private key
management server
security certificate
client
target website
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202011341971.4A
Other languages
Chinese (zh)
Other versions
CN112564912A (en
Inventor
刘华
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing Kingsoft Cloud Network Technology Co Ltd
Original Assignee
Beijing Kingsoft Cloud Network Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Beijing Kingsoft Cloud Network Technology Co Ltd filed Critical Beijing Kingsoft Cloud Network Technology Co Ltd
Priority to CN202011341971.4A priority Critical patent/CN112564912B/en
Publication of CN112564912A publication Critical patent/CN112564912A/en
Priority to PCT/CN2021/123636 priority patent/WO2022111102A1/en
Application granted granted Critical
Publication of CN112564912B publication Critical patent/CN112564912B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3247Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00Network arrangements or protocols for supporting network services or applications
    • H04L67/14Session management
    • H04L67/141Setup of application sessions
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/085Secret sharing or secret splitting, e.g. threshold schemes
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0861Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3263Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements
    • H04L9/3268Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements using certificate validation, registration, distribution or revocation, e.g. certificate revocation list [CRL]

Abstract

The invention provides a method, a system, a device and electronic equipment for establishing secure connection, wherein when receiving an access request of a target website sent by a client, a secure certificate is obtained from a management server in which the secure certificate of the target website and a private key of the secure certificate are stored, and the secure certificate is sent to the client; when the private key of the security certificate is required to be used for signature or decryption, a private key use request is sent to the management server, and the management server uses the private key of the security certificate to sign or decrypt the private key use request; and receiving a processing result returned by the management server, and establishing a secure connection with the client based on the processing result. In the method, the security certificate of the website and the private key of the security certificate are only stored in the management server, the security certificate and the private key do not need to be issued in advance, and when the client accesses the target website, the management server uses the security certificate and the private key to establish connection with the client, so that the leakage of the private key and the certificate is avoided, and the data security is improved.

Description

Method, system and device for establishing secure connection and electronic equipment
Technical Field
The present invention relates to the field of data security technologies, and in particular, to a method, a system, an apparatus, and an electronic device for establishing a secure connection.
Background
HTTPS (Hyper Text Transfer Protocol over secure HTTP Protocol) is an HTTP channel targeted for security, and the security of the transmission process is ensured by transmission encryption and identity authentication on the basis of HTTP. The use of HTTPS complies with PKI (Public Key Infrastructure) requirements, requiring a provider of a service to provide a certificate and a corresponding private Key, and then establish a secure connection with a client. In practical application, after a Content Delivery Network (CDN) is used by a source station, an HTTPS connection established by a client-side homologous station is transferred from the source station to a CDN node, that is, the CDN node represents the source station to perform handshaking, so that a certificate and a private key of the source station need to be deployed on the CDN node, but because the number of CDN nodes is large, the number of an entire server is huge, and the certificate and the private key are stored in a cache server of each CDN node, the private key and the certificate are easily leaked, and further, data security of a user is threatened.
Disclosure of Invention
The invention aims to provide a method, a system, a device and electronic equipment for establishing secure connection, so as to reduce the risk of leakage of a private key and a certificate and further ensure the data security of a user.
In a first aspect, an embodiment of the present invention provides a method for establishing a secure connection, where the method includes: if an access request aiming at a target website sent by a client is received, a security certificate of the target website is obtained from a management server; the management server stores a security certificate of a target website and a private key corresponding to the security certificate; sending the security certificate to the client; when a private key corresponding to the security certificate is required to be used for signature or decryption, a private key use request is sent to the management server, so that the private key use request is signed or decrypted by the private key corresponding to the security certificate through the management server, and a processing result is returned; and receiving a processing result returned by the management server, and establishing a secure connection with the client based on the processing result.
In an optional embodiment, the access request of the target website carries a domain name of the target website; the step of acquiring the security certificate of the target website from the management server if the access request for the target website sent by the client is received includes: if an access request aiming at a target website sent by a client is received, extracting a domain name of the target website carried by the access request; sending the domain name of the target website to a management server; and receiving the security certificate of the target website returned by the management server according to the domain name of the target website.
In an optional embodiment, after the step of sending the security certificate to the client, the method further includes: receiving an encrypted premaster secret key obtained after a client encrypts a premaster secret key of the client by using a security certificate; the step of sending a private key use request to the management server when the private key corresponding to the security certificate is required to be used for signing or decrypting, so that the private key use request is signed or decrypted by the management server using the private key corresponding to the security certificate, includes: sending the encrypted premaster secret key to a management server so as to decrypt the encrypted premaster secret key by using a private key corresponding to the security certificate through the management server; the step of receiving the processing result returned by the management server and establishing the secure connection with the client based on the processing result includes: and receiving the decrypted premaster secret key returned by the management server, and establishing a secure connection with the client based on the premaster secret key.
In an optional embodiment, the private key use request carries a specified parameter; the step of sending the private key use request to the management server so as to sign or decrypt the private key use request by using the private key corresponding to the security certificate through the management server includes: sending a private key use request carrying the specified parameters to the management server, so that the management server uses a private key corresponding to the security certificate to sign the specified parameters, and returning signature information; the step of receiving the processing result returned by the management server and establishing the secure connection with the client based on the processing result includes: receiving signature information returned by the management server, and sending the signature information to the client so that the client can verify the signature information through the security certificate to obtain specified parameters; and establishing a secure connection with the client based on the specified parameters.
In an optional embodiment, the private key use request carries a target parameter included in the access request; the step of sending a private key use request to the management server to sign or decrypt the private key use request by using the private key corresponding to the security certificate through the management server includes: sending a private key use request to a management server, signing the private key use request by using a private key corresponding to a security certificate through the management server, generating a temporary public key based on a target parameter, calculating a shared key by combining the temporary public key and the target parameter, and returning signature information, the temporary public key and the shared key; the step of receiving the processing result returned by the management server and establishing the secure connection with the client based on the processing result includes: receiving signature information, a temporary public key and a shared key returned by the management server, and sending the signature information and the temporary public key to the client so that the client verifies the signature information through the security certificate, and generating the shared key based on the temporary public key and the target parameter after the signature verification is successful; and establishing a secure connection with the client based on the shared secret key.
In an optional implementation manner, before the step of obtaining the security certificate of the target website from the management server if the access request for the target website sent by the client is received, the method further includes: and authenticating the first certificate and the private key corresponding to the first certificate and the second certificate stored by the management server, and establishing a secure connection with the management server.
In a second aspect, an embodiment of the present invention provides a method for establishing a secure connection, where the method includes: if an access request aiming at a target website sent by a webpage server is received, sending a stored security certificate of the target website to the webpage server; the access request is sent to a webpage server by a client; receiving a private key use request sent by a webpage server, and using a private key corresponding to a stored security certificate to sign or decrypt the private key use request to obtain a processing result; and sending the processing result to a webpage server so that the webpage server establishes a secure connection with the client based on the processing result.
In an optional embodiment, the access request of the target website carries a domain name of the target website; the step of sending the stored security certificate of the target website to the web server if receiving the access request for the target website sent by the web server includes: according to the domain name of the target website carried in the received access request, searching the security certificate of the target website in the stored security certificate and the private key corresponding to the security certificate; and sending the searched security certificate to a webpage server.
In a third aspect, an embodiment of the present invention provides a system for establishing a secure connection, where the system includes: the management server and the webpage server are in communication connection; the management server is used for storing a security certificate of the website and a private key corresponding to the security certificate; the webpage server is used for acquiring a security certificate of the target website from the management server when receiving an access request aiming at the target website sent by the client and sending the acquired security certificate to the client; the webpage server is also used for sending a private key use request to the management server when a private key corresponding to the security certificate is required to be used for signature or decryption; the management server is used for receiving the private key use request, using a private key corresponding to the security certificate to sign or decrypt the private key use request, and sending a processing result to the webpage server; the webpage server is also used for establishing a secure connection with the client based on the received processing result.
In a fourth aspect, an embodiment of the present invention provides an apparatus for establishing a secure connection, where the apparatus includes: the certificate acquisition module is used for acquiring a security certificate of a target website from the management server if an access request aiming at the target website sent by the client is received; the management server stores a security certificate of a target website and a private key corresponding to the security certificate; the certificate sending module is used for sending the security certificate to the client so as to encrypt a premaster secret key of the client by using the security certificate through the client; the private key using module is used for sending a private key using request to the management server when a private key corresponding to the security certificate is required to be used for signature or decryption, so that the private key using request is signed or decrypted by the private key corresponding to the security certificate through the management server, and a processing result is returned; and the connection establishing module is used for receiving the processing result returned by the management server and establishing the safe connection with the client based on the processing result.
In a fifth aspect, an embodiment of the present invention provides an apparatus for establishing a secure connection, where the apparatus includes: the certificate determining module is used for sending the stored security certificate of the target website to the webpage server if receiving an access request aiming at the target website sent by the webpage server; the access request is sent to a webpage server by a client; the private key processing module is used for receiving a private key use request sent by the webpage server, and using a private key corresponding to the stored security certificate to sign or decrypt the private key use request to obtain a processing result; and the result returning module is used for sending the processing result to the webpage server so that the webpage server establishes a secure connection with the client based on the processing result.
In a sixth aspect, an embodiment of the present invention provides an electronic device, which includes a processor and a memory, where the memory stores machine-executable instructions capable of being executed by the processor, and the processor executes the machine-executable instructions to implement the method for establishing a secure connection according to the first aspect or the method for establishing a secure connection according to the second aspect.
In a seventh aspect, an embodiment of the present invention provides a machine-readable storage medium, which stores machine-executable instructions, and when the machine-executable instructions are called and executed by a processor, the machine-executable instructions cause the processor to implement the method for establishing a secure connection according to the first aspect or the method for establishing a secure connection according to the second aspect.
The embodiment of the invention brings the following beneficial effects:
according to the method, the system, the device and the electronic equipment for establishing the secure connection, if an access request aiming at a target website sent by a client is received, a security certificate of the target website is obtained from a management server which stores the security certificate of the target website and a private key corresponding to the security certificate; further sending the obtained security certificate to the client; when a private key corresponding to the security certificate is required to be used for signature or decryption, a private key use request is sent to the management server, so that the private key use request is signed or decrypted by the private key corresponding to the security certificate through the management server, and a processing result is returned; and then receiving a processing result returned by the management server, and establishing a secure connection with the client based on the processing result. In the method, the security certificate of the website and the private key of the security certificate are stored in the management server, the security certificate and the private key do not need to be issued in advance, and when the client accesses the target website, the client uses the security certificate and the private key in a real-time communication mode with the management server to establish connection with the client, so that the leakage of the private key and the certificate is avoided, and the security of user data is improved.
Additional features and advantages of the invention will be set forth in the description which follows, and in part will be obvious from the description, or may be learned by the practice of the invention as set forth hereinafter.
In order to make the aforementioned and other objects, features and advantages of the present invention comprehensible, preferred embodiments accompanied with figures are described in detail below.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the embodiments or the prior art descriptions will be briefly described below, and it is obvious that the drawings in the following description are some embodiments of the present invention, and other drawings can be obtained by those skilled in the art without creative efforts.
Fig. 1 is a flowchart of a method for establishing a secure connection according to an embodiment of the present invention;
fig. 2 is a flowchart of another method for establishing a secure connection according to an embodiment of the present invention;
fig. 3 is a flowchart of another method for establishing a secure connection according to an embodiment of the present invention;
fig. 4 is a flowchart of another method for establishing a secure connection according to an embodiment of the present invention;
fig. 5 is a flowchart of another method for establishing a secure connection according to an embodiment of the present invention;
fig. 6 is a schematic structural diagram of a system for establishing a secure connection according to an embodiment of the present invention;
fig. 7 is a schematic structural diagram of an apparatus for establishing a secure connection according to an embodiment of the present invention;
fig. 8 is a schematic structural diagram of another apparatus for establishing a secure connection according to an embodiment of the present invention;
fig. 9 is a schematic structural diagram of an electronic device according to an embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are some, but not all, embodiments of the present invention. The components of embodiments of the present invention generally described and illustrated in the figures herein may be arranged and designed in a wide variety of different configurations.
Thus, the following detailed description of the embodiments of the present invention, presented in the figures, is not intended to limit the scope of the invention, as claimed, but is merely representative of selected embodiments of the invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
HTTPS may implement encryption for HTTP requests and responses to ensure data integrity, privacy, and authentication. The use of HTTPS complies with PKI requirements, requiring a provider of a service to provide a certificate and a private key corresponding to the certificate, and then establish a secure connection with a client. In practical applications, after the CDN is used by the website, the HTTPS connection established between the client and the website is transferred from the source station to the CDN node, that is, the CDN node performs handshake on behalf of the source station, so that a certificate and a private key of the website need to be deployed on the CDN node, so that the CDN node completes SSL (Secure Sockets Layer)/TLS (Transport Layer Security) handshake. However, because the number of CDN nodes is large, the number of the entire servers is huge, and the certificate and the private key are stored in the cache server of each CDN node, the probability that the private key and the certificate are attacked becomes high, the risk of leakage exists, and the data security of the user is further threatened.
In the related art, a source station is required to send a certificate and a private key to a server (which is equivalent to the CDN node) so that the server performs SSL/TLS handshake with a client through the certificate and the private key, where the handshake process based on the RSA algorithm is as follows:
1. the client hello may be called a "client hello", that is, the client sends a domain Name access request to the Server, where the access request includes SNI (Server Name Indication) information, an encryption algorithm supported by the client, and the like.
2. The server hello may be referred to as "server hello", that is, after receiving the access request, the server gives the client response handshake information, including well-matched negotiated encryption algorithm, digital certificate, and the like, where the digital certificate is a public key and only includes a lot of information, such as an issuing authority of the certificate, expiration time, a public key of the server, a signature of a certificate certification authority of a third party, domain name information of the server, and the like.
3. The client analyzes the digital certificate, and firstly, whether a public key in the digital certificate is valid is verified, such as an issuing organization, expiration time and the like; if the abnormal condition is found, a warning box is popped up to prompt that the certificate has a problem, if the certificate has no problem, a pre-master key is randomly generated, the pre-master key is encrypted through a public key in the digital certificate, and the encrypted pre-master key is sent to the server.
4. The server decrypts the received encrypted premaster secret key by using the private key corresponding to the digital certificate to obtain the decrypted premaster secret key, and at the moment, the client and the server both have premaster secret keys which can jointly obtain a session secret key.
5. The client encrypts a message through the session key and sends the message to the server, and mainly verifies whether the server can normally receive the message encrypted by the client.
6. The server side also encrypts a message through the session key and transmits the message back to the client side, if the client side can normally receive the message, the SSL/TLS layer connection establishment is completed.
In the process of handshaking based on DH (Diffie-Hellman, key exchange), the first two steps are the same as the process of handshaking based on RSA algorithm, and the third step is that the server side signs the appointed parameters through the private key corresponding to the digital certificate and sends the signed information to the client side, so that the client side verifies the signed information through the digital certificate, and the client side obtains the appointed parameters after the verification is successful, thereby establishing the session key between the client side and the server side through the appointed parameters.
In the handshake process based on the TLS1.3 algorithm, a client sends a client hello, wherein the client hello mainly comprises a protocol version supported by the client, a session identifier, a cipher suite, a compression algorithm, an expansion message (key sharing, pre-shared keys, pre-shared key modes and the like) and a parameter to be encrypted; then the server replies a sever hello message, which comprises: the selected encryption suite sends the certificate to the client; signing the handshake message by using a private key corresponding to the certificate, and sending a result to the client; selecting parameters provided by a client to generate a temporary public key, and calculating a shared key for encrypting the HTTP message by combining the selected parameters; and the temporary public key generated by the server is sent to the client through a KeyShare message. After receiving the KeyShare message, the client uses the certificate public key to carry out signature verification, obtains a temporary public key of the server, and generates a shared key required by the session; the two parties encrypt and transmit the message by using the generated shared secret key, so that the message safety is ensured.
Generally speaking, for a customer with more stringent security requirements, it is not desirable to expose the private key to the CDN node, and if the security requirements are higher or the deployment conditions are more stringent, the customer may desire to not expose both the certificate and the private key to the CDN node.
Based on the above problems, embodiments of the present invention provide a method, a system, an apparatus, and an electronic device for establishing a secure connection, where the technology may be applied in an HTTPS access scenario, especially an SSL/TSL handshake scenario. To facilitate understanding of the embodiment, a method for establishing a secure connection disclosed in the embodiment of the present invention is first described in detail, where the method is applied to a web server, where the web server is equivalent to the CDN node, the web server is respectively in communication with a client and a management server, and the client may be a mobile terminal, such as a mobile phone, a tablet computer, an intelligent bracelet, or a computer; the management server may be a single physical server, and the management server may store a security certificate (corresponding to the digital certificate) of at least one website and a private key corresponding to the security certificate in advance.
As shown in fig. 1, the method for establishing a secure connection includes the following steps:
step S102, if an access request aiming at a target website sent by a client is received, a security certificate of the target website is obtained from a management server.
The target website is generally a website that a customer wants to access, and the target website can provide corresponding services for the customer, and specific services provided can be set according to research and development requirements of research and development personnel on the target website. In specific implementation, after receiving an access request for a target website sent by a client, a web server forwards the access request for the target website to a management server, or sends a certificate acquisition request to the management server based on the access request, so that the management server searches a security certificate of the target website from stored security certificates, and returns the searched security certificate of the target website to the web server.
In a specific implementation, when a user accesses a target website through a client, an HTTPS GET request (corresponding to the access request) is initiated to a web server. In the process of the HTTPS GET request, according to the SSL/TLS protocol, a "handshake" is first performed, and in the process of the SSL/TLS handshake, a specific format of an access request of a target website may be a client hello message.
And step S104, sending the security certificate to the client.
And after receiving the security certificate of the target website, the webpage server sends the security certificate to the client. In the SSL/TLS handshake process, the specific format of the security certificate sent by the web server to the client may be a server hello (server hello) message.
Step S106, when the private key corresponding to the security certificate is required to be used for signature or decryption, a private key use request is sent to the management server, so that the private key use request is signed or decrypted by the private key corresponding to the security certificate through the management server, and a processing result is returned.
When the webpage server establishes the secure connection with the client, the webpage server needs to use the private key corresponding to the secure certificate for signing or decrypting, so that the webpage server needs to send a private key use request to the management server, the private key use request can carry information needing to be signed or information needing to be decrypted, the management server uses the private key corresponding to the secure certificate to sign the information needing to be signed or decrypt the information needing to be decrypted, and a processing result is returned to the webpage server.
And step S108, receiving the processing result returned by the management server, and establishing the safe connection with the client based on the processing result.
And after receiving the processing result returned by the management server, the webpage server generates a session key based on the processing result, so that the secure connection with the client is established through the session key.
According to the method for establishing the secure connection, if an access request aiming at a target website sent by a client is received, a security certificate of the target website is obtained from a management server which stores the security certificate of the target website and a private key corresponding to the security certificate; further sending the obtained security certificate to the client; when a private key corresponding to the security certificate is required to be used for signature or decryption, a private key use request is sent to the management server, so that the private key use request is signed or decrypted by the private key corresponding to the security certificate through the management server, and a processing result is returned; and then receiving a processing result returned by the management server, and establishing a secure connection with the client based on the processing result. In the method, the security certificate of the website and the private key of the security certificate are stored in the management server, the security certificate and the private key do not need to be issued in advance, and when the client accesses the target website, the client uses the security certificate and the private key in a real-time communication mode with the management server to establish connection with the client, so that the leakage of the private key and the certificate is avoided, and the security of user data is improved.
The embodiment of the invention also provides another method for establishing the safe connection, which is realized on the basis of the method of the embodiment; the method mainly describes a specific process of acquiring a security certificate of a target website from a management server if an access request aiming at the target website sent by a client is received (realized by steps S204-S208), when a private key corresponding to the security certificate is required to be used for signature or decryption, a private key using request is sent to the management server, so that the private key using request is signed or decrypted by the private key corresponding to the security certificate through the management server, a specific process of returning a processing result is returned (realized by step S212), and a specific process of receiving the processing result returned by the management server and establishing a secure connection with the client based on the processing result (realized by step S214); as shown in fig. 2, the method comprises the steps of:
step S202, the stored first certificate and the private key corresponding to the first certificate are authenticated with the second certificate stored by the management server and the private key corresponding to the second certificate, and the secure connection with the management server is established.
The first certificate and the private key corresponding to the first certificate are used for proving the identity of the web server and are stored in the web server in advance; the second certificate and the private key corresponding to the second certificate are used for proving the identity of the management server and are stored in the management server in advance. When the safe connection between the web server and the management server is established, the web server is required to send the first certificate to the management server, the management server sends the second certificate to the web server for mutual authentication, and after the authentication is passed, the web server can encrypt session information through a private key corresponding to the first certificate so that the management server can decrypt the session information through a public key in the first certificate; the management server may also encrypt the session information through a private key corresponding to the second certificate, so that the web server decrypts through the public key in the second certificate.
Step S204, if an access request aiming at the target website sent by the client is received, extracting the domain name of the target website carried by the access request.
In a specific implementation, the access request of the target website may carry information such as a domain name and SNI information of the target website.
Step S206, the domain name of the target website is sent to the management server.
And step S208, receiving the security certificate of the target website returned by the management server according to the domain name of the target website.
When the management server receives the domain name of the target website, the security certificate corresponding to the domain name, that is, the security certificate of the target website, can be searched in the security certificate stored in the management server and the private key corresponding to the security certificate, and the searched security certificate is sent to the web server.
Step S210, sending the security certificate to the client, so that the client encrypts the premaster secret key of the client by using the security certificate.
After receiving the security certificate, the client verifies whether the public key in the security certificate is valid, such as an issuing organization, expiration time and the like, and if the public key is found to be abnormal, a warning box is popped up to prompt that the security certificate has a problem; if the certificate has no problem, a pre-master key is randomly generated, the pre-master key is encrypted through a public key in the security certificate, and the encrypted pre-master key is sent to the webpage server. The premaster secret is typically a 48-bit block of data that can be combined with the client and web server randomness, and a session key is randomly created in the web server using a pseudo-random function.
In specific implementation, when receiving the security certificate of the target website sent by the management server, the web server sends the security certificate to the client, and meanwhile, the received security certificate of the target website can be cached for a specified time, so that when other clients send access requests of the target website within the specified time, the access requests are directly returned to the client.
Step S212, receiving the encrypted premaster secret key sent by the client, and sending the encrypted premaster secret key to the management server, so that the management server decrypts the encrypted premaster secret key by using the private key corresponding to the security certificate.
And after receiving the encrypted premaster secret key sent by the client, the webpage server sends the encrypted premaster secret key to the management server, and the management server decrypts the encrypted premaster secret key by using a private key corresponding to the security certificate of the target website to obtain the decrypted premaster secret key.
Step S214, receiving the decrypted premaster secret key returned by the management server, and establishing a secure connection with the client based on the premaster secret key.
The webpage server stores the pre-master key after receiving the decrypted pre-master key returned by the management server, at the moment, the client and the webpage server have the same pre-master key and can jointly obtain a session key, and then the client encrypts a message through the session key and sends the message to the webpage server so as to verify whether the server can normally receive the encrypted message sent by the client; the web server also encrypts a message through the session key and transmits the message back to the client, if the client can normally receive the message, the SSL/TLS handshake is completed, that is, the secure connection between the web server and the client is established.
In a specific implementation, the above steps S204-S214 are logic inserted in the whole SSL/TLS handshake phase, where the SSL/TLS handshake phase is essentially to compute a symmetric key, the security certificate is to confirm the validity of the target website to the client, and the corresponding private key of the security certificate is to finally compute the symmetric key. In the handshake phase, the client initiates an HTTPS request (equivalent to the access request of the target website) to the web server, and the web server is used as a server and aims to agree with a symmetric key with the client in the whole handshake process; in the process of calculating the symmetric key, a private key signature or private key decryption mode and related information are needed to calculate some key information for final symmetric key generation, and the specific process is as follows: after receiving the security certificate, the client encrypts the randomly generated pre-master key by using the public key in the security certificate, and then sends the encrypted pre-master key to the web server, the web server encodes the encrypted pre-master key and the unique identifier of the related key by using a private protocol and then transmits the encoded pre-master key and the unique identifier of the related key to the management server, and the management server performs calculation (namely decrypts the encrypted pre-master key by using the private key corresponding to the security certificate to obtain the decrypted pre-master key) and then transmits the decrypted pre-master key back to the web server. And the webpage server receives the decrypted premaster secret key and establishes a secure connection with the client based on the premaster secret key. The above proprietary protocol is usually a set of self-defined protocol standards in an enterprise, and is only suitable for equipment products produced by the enterprise.
In the whole handshake process, the security certificate and the private key are stored through the management server instead of being issued and stored in the webpage server, so that on one hand, the management authority of the security certificate and the private key is given to the management server, the management is convenient, and therefore, a client can completely master the management of the security certificate and the private key; on the other hand, the possibility that the webpage server reveals the security certificate and the private key is also avoided.
According to the method for establishing the secure connection, the management server stores and manages the security certificate and the private key of the website, the web page server does not need to provide the security certificate and the private key to the web page server, and the web page server obtains the security certificate and the private key from the management server when using the security certificate and the private key, so that the security certificate and the private key are prevented from being leaked, and a client can completely control the management of the security certificate and the private key; meanwhile, the deployment of the webpage server is shorter and the safety is higher. In the method, the security certificate of the website and the private key of the security certificate are stored in the management server and do not need to be issued to the webpage server in advance, when the client accesses the target website, the webpage server uses the security certificate and the private key in a real-time communication mode with the management server to establish a secure connection with the client, so that the leakage of the private key and the certificate can be avoided, and the security of user data is improved.
The embodiment of the invention also provides another method for establishing the safe connection, which is realized on the basis of the method of the embodiment; the method mainly describes a specific process (realized by the following step S306) of sending a private key use request to a management server when a private key corresponding to a security certificate is required to be used for signing or decrypting the private key use request, and returning a processing result, and a specific process (realized by the following step S308) of receiving the processing result returned by the management server and establishing a secure connection with a client based on the processing result, wherein the private key use request is sent to the management server so as to be used by the management server for signing or decrypting the private key use request; as shown in fig. 3, the method comprises the steps of:
step S302, if an access request aiming at the target website sent by the client is received, the security certificate of the target website is obtained from the management server.
Step S304, sending the security certificate to the client.
Step S306, sending a private key using request carrying the specified parameters to the management server, so that the management server uses the private key corresponding to the security certificate to sign the specified parameters, and returning the signature information.
After the webpage server sends the security certificate to the client, a private key using request carrying the specified parameters is sent to the management server; and after receiving the private key use request, the management server signs the specified parameters by using the private key corresponding to the security certificate to obtain signature information and returns the signature information to the page server. The specified parameter may be a hellman parameter.
Step S308, receiving the signature information returned by the management server, and sending the signature information to the client so that the client can check the signature information through the security certificate to obtain the designated parameters; and establishing a secure connection with the client based on the specified parameters.
The webpage server sends the received signature information returned by the management server to the client, the client verifies the signature information by using the received security certificate, and the specified parameters are obtained after the verification is successful, so that the webpage server and the client both store the specified parameters, the webpage server and the client can establish a session key according to the specified parameters, and the secure connection between the webpage server and the client is also established.
According to the method for establishing the secure connection, the security certificate of the website and the private key of the security certificate are stored in the management server and do not need to be issued to the webpage server in advance, when the client accesses the target website, the webpage server uses the security certificate and the private key in a real-time communication mode with the management server to establish the secure connection with the client, so that the private key and the certificate can be prevented from being leaked, and the security of user data is improved.
The embodiment of the invention also provides another method for establishing the safe connection, which is realized on the basis of the method of the embodiment; the method mainly describes a specific process (realized by the following step S404) of sending a private key use request to a management server when a private key corresponding to a security certificate is required to be used for signing or decrypting the private key use request, and returning a processing result, and a specific process (realized by the following step S406) of receiving the processing result returned by the management server and establishing a secure connection with a client based on the processing result, wherein the private key use request is sent to the management server; as shown in fig. 4, the method includes the steps of:
step S402, if an access request aiming at a target website sent by a client is received, a security certificate of the target website is obtained from a management server, and the access request carries target parameters.
The target parameter is a parameter provided by the client for generating a session key between the client and the web server.
Step S404, sending the security certificate to the client, sending a private key use request carrying the target parameter to the management server, signing the private key use request by using the private key corresponding to the security certificate through the management server, generating a temporary public key based on the target parameter, calculating a shared key by combining the temporary public key and the target parameter, and returning signature information, the temporary public key and the shared key.
Step S406, receiving the signature information, the temporary public key and the shared key returned by the management server, and sending the signature information and the temporary public key to the client so that the client verifies the signature information through the security certificate, and after the signature verification is successful, generating the shared key based on the temporary public key and the target parameter; a secure connection is established with the client based on the shared key.
After the client generates the shared key, the client and the web server both store the shared key, and the client and the web server can perform a session according to the shared key.
According to the method for establishing the secure connection, the security certificate of the website and the private key of the security certificate are stored in the management server, the security certificate and the private key do not need to be issued in advance, when the client accesses the target website, the security certificate and the private key are used in a real-time communication mode with the management server, and the connection with the client is established, so that the private key and the certificate are prevented from being leaked, and the security of user data is improved.
With respect to the foregoing embodiment, another method for establishing a secure connection is further provided in the embodiments of the present invention, where the method is applied to a management server, and as shown in fig. 5, the method includes the following steps:
step S502, if receiving the access request aiming at the target website sent by the web server, sending the stored security certificate of the target website to the web server.
The access request is transmitted to the web server by the client, and the web server forwards the access request to the management server.
Step S504, receiving the private key use request sent by the web server, and using the private key corresponding to the stored security certificate to sign or decrypt the private key use request, so as to obtain a processing result.
Step S506, the processing result is sent to the web server, so that the web server establishes a secure connection with the client based on the processing result.
In specific implementation, the access request of the target website carries a domain name of the target website; the step S502 can be implemented by the following steps 10-11:
and step 10, searching the security certificate of the target website in the stored security certificate and the private key corresponding to the security certificate according to the domain name of the target website carried in the received access request.
And step 11, sending the searched security certificate to a webpage server.
According to the method for establishing the safe connection, if an access request aiming at a target website sent by a webpage server is received, a stored safety certificate of the target website is sent to the webpage server; the webpage server sends the received security certificate to the client; and then receiving a private key use request sent by the webpage server, using a private key corresponding to the stored security certificate to sign or decrypt the private key use request to obtain a processing result, and sending the processing result to the webpage server so that the webpage server establishes secure connection with the client based on the processing result. In the method, the security certificate of the website and the private key of the security certificate are stored in the management server, a webpage server does not need to issue the security certificate and the private key value in advance, and when the client accesses the target website, the webpage server uses the security certificate and the private key in a real-time communication mode with the management server to establish connection with the client, so that the leakage of the private key and the certificate is avoided, and the security of user data is improved.
Corresponding to the above method embodiment, an embodiment of the present invention further provides a system for establishing a secure connection, as shown in fig. 6, where the system includes: a management server 60 and a web server 61 which are in communication connection, wherein the web server 61 is also in communication connection with the client; the management server 60 is configured to store a security certificate of a website and a private key corresponding to the security certificate.
The web server 61 is configured to, upon receiving an access request for a target website sent by a client, acquire a security certificate of the target website from the management server 60, and send the acquired security certificate to the client.
The web server 61 is also configured to send a private key use request to the management server 60 when a signature or decryption needs to be performed using a private key corresponding to the security certificate.
The management server 60 is configured to receive the private key use request, sign or decrypt the private key use request using a private key corresponding to the security certificate, and send a processing result to the web server 61.
The web server 61 is also used to establish a secure connection with the client based on the received processing result. Upon receiving the processing result returned from the management server 60, the web server 61 generates a session key based on the processing result, and establishes a secure connection with the client using the session key.
The system for establishing a secure connection provided by the embodiment of the present invention has the same implementation principle and technical effect as the foregoing method embodiment, and for brief description, reference may be made to corresponding contents in the foregoing method embodiment for the part of the system embodiment that is not mentioned.
Corresponding to the method embodiments described in fig. 1 to fig. 4, an embodiment of the present invention provides an apparatus for establishing a secure connection, where the apparatus is disposed in a page server, and as shown in fig. 7, the apparatus includes:
a certificate acquiring module 70, configured to acquire a security certificate of a target website from a management server if an access request for the target website sent by a client is received; the management server stores a security certificate of the target website and a private key corresponding to the security certificate.
A certificate sending module 71, configured to send the security certificate to the client.
The private key using module 72 is configured to send a private key using request to the management server when a private key corresponding to the security certificate needs to be used for signing or decrypting, so that the management server uses the private key corresponding to the security certificate to sign or decrypt the private key using request, and returns a processing result.
And the connection establishing module 73 is used for receiving the processing result returned by the management server and establishing a secure connection with the client based on the processing result.
If an access request aiming at a target website sent by a client is received, the device for establishing the secure connection acquires a security certificate of the target website from a management server which stores the security certificate of the target website and a private key corresponding to the security certificate; further sending the obtained security certificate to the client; when a private key corresponding to the security certificate is required to be used for signature or decryption, a private key use request is sent to the management server, so that the private key use request is signed or decrypted by the private key corresponding to the security certificate through the management server, and a processing result is returned; and then receiving a processing result returned by the management server, and establishing a secure connection with the client based on the processing result. In the method, the security certificate of the website and the private key of the security certificate are stored in the management server, the security certificate and the private key do not need to be issued in advance, and when the client accesses the target website, the client uses the security certificate and the private key in a real-time communication mode with the management server to establish connection with the client, so that the leakage of the private key and the certificate is avoided, and the security of user data is improved.
Specifically, the access request of the target website carries a domain name of the target website; the certificate obtaining module 70 is configured to: if an access request aiming at a target website sent by a client is received, extracting a domain name of the target website carried by the access request; sending the domain name of the target website to a management server; and receiving the security certificate of the target website returned by the management server according to the domain name of the target website.
Further, the apparatus further includes a key receiving module, configured to: and receiving the encrypted pre-master key obtained by encrypting the pre-master key of the client by using the security certificate by the client. The private key using module 72 is configured to: sending the encrypted premaster secret key to a management server so as to decrypt the encrypted premaster secret key by using a private key corresponding to the security certificate through the management server; the connection establishing module 73 is configured to: and receiving the decrypted premaster secret key returned by the management server, and establishing a secure connection with the client based on the premaster secret key.
Specifically, the private key use request carries a specified parameter; the private key using module 72 is configured to: sending a private key use request carrying the specified parameters to a management server, so that the management server uses a private key corresponding to the security certificate to sign the specified parameters, and returning signature information; the connection establishing module 73 is configured to: and receiving the signature information returned by the management server, sending the signature information to the client so that the client can verify the signature information through the security certificate to obtain the designated parameters, and establishing security connection with the client based on the designated parameters.
Further, the private key use request carries a target parameter contained in the access request; the private key using module 72 is configured to: sending a private key use request to a management server, signing the private key use request by using a private key corresponding to a security certificate through the management server, generating a temporary public key based on a target parameter, calculating a shared key by combining the temporary public key and the target parameter, and returning signature information, the temporary public key and the shared key; the connection establishing module 73 is configured to: receiving signature information, a temporary public key and a shared key returned by the management server, and sending the signature information and the temporary public key to the client so that the client verifies the signature information through the security certificate, and after the signature verification is successful, generating the shared key based on the temporary public key and the target parameter; and establishing a secure connection with the client based on the shared secret key.
Further, the apparatus further includes an authentication module configured to: before the security certificate of the target website is acquired from the management server, the stored first certificate and the private key corresponding to the first certificate are authenticated with the second certificate stored by the management server and the private key corresponding to the second certificate, and the security connection with the management server is established.
The device for establishing a secure connection provided by the embodiment of the present invention has the same implementation principle and technical effect as the foregoing method embodiment, and for brief description, reference may be made to corresponding contents in the foregoing method embodiment for the part where the embodiment of the device is not mentioned.
Corresponding to the method embodiment described in fig. 5, another apparatus for establishing a secure connection is provided in an embodiment of the present invention, and is disposed in a management server, as shown in fig. 8, where the apparatus includes:
a certificate determination module 80, configured to send the stored security certificate of the target website to the web server if an access request for the target website sent by the web server is received; the access request is sent to the webpage server by the client.
And the private key processing module 81 is configured to receive a private key use request sent by the web server, and sign or decrypt the private key use request by using a private key corresponding to the stored security certificate to obtain a processing result.
And a result returning module 82, configured to send the processing result to the web server, so that the web server establishes a secure connection with the client based on the processing result.
The device for establishing the secure connection stores and manages the security certificate and the private key of the website by the management server, does not need to provide the security certificate and the private key for the webpage server, and is obtained from the management server by the webpage server when the security certificate and the private key are used, so that the leakage of the security certificate and the private key is avoided, and a client can completely control the management of the security certificate and the private key; meanwhile, the deployment of the webpage server is shorter and the safety is higher. In the method, the security certificate of the website and the private key of the security certificate are stored in the management server, the security certificate and the private key value do not need to be issued in advance to the webpage server, and when the client accesses the target website, the webpage server uses the security certificate and the private key in a real-time communication mode with the management server to establish connection with the client, so that the private key and the certificate are prevented from being leaked, and the security of user data is improved.
Specifically, the access request of the target website carries a domain name of the target website; the certificate determination module 80 is configured to: according to the domain name of the target website carried in the received access request, searching the security certificate of the target website in the stored security certificate and the private key corresponding to the security certificate; and sending the searched security certificate to a webpage server.
The implementation principle and the generated technical effect of the apparatus for establishing a secure connection provided by the embodiment of the present invention are the same as those of the above-mentioned method embodiment for establishing a secure connection, and for the sake of brief description, no mention is made in the apparatus embodiment, and reference may be made to the corresponding contents in the foregoing method embodiment.
An embodiment of the present invention further provides an electronic device, as shown in fig. 9, where the electronic device includes a processor 101 and a memory 100, where the memory 100 stores machine executable instructions that can be executed by the processor 101, and the processor 101 executes the machine executable instructions to implement the method for establishing a secure connection.
Further, the electronic device shown in fig. 9 further includes a bus 102 and a communication interface 103, and the processor 101, the communication interface 103, and the memory 100 are connected through the bus 102.
The Memory 100 may include a Random Access Memory (RAM) and a non-volatile Memory (non-volatile Memory), such as at least one disk Memory. The communication connection between the network element of the system and at least one other network element is realized through at least one communication interface 103 (which may be wired or wireless), and the internet, a wide area network, a local network, a metropolitan area network, and the like can be used. The bus 102 may be an ISA bus, PCI bus, EISA bus, or the like. The bus may be divided into an address bus, a data bus, a control bus, etc. For ease of illustration, only one double-headed arrow is shown in FIG. 9, but this does not indicate only one bus or one type of bus.
The processor 101 may be an integrated circuit chip having signal processing capabilities. In implementation, the steps of the above method may be performed by integrated logic circuits of hardware or instructions in the form of software in the processor 101. The Processor 101 may be a general-purpose Processor, and includes a Central Processing Unit (CPU), a Network Processor (NP), and the like; the Integrated Circuit may also be a Digital Signal Processor (DSP), an Application Specific Integrated Circuit (ASIC), a Field Programmable Gate Array (FPGA) or other Programmable logic device, discrete Gate or transistor logic device, or discrete hardware components. The various methods, steps and logic blocks disclosed in the embodiments of the present invention may be implemented or performed. A general purpose processor may be a microprocessor or the processor may be any conventional processor or the like. The steps of the method disclosed in connection with the embodiments of the present invention may be directly implemented by a hardware decoding processor, or implemented by a combination of hardware and software modules in the decoding processor. The software module may be located in ram, flash memory, rom, prom, or eprom, registers, etc. storage media as is well known in the art. The storage medium is located in the memory 100, and the processor 101 reads the information in the memory 100, and completes the steps of the method of the foregoing embodiment in combination with the hardware thereof.
An embodiment of the present invention further provides a machine-readable storage medium, where the machine-readable storage medium stores machine-executable instructions, and when the machine-executable instructions are called and executed by a processor, the machine-executable instructions cause the processor to implement the method for establishing a secure connection.
The method, system, apparatus, and computer program product for establishing a secure connection provided in the embodiments of the present invention include a computer-readable storage medium storing a program code, where instructions included in the program code may be used to execute the method described in the foregoing method embodiments, and specific implementation may refer to the method embodiments, and will not be described herein again. The functions, if implemented in the form of software functional units and sold or used as a stand-alone product, may be stored in a computer readable storage medium.
Based on such understanding, the technical solution of the present invention may be embodied in the form of a software product, which is stored in a storage medium and includes instructions for causing a computer device (which may be a personal computer, an electronic device, or a network device) to perform all or part of the steps of the method according to the embodiments of the present invention. And the aforementioned storage medium includes: a U-disk, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk or an optical disk, and other various media capable of storing program codes.
Finally, it should be noted that: the above-mentioned embodiments are only specific embodiments of the present invention, which are used for illustrating the technical solutions of the present invention and not for limiting the same, and the protection scope of the present invention is not limited thereto, although the present invention is described in detail with reference to the foregoing embodiments, those skilled in the art should understand that: any person skilled in the art can modify or easily conceive the technical solutions described in the foregoing embodiments or equivalent substitutes for some technical features within the technical scope of the present disclosure; such modifications, changes or substitutions do not depart from the spirit and scope of the embodiments of the present invention, and they should be construed as being included therein. Therefore, the protection scope of the present invention shall be subject to the protection scope of the claims.

Claims (11)

1. A method of establishing a secure connection, the method comprising:
if an access request aiming at a target website sent by a client is received, a security certificate of the target website is obtained from a management server; the management server stores a security certificate of the target website and a private key corresponding to the security certificate;
sending the security certificate to the client;
when the private key corresponding to the security certificate is required to be used for signature or decryption, a private key use request is sent to the management server, so that the private key use request is signed or decrypted by the private key corresponding to the security certificate through the management server, and a processing result is returned;
receiving a processing result returned by the management server, and establishing a secure connection with the client based on the processing result;
the access request of the target website carries the domain name of the target website; the step of acquiring the security certificate of the target website from the management server if an access request aiming at the target website sent by the client is received comprises the following steps: if an access request aiming at a target website sent by the client is received, extracting a domain name of the target website carried by the access request; sending the domain name of the target website to the management server; and receiving the security certificate of the target website returned by the management server according to the domain name of the target website.
2. The method of claim 1, wherein after the step of sending the security certificate to the client, the method further comprises:
receiving an encrypted pre-master key obtained by encrypting a pre-master key of the client by using the security certificate by the client;
when the private key corresponding to the security certificate is required to be used for signing or decrypting, a private key use request is sent to the management server, so that the private key use request is signed or decrypted by the private key corresponding to the security certificate through the management server, and the method comprises the following steps:
sending the encrypted premaster secret key to the management server so as to decrypt the encrypted premaster secret key by using a private key corresponding to the security certificate through the management server;
the step of receiving the processing result returned by the management server and establishing the secure connection with the client based on the processing result comprises the following steps:
and receiving the decrypted premaster secret key returned by the management server, and establishing a secure connection with the client based on the premaster secret key.
3. The method according to claim 1, wherein the private key usage request carries specified parameters; the step of sending a private key use request to the management server so as to sign or decrypt the private key use request by using a private key corresponding to the security certificate through the management server includes:
sending a private key use request carrying the specified parameters to the management server, so that the management server uses a private key corresponding to the security certificate to sign the specified parameters, and returns signature information;
the step of receiving the processing result returned by the management server and establishing the secure connection with the client based on the processing result comprises the following steps:
receiving signature information returned by the management server, and sending the signature information to the client so that the client verifies the signature information through the security certificate to obtain the specified parameters;
and establishing a secure connection with the client based on the specified parameters.
4. The method according to claim 1, wherein the private key usage request carries a target parameter contained in the access request;
the step of sending a private key use request to the management server so as to sign or decrypt the private key use request by using a private key corresponding to the security certificate through the management server includes:
sending the private key use request to the management server, so that the private key corresponding to the security certificate is used by the management server to sign the private key use request, generating a temporary public key based on the target parameter, calculating a shared key by combining the temporary public key and the target parameter, and returning signature information, the temporary public key and the shared key;
the step of receiving the processing result returned by the management server and establishing the secure connection with the client based on the processing result comprises the following steps:
receiving signature information, the temporary public key and the shared key returned by the management server, and sending the signature information and the temporary public key to the client so that the client verifies the signature information through the security certificate, and after the verification is successful, generating the shared key based on the temporary public key and the target parameter;
establishing a secure connection with the client based on the shared key.
5. The method according to claim 1, wherein before the step of obtaining the security certificate of the target website from the management server if receiving the access request for the target website sent by the client, the method further comprises:
and authenticating with a second certificate stored by the management server and a private key corresponding to the second certificate through the stored first certificate and the private key corresponding to the first certificate, and establishing a secure connection with the management server.
6. A method of establishing a secure connection, the method comprising:
if an access request aiming at a target website sent by a webpage server is received, sending the stored security certificate of the target website to the webpage server; the access request is sent to the webpage server by a client;
receiving a private key use request sent by the webpage server, and using a stored private key corresponding to the security certificate to sign or decrypt the private key use request to obtain a processing result;
sending the processing result to the webpage server so that the webpage server establishes a secure connection with the client based on the processing result;
the access request of the target website carries the domain name of the target website; the step of sending the stored security certificate of the target website to the web server if the access request aiming at the target website sent by the web server is received comprises the following steps: according to the domain name of the target website carried in the received access request, searching a security certificate of the target website in a stored security certificate and a private key corresponding to the security certificate; and sending the searched security certificate to the webpage server.
7. A system for establishing a secure connection, the system comprising: the management server and the webpage server are in communication connection;
the management server is used for storing a security certificate of a website and a private key corresponding to the security certificate;
the webpage server is used for acquiring a security certificate of a target website from a management server when receiving an access request aiming at the target website sent by a client, and sending the acquired security certificate to the client;
the webpage server is also used for sending a private key use request to the management server when a private key corresponding to the security certificate is required to be used for signature or decryption;
the management server is used for receiving the private key use request, signing or decrypting the private key use request by using a private key corresponding to the security certificate, and sending a processing result to the webpage server;
the webpage server is further used for establishing a secure connection with the client based on the received processing result.
8. An apparatus for establishing a secure connection, the apparatus comprising:
the certificate acquisition module is used for acquiring a security certificate of a target website from a management server if an access request aiming at the target website sent by a client is received; the management server stores a security certificate of the target website and a private key corresponding to the security certificate;
the certificate sending module is used for sending the security certificate to the client;
the private key using module is used for sending a private key using request to the management server when the private key corresponding to the security certificate is required to be used for signature or decryption, so that the private key using request is signed or decrypted by using the private key corresponding to the security certificate through the management server, and a processing result is returned;
the connection establishing module is used for receiving a processing result returned by the management server and establishing a safe connection with the client based on the processing result;
the access request of the target website carries the domain name of the target website; the certificate acquisition module is used for extracting a domain name of a target website carried by an access request if the access request aiming at the target website sent by the client is received; sending the domain name of the target website to the management server; and receiving the security certificate of the target website returned by the management server according to the domain name of the target website.
9. An apparatus for establishing a secure connection, the apparatus comprising:
the certificate determining module is used for sending the stored security certificate of the target website to a webpage server if receiving an access request aiming at the target website sent by the webpage server; the access request is sent to the webpage server by a client;
the private key processing module is used for receiving a private key use request sent by the webpage server, and using a stored private key corresponding to the security certificate to sign or decrypt the private key use request to obtain a processing result;
the result returning module is used for sending the processing result to the webpage server so as to enable the webpage server to establish safe connection with the client based on the processing result;
the access request of the target website carries the domain name of the target website; the certificate determining module is used for searching a security certificate of the target website in a stored security certificate and a private key corresponding to the security certificate according to a domain name of the target website carried in the received access request; and sending the searched security certificate to the webpage server.
10. An electronic device comprising a processor and a memory, the memory storing machine executable instructions executable by the processor to perform the method of establishing a secure connection of any of claims 1 to 5 or the method of establishing a secure connection of claim 6.
11. A machine-readable storage medium having stored thereon machine-executable instructions which, when invoked and executed by a processor, cause the processor to carry out the method of establishing a secure connection of any of claims 1 to 5 or the method of establishing a secure connection of claim 6.
CN202011341971.4A 2020-11-24 2020-11-24 Method, system and device for establishing secure connection and electronic equipment Active CN112564912B (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN202011341971.4A CN112564912B (en) 2020-11-24 2020-11-24 Method, system and device for establishing secure connection and electronic equipment
PCT/CN2021/123636 WO2022111102A1 (en) 2020-11-24 2021-10-13 Method, system and apparatus for establishing secure connection, electronic device, and machine-readable storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202011341971.4A CN112564912B (en) 2020-11-24 2020-11-24 Method, system and device for establishing secure connection and electronic equipment

Publications (2)

Publication Number Publication Date
CN112564912A CN112564912A (en) 2021-03-26
CN112564912B true CN112564912B (en) 2023-03-24

Family

ID=75043803

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202011341971.4A Active CN112564912B (en) 2020-11-24 2020-11-24 Method, system and device for establishing secure connection and electronic equipment

Country Status (2)

Country Link
CN (1) CN112564912B (en)
WO (1) WO2022111102A1 (en)

Families Citing this family (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112564912B (en) * 2020-11-24 2023-03-24 北京金山云网络技术有限公司 Method, system and device for establishing secure connection and electronic equipment
CN113346990B (en) * 2021-05-11 2022-12-23 科大讯飞股份有限公司 Secure communication method and system, and related equipment and device
CN113381855B (en) * 2021-06-11 2022-12-27 上海哔哩哔哩科技有限公司 Communication method and system
CN114090981B (en) * 2021-11-29 2023-04-07 深圳前海微众银行股份有限公司 Access method and device for remote host
CN115333748B (en) * 2022-07-26 2023-10-10 深圳市明源云科技有限公司 Anti-counterfeiting communication method, system, electronic equipment and computer readable storage medium

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP1533970A1 (en) * 2003-11-24 2005-05-25 Akamai Technologies, Inc. Method and system for secure content delivery
CN107707517A (en) * 2017-05-09 2018-02-16 贵州白山云科技有限公司 A kind of HTTPs handshake methods, device and system
CN108200104A (en) * 2018-03-23 2018-06-22 网宿科技股份有限公司 The method and system that a kind of progress SSL shakes hands
CN108234114A (en) * 2016-12-22 2018-06-29 中标软件有限公司 A kind of implementation method of the SSL based on hardware encryption algorithm

Family Cites Families (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9531691B2 (en) * 2011-12-16 2016-12-27 Akamai Technologies, Inc. Providing forward secrecy in a terminating TLS connection proxy
US8782774B1 (en) * 2013-03-07 2014-07-15 Cloudflare, Inc. Secure session capability using public-key cryptography without access to the private key
CN105991622A (en) * 2015-03-05 2016-10-05 阿里巴巴集团控股有限公司 Message authentication method and device
CN105871797A (en) * 2015-11-19 2016-08-17 乐视云计算有限公司 Handshake method, device and system of client and server
BR112018071151A2 (en) * 2016-04-15 2019-02-05 Qualcomm Inc Techniques for Managing Secure Content Transmissions on a Content Delivery Network
CN112564912B (en) * 2020-11-24 2023-03-24 北京金山云网络技术有限公司 Method, system and device for establishing secure connection and electronic equipment

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP1533970A1 (en) * 2003-11-24 2005-05-25 Akamai Technologies, Inc. Method and system for secure content delivery
CN108234114A (en) * 2016-12-22 2018-06-29 中标软件有限公司 A kind of implementation method of the SSL based on hardware encryption algorithm
CN107707517A (en) * 2017-05-09 2018-02-16 贵州白山云科技有限公司 A kind of HTTPs handshake methods, device and system
CN108200104A (en) * 2018-03-23 2018-06-22 网宿科技股份有限公司 The method and system that a kind of progress SSL shakes hands

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
Information-Centric Networking (ICN) Research Challenges;D. Kutscher等;《IETF rfc7927》;20160731;全文 *

Also Published As

Publication number Publication date
WO2022111102A1 (en) 2022-06-02
CN112564912A (en) 2021-03-26

Similar Documents

Publication Publication Date Title
CN112564912B (en) Method, system and device for establishing secure connection and electronic equipment
WO2017045552A1 (en) Method and device for loading digital certificate in ssl or tls communication
JP4709815B2 (en) Authentication method and apparatus
WO2017084273A1 (en) Handshake method, device and system for client and server
CN111556025A (en) Data transmission method, system and computer equipment based on encryption and decryption operations
EP2173055A1 (en) A method, a system, a client and a server for key negotiating
CN111030814B (en) Secret key negotiation method and device
CN103763356A (en) Establishment method, device and system for connection of secure sockets layers
WO2010078755A1 (en) Method and system for transmitting electronic mail, wlan authentication and privacy infrastructure (wapi) terminal thereof
CN106941404B (en) Key protection method and device
CN110839240B (en) Method and device for establishing connection
CN113382002B (en) Data request method, request response method, data communication system, and storage medium
CN112165386B (en) Data encryption method and system based on ECDSA
CN115499250B (en) Data encryption method and device
CN115021932A (en) Authentication method for handshake process of TLCP protocol
CN110611679A (en) Data transmission method, device, equipment and system
CN109995723B (en) Method, device and system for DNS information interaction of domain name resolution system
CN116684093B (en) Identity authentication and key exchange method and system
CN105471896A (en) Agent method, device and system based on SSL (Secure Sockets Layer)
JP2014147039A (en) Cryptocommunication device, proxy server, cryptocommunication system, cryptocommunication program and proxy server program
CN115766119A (en) Communication method, communication apparatus, communication system, and storage medium
US20240064011A1 (en) Identity authentication method and apparatus, device, chip, storage medium, and program
KR101256114B1 (en) Message authentication code test method and system of many mac testserver
CN113221188B (en) AIS data evidence storage method, evidence obtaining method, device and storage medium
CN112822015B (en) Information transmission method and related device

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant