CN112637177B - Data encryption transmission method, device, equipment and medium - Google Patents

Info

Publication number: CN112637177B
Authority: CN (China)
Prior art keywords: data, client, server, packet, symmetric key
Legal status: Active
Application number: CN202011498967.9A
Other languages: Chinese (zh)
Other versions: CN112637177A (en)
Inventors: 黄友俊, 李星, 吴建平, 宋文亮
Current Assignee: CERNET Corp
Original Assignee: CERNET Corp

Classifications

    • H04L63/045 (H04L63/00 Network architectures or network communication protocols for network security; H04L63/04 ... for providing a confidential data exchange among entities communicating through data packet networks; H04L63/0428 ... wherein the data content is protected, e.g. by encrypting or encapsulating the payload) wherein the sending and receiving network entities apply hybrid encryption, i.e. combination of symmetric and asymmetric encryption
    • H04L67/02 (H04L67/00 Network arrangements or protocols for supporting network services or applications; H04L67/01 Protocols) Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]
    • H04L67/56 (H04L67/50 Network services) Provisioning of proxy services
    • H04L69/163 (H04L69/00 Network arrangements, protocols or services independent of the application payload; H04L69/16 Implementation or adaptation of IP, TCP or UDP) In-band adaptation of TCP data exchange; In-band control procedures

Abstract

The present disclosure provides a data encryption transmission method in which data is relayed by a proxy server based on the QUIC protocol. The method comprises the following steps: receiving a TCP data request packet sent by a client accessing a WEB application for the first time, and forwarding it to a server; receiving a first data response packet and a config-encapsulated data packet returned by the server, adding QUIC information to the first data response packet to generate a second data response packet, and forwarding the config-encapsulated data packet and the second data response packet to the client; receiving first service data sent by the client and encrypted with a first communication public key and a first symmetric key, and forwarding it to the server; and receiving second service data sent by the server and encrypted with a second communication public key and a second symmetric key, and forwarding it to the client. The disclosure also provides a data encryption transmission device, an electronic device and a readable storage medium.

Description

Data encryption transmission method, device, equipment and medium
Technical Field
The present disclosure relates to the field of internet technologies, and in particular, to a data encryption transmission method, apparatus, device, and medium.
Background
With the continuous development of Internet technology, new web applications appear endlessly, and users' expectations when choosing among many similar web applications keep rising. Mainstream web applications therefore need to improve interaction speed as much as possible while still guaranteeing security and stability. To improve web application performance, the application layer can use HTTP/2 to achieve multiplexed transmission, and a CDN can be used to relieve network congestion and the last-mile problem. At the transport layer, TCP is mainly used at present, but because of its inherent problems it has become a bottleneck that limits the performance of web applications.
TCP, as a transmission control protocol, has the advantages of security, stable traffic and guaranteed packet ordering, but has the disadvantages of low efficiency and time-consuming connection establishment. UDP is less secure and may suffer packet loss or out-of-order delivery, but it is simpler, has higher transmission efficiency, and can greatly reduce latency.
Disclosure of Invention
In view of the above, the present disclosure provides a data encryption transmission method, apparatus, device and medium.
One aspect of the present disclosure provides a data encryption transmission method, where the data is transmitted based on a proxy server of a QUIC protocol, including: receiving a TCP data request packet sent by a client accessing WEB application for the first time, and forwarding the TCP data request packet to a server; receiving a first data response packet and a config-encapsulated data packet returned by the server, adding QUIC information to the first data response packet, generating a second data response packet, and forwarding the config-encapsulated data packet and the second data response packet to the client; receiving first service data which are sent by the client and encrypted through a first communication public key and a first symmetric key, and forwarding the first service data to the server, wherein the first communication public key and the first symmetric key are obtained by the client through calculation according to the config-encapsulated data packet; and receiving second service data which is sent by the server and encrypted through a second communication public key and a second symmetric key, and forwarding the second service data to the client, wherein the second service data is response data of the server to the first service data.
According to an embodiment of the disclosure, after receiving the first service data, the server calculates a third symmetric key from the config-encapsulated data packet and solves for the first communication public key; it then determines whether the third symmetric key equals the first symmetric key and, if so, decrypts the first service data using the third symmetric key and the first communication public key.
According to an embodiment of the disclosure, after receiving the second service data, the client calculates a fourth symmetric key from the config-encapsulated data packet and solves for the second communication public key; it then determines whether the fourth symmetric key equals the second symmetric key and, if so, decrypts the second service data using the fourth symmetric key and the second communication public key.
According to an embodiment of the disclosure, if the fourth symmetric key equals the second symmetric key, the second symmetric key is used to encrypt service data until the client and the server disconnect.
According to an embodiment of the present disclosure, the method further comprises: and caching the data packet encapsulated by the config at the client.
According to an embodiment of the present disclosure, the method further comprises: when the client is disconnected with the server and needs to communicate again, the client acquires the cached data packet packaged by the config, calculates a new symmetric key according to the data packet packaged by the config and the random number generated by the client, and encrypts service data by using the new symmetric key.
According to the embodiment of the disclosure, the QUIC protocol-based proxy server forwards the data sent by the client to the server through an HTTP proxy.
Another aspect of the present disclosure provides a data encryption transmission apparatus, including: the client, the proxy server based on the QUIC protocol and the server, wherein the proxy server based on the QUIC protocol comprises: the first receiving module is used for receiving a TCP data request packet sent by a client for accessing a WEB application for the first time and forwarding the TCP data request packet to a server; the second receiving module is used for receiving the first data response packet and the config-encapsulated data packet returned by the server, adding QUIC information into the data response packet, generating a second data response packet, and forwarding the config-encapsulated data packet and the second data response packet to the client; a third receiving module, configured to receive first service data, which is sent by the client and encrypted by using a first communication public key and a first symmetric key, and forward the first service data to the server, where the first communication public key and the first symmetric key are obtained by the client through calculation according to the config-encapsulated data packet; and the fourth receiving module is configured to receive second service data, which is sent by the server and encrypted by using a second communication public key and a second symmetric key, and forward the second service data to the client, where the second service data is response data of the server to the first service data.
Another aspect of the present disclosure provides an electronic device including: one or more processors; memory for storing one or more programs, wherein the one or more programs, when executed by the one or more processors, cause the one or more processors to implement the method as described above.
Another aspect of the present disclosure provides a computer-readable storage medium storing computer-executable instructions for implementing the method as described above when executed.
Another aspect of the disclosure provides a computer program comprising computer executable instructions for implementing the method as described above when executed.
Drawings
The above and other objects, features and advantages of the present disclosure will become more apparent from the following description of the embodiments of the present disclosure with reference to the accompanying drawings, in which:
fig. 1 schematically shows a system architecture diagram for implementing a data encryption transmission method according to an embodiment of the present disclosure;
fig. 2 schematically shows a flow chart of a data encryption transmission method according to an embodiment of the present disclosure;
fig. 3 schematically illustrates a process diagram of 0RTT encrypted transmission according to an embodiment of the present disclosure;
FIG. 4 schematically illustrates a block diagram of a QUIC protocol based proxy server in accordance with an embodiment of the present disclosure;
fig. 5 schematically shows a block diagram of an electronic device adapted to implement the above described method according to an embodiment of the present disclosure.
Detailed Description
Hereinafter, embodiments of the present disclosure will be described with reference to the accompanying drawings. It should be understood that the description is illustrative only and is not intended to limit the scope of the present disclosure. In the following detailed description, for purposes of explanation, numerous specific details are set forth in order to provide a thorough understanding of the embodiments of the disclosure. It may be evident, however, that one or more embodiments may be practiced without these specific details. Moreover, in the following description, descriptions of well-known structures and techniques are omitted so as to not unnecessarily obscure the concepts of the present disclosure.
The terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the disclosure. The terms "comprises," "comprising," and the like, as used herein, specify the presence of stated features, steps, operations, and/or components, but do not preclude the presence or addition of one or more other features, steps, operations, or components.
All terms (including technical and scientific terms) used herein have the same meaning as commonly understood by one of ordinary skill in the art unless otherwise defined. It is noted that the terms used herein should be interpreted as having a meaning that is consistent with the context of this specification and should not be interpreted in an idealized or overly formal sense.
Where a convention analogous to "at least one of A, B and C, etc." is used, in general such a construction is intended in the sense one having skill in the art would understand the convention (e.g., "a system having at least one of A, B and C" would include but not be limited to systems that have a alone, B alone, C alone, a and B together, a and C together, B and C together, and/or A, B, C together, etc.). Where a convention analogous to "A, B or at least one of C, etc." is used, in general such a construction is intended in the sense one having skill in the art would understand the convention (e.g., "a system having at least one of A, B or C" would include but not be limited to systems that have a alone, B alone, C alone, a and B together, a and C together, B and C together, and/or A, B, C together, etc.).
In carrying out the concepts of the present disclosure, applicants have discovered that: the performance of the web application at a transmission layer can be effectively improved by adding a QUIC agent in front of the web application, and the method can be used for realizing 0RTT encrypted transmission.
Fig. 1 schematically shows a system architecture diagram for implementing a data encryption transmission method according to an embodiment of the present disclosure.
As shown in fig. 1, at least one QUIC protocol-based proxy server 102 is required to be configured between the client 101 and the server 103, and the QUIC protocol-based proxy server 102 can be used to receive the request sent by the front-end client 101 and proxy the back-end server 103.
It should be noted that the number of clients, QUIC protocol-based proxy servers and servers in the system is arbitrary and can be set according to actual requirements. The method provided by the present embodiment is described in detail with the system architecture.
Fig. 2 schematically shows a flow chart of a data encryption transmission method according to an embodiment of the present disclosure.
As shown in fig. 2, the method may include operations S201 to S204, for example.
In operation S201, a TCP data request packet sent by a client accessing a WEB application for the first time is received, and the TCP data request packet is forwarded to a server.
According to the embodiment of the disclosure, the proxy server 102 based on the QUIC protocol receives the TCP data request packet sent by the client 101 and forwards the TCP data request packet to the server 103, and the server 103 responds to the TCP data request packet to generate a first response data packet. The server 103 also generates a data packet encapsulated according to config for use in generating a symmetric key in subsequent data transmission. The packet may be a packet containing a { p, g, Kpub } triple. The proxy server 102 based on the QUIC protocol can forward the data sent by the client 101 to the server 103 through the HTTP proxy.
In operation S202, the first data response packet and the config-encapsulated data packet returned by the server are received, the QUIC information is added to the first data response packet, a second data response packet is generated, and the config-encapsulated data packet and the second data response packet are forwarded to the client.
According to the embodiment of the present disclosure, the QUIC protocol based proxy server 102 generates QUIC information, adds the QUIC information and the config-encapsulated packet to the first packet, and generates the second packet. The QUIC protocol based proxy server 102 may add the QUIC information and the config-encapsulated packet to the header of the first packet. The QUIC information may be, for example, the response header alt-svc: quic=":443"; ma=2592000; v="46,44,43,39".
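The client learns that QUIC is available by parsing the alt-svc header the proxy inserts. The parser below is an added example, not code from the patent; it handles the header value given above plus multiple alternatives and the RFC 7838 "clear" form, and chooses a QUIC version the client also supports (the version-set logic is an assumption about how a client would decide).

```python
import re
from dataclasses import dataclass, field

# Reduced RFC 7838 grammar (assumed simplification, enough for the header on this page):
#   Alt-Svc = "clear" / 1#( protocol-id "=" quoted-authority *( ";" parameter ) )
_TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
_PARAM = re.compile(r'\s*(' + _TOKEN + r')\s*=\s*(?:"([^"]*)"|(' + _TOKEN + r'))\s*([;,]?)')


@dataclass
class AltService:
    protocol: str
    host: str               # "" means "same host as the origin"
    port: int
    max_age: int = 86400    # RFC 7838 default when "ma" is absent
    versions: list = field(default_factory=list)


def parse_alt_svc(value: str) -> list:
    """Parse an Alt-Svc header value into AltService entries, in the order advertised."""
    if value.strip().lower() == "clear":
        return []
    services, current, pos = [], None, 0
    while pos < len(value):
        m = _PARAM.match(value, pos)
        if m is None:
            raise ValueError(f"malformed Alt-Svc at offset {pos}: {value[pos:]!r}")
        name, quoted, bare, sep = m.groups()
        val = quoted if quoted is not None else bare
        if current is None:                      # first parameter: protocol-id = "[host]:port"
            host, _, port = val.rpartition(":")
            current = AltService(name, host, int(port))
        elif name == "ma":
            current.max_age = int(val)
        elif name == "v":                        # Google-QUIC style version list, e.g. v="46,44"
            current.versions = [int(x) for x in val.split(",") if x.strip()]
        pos = m.end()
        if sep == "," or pos >= len(value):      # "," closes an alternative; so does end of value
            services.append(current)
            current = None
    return services


def choose_quic_version(value: str, supported: set):
    """Highest advertised QUIC version the client also supports, or None if QUIC is not usable:
    the decision behind 'the client knows the resource can be requested using QUIC'."""
    for svc in parse_alt_svc(value):
        if svc.protocol == "quic":
            common = [v for v in svc.versions if v in supported]
            if common:
                return max(common)
    return None
```

A client should switch transports only when a version it implements is offered, and should treat ma as the lifetime of the advertisement rather than caching it indefinitely.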
In operation S203, first service data encrypted by a first communication public key and a first symmetric key sent by the client is received and forwarded to the server, where the first communication public key and the first symmetric key are calculated by the client according to a config-encapsulated data packet.
According to the embodiment of the disclosure, after the client 101 receives the second response data packet containing the QUIC information from the QUIC protocol-based proxy server 102, the client knows that the resource can be requested using the QUIC protocol. When service data is transmitted afterwards, the request is sent using the QUIC protocol. Sending the request using the QUIC protocol specifically includes: the client calculates a first symmetric key and a first communication public key from the config-encapsulated data packet, and encrypts the first service data using the first symmetric key and the first communication public key. The first symmetric key may be calculated using the DH algorithm.
In operation S204, second service data encrypted by the second communication public key and the second symmetric key and sent by the server is received and forwarded to the client, where the second service data is response data of the server to the first service data.
According to the embodiment of the present disclosure, after receiving the first service data, the server 103 first calculates a third symmetric key from the config-encapsulated data packet and solves for the first communication public key. It determines whether the third symmetric key equals the first symmetric key; if so, it decrypts the first service data using the third symmetric key and the first communication public key, responds according to the information contained in the first service data, and generates second service data. It then calculates a new second communication public key and a second symmetric key, encrypts the second service data with them, and sends the result to the QUIC protocol-based proxy server 102. The proxy server 102 forwards the second service data to the client 101. After the client 101 receives the second service data, it calculates a fourth symmetric key from the config-encapsulated data packet and solves for the second communication public key, determines whether the fourth symmetric key equals the second symmetric key, and if they are equal, decrypts the second service data using the fourth symmetric key and the second communication public key to obtain the second service data. At this point, the encrypted transmission of the data is completed.
According to an embodiment of the present disclosure, the data encryption transmission method further includes: if the fourth symmetric key equals the second symmetric key, the second symmetric key is used to encrypt service data until the client 101 and the server 103 disconnect. That is, $K_2$ may be used as the communication symmetric key for some time thereafter.
According to the embodiment of the present disclosure, the data encryption transmission method further includes: and caching the config encapsulated data packet at the client. When the client is disconnected with the server and needs to communicate again, the client acquires the cached config-encapsulated data packet, calculates a new symmetric key according to the config-encapsulated data packet and the random number generated by the client, and encrypts service data by using the new symmetric key.
In order to further clearly describe the data encryption transmission method provided by the embodiment of the present disclosure, a specific 0RTT encryption transmission process is listed below for explanation.
Fig. 3 schematically illustrates a process diagram of 0RTT encrypted transmission according to an embodiment of the present disclosure.
As shown in fig. 3, first, the client sends a user request over TCP (HTTP); the server's response message passes through the QUIC protocol-based proxy server, which adds the QUIC information and the config-encapsulated packet containing the triple $\{p, g, K_{pub}\}$. After receiving it, the client computes its own communication public key $K_{c\_pub}$ and uses it to calculate a symmetric key $K_1$, prepares service data $data1$, defines an encryption function $\mathrm{Enc}(key, data)$, and sends the following tuple $D_1$ to the server:
$D_1 = \{K_{c\_pub}, \mathrm{Enc}(K_1, data1)\}$
After receiving $D_1$, the server computes the symmetric key $K_1'$, verifies that $K_1'$ equals the client's $K_1$, and uses $K_1'$ to decrypt the ciphertext $\mathrm{Enc}(K_1, data1)$ to obtain the plaintext $data1$. Before the server prepares $data2$, it computes a new communication public key $K_{n\_pub}$ and a new communication symmetric key $K_2$, and sends the next tuple to the client:
$D_2 = \{K_{n\_pub}, \mathrm{Enc}(K_2, data2)\}$
After the client receives $D_2$ from the server, it solves for $K_{n\_pub}$, computes the new communication key $K_2'$, verifies that $K_2' = K_2$, and uses $K_2'$ to obtain $data2$. From then on the communication can use $K_2$ as the communication symmetric key.
When the client has been disconnected from the server for a period of time (session gap), the client still holds the server's config tuple $\{p, g, K_{pub}\}$, which it previously cached in memory or wrote to disk. When it needs to communicate with the server again, it computes a symmetric key directly from $\{p, g, K_{pub}\}$ and a random-number private key it generates, and then sends data immediately.
After receiving the client's encrypted data, the server recalculates a new "safe symmetric key", which can then be used as the symmetric key for encrypted transmission until disconnection.
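The exchange of operations S201 to S204 and fig. 3, as an added example that is not the patent's or CERNET's implementation: a DH config $\{p, g, K_{pub}\}$, the tuples $D_1$ and $D_2$, resumption from the cached config after a session gap, and the server-side check that rejects altered data. The toy group (p = 2^127 - 1, g = 3), the key-derivation step and the HMAC-based Enc/Dec stand-in for a real AEAD cipher are all assumptions made here so the block runs on the standard library.

```python
import hashlib
import hmac
import os
import secrets

# Toy DH group (assumption): p = 2**127 - 1, a Mersenne prime, g = 3. Chosen so the
# numbers stay readable; a deployment would use a standard MODP group or ECDH.
P = (1 << 127) - 1
G = 3
NONCE_LEN, TAG_LEN = 16, 32


def kdf(shared_secret: int) -> bytes:
    """Derive a 32-byte symmetric key from a DH shared secret (assumed construction)."""
    return hashlib.sha256(b"quic-proxy-kdf" + shared_secret.to_bytes(16, "big")).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode; stand-in for a real cipher so the example is self-contained."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def enc(key: bytes, data: bytes) -> bytes:
    """Enc(key, data) from the page: returns nonce || ciphertext || HMAC tag."""
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def dec(key: bytes, blob: bytes) -> bytes:
    """Inverse of enc; raises ValueError when the key is wrong or the blob was altered."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("authentication failed")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


class Server:
    def __init__(self):
        self.priv = secrets.randbelow(P - 2) + 2        # long-term DH private key
        self.config = (P, G, pow(G, self.priv, P))      # {p, g, K_pub} sent with the first response

    def handle_d1(self, d1, data2: bytes):
        """Derive K1' (the page's third symmetric key), decrypt data1, answer with D2 under fresh K2."""
        k_c_pub, ct1 = d1
        k1_prime = kdf(pow(k_c_pub, self.priv, P))
        data1 = dec(k1_prime, ct1)                      # the tag check realises the K1' == K1 test
        n_priv = secrets.randbelow(P - 2) + 2           # fresh private key behind K_n_pub
        k_n_pub = pow(G, n_priv, P)
        k2 = kdf(pow(k_c_pub, n_priv, P))
        return data1, (k_n_pub, enc(k2, data2)), k2


class Client:
    def __init__(self, config):
        self.config = config                            # cached {p, g, K_pub}; survives a session gap
        self.priv = self.k1 = self.k2 = None

    def make_d1(self, data1: bytes):
        """0-RTT send: new random private key, then K_c_pub and K1 straight from the cached config.
        K1 depends only on the server's static K_pub, so D1 is replayable and not forward secret."""
        p, g, k_pub = self.config
        self.priv = secrets.randbelow(p - 2) + 2
        self.k1 = kdf(pow(k_pub, self.priv, p))
        return pow(g, self.priv, p), enc(self.k1, data1)

    def handle_d2(self, d2):
        """Solve K_n_pub, compute K2' (the page's fourth symmetric key) and decrypt data2."""
        k_n_pub, ct2 = d2
        self.k2 = kdf(pow(k_n_pub, self.priv, self.config[0]))
        return dec(self.k2, ct2)


def run_exchange(data1: bytes = b"GET /index.html", data2: bytes = b"200 OK hello"):
    """Full fig. 3 flow; returns (data1 seen by server, data2 seen by client, K2' == K2)."""
    server = Server()
    client = Client(server.config)
    got1, d2, k2_server = server.handle_d1(client.make_d1(data1), data2)
    got2 = client.handle_d2(d2)
    return got1, got2, client.k2 == k2_server


def resume_after_gap(server: Server, client: Client, data1: bytes) -> bytes:
    """Session gap: the client reuses its cached config with a new random key, no handshake round trip."""
    got1, _d2, _k2 = server.handle_d1(client.make_d1(data1), b"")
    return got1


def tampered_d1_rejected(data1: bytes = b"GET /index.html") -> bool:
    """Flipping one ciphertext byte of D1 must fail the server-side key/tag check."""
    server = Server()
    client = Client(server.config)
    k_c_pub, blob = client.make_d1(data1)
    bad = bytearray(blob)
    bad[NONCE_LEN] ^= 0x01
    try:
        server.handle_d1((k_c_pub, bytes(bad)), b"")
    except ValueError:
        return True
    return False
```

Because $K_1$ is derived from the server's long-lived $K_{pub}$, a captured $D_1$ can be replayed and its contents are exposed if the server's private key later leaks; $K_2$ and later keys are ephemeral, so a deployment should keep 0-RTT data to idempotent requests and rotate the config regularly.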
According to the data encryption transmission method provided by the embodiment of the disclosure, the QUIC protocol-based proxy server relays data between the front-end client and the back-end server, and the QUIC information added to the data response packet informs the client that the web server it is accessing supports the QUIC protocol, so the client requests the web service using QUIC and the transport-layer performance of the web application is effectively improved. Moreover, the config-encapsulated data packet carried in the data response packet allows the client to encrypt data directly from the config-encapsulated data packet and a random number it generates, and allows the server to decrypt it quickly, which improves the efficiency of data transmission and greatly reduces latency.
Based on the same inventive concept, the disclosed embodiment provides a data encryption transmission device, which comprises a client, a proxy server based on a QUIC protocol and a server, for example.
FIG. 4 schematically shows a block diagram of a QUIC protocol based proxy server according to an embodiment of the present disclosure.
As shown in FIG. 4, the QUIC protocol-based proxy server 400 may be configured, for example, to: a first receiving module 410, a second receiving module 420, a third receiving module 430 and a fourth receiving module 440.
The first receiving module 410 is configured to receive a TCP data request packet sent by a client accessing a WEB application for the first time, and forward the TCP data request packet to a server.
The second receiving module 420 is configured to receive the first data response packet and the config-encapsulated data packet returned by the server, add the QUIC information to the data response packet, generate a second data response packet, and forward the config-encapsulated data packet and the second data response packet to the client.
The third receiving module 430 is configured to receive the first service data, which is sent by the client and encrypted by the first communication public key and the first symmetric key, and forward the first service data to the server, where the first communication public key and the first symmetric key are calculated by the client according to the config-encapsulated data packet.
The fourth receiving module 440 is configured to receive second service data, which is sent by the server and encrypted by the second communication public key and the second symmetric key, and forward the second service data to the client, where the second service data is response data of the server to the first service data.
Any number of modules, sub-modules, units, sub-units, or at least part of the functionality of any number thereof according to embodiments of the present disclosure may be implemented in one module. Any one or more of the modules, sub-modules, units, and sub-units according to the embodiments of the present disclosure may be implemented by being split into a plurality of modules. Any one or more of the modules, sub-modules, units, sub-units according to embodiments of the present disclosure may be implemented at least in part as a hardware circuit, such as a Field Programmable Gate Array (FPGA), a Programmable Logic Array (PLA), a system on a chip, a system on a substrate, a system on a package, an Application Specific Integrated Circuit (ASIC), or may be implemented in any other reasonable manner of hardware or firmware by integrating or packaging a circuit, or in any one of or a suitable combination of software, hardware, and firmware implementations. Alternatively, one or more of the modules, sub-modules, units, sub-units according to embodiments of the disclosure may be implemented at least partly as a computer program module, which when executed, may perform a corresponding function.
For example, any plurality of the first receiving module 410, the second receiving module 420, the third receiving module 430 and the fourth receiving module 440 may be combined into one module/unit/sub-unit to be implemented, or any one of the modules/units/sub-units may be split into a plurality of modules/units/sub-units. Alternatively, at least part of the functionality of one or more of these modules/units/sub-units may be combined with at least part of the functionality of other modules/units/sub-units and implemented in one module/unit/sub-unit. According to an embodiment of the present disclosure, at least one of the first receiving module 410, the second receiving module 420, the third receiving module 430, and the fourth receiving module 440 may be implemented at least partially as a hardware circuit, such as a Field Programmable Gate Array (FPGA), a Programmable Logic Array (PLA), a system on a chip, a system on a substrate, a system on a package, an Application Specific Integrated Circuit (ASIC), or may be implemented by hardware or firmware in any other reasonable manner of integrating or packaging a circuit, or implemented by any one of three implementations of software, hardware, and firmware, or in a suitable combination of any of them. Alternatively, at least one of the first receiving module 410, the second receiving module 420, the third receiving module 430 and the fourth receiving module 440 may be at least partially implemented as a computer program module, which may perform a corresponding function when executed.
It should be noted that, the data encryption transmission device part in the embodiment of the present disclosure corresponds to the data encryption transmission method part in the embodiment of the present disclosure, and the specific implementation details and the technical effects thereof are also the same, and are not described herein again.
Fig. 5 schematically shows a block diagram of an electronic device adapted to implement the above described method according to an embodiment of the present disclosure. The electronic device shown in fig. 5 is only an example, and should not bring any limitation to the functions and the scope of use of the embodiments of the present disclosure.
As shown in fig. 5, an electronic device 500 according to an embodiment of the present disclosure includes a processor 501 that can perform various appropriate actions and processes according to a program stored in a Read Only Memory (ROM)502 or a program loaded from a storage section 508 into a Random Access Memory (RAM) 503. The processor 501 may comprise, for example, a general purpose microprocessor (e.g., a CPU), an instruction set processor and/or associated chipset, and/or a special purpose microprocessor (e.g., an Application Specific Integrated Circuit (ASIC)), among others. The processor 501 may also include onboard memory for caching purposes. Processor 501 may include a single processing unit or multiple processing units for performing different actions of a method flow according to embodiments of the disclosure.
In the RAM 503, various programs and data necessary for the operation of the electronic apparatus 500 are stored. The processor 501, the ROM 502, and the RAM 503 are connected to each other by a bus 504. The processor 501 performs various operations of the method flows according to the embodiments of the present disclosure by executing programs in the ROM 502 and/or the RAM 503. Note that the programs may also be stored in one or more memories other than the ROM 502 and the RAM 503. The processor 501 may also perform various operations of the method flows according to embodiments of the present disclosure by executing programs stored in the one or more memories.
According to an embodiment of the present disclosure, the electronic device 500 may also include an input/output (I/O) interface 505, which is also connected to the bus 504. The electronic device 500 may also include one or more of the following components connected to the I/O interface 505: an input portion 503 including a keyboard, a mouse, and the like; an output portion 507 including a display such as a cathode ray tube (CRT) or liquid crystal display (LCD), and a speaker; a storage portion 508 including a hard disk and the like; and a communication section 509 including a network interface card such as a LAN card or a modem. The communication section 509 performs communication processing via a network such as the Internet. A drive 510 is also connected to the I/O interface 505 as necessary. A removable medium 511, such as a magnetic disk, an optical disk, a magneto-optical disk, or a semiconductor memory, is mounted on the drive 510 as necessary, so that a computer program read from it can be installed into the storage section 508 as necessary.
According to embodiments of the present disclosure, method flows according to embodiments of the present disclosure may be implemented as computer software programs. For example, embodiments of the present disclosure include a computer program product comprising a computer program embodied on a computer readable storage medium, the computer program containing program code for performing the method illustrated by the flow chart. In such an embodiment, the computer program may be downloaded and installed from a network through the communication section 509, and/or installed from the removable medium 511. The computer program, when executed by the processor 501, performs the above-described functions defined in the system of the embodiments of the present disclosure. The systems, devices, apparatuses, modules, units, etc. described above may be implemented by computer program modules according to embodiments of the present disclosure.
The present disclosure also provides a computer-readable storage medium, which may be embodied in the device/apparatus/system described in the above embodiments; or may exist separately and not be assembled into the device/apparatus/system. The computer-readable storage medium carries one or more programs which, when executed, implement a method according to an embodiment of the disclosure.
According to an embodiment of the present disclosure, the computer readable storage medium may be a non-volatile computer readable storage medium. Examples may include, but are not limited to: a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In the present disclosure, a computer-readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device.
For example, according to embodiments of the present disclosure, a computer-readable storage medium may include ROM 502 and/or RAM 503 and/or one or more memories other than ROM 502 and RAM 503 described above.
The flowchart and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present disclosure. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams or flowchart illustration, and combinations of blocks in the block diagrams or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
Those skilled in the art will appreciate that various combinations and/or associations of the features recited in the various embodiments and/or claims of the present disclosure can be made, even if such combinations or associations are not expressly recited in the present disclosure. In particular, various combinations and/or associations of the features recited in the various embodiments and/or claims of the present disclosure may be made without departing from the spirit or teaching of the present disclosure. All such combinations and/or associations are within the scope of the present disclosure.
The embodiments of the present disclosure are described above. However, these examples are for illustrative purposes only and are not intended to limit the scope of the present disclosure. Although the embodiments are described separately above, this does not mean that the measures in the embodiments cannot be used in advantageous combination. The scope of the disclosure is defined by the appended claims and equivalents thereof. Various alternatives and modifications can be devised by those skilled in the art without departing from the scope of the disclosure, and these alternatives and modifications are intended to fall within the scope of the disclosure.

Claims (10)

1. A data encryption transmission method, wherein the data is transmitted via a proxy server based on the QUIC protocol, and the method comprises the following steps:
receiving a TCP data request packet sent by a client accessing WEB application for the first time, and forwarding the TCP data request packet to a server;
receiving a first data response packet and a config-encapsulated data packet returned by the server, adding QUIC information to the first data response packet, generating a second data response packet, and forwarding the config-encapsulated data packet and the second data response packet to the client;
receiving first service data which are sent by the client and encrypted through a first communication public key and a first symmetric key, and forwarding the first service data to the server, wherein the first communication public key and the first symmetric key are obtained by the client through calculation according to the config-encapsulated data packet;
and receiving second service data which is sent by the server and encrypted through a second communication public key and a second symmetric key, and forwarding the second service data to the client, wherein the second service data is response data of the server to the first service data.
2. The data encryption transmission method according to claim 1, wherein after receiving the first service data, the server calculates a third symmetric key according to the config-encapsulated data packet and recovers the first communication public key;
and determines whether the third symmetric key and the first symmetric key are equal, and if so, decrypts the first service data using the third symmetric key and the first communication public key.
3. The data encryption transmission method according to claim 1, wherein after receiving the second service data, the client calculates a fourth symmetric key according to the config-encapsulated data packet and recovers the second communication public key;
and determines whether the fourth symmetric key and the second symmetric key are equal, and if so, decrypts the second service data using the fourth symmetric key and the second communication public key.
4. The data encryption transmission method according to claim 3, wherein if the fourth symmetric key is equal to the second symmetric key, the second symmetric key is used to encrypt the service data before the client and the server are disconnected.
5. The data encryption transmission method according to claim 1, the method further comprising:
and caching the config-encapsulated data packet at the client.
6. The data encryption transmission method according to claim 5, the method further comprising:
when the client and the server need to communicate again after being disconnected, the client retrieves the cached config-encapsulated data packet, calculates a new symmetric key according to the config-encapsulated data packet and a random number generated by the client, and encrypts service data with the new symmetric key.
7. The data encryption transmission method according to claim 1, wherein the proxy server based on QUIC protocol forwards the data sent by the client to the server through HTTP proxy.
8. A data encryption transmission apparatus comprising:
the client, the proxy server based on the QUIC protocol and the server, wherein the proxy server based on the QUIC protocol comprises:
the first receiving module is used for receiving a TCP data request packet sent by a client for accessing a WEB application for the first time and forwarding the TCP data request packet to a server;
the second receiving module is used for receiving the first data response packet and the config-encapsulated data packet returned by the server, adding QUIC information to the first data response packet, generating a second data response packet, and forwarding the config-encapsulated data packet and the second data response packet to the client;
a third receiving module, configured to receive first service data, which is sent by the client and encrypted by using a first communication public key and a first symmetric key, and forward the first service data to the server, where the first communication public key and the first symmetric key are obtained by the client through calculation according to the config-encapsulated data packet;
and the fourth receiving module is configured to receive second service data, which is sent by the server and encrypted by using a second communication public key and a second symmetric key, and forward the second service data to the client, where the second service data is response data of the server to the first service data.
9. An electronic device, comprising:
one or more processors;
a memory for storing one or more programs,
wherein the one or more programs, when executed by the one or more processors, cause the one or more processors to implement the method of any of claims 1-7.
10. A computer readable storage medium having stored thereon executable instructions which, when executed by a processor, cause the processor to carry out the method of any one of claims 1 to 7.
Application CN202011498967.9A, priority date 2020-12-17, filed 2020-12-17: Data encryption transmission method, device, equipment and medium (status: Active; granted as CN112637177B).

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202011498967.9A CN112637177B (en) 2020-12-17 2020-12-17 Data encryption transmission method, device, equipment and medium


Publications (2)

Publication Number Publication Date
CN112637177A (en) 2021-04-09
CN112637177B (en) 2022-09-27



Legal Events

Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
TA01 Transfer of patent application right
Effective date of registration: 20211209
Address after: 100084 Beijing Haidian District Zhongguancun East Road 1 hospital Qinghua science and Technology Park 8 Building B block seal building
Applicant after: CERNET Co.,Ltd.
Address before: 100084 B1001-C 8, building 1, Zhongguancun East Road, Haidian District, Beijing, 2.
Applicant before: NEXT GENERATION INTERNET MAJOR APPLICATION TECHNOLOGY (BEIJING) ENGINEERING RESEARCH CENTER Co.,Ltd.
GR01 Patent grant