CN113904767A - System for establishing communication based on SSL - Google Patents
Publication number: CN113904767A (application CN202111157821.2A)
Authority: CN (China)
Legal status: Pending (status as listed by Google Patents; the listed status is not a legal conclusion)
Classifications
- H04L9/0825: Key transport or distribution using asymmetric-key encryption or public key infrastructure [PKI], e.g. key signature or public key certificates
- H04L63/0823: Network security protocols for authentication of entities using certificates
- H04L63/12: Applying verification of the received information
- H04L63/166: Implementing security features at the transport layer
- H04L67/02: Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]
- H04L9/3239: Message authentication using cryptographic hash functions involving non-keyed hash functions, e.g. modification detection codes [MDCs], MD5, SHA or RIPEMD
Abstract
The invention belongs to the technical field of communication and particularly relates to a system for establishing communication based on SSL. The system comprises an information protection module, an SSL security server, a service terminal, a client and an encryption chip. The encryption chip is arranged at the client side; when the client calls it, the encryption chip matches the security certificate of the corresponding service terminal and provides it to the client. The advantage of the system is that the security gateway or bridge captures SSL encrypted data, captures the handshake process of the SSL protocol, extracts the X.509 certificate chain, verifies the legality of the extracted certificate chain according to the relevant PKI standards and a trusted certificate list provided by the user, allows SSL connections whose certificate chain is legal to pass, and filters out and blocks SSL connections whose certificate chain is illegal.
Description
Technical Field
The invention belongs to the technical field of communication, and particularly relates to a system for establishing communication based on SSL.
Background
To prevent user data from being stolen while it passes through an untrusted network area, the communication between the user and a website (such as an online bank or a security website) is encrypted with the SSL protocol. Encryption, however, only prevents the data from being stolen in transit; it does not by itself verify the identity of the other end of the communication (the visited website). For example, the other end may be a malicious website masquerading as an online banking website. Entities that fraudulently obtain confidential user data (user names, passwords and so on) by masquerading as trusted websites are collectively called phishing websites. Because the data is encrypted, a traditional firewall has no control over such phishing websites. Trusting the strong encryption of the SSL protocol and lacking specialist knowledge of it, an ordinary user often cannot judge whether the SSL certificate presented by a visited website is legal, and cases of personal confidential data being cheated out of users by phishing websites occur from time to time. There is therefore a security defect: a phishing site disguised as a trusted site cannot be filtered.
Patent publication No. CN101436933B discloses an HTTPS encrypted access method comprising the steps of: establishing a special encrypted SSL channel between a client and an HTTPS proxy device; establishing a universal encrypted SSL channel between the client and the HTTPS proxy device; performing loop-back processing on an HTTPS message sent by a browser to the HTTPS proxy device through the universal encrypted SSL channel; and sending the looped-back HTTPS message to the HTTPS proxy device through the special encrypted SSL channel. That patent allows a user to invoke a special cryptographic algorithm through the browser for secure access, meeting the requirement for secure browser access in specific fields such as government affairs.
Patent publication No. CN102948131B discloses a system and method for split proxying Secure Socket Layer (SSL) communications across intermediaries deployed between a client and a server. The method includes establishing, by a server-side intermediary, an SSL session with a server, the client-side intermediary may establish a second SSL session with the client using SSL configuration information received from the server-side intermediary, the two intermediaries may communicate via a third SSL session, the server-side intermediary may decrypt data received from the server using a session key of the first SSL session, the server-side intermediary may transmit data encrypted using a session key of the third SSL session to the client-side intermediary via the third SSL session, the client-side intermediary may decrypt the encrypted data using the session key of the third SSL session, and the client-side intermediary may transmit data encrypted using the session key of the second SSL session to the client.
Patent publication No. CN102948131B discloses an SSL communication method based on a hardware cryptographic algorithm, which includes: the client sends a request to the server together with the list of communication protocol versions and the list of encryption algorithms it supports, and generates a first random number; after receiving the request, the server sends a response and the server certificate, which is stored in the encryption chip, confirms the communication protocol version and encryption mode to be used, generates a second random number and sends it to the client; the client takes the public key out of the server certificate, sends a third random number encrypted with that public key, and sends a cipher change notification and a client handshake end notification, where the client handshake end notification is a hash value of all previously sent content and is used for verification by the server; and the server decrypts the encrypted data with its private key, verifies it and generates a working key. That patent greatly improves the security and reliability of the communication system.
However, the above prior art still has the following problem:
1. The prior art cannot filter phishing websites disguised as trusted websites, so personal confidential data is cheated out of users by phishing websites.
Disclosure of Invention
Aiming at the defects in the prior art, the invention provides a system for establishing communication based on SSL, which is used for solving the problem that the prior art cannot filter phishing websites disguised as credible websites, so that personal confidential data is cheated by the phishing websites.
In order to solve the technical problems, the invention adopts the following technical scheme:
a system for establishing communication based on SSL comprises an information protection module, an SSL security server, a service terminal, a client and an encryption chip;
the encryption chip is arranged at the client; when the client calls the encryption chip, it matches the security certificate of the corresponding service terminal and provides it to the client;
after the client obtains the security certificate, it encrypts the communication information once and stores it in the information protection module;
the client security certificate stored by the information protection module is a public key certificate;
the SSL security server is used to verify the client security certificate, and negotiates a communication private key with the client after the client security certificate passes verification;
the SSL security server transmits the communication private key to the information protection module; the information protection module performs matching verification on the communication private key and, after the verification passes, transmits the communication information to the service terminal, which decrypts it with the communication private key;
the SSL security server and the service terminal are in the same communication network.
Furthermore, the information protection module also comprises a security gateway, and the service terminal is in access connection with the client through the security gateway;
the security gateway captures SSL encrypted data, and can freely import a trusted X.509 certificate list;
the security gateway intercepts a handshake process of an SSL protocol and extracts an X.509 certificate chain transmitted in the handshake process;
and the security gateway verifies the legality of the certificate chain according to the relevant PKI standards and the trusted certificate list provided by the user, and filters out and blocks SSL connections whose certificate chain is illegal.
Further, the security gateway filters the SSL packets according to the following rules:
filterRule={dir=0,count=1,dstport=443}&&{dir=0,count=3,off_set=0,feature=0x16};
In the screening rule, {dir=0,count=1,dstport=443} means that the destination port number of the 1st packet from the client to the server is 443, and {dir=0,count=3,off_set=0,feature=0x16} means that, at application-layer payload offset 0, the 3rd packet from the client to the server carries the fingerprint byte 0x16, i.e. its payload starts with 0x16.
Further, the security gateway can import or delete the trusted X.509 certificate list by itself.
Further, the security gateway can capture a copy both of the normal traffic of the client accessing the service terminal through the information protection module and of phishing traffic.
Further, when the security gateway cannot verify the legality of the certificate chain according to the relevant PKI standards and the trusted certificate list provided by the user, it automatically cuts off the SSL connection with the service terminal.
Compared with the prior art, the invention has the following beneficial effects:
1. the security gateway or the bridge captures SSL encrypted data, captures a handshake process of an SSL protocol, extracts an X.509 certificate chain, verifies the legality of the X.509 certificate chain transmitted in the extracted handshake process according to a PKI relevant standard and a trusted certificate list provided by a user, allows the SSL connection with the legal certificate chain to pass through, and filters and prevents the SSL connection with the illegal certificate chain;
2. With the support of the information protection module, secure storage of the certificate is realized, the device certificate is protected against illegal modification, the security of the device private key is ensured, and SSL encrypted communication is adopted so that data cannot be stolen by illegal users and information is transmitted securely on the Internet; that is, the SSL protocol is used to improve the security, integrity and customer data security of the electronic payment process, making electronic transactions simple, practical and thorough and achieving the "three easies": easy to use, easy to maintain and easy to develop;
3. When the security gateway cannot verify the legality of the certificate chain according to the relevant PKI standards and the trusted certificate list provided by the user, it automatically cuts off the SSL connection with the service terminal.
Drawings
FIG. 1 is a schematic diagram of an embodiment of a system for establishing communication based on SSL according to the present invention;
FIG. 2 is a diagram illustrating information processing of an embodiment of a system for establishing communication based on SSL according to the present invention;
FIG. 3 is a diagram illustrating message encryption in an embodiment of a system for establishing communication based on SSL according to the present invention;
reference numerals in the drawings of the specification include:
the system comprises an information protection module 1, an SSL security server 2, a service terminal 3, a client 4, a security gateway 5 and an encryption chip 6.
Detailed Description
In order that those skilled in the art can better understand the present invention, the following technical solutions are further described with reference to the accompanying drawings and examples.
Examples
As shown in fig. 1-3, a system for establishing communication based on SSL of the present invention includes an information protection module 1, an SSL secure server 2, a service terminal 3, a client 4, and an encryption chip 6;
the encryption chip 6 is arranged on the client 4, and when the encryption chip 6 is called by the client 4, the encryption chip 6 matches with the corresponding security certificate of the service terminal 3 and gives the security certificate to the client 4;
after the client 4 acquires the security certificate, the communication information is encrypted for one time and then is stored in the information protection module 1;
the client 4 security certificate stored in the information protection module 1 is a public key certificate;
the SSL security server 2 is used for verifying the security certificate of the client 4, and the SSL security server 2 negotiates a communication private key with the client 4 after the security certificate of the client 4 passes verification;
the SSL security server 2 transmits the communication private key to the information protection module 1, the information protection module 1 performs matching verification on the communication private key, after the verification is passed, the information protection module 1 transmits the communication information to the service terminal 3, and the service terminal 3 performs decoding through the communication private key;
the information protection module 122 is disposed on the client 4, and is configured to match out a corresponding client certificate to the client 4 when being invoked by the client 4, that is, the information protection module 122 is responsible for securely providing the client certificate to the client 4.
The encryption chip 6 processes the information as follows:
S1, the message is divided into small segments and each segment is compressed; the compression algorithm must be negotiated with the communication peer;
S2, a message authentication code (MAC) is added to each compressed segment in order to ensure integrity and authenticate the data, so that tampering can be recognized from the MAC value attached to the message. Meanwhile, to prevent replay attacks, the number of the segment is included when the MAC is calculated, and the one-way hash function and the shared key used for the MAC must be negotiated with the communication peer;
S3, the compressed segment together with its MAC is encrypted with a symmetric cipher. Encryption uses CBC mode, the CBC initialization vector IV is generated from the master secret, and the symmetric cipher algorithm and the shared key must be negotiated;
S4, the data type, version number and compressed length are prepended to the encrypted data as a header, which yields the final communication encrypted data.
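As an added illustration of steps S1 to S4 (example code, not from the patent), the following Go program implements one direction of such a record layer: fragmenting, a MAC that includes a sequence number, AES-CBC encryption with a chained IV, and the type/version/length header, together with the receiving side that rejects tampered or replayed records. The names (RecordLayer, Seal, Open), the choice of HMAC-SHA256 and AES-128, and the sample keys and IV are this example's assumptions; the compression step is the null method, as noted in the code.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"errors"
)

// Constructed stand-ins for the MAC key, cipher key and IV that the handshake
// would negotiate or derive from the master secret (not values from the patent).
var (
	ConstructedMACKey = []byte("constructed-mac-key-0123456789abcdef")
	ConstructedEncKey = []byte("constructed-aes-128-key")[:16]
	ConstructedIV     = []byte("constructed-cbc-iv-0000")[:16]
)

const maxFragment = 16384 // record-layer fragment limit (2^14 bytes)

var errBadRecord = errors.New("bad record") // one error for every failure: no padding oracle

// RecordLayer: one direction of state; seq is the sequence number S2 folds into each MAC.
type RecordLayer struct {
	macKey []byte
	block  cipher.Block
	iv     []byte
	seq    uint64
}

func NewRecordLayer(macKey, encKey, iv []byte) (*RecordLayer, error) {
	b, err := aes.NewCipher(encKey)
	if err != nil {
		return nil, err
	}
	return &RecordLayer{macKey: macKey, block: b, iv: append([]byte(nil), iv...)}, nil
}

// mac binds sequence number, type, version, length and fragment together.
func (r *RecordLayer) mac(seq uint64, ctype byte, version uint16, frag []byte) []byte {
	h := hmac.New(sha256.New, r.macKey)
	hdr := make([]byte, 13)
	binary.BigEndian.PutUint64(hdr[0:8], seq)
	hdr[8] = ctype
	binary.BigEndian.PutUint16(hdr[9:11], version)
	binary.BigEndian.PutUint16(hdr[11:13], uint16(len(frag)))
	h.Write(hdr)
	h.Write(frag)
	return h.Sum(nil)
}

// Seal runs S1-S4 over one message. S1's compression is the null method here:
// record compression leaks plaintext length and modern TLS no longer uses it.
func (r *RecordLayer) Seal(ctype byte, version uint16, msg []byte) [][]byte {
	var records [][]byte
	for off := 0; off < len(msg); off += maxFragment { // S1: fragment
		end := off + maxFragment
		if end > len(msg) {
			end = len(msg)
		}
		frag := msg[off:end]
		tag := r.mac(r.seq, ctype, version, frag) // S2: MAC over fragment with sequence number
		r.seq++
		padLen := aes.BlockSize - (len(frag)+len(tag))%aes.BlockSize
		plain := append(append(append([]byte(nil), frag...), tag...), bytes.Repeat([]byte{byte(padLen)}, padLen)...)
		ct := make([]byte, len(plain))
		cipher.NewCBCEncrypter(r.block, r.iv).CryptBlocks(ct, plain) // S3: AES-CBC over fragment+MAC
		r.iv = append([]byte(nil), ct[len(ct)-aes.BlockSize:]...)     // chain IV as SSL 3.0/TLS 1.0 did
		hdr := []byte{ctype, 0, 0, 0, 0}                              // S4: type, version, length
		binary.BigEndian.PutUint16(hdr[1:3], version)
		binary.BigEndian.PutUint16(hdr[3:5], uint16(len(ct)))
		records = append(records, append(hdr, ct...))
	}
	return records
}

// Open reverses S4-S1: parse the header, decrypt, strip padding, check the MAC.
func (r *RecordLayer) Open(rec []byte) ([]byte, error) {
	if len(rec) <= 5 || int(binary.BigEndian.Uint16(rec[3:5])) != len(rec)-5 || (len(rec)-5)%aes.BlockSize != 0 {
		return nil, errBadRecord
	}
	ctype, version, ct := rec[0], binary.BigEndian.Uint16(rec[1:3]), rec[5:]
	plain := make([]byte, len(ct))
	cipher.NewCBCDecrypter(r.block, r.iv).CryptBlocks(plain, ct)
	r.iv = append([]byte(nil), ct[len(ct)-aes.BlockSize:]...)
	padLen := int(plain[len(plain)-1])
	if padLen == 0 || padLen > aes.BlockSize || padLen+sha256.Size > len(plain) {
		return nil, errBadRecord
	}
	n := len(plain) - padLen - sha256.Size // fragment length; the MAC follows it
	if !hmac.Equal(plain[n:n+sha256.Size], r.mac(r.seq, ctype, version, plain[:n])) {
		return nil, errBadRecord
	}
	r.seq++
	return plain[:n], nil
}
```

Open returns the same error for a bad length, bad padding and a bad MAC; a receiver that lets a sender tell these cases apart creates a padding oracle, so a record layer should not. The IV chaining mimics SSL 3.0/TLS 1.0; TLS 1.1 and later carry an explicit per-record IV precisely because a chained IV is predictable to an observer.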
The information protection module 1 is a physical certificate repository in which a plurality of private keys, the corresponding public keys, and the public key certificates corresponding to those public keys are stored. The private key, public key and public key certificate are stored in an HSM, which effectively prevents external attack and tampering. An HSM (Hardware Security Module) is a dedicated cryptographic processor designed specifically to protect the cryptographic key lifecycle; it securely manages, processes and stores encryption keys in a reliable, tamper-resistant device.
The SSL security server 2 is used for verifying the certificate of the client 4, negotiating a communication private key with the client 4 after the verification is passed, then the SSL security server 2 and the client 4 adopt the communication private key for communication, transmitting the communication data of the client to the encryption chip 6 for processing, and feeding back the data processed by the encryption chip 6 to the client 4. Wherein the SSL secure server 2 is in the same communication network as the cryptographic chip 6. The certificate verification is a link in the SSL protocol process, and the principle is that after the SSL security server 2 obtains the certificate of the client, the certificate is compared with the certificate in the trust certificate bank of the information protection module 1, and if the client certificate or the issuer of the client certificate exists in the trust certificate bank of the information protection module 1, the verification is passed.
SSL (Secure Sockets Layer) is a security protocol that provides security and data integrity for network communications by encrypting network connections at the transport layer. The SSL protocol has two parts: the Handshake Protocol and the Record Protocol. The Handshake Protocol is used to negotiate keys, and most of its content concerns how the two communicating parties use it to negotiate a key securely; the Record Protocol defines the format of transmission. The SSL protocol establishes an encrypted channel between two computers; the SSL connection ensures that data is neither stolen nor tampered with in transit, guaranteeing the confidentiality, integrity and reliability of confidential information. The services provided by the SSL protocol mainly include: authenticating the user and the server, so that data is sent to the correct client and server; encrypting data, so that it cannot be stolen in transit; and maintaining the integrity of the data, so that it is not altered during transmission.
the SSL secure server 2 is in the same communication network as the service terminal 3.
The information protection module 1 also comprises a security gateway 5, and the service terminal 3 is in access connection with the client 4 through the security gateway 5;
the security gateway 5 captures SSL encrypted data, and the security gateway 5 can freely import a trusted X.509 certificate list;
the security gateway 5 intercepts the handshake process of the SSL protocol and extracts the X.509 certificate chain transmitted in the handshake process;
the security gateway 5 verifies the legality of the certificate chain according to the relevant PKI standards and the trusted certificate list provided by the user, and filters out and blocks SSL connections whose certificate chain is illegal.
The screening rule of the security gateway 5 for the SSL packet is as follows:
filterRule={dir=0,count=1,dstport=443}&&{dir=0,count=3,off_set=0,feature=0x16};
In the screening rule, {dir=0,count=1,dstport=443} means that the destination port number of the 1st packet from the client to the server is 443, and {dir=0,count=3,off_set=0,feature=0x16} means that, at application-layer payload offset 0, the 3rd packet from the client to the server carries the fingerprint byte 0x16, i.e. its payload starts with 0x16.
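Added example, not code from the patent: a Go implementation of the screening rule above, evaluated over a constructed packet sequence, plus a parser for the 5-byte record header whose first byte is the 0x16 fingerprint. The Packet type, the two constructed flows and the port numbers are this example's assumptions; reading count=3 as the 3rd client-to-server packet that carries ClientHello (after the SYN and ACK of the TCP handshake) is this example's interpretation of the rule.

```go
package main

import (
	"encoding/binary"
	"fmt"
)

// Packet is a constructed, minimal view of one TCP segment as the gateway's
// classifier sees it: direction (0 = client to server, 1 = server to client),
// destination port and application-layer payload.
type Packet struct {
	Dir     int
	DstPort uint16
	Payload []byte
}

// RecordHeader is the 5-byte SSL/TLS record header found at payload offset 0.
type RecordHeader struct {
	ContentType byte   // 0x16 = handshake: the fingerprint the rule looks for
	Version     uint16 // 0x0301 = TLS 1.0, 0x0303 = TLS 1.2
	Length      uint16 // bytes of record body that follow the header
}

// ParseRecordHeader decodes the header; ok is false if the payload is too short.
func ParseRecordHeader(payload []byte) (hdr RecordHeader, ok bool) {
	if len(payload) < 5 {
		return RecordHeader{}, false
	}
	return RecordHeader{
		ContentType: payload[0],
		Version:     binary.BigEndian.Uint16(payload[1:3]),
		Length:      binary.BigEndian.Uint16(payload[3:5]),
	}, true
}

// MatchesFilterRule evaluates
//   filterRule={dir=0,count=1,dstport=443}&&{dir=0,count=3,off_set=0,feature=0x16}
// over the start of a flow: the 1st client-to-server packet must be addressed to
// port 443 and the 3rd client-to-server packet (after the TCP SYN and ACK, the
// one carrying ClientHello) must begin with the handshake record type 0x16.
// Server-to-client packets are not counted.
func MatchesFilterRule(flow []Packet) bool {
	var c2s []Packet
	for _, p := range flow {
		if p.Dir == 0 {
			c2s = append(c2s, p)
		}
	}
	if len(c2s) < 3 || c2s[0].DstPort != 443 {
		return false
	}
	const offset = 0 // off_set=0 in the rule
	return len(c2s[2].Payload) > offset && c2s[2].Payload[offset] == 0x16
}

// ConstructedHTTPSFlow models a client opening an SSL session: SYN, the
// server's SYN-ACK, ACK, then a (truncated) ClientHello record.
func ConstructedHTTPSFlow() []Packet {
	clientHello := []byte{0x16, 0x03, 0x01, 0x00, 0x2a, 0x01} // type, version, length, client_hello
	return []Packet{
		{Dir: 0, DstPort: 443},
		{Dir: 1, DstPort: 51234},
		{Dir: 0, DstPort: 443},
		{Dir: 0, DstPort: 443, Payload: clientHello},
	}
}

// ConstructedPlainHTTPFlow is an unencrypted request to port 80 that must not match.
func ConstructedPlainHTTPFlow() []Packet {
	return []Packet{
		{Dir: 0, DstPort: 80},
		{Dir: 0, DstPort: 80},
		{Dir: 0, DstPort: 80, Payload: []byte("GET / HTTP/1.1\r\n")},
	}
}

func main() {
	for _, flow := range [][]Packet{ConstructedHTTPSFlow(), ConstructedPlainHTTPFlow()} {
		fmt.Println("selected for certificate-chain inspection:", MatchesFilterRule(flow))
	}
}
```

The rule only selects flows for inspection; it is not itself a security decision. A TLS handshake on a port other than 443 is not matched by the first clause, so a gateway that must cover all SSL traffic needs either additional port clauses or a rule keyed on the record header alone.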
The security gateway 5 or the bridge captures the SSL encrypted data, captures the handshake process of the SSL protocol and extracts the X.509 certificate chain. It verifies the legality of the extracted X.509 certificate chain according to the relevant PKI standards and the trusted certificate list provided by the user; the security gateway 5 or the bridge allows SSL connections with a legal certificate chain to pass and filters out and blocks SSL connections with an illegal certificate chain.
The security gateway 5 or the network bridge is arranged on the network link between the user's Internet terminal and the visited website, so that the data of internal users who access normal or phishing websites on the external network through an SSL encrypted tunnel must pass through the security gateway 5 or the bridge. The security gateway 5 can capture SSL encrypted data, capture the handshake process of the SSL protocol, extract the certificate chain from that handshake, and verify the validity of the extracted certificate chain according to the relevant PKI standards and the trusted certificate list provided by the user; the security gateway 5 or the bridge allows SSL connections with a legal certificate chain to pass and filters out and blocks SSL connections with an illegal certificate chain, thereby permitting network connections between the end user and trusted websites and cutting off connections between the end user and phishing websites. In this method, an administrator can import or delete the trusted certificate list on the gateway or the bridge.
The security gateway 5 can import or delete the trusted X.509 certificate list on its own.
The security gateway 5 can capture a copy both of the normal traffic of the client 4 accessing the service terminal 3 through the information protection module 1 and of phishing traffic.
When the security gateway 5 does not verify the legality of the certificate chain according to the PKI related standard and the trusted certificate list provided by the user, the security gateway 5 automatically cuts off the SSL connection with the service terminal 3.
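To make the gateway decision concrete, here is an added Go example (not the patent's code) that uses the standard library's crypto/x509 verifier as the PKI check: the administrator imports a trusted certificate, the gateway verifies the chain captured from the handshake against that list, the hostname and the validity period, and every failure yields a "cut off" verdict while a clean chain yields "allowed". The root, the bank leaf it issued and the self-signed look-alike for the same hostname are generated in memory as constructed test material; Gateway, Verdict, Inspect and BuildScenario are names chosen for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// Gateway holds the administrator-imported trusted X.509 list and decides, for
// each captured handshake, whether the SSL connection passes or is cut off.
type Gateway struct{ trusted *x509.CertPool }

func NewGateway() *Gateway { return &Gateway{trusted: x509.NewCertPool()} }

// ImportTrusted adds one certificate (a CA or a pinned server cert) to the list.
func (g *Gateway) ImportTrusted(c *x509.Certificate) { g.trusted.AddCert(c) }

// Verdict is the gateway's decision for one handshake.
type Verdict struct {
	Allow  bool
	Reason string
}

// Inspect verifies the chain extracted from the handshake (leaf first, as in
// the Certificate message) against the trusted list: signatures, validity at
// time now, basic constraints, server-auth key usage and the hostname binding.
func (g *Gateway) Inspect(chain []*x509.Certificate, hostname string, now time.Time) Verdict {
	if len(chain) == 0 {
		return Verdict{false, "cut off: handshake carried no certificate chain"}
	}
	inter := x509.NewCertPool()
	for _, c := range chain[1:] {
		inter.AddCert(c)
	}
	opts := x509.VerifyOptions{DNSName: hostname, Roots: g.trusted, Intermediates: inter, CurrentTime: now}
	if _, err := chain[0].Verify(opts); err != nil {
		return Verdict{false, "cut off: " + err.Error()}
	}
	return Verdict{true, "allowed: chain anchors in the trusted list"}
}

// newCert issues a certificate from tmpl; with parent == nil it is self-signed.
func newCert(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// BuildScenario constructs test material: a trusted root, the bank leaf chain
// it issued, and a self-signed look-alike chain for the same hostname.
func BuildScenario() (root *x509.Certificate, bankChain, phishChain []*x509.Certificate, now time.Time, err error) {
	now = time.Now()
	tmpl := func(serial int64, cn string) *x509.Certificate {
		return &x509.Certificate{
			SerialNumber: big.NewInt(serial),
			Subject:      pkix.Name{CommonName: cn},
			NotBefore:    now.Add(-time.Hour),
			NotAfter:     now.Add(24 * time.Hour),
			KeyUsage:     x509.KeyUsageDigitalSignature,
		}
	}
	leaf := func(serial int64, host string) *x509.Certificate {
		t := tmpl(serial, host)
		t.DNSNames = []string{host}
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
		return t
	}
	rootTmpl := tmpl(1, "Constructed Trusted Root")
	rootTmpl.IsCA, rootTmpl.BasicConstraintsValid = true, true
	rootTmpl.KeyUsage |= x509.KeyUsageCertSign
	var rootKey *ecdsa.PrivateKey
	if root, rootKey, err = newCert(rootTmpl, nil, nil); err != nil {
		return
	}
	bank, _, err := newCert(leaf(2, "bank.example"), root, rootKey)
	if err != nil {
		return
	}
	phish, _, err := newCert(leaf(3, "bank.example"), nil, nil) // same name, no trusted issuer
	if err != nil {
		return
	}
	return root, []*x509.Certificate{bank}, []*x509.Certificate{phish}, now, nil
}
```

Usage: call BuildScenario, import the root with ImportTrusted, then pass each chain and the hostname the client asked for to Inspect. Note that crypto/x509's Verify does not check revocation; a deployed gateway would add a CRL or OCSP check on the same chain and log every "cut off" verdict so that blocked phishing attempts are visible to the security team.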
The master secret is calculated from the following information:
the pre-master secret;
the client random number;
the server random number.
When RSA public key cryptography is used, the client encrypts the pre-master secret and sends it to the server in the ClientKeyExchange message.
When DH key exchange is used, the client sends its DH public value to the server in the ClientKeyExchange message; from this value the client and the server each compute the pre-master secret.
When the master secret is computed from the pre-master secret, a pseudo-random function built from two one-way hash functions (MD5 and SHA-1) is used; two hash functions are combined to improve security.
For the RSA key exchange algorithm the pre-master secret itself is a random number; together with the random numbers in the hello messages it forms the three random values from which the key derivation finally produces the symmetric key.
The pre-master secret exists because the SSL protocol does not trust every host to generate truly random numbers: if the random numbers are not random, the pre-master secret can be guessed, and the pre-master secret alone is not suitable as a key, so a further random factor must be introduced. A key that the client and server generate together from the three random values (the pre-master secret and the two hello randoms) cannot easily be guessed; one pseudo-random value may be entirely non-random, but three together are very close to random, and every added degree of freedom increases the randomness further.
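As an added example (not from the patent), the following Go code shows the SSL 3.0 form of the derivation described above, in which the 48-byte master secret is computed from the pre-master secret and the two hello randoms by nesting SHA-1 inside MD5 (RFC 6101, section 6.1). It goes slightly beyond the text in one respect: the same expansion is then reused to turn the master secret into the key block of symmetric keys, which is how the protocol obtains the MAC and cipher keys. NewPreMasterSecret, MasterSecret, KeyBlock and the constructed randoms are this example's names and values.

```go
package main

import (
	"bytes"
	"crypto/md5"
	"crypto/rand"
	"crypto/sha1"
	"fmt"
)

// Constructed 32-byte hello randoms standing in for ClientHello.random and
// ServerHello.random (not values from the patent).
var (
	ConstructedClientRandom = bytes.Repeat([]byte{0xc1}, 32)
	ConstructedServerRandom = bytes.Repeat([]byte{0x5e}, 32)
)

// NewPreMasterSecret builds the 48-byte pre-master secret the client generates
// for RSA key exchange: two protocol version bytes followed by 46 random bytes.
func NewPreMasterSecret(versionMajor, versionMinor byte) ([]byte, error) {
	pre := make([]byte, 48)
	pre[0], pre[1] = versionMajor, versionMinor
	if _, err := rand.Read(pre[2:]); err != nil {
		return nil, err
	}
	return pre, nil
}

// ssl3PRF is the SSL 3.0 expansion that combines the two hash functions:
// block i = MD5(secret || SHA1(label_i || secret || seed)), where label_i is
// the letter 'A'+i repeated i+1 times ("A", "BB", "CCC", ...).
func ssl3PRF(secret, seed []byte, n int) []byte {
	var out []byte
	for i := 0; len(out) < n; i++ {
		label := bytes.Repeat([]byte{byte('A' + i)}, i+1)
		inner := sha1.New()
		inner.Write(label)
		inner.Write(secret)
		inner.Write(seed)
		outer := md5.New()
		outer.Write(secret)
		outer.Write(inner.Sum(nil))
		out = outer.Sum(out) // Sum appends the 16-byte MD5 block to out
	}
	return out[:n]
}

// MasterSecret derives the 48-byte master secret from the three random values:
// the pre-master secret, the client random and the server random.
func MasterSecret(preMaster, clientRandom, serverRandom []byte) []byte {
	seed := append(append([]byte{}, clientRandom...), serverRandom...)
	return ssl3PRF(preMaster, seed, 48)
}

// KeyBlock expands the master secret into n bytes of symmetric keying material
// (MAC keys, cipher keys, IVs); SSL 3.0 swaps the order of the randoms here.
func KeyBlock(master, clientRandom, serverRandom []byte, n int) []byte {
	seed := append(append([]byte{}, serverRandom...), clientRandom...)
	return ssl3PRF(master, seed, n)
}

func main() {
	pre, err := NewPreMasterSecret(3, 0)
	if err != nil {
		panic(err)
	}
	master := MasterSecret(pre, ConstructedClientRandom, ConstructedServerRandom)
	fmt.Printf("pre-master secret: %x\nmaster secret:     %x\n", pre, master)
	fmt.Printf("key block:         %x\n", KeyBlock(master, ConstructedClientRandom, ConstructedServerRandom, 64))
}
```

MD5 and SHA-1 appear here only because that is the construction the text describes; TLS 1.2 replaced it with an HMAC-based PRF and TLS 1.3 with HKDF, so new deployments should negotiate those versions and treat this derivation as legacy.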
With the support of the information protection module 1, secure storage of the certificate is realized, the device certificate is protected against illegal modification, and the security of the device private key is ensured. SSL encrypted communication is adopted, so that data cannot be stolen by illegal users and information is transmitted securely on the Internet; that is, the SSL protocol is used to improve the security, integrity and customer data security of the electronic payment process, making electronic transactions simple, practical and thorough and achieving the "three easies": easy to use, easy to maintain and easy to develop. Meanwhile, by integrating SSL with the HSM, data security from the device through the transmission process is realized. A custom Security Provider conforming to the Java Security Provider standard can also implement the SSL secure communication protocol in line with existing standards, which makes the scheme easy to use and secure: in a few simple steps a developer can give an ordinary non-SSL client app encrypted communication based on the information protection module 1, achieving secure data transmission quickly and enabling rapid development. The security gateway 5 in the information protection module 1 verifies the legality of the certificate chain according to the relevant PKI standards and the trusted certificate list provided by the user, filters out and blocks SSL connections whose certificate chain is illegal, and cuts off connections between the end user and phishing websites.
Finally, the above embodiments are only for illustrating the technical solutions of the present invention and not for limiting, although the present invention has been described in detail with reference to the preferred embodiments, it should be understood by those skilled in the art that modifications or equivalent substitutions may be made to the technical solutions of the present invention without departing from the spirit and scope of the technical solutions of the present invention, and all of them should be covered in the claims of the present invention.
Claims (6)
1. A system for establishing communication based on SSL is characterized by comprising an information protection module (1), an SSL security server (2), a service terminal (3), a client (4) and an encryption chip (6);
the encryption chip (6) is arranged on the client (4); when the encryption chip (6) is called by the client (4), it matches the security certificate of the corresponding service terminal (3) and provides that security certificate to the client (4);
after the client (4) acquires the security certificate, the communication information is encrypted once and then stored in the information protection module (1);
the client (4) security certificate stored in the information protection module (1) is a public key certificate;
the SSL security server (2) is used to verify the security certificate of the client (4), and the SSL security server (2) negotiates a communication private key with the client (4) after the security certificate of the client (4) is verified;
the SSL security server (2) transmits the communication private key to the information protection module (1); the information protection module (1) performs matching verification on the communication private key and, after the verification passes, transmits the communication information to the service terminal (3), which decrypts it with the communication private key;
the SSL security server (2) and the service terminal (3) are in the same communication network.
2. The system for establishing communication based on SSL as recited in claim 1, wherein: the information protection module (1) further comprises a security gateway (5), and the service terminal (3) is in access connection with the client (4) through the security gateway (5);
the security gateway (5) captures SSL encrypted data, and the security gateway (5) can freely import a trusted list of X.509 certificates;
the security gateway (5) intercepts the handshake process of the SSL protocol and extracts the X.509 certificate chain transmitted in the handshake process;
and the security gateway (5) verifies the legality of the certificate chain according to the PKI relevant standard and the trusted certificate list provided by the user, and filters and prevents illegal SSL connection of the certificate chain.
3. The system for establishing communication based on SSL as recited in claim 2, wherein: the security gateway (5) has the following screening rules for the SSL data packets:
filterRule={dir=0,count=1,dstport=443}&&{dir=0,count=3,off_set=0,feature=0x16};
in the screening rule: {dir=0,count=1,dstport=443} denotes that the destination port number of the 1st packet from the client to the server is 443; {dir=0,count=3,off_set=0,feature=0x16} indicates that the application-layer payload offset of the 3rd packet from the client to the server is 0, and that the 3rd packet carries the fingerprint value 0x16 starting from its first byte.
4. The system for establishing communication based on SSL as recited in claim 3, wherein: the security gateway (5) can import or delete the trusted X.509 certificate list by itself.
5. The system for establishing communication based on SSL as recited in claim 4, wherein: the security gateway (5) can capture, through the information protection module (1), the normal information and a copy of the phishing information of a client (4) accessing the service terminal (3).
6. The system for establishing communication based on SSL as recited in claim 5, wherein: when the security gateway (5) fails to verify the legality of the certificate chain according to the PKI related standard and the trusted certificate list provided by the user, the security gateway (5) automatically cuts off the SSL connection with the service terminal (3).
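The screening rule of claim 3 is a two-clause flow fingerprint: the first client-to-server packet must be addressed to port 443, and the third client-to-server packet (after the TCP SYN and ACK) must open with the byte 0x16, the TLS record-layer content type for a handshake record. The following Go program is an added example and is not code from the patent or from any product it describes; it evaluates that rule over constructed packet sequences and generalizes it to an arbitrary list of clauses of the same shape. The `Packet` and `Clause` types, `MatchesRule`, `SampleFlows` and the flow contents are assumptions made for the demo.

```go
package main

import (
	"bytes"
	"fmt"
)

// Packet is the minimal view of one captured packet that the screening rule
// needs: direction, destination port and application-layer payload.
type Packet struct {
	Dir     int    // 0 = client -> server, 1 = server -> client
	DstPort int    // TCP destination port
	Payload []byte // application-layer payload (empty for SYN/ACK)
}

// Clause is one {...} term of the rule. Count is 1-based and counts only
// packets travelling in direction Dir. DstPort 0 and Feature nil mean
// "don't care" for that field.
type Clause struct {
	Dir, Count, DstPort, Offset int
	Feature                     []byte
}

// filterRule encodes
//   {dir=0,count=1,dstport=443} && {dir=0,count=3,off_set=0,feature=0x16}
// The third client->server packet is expected to be the ClientHello, whose
// TLS record header starts with content type 0x16 (handshake).
var filterRule = []Clause{
	{Dir: 0, Count: 1, DstPort: 443},
	{Dir: 0, Count: 3, Offset: 0, Feature: []byte{0x16}},
}

// nthInDirection returns the count-th packet sent in direction dir, or nil
// when the flow has not (yet) carried that many packets that way.
func nthInDirection(flow []Packet, dir, count int) *Packet {
	seen := 0
	for i := range flow {
		if flow[i].Dir != dir {
			continue
		}
		seen++
		if seen == count {
			return &flow[i]
		}
	}
	return nil
}

// MatchesRule reports whether a flow (packets in capture order) satisfies
// every clause of the rule; the clauses are ANDed as in the claim.
func MatchesRule(flow []Packet, rule []Clause) bool {
	for _, c := range rule {
		p := nthInDirection(flow, c.Dir, c.Count)
		if p == nil {
			return false // flow too short to evaluate this clause
		}
		if c.DstPort != 0 && p.DstPort != c.DstPort {
			return false
		}
		if c.Feature != nil {
			end := c.Offset + len(c.Feature)
			if end > len(p.Payload) || !bytes.Equal(p.Payload[c.Offset:end], c.Feature) {
				return false
			}
		}
	}
	return true
}

// SampleFlows are constructed, not captured: a TLS session on 443 (SYN, ACK,
// then a ClientHello record 0x16 0x03 0x01 ...), plaintext HTTP sent to port
// 443, a TLS session on a non-standard port, and a flow cut short at the ACK.
func SampleFlows() map[string][]Packet {
	syn := Packet{Dir: 0, DstPort: 443}
	synAck := Packet{Dir: 1, DstPort: 51234}
	ack := Packet{Dir: 0, DstPort: 443}
	clientHello := Packet{Dir: 0, DstPort: 443, Payload: []byte{0x16, 0x03, 0x01, 0x00, 0xc8, 0x01}}
	httpGet := Packet{Dir: 0, DstPort: 443, Payload: []byte("GET / HTTP/1.1\r\n")}
	return map[string][]Packet{
		"tls-443":   {syn, synAck, ack, clientHello},
		"http-443":  {syn, synAck, ack, httpGet},
		"tls-8443":  {{Dir: 0, DstPort: 8443}, synAck, {Dir: 0, DstPort: 8443}, {Dir: 0, DstPort: 8443, Payload: clientHello.Payload}},
		"truncated": {syn, synAck},
	}
}

func main() {
	for name, flow := range SampleFlows() {
		fmt.Printf("%-10s matches SSL screening rule: %v\n", name, MatchesRule(flow, filterRule))
	}
}
```

Only the `tls-443` flow satisfies both clauses; plaintext on port 443 fails the 0x16 check, TLS on another port fails the port check, and a flow that ends before the third client packet cannot match at all. Because the rule only looks at one byte, a gateway relying on it alone would also pass any other protocol whose first payload byte happens to be 0x16, so the full handshake parsing of claim 2 still has to follow the screening step.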
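Claims 2 and 6 describe the gateway's certificate step: extract the X.509 chain from the handshake, validate it against the PKI standard using only the user-imported trusted list, and cut off the connection when validation fails. The Go program below is an added example, not the patent's own implementation: standard-library `crypto/x509` path validation stands in for whatever PKI library the system uses, and the certificate authorities, the host name `service.example` and the `CheckChain`, `mintCert` and `Demo` helpers are all constructed in memory for the demo.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func must(err error) { if err != nil { panic(err) } }

// Verdict is the gateway's decision: pass the connection or cut it off (claim 6).
type Verdict struct {
	Allowed bool
	Reason  string
}

// CheckChain applies standard PKI path validation (crypto/x509) to the chain
// extracted from the handshake (leaf first, then intermediates as sent), with
// only the operator-imported trusted list as roots; any failure cuts off.
func CheckChain(chain, trusted []*x509.Certificate, serverName string, now time.Time) Verdict {
	if len(chain) == 0 {
		return Verdict{false, "handshake carried no certificate chain"}
	}
	roots := x509.NewCertPool()
	for _, c := range trusted {
		roots.AddCert(c)
	}
	inters := x509.NewCertPool()
	for _, c := range chain[1:] {
		inters.AddCert(c) // never a root: a server cannot vouch for itself
	}
	_, err := chain[0].Verify(x509.VerifyOptions{
		Roots:         roots,
		Intermediates: inters,
		DNSName:       serverName,
		CurrentTime:   now,
	})
	if err != nil {
		return Verdict{false, "cut off: " + err.Error()}
	}
	return Verdict{true, "chain validates to an imported trusted certificate"}
}

// mintCert issues a test certificate in memory; parent == nil makes it a
// self-signed CA. Names and validity are constructed for this demo only.
func mintCert(cn string, dns []string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 62))
	must(err)
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: cn},
		DNSNames:              dns,
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  isCA,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	signer, signerKey := tmpl, key // self-signed unless a parent is given
	if parent != nil {
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return cert, key
}

// Demo builds two chains for the same host name: one under the operator's
// trusted root and one under a root that was never imported (the look-alike
// site case the gateway exists to block), and returns both verdicts.
func Demo() (good, bad Verdict) {
	trustedRoot, trustedRootKey := mintCert("Operator Trusted Root CA", nil, true, nil, nil)
	issuing, issuingKey := mintCert("Operator Issuing CA", nil, true, trustedRoot, trustedRootKey)
	leaf, _ := mintCert("service.example", []string{"service.example"}, false, issuing, issuingKey)
	otherRoot, otherRootKey := mintCert("Unimported Root CA", nil, true, nil, nil)
	otherLeaf, _ := mintCert("service.example", []string{"service.example"}, false, otherRoot, otherRootKey)
	trusted := []*x509.Certificate{trustedRoot}
	good = CheckChain([]*x509.Certificate{leaf, issuing}, trusted, "service.example", time.Now())
	bad = CheckChain([]*x509.Certificate{otherLeaf, otherRoot}, trusted, "service.example", time.Now())
	return good, bad
}

func main() {
	good, bad := Demo()
	fmt.Printf("trusted chain:    allowed=%v (%s)\n", good.Allowed, good.Reason)
	fmt.Printf("unimported chain: allowed=%v (%s)\n", bad.Allowed, bad.Reason)
}
```

The design point worth keeping from the claims is that the server-supplied certificates only ever populate the intermediate pool: a chain that terminates in a self-signed root the server sent along, but that the operator never imported, is rejected with an unknown-authority error and the connection is cut off, exactly as claim 6 requires. The host name check is included because the trusted list limits who may issue certificates, not which host a given certificate is valid for.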
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202111157821.2A CN113904767A (en) | 2021-09-29 | 2021-09-29 | System for establishing communication based on SSL |
Publications (1)
Publication Number | Publication Date |
---|---|
CN113904767A (en) | 2022-01-07 |
Family
ID=79189691
Country Status (1)
Country | Link |
---|---|
CN (1) | CN113904767A (en) |
Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101026599A (en) * | 2007-01-19 | 2007-08-29 | 深圳市深信服电子科技有限公司 | Method for guarding phishing website based on gateway, bridge |
CN105119894A (en) * | 2015-07-16 | 2015-12-02 | 上海慧银信息科技有限公司 | Communication system and communication method based on hardware safety module |
US20160112193A1 (en) * | 2013-05-23 | 2016-04-21 | Tendyron Corporation | Method and system for backing up private key of electronic signature token |
CN106209775A (en) * | 2016-06-24 | 2016-12-07 | 深圳信息职业技术学院 | The application type recognition methods of a kind of SSL encryption network flow and device |
CN108377190A (en) * | 2018-02-14 | 2018-08-07 | 飞天诚信科技股份有限公司 | A kind of authenticating device and its working method |
Cited By (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN114415881A (en) * | 2022-01-24 | 2022-04-29 | 东北大学 | Meta-universe skiing system with real-time cloud-linked elements in ski field environment |
CN114415881B (en) * | 2022-01-24 | 2024-02-09 | 东北大学 | Meta universe skiing system with real-time cloud linking of elements in skiing field environment |
CN114499897A (en) * | 2022-04-14 | 2022-05-13 | 成都边界元科技有限公司 | Self-adaptive verification method and verification system for SM2 security certificate |
CN114499897B (en) * | 2022-04-14 | 2022-08-02 | 成都边界元科技有限公司 | Self-adaptive verification method and verification system for SM2 security certificate |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||