CN115529129A - Encrypted communication method and device and computer equipment - Google Patents


Info

Publication number
CN115529129A
Authority
CN
China
Prior art keywords
key
server
client
target
negotiation information
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202211197467.0A
Other languages
Chinese (zh)
Inventor
杨路江
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Shanghai Pudong Development Bank Co Ltd
Original Assignee
Shanghai Pudong Development Bank Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Shanghai Pudong Development Bank Co Ltd
Priority to CN202211197467.0A
Publication of CN115529129A
Legal status: Pending

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816 Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0838 Key agreement, i.e. key establishment technique in which a shared key is derived by parties as a function of information contributed by, or associated with, each of these
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/0442 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply asymmetric encryption, i.e. different keys for encryption and decryption
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3247 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3263 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements

Abstract

The application relates to an encrypted communication method, an encrypted communication device, a computer device, a storage medium and a computer program product. The encrypted communication method comprises the following steps: receiving an encrypted communication request sent by a client; selecting a supported target cipher suite from the initial cipher suite and generating server-side key negotiation information; sending the target cipher suite and the server-side key negotiation information to the client, wherein the target cipher suite and the server-side key negotiation information are used for instructing the client and the server to perform key negotiation to obtain a target key; and carrying out encrypted communication with the client through the target key. With this method, the server can provide a plurality of server public keys to the client, and the client can randomly generate a client public key for key agreement and randomly select a key exchange algorithm to process one of the server public keys, so that the randomness of the key generation process is improved, the difficulty of cracking the target key finally used is greatly increased, and information security is ensured.

Description

Encrypted communication method and device and computer equipment
Technical Field
The present application relates to the field of network encryption communication technologies, and in particular, to an encryption communication method, apparatus, computer device, storage medium, and computer program product.
Background
With the rapid popularization of the internet, the importance of communication security is increasing. At present, most encrypted communication adopts TLS/SSL communication protocol, and the TLS/SSL communication protocol can provide data integrity protection, data confidentiality protection and identity authentication functions for data communication.
However, the existing method for performing encryption communication by adopting the TLS/SSL communication protocol has low security, and an unauthorized third party can easily steal a secret key when the client communicates with the server, so as to illegally access the server and crack data stored by the server, which threatens the data security of a user and reduces the security performance of a secure transmission service and a remote access service.
Disclosure of Invention
In view of the foregoing, it is desirable to provide an encrypted communication method, apparatus, computer device, storage medium, and computer program product capable of improving the security of encrypted communication.
In a first aspect, the present application provides an encrypted communication method, applied to a server, including:
receiving an encrypted communication request sent by a client, wherein the encrypted communication request carries an initial password suite;
selecting a supported target password suite from the initial password suite and generating server-side key negotiation information; the server side key negotiation information carries at least one encryption certificate;
sending the target password suite and the server side key negotiation information to the client side, wherein the target password suite and the server side key negotiation information are used for indicating the client side and the server side to carry out key negotiation to obtain a target key;
and carrying out encrypted communication with the client through the target key.
In one embodiment, the sending the target password suite and the server-side key agreement information to the client, where the target password suite and the server-side key agreement information are used to instruct the client to perform key agreement with the server to obtain a target key, includes:
sending the target password suite and the server-side key negotiation information to the client, wherein the target password suite and the server-side key negotiation information are used for instructing the client to determine at least one encryption certificate and signature information from the server-side key negotiation information, verifying the server-side key negotiation information based on the signature information, determining a server-side public key based on any one encryption certificate, generating client-side key negotiation information based on the server-side public key and the client-side public key, and sending the client-side key negotiation information to the server;
receiving the client key negotiation information sent by the client;
and obtaining the client public key according to the client key negotiation information, and determining the target key according to the client public key.
In one embodiment, the obtaining the client public key according to the client key agreement information and determining the target key according to the client public key includes:
and decrypting the client key negotiation information according to at least one server private key corresponding to the encrypted certificate to obtain the client public key, and determining the target key according to the client public key.
In a second aspect, the present application further provides an encrypted communication method, applied to a client, including:
sending an encrypted communication request to a server, wherein the encrypted communication request carries an initial password suite;
receiving a target password suite and server key negotiation information sent by the server, and performing key negotiation with the server according to the server key negotiation information and the target password suite to obtain a target key; the target password suite is one of the initial password suites selected by the server, and the server key negotiation information carries at least one encryption certificate;
and carrying out encryption communication with the server side through the target secret key.
In one embodiment, the performing, according to the server-side key agreement information and the target password suite, key agreement with the server to obtain a target key includes:
determining the target key according to the server key negotiation information and the target password suite, generating client key negotiation information according to the server key negotiation information and a client public key, and sending the client key negotiation information to the server, wherein the client key negotiation information is used for indicating the server to decrypt the client key negotiation information according to a server private key corresponding to at least one encryption certificate to obtain the client public key, and determining the target key according to the client public key; the client public key is randomly generated for the client.
In one embodiment, the generating client key agreement information according to the server key agreement information and the client public key includes:
determining at least one encryption certificate and signature information according to the server side key negotiation information;
verifying the server side key negotiation information based on the signature information;
and determining a server public key based on any one of the encrypted certificates, and generating the client key agreement information based on the server public key and the client public key.
In a third aspect, the present application further provides an encrypted communication system, including a server and a client;
the server is used for:
receiving an encrypted communication request sent by the client, wherein the encrypted communication request carries an initial password suite;
selecting a supported target password suite from the initial password suite and generating server side key negotiation information; the server side key negotiation information carries at least one encryption certificate;
sending the target password suite and the server side key negotiation information to the client side, wherein the target password suite and the server side key negotiation information are used for indicating the client side and the server side to carry out key negotiation to obtain a target key;
receiving client key negotiation information sent by the client, and negotiating with the server according to the client key negotiation information to obtain the target key;
carrying out encrypted communication with the client through the target key;
the client is used for:
sending the encrypted communication request to a server, wherein the encrypted communication request carries an initial password suite;
receiving a target password suite and server key negotiation information sent by the server, and performing key negotiation with the server according to the server key negotiation information and the target password suite to obtain a target key;
carrying out encryption communication with the server through the target secret key;
and generating client key negotiation information according to the server key negotiation information and the client public key, and sending the client key negotiation information to the server, wherein the client key negotiation information is used for indicating the server and the client to negotiate to generate a target key.
In a fourth aspect, the application also provides a computer device. The computer device comprises a memory and a processor, wherein the memory stores a computer program, and the processor realizes the encryption communication method of any embodiment when executing the computer program.
In a fourth aspect, the present application further provides a computer-readable storage medium. The computer-readable storage medium stores a computer program which, when executed by a processor, implements the encrypted communication method according to any of the embodiments described above.
In a fifth aspect, the present application further provides a computer program product. The computer program product comprises a computer program, and when executed by a processor, the computer program product implements the encrypted communication method according to any of the embodiments.
According to the encryption communication method, the device, the computer equipment, the storage medium and the computer program product, the server can provide a plurality of server public keys for the client, the client can randomly generate one client public key, and a key exchange algorithm is randomly selected to process one server public key to perform key negotiation, so that the randomness of a key generation process is improved, the difficulty of cracking a target key finally used is greatly increased, the target key obtained after final negotiation is higher in security, and the target key is less prone to being cracked by a third party; therefore, the security of encrypted communication is greatly improved, and the information security is ensured.
Drawings
FIG. 1 is a diagram of an application environment of an encrypted communication method in one embodiment;
FIG. 2 is a flowchart illustrating an encrypted communication method according to a first embodiment;
FIG. 3 is a flowchart illustrating an encrypted communication method according to a second embodiment;
FIG. 4 is a flowchart illustrating an encrypted communication method according to a third embodiment;
FIG. 5 is a flowchart illustrating an encrypted communication method according to a fourth embodiment;
FIG. 6 is a flowchart illustrating an encrypted communication method according to a fifth embodiment;
FIG. 7 is a flow diagram of an encrypted communication system in one embodiment;
FIG. 8 is a diagram of an internal structure of a computer device in one embodiment.
Detailed Description
In order to make the objects, technical solutions and advantages of the present application more clearly understood, the present application is further described in detail below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described herein are merely illustrative of, and not restrictive on, the present application.
The encrypted communication method provided by the embodiments of the application can be applied to the application environment shown in FIG. 1, in which the client 104 communicates with the server 102 over a network. The data storage system may store data that the server 102 needs to process.
The server 102 receives an encrypted communication request sent by the client 104, wherein the encrypted communication request carries an initial password suite; the server 102 selects a supported target password suite from the initial password suite and generates server key negotiation information; the server side key negotiation information carries at least one encryption certificate; the server 102 sends the target password suite and the server key negotiation information to the client 104, and the target password suite and the server key negotiation information are used for indicating the client 104 and the server 102 to perform key negotiation to obtain a target key; the client 104 performs encrypted communication with the server 102 through the target key. The client 104 may be, but not limited to, various personal computers, notebook computers, smart phones, tablet computers, internet of things devices, and portable wearable devices, and the internet of things devices may be smart speakers, smart televisions, smart air conditioners, smart car-mounted devices, and the like. The portable wearable device can be a smart watch, a smart bracelet, a head-mounted device, and the like. The server 102 may be implemented by a stand-alone server or a server cluster composed of a plurality of servers. Client 104 and server 102 may be connected directly or indirectly through wired or wireless communication, such as through a network connection.
For another example, the encryption communication method is applied to the client 104, and the client 104 sends an encryption communication request to the server 102, where the encryption communication request carries an initial password suite; the client 104 receives the target password suite and the server key negotiation information sent by the server 102, and performs key negotiation with the server 102 according to the server key negotiation information and the target password suite to obtain a target key; the target password suite is one of initial password suites selected by the server, and the server key negotiation information carries at least one encryption certificate; the client 104 performs encrypted communication with the server 102 through the target key. It will be appreciated that the memory may be a separate storage device, or the memory may be located on the server, or the memory may be located on another terminal.
In one embodiment, an encrypted communication method is provided, and this embodiment is illustrated by applying the encrypted communication method to the server 102. As shown in fig. 2, the encryption communication method includes:
Step 202, receiving an encrypted communication request sent by a client, wherein the encrypted communication request carries an initial cipher suite.
The encrypted communication request may be a request sent by the client 104 for performing data encrypted communication with the server 102, for example, the encrypted communication request may be a handshake authentication request based on Secure Socket Layer (SSL), and the connection mode corresponding to the encrypted communication request is SSL connection.
The initial cipher suite is a plurality of cipher suites supported by the client 104. The initial cipher suite may be a cipher suite that supports a cryptographic algorithm. The initial cipher suite may include a national commercial asymmetric cipher algorithm, various key exchange algorithms, a digest algorithm, and a foreign standard symmetric cipher algorithm.
In this embodiment, the server 102 receives a request for data encryption communication sent by the client 104, and obtains all the password suites supported by the client 104 at the same time.
Step 204, selecting a supported target password suite from the initial password suite and generating server-side key negotiation information; the server side key negotiation information carries at least one encryption certificate.
The target password suite refers to one password suite selected by the server 102 from all initial password suites supported by the client 104, and the target password suite is supported by the server 102.
The encryption certificate is a digital certificate issued by a certificate authority to identify the server 102. Each encryption certificate corresponds to an encryption public/private key pair, and the key pair uniquely identifies the server 102 and is bound to the identity information of the server 102. It can be understood that the server-side key negotiation information carries at least one server public key corresponding to the server 102.
The server side key negotiation information refers to a data packet containing at least one encryption certificate, and it can also be understood that the server side key negotiation information refers to a data packet containing at least one server side public key.
As an example, the server public key may be a server public key required by an ECC key exchange algorithm, or may be a server public key required by a DH key exchange algorithm.
In this embodiment, the server 102 selects one of all the password suites supported by the client 104 as a target password suite, and generates server key agreement information including a plurality of encryption certificates for integrating at least one server public key corresponding to the server 102.
Step 206, sending the target cipher suite and the server-side key negotiation information to the client, wherein the target cipher suite and the server-side key negotiation information are used for instructing the client and the server to perform key negotiation to obtain a target key.
Key agreement refers to the agreement between two or more communicating parties to establish a session key in common.
The target key refers to a session key established by the server 102 and the client 104.
As an example, the server 102 may generate server key agreement information according to an encryption certificate containing a server public key required by an ECC key exchange algorithm and an encryption certificate containing a server public key required by a DH key exchange algorithm, the client 104 randomly selects a server public key corresponding to an encryption certificate after receiving the server key agreement information, when an encryption certificate containing a server public key required by an ECC key exchange algorithm is selected, the client 104 implements key agreement with the server 102 by using any suitable ECC key exchange algorithm, and when an encryption certificate containing a server public key required by a DH key exchange algorithm is selected, the client 104 implements key agreement with the server 102 by using the DH key exchange algorithm.
In this embodiment, the server 102 sends the supported target password suite and the server key negotiation information including the at least one server public key to the client 104, and the server 102 and the client 104 determine the target key after negotiation according to the target password suite and the at least one server public key supported by the server 102, so as to perform an encryption session.
Step 208, carrying out encrypted communication with the client through the target key.
In this embodiment, the server 102 and the client 104 perform an encryption session through a target key obtained after negotiation.
In the above encryption communication method, the server 102 receives an encryption communication request from the client 104, selects a supported cipher suite from multiple initial cipher suites supported by the client 104 as a target cipher suite, and sends server key negotiation information and the target cipher suite, which carry at least one encryption certificate, to the client 104, so that the client 104 can perform key negotiation with the server 102 by using the target cipher suite and a server public key corresponding to any one encryption certificate to obtain a target key, and the server 102 performs an encryption session with the client 104 by using the target key. Through the setting, the server 102 can provide a plurality of server public keys for the client 104, and the client 104 can randomly select one server public key to perform key agreement, so that the randomness of the key generation process is improved, and a target key obtained by final agreement is higher in security and is more difficult to crack by a third party.
As shown in fig. 3, in some alternative embodiments, step 206 includes:
Step 2062, sending the target cipher suite and the server-side key negotiation information to the client, wherein the target cipher suite and the server-side key negotiation information are used for instructing the client to determine at least one encryption certificate and signature information from the server-side key negotiation information, verify the server-side key negotiation information based on the signature information, determine a server public key based on any one encryption certificate, generate client key negotiation information based on the server public key and the client public key, and send the client key negotiation information to the server.
Step 2064, receiving the client key negotiation information sent by the client.
Step 2066, obtaining the client public key according to the client key negotiation information, and determining the target key according to the client public key.
The signature information may be a signature certificate of the server 102, and is used to sign the information of the server 102 so as to ensure the validity and non-repudiation of the information sent by the server 102. After receiving the target cipher suite and the server-side key agreement information, the client 104 verifies the signature information of the server 102 by using the signature public key of the server 102. If the verification passes, the client 104 randomly selects an encryption certificate, extracts the server public key corresponding to the selected encryption certificate, encrypts the client public key with it, and generates the client key agreement information.
The client key negotiation information refers to a data packet containing the client public key encrypted by the server public key.
Further, the server 102 receives the client key agreement information sent by the client 104, acquires the client public key from the client key agreement information, and determines the target key of the server 102 according to the client public key.
In this embodiment, the server 102 sends the target cipher suite and the server key negotiation information to the client 104, so that the client 104 can determine a server public key according to the target cipher suite and the at least one encryption certificate included in the server key negotiation information, encrypt the client public key with the determined server public key, generate client key negotiation information, and send the client key negotiation information to the server 102. The server 102 then obtains the client public key from the client key negotiation information and determines the target key of the server 102 according to the client public key. With this arrangement, the server 102 and the client 104 can complete key negotiation, obtain the target key and perform encrypted communication, so that the security of data transmission is enhanced, and the possibility that data is stolen or lost because the target key is cracked by a third party is reduced.
In some alternative embodiments, step 2066 comprises:
and decrypting the client key negotiation information according to the server private key corresponding to the at least one encryption certificate to obtain a client public key, and determining a target key according to the client public key.
Specifically, the server 102 may obtain server private keys corresponding to all encryption certificates included in the server key agreement information, decrypt the client key agreement information in sequence until decryption is successful, obtain a client public key included in the client key agreement information, and generate a target key according to the successfully decrypted server private key and the decrypted client public key.
In this embodiment, the server 102 decrypts the client key agreement information by using its own server private key, thereby improving the security in the key agreement process.
In one embodiment, an encrypted communication method is provided, and this embodiment is exemplified by the application of the encrypted communication method to the client 104. As shown in fig. 4, the encryption communication method includes:
Step 402, sending an encrypted communication request to a server, wherein the encrypted communication request carries an initial cipher suite.
The encrypted communication request may be issued by the client 104 in accordance with the user's instructions.
The initial cipher suite is a plurality of cipher suites supported by the client 104. The initial cipher suite may be a cipher suite that supports a cryptographic algorithm. The initial cipher suite may include a national commercial asymmetric cipher algorithm, various key exchange protocols, a digest algorithm, and a foreign standard symmetric cipher algorithm.
As an example, the client 104 stores a supported password suite list in advance, the password suite list includes a plurality of password suites, and in step 402, the client 104 extracts a preset number of password suites from the password suite list as initial password suites and sends an encrypted communication request including the initial password suites to the server 102.
In this embodiment, the client 104 attaches a plurality of cipher suites supported by the client 104 to the encrypted communication request according to an instruction of the user, and sends the encrypted communication request to the server 102.
Step 404, receiving a target cipher suite and server key negotiation information sent by the server, and performing key negotiation with the server according to the server key negotiation information and the target cipher suite to obtain a target key; the target cipher suite is one of the initial cipher suites selected by the server, and the server key negotiation information carries at least one encryption certificate.
In this embodiment, after receiving the target cipher suite and the server key agreement information, the client 104 uses the target cipher suite and performs key agreement with the server 102 according to the server key agreement information to obtain a target key.
Step 406, performing encrypted communication with the server through the target key.
In this embodiment, the client 104 and the server 102 conduct an encrypted session by using the target key obtained through negotiation.
In some alternative embodiments, step 404 includes:
generating client key negotiation information according to the server key negotiation information and the client public key, and sending the client key negotiation information to the server, wherein the client key negotiation information is used for instructing the server to decrypt the client key negotiation information according to a server private key corresponding to at least one encryption certificate to obtain a client public key, and determining a target key according to the client public key; the client public key is randomly generated for the client.
As an example, the client 104 randomly generates a random number as a client public key, and generates client negotiation information according to the client public key and at least one server public key carried in the server key negotiation information.
In this embodiment, the client 104 randomly generates a client key, and randomly performs key negotiation with the server 102 by using the server key negotiation information and the client key, so that the finally obtained target key has higher randomness and higher cracking difficulty, and the security of encrypted communication between the client 104 and the server 102 is enhanced.
As shown in fig. 5, in some optional embodiments, generating the client key agreement information according to the server key agreement information and the client public key includes:
Step 502, determining at least one encryption certificate and signature information according to the server key negotiation information.
Step 504, verifying the server key negotiation information based on the signature information.
Step 506, determining a server public key based on any one of the encryption certificates, and generating client key agreement information based on the server public key and the client public key.
The client 104 determines at least one encryption certificate and signature information carried by the server from the server key agreement information, and further verifies the server key agreement information according to the signature information.
As an example, the client 104 verifies the signature information of the server 102 by using, for example, the signature public key of the server 102, and if the verification is passed, further randomly selects one encryption certificate of the server 102, and extracts the server public key corresponding to the selected encryption certificate to encrypt the randomly generated client public key, thereby obtaining the client key agreement information.
In an embodiment, after receiving the server key agreement information, the client 104 first checks the validity of the encryption certificate carried in the server key agreement information, for example by verifying the integrity of the encryption certificate and whether the domain name to be resolved appears in the encryption certificate. If the check fails, the server 102 and the client 104 are notified that key agreement has failed; if the check succeeds, execution continues with step 502.
In this embodiment, after the client 104 verifies the identity of the server 102 according to the signature information carried in the server key agreement information, it randomly extracts an encryption certificate from the server key agreement information, obtains the server public key corresponding to that encryption certificate, and uses the server public key to encrypt a randomly generated client public key, thereby obtaining the client key agreement information. With this arrangement, once the server key agreement information received by the client 104 is confirmed to come from the server 102, the final client key agreement information can be generated randomly, which makes the information exchanged during key agreement harder to crack and ensures information security.
As shown in fig. 6, in this embodiment, the encrypted communication method includes:
Step 602, the client 104 sends an encrypted communication request to the server 102.
Step 604, the server 102 acquires the initial cipher suites supported by the client 104 from the encrypted communication request, and selects a target cipher suite from the initial cipher suites.
Step 606, the server 102 generates server key agreement information according to the at least one encryption certificate, and sends the server key agreement information and the target cipher suite to the client 104.
Step 608, the client 104 acquires the signature information according to the server key agreement information, verifies the signature information by using the signature public key of the issuing organization corresponding to the signature information, and determines whether the verification is successful; if successful, continue to perform step 610; if not, go to step 620.
Step 610, the client 104 picks out the server public key required by the ECC key exchange algorithm from the server key negotiation information.
Step 612, the client 104 randomly generates at least one random number as a client public key and also generates a corresponding client private key, and generates a target key of the client according to the server public key and the client private key by adopting any suitable ECC key exchange algorithm, and then encrypts the client public key by the server public key to obtain client key agreement information.
Step 614, the client 104 sends the client key agreement information to the server 102.
Step 616, the server 102 obtains the server private keys corresponding to all the encryption certificates, decrypts the client key negotiation information with each of them in sequence until the client public key is obtained, and generates the target key of the server according to the client public key and the server private key that decrypted successfully.
Step 618, the client 104 and the server 102 perform encrypted communication by using the target key.
Step 620, notifying the client 104 and the server 102 that the key agreement has failed.
In the encrypted communication method, the client 104 sends the cipher suites it supports to the server 102 for selection. The server 102 then sends the selected cipher suite and at least one encryption certificate, each with a corresponding public/private key pair, to the client 104. The client 104 randomly selects the server public key corresponding to one encryption certificate, uses it to encrypt a randomly generated client public key, and sends the encrypted client public key to the server 102. The server 102 decrypts the client public key by trying the server private keys corresponding to all of the encryption certificates, generates the server's target key from the server private key that decrypted successfully and the decrypted client public key, and then performs encrypted communication with the client 104 using the target key.
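Steps 610 to 616 above, worked through as an added example (not code from the patent): X25519 from RFC 7748 stands in for the unspecified ECC key exchange algorithm, and the ephemeral-key sealing with an HMAC tag is an assumed way for the server to recognise which private key decrypted successfully. All function names are hypothetical; the signature check of step 608 is omitted, and bare key pairs stand in for the encryption certificates.

```python
import hashlib
import hmac
import secrets
from typing import List, Optional, Tuple

# X25519 (RFC 7748) stands in for the patent's "any suitable ECC key exchange
# algorithm". Plain Python integers are not constant-time: demonstration only.
P = 2**255 - 19
BASE = (9).to_bytes(32, "little")


def x25519(k: bytes, u: bytes) -> bytes:
    """Montgomery-ladder scalar multiplication as specified in RFC 7748."""
    kb = bytearray(k)
    kb[0] &= 248
    kb[31] = (kb[31] & 127) | 64              # clamp the scalar
    n = int.from_bytes(kb, "little")
    x1 = int.from_bytes(u, "little") & ((1 << 255) - 1)
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in reversed(range(255)):
        bit = (n >> t) & 1
        if swap ^ bit:                        # conditional swap of the two points
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = bit
        a, b = (x2 + z2) % P, (x2 - z2) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        aa, bb, da, cb = a * a % P, b * b % P, d * a % P, c * b % P
        e = (aa - bb) % P
        x3 = (da + cb) ** 2 % P
        z3 = x1 * (da - cb) ** 2 % P
        x2 = aa * bb % P
        z2 = e * (aa + 121665 * e) % P
    if swap:
        x2, z2 = x3, z3
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")


def keypair() -> Tuple[bytes, bytes]:
    sk = secrets.token_bytes(32)
    return sk, x25519(sk, BASE)


def kdf(shared: bytes, label: bytes) -> bytes:
    """Simplified KDF (HMAC-SHA256 keyed with the DH output); an assumption."""
    return hmac.new(shared, label, hashlib.sha256).digest()


def xor32(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def seal(server_pub: bytes, client_pub: bytes) -> bytes:
    """Step 612: encrypt the client public key under one server public key."""
    eph_sk, eph_pub = keypair()
    shared = x25519(eph_sk, server_pub)
    ct = xor32(client_pub, kdf(shared, b"enc"))
    tag = hmac.new(kdf(shared, b"mac"), eph_pub + ct, hashlib.sha256).digest()
    return eph_pub + ct + tag                 # 32 + 32 + 32 bytes


def try_open(server_sk: bytes, msg: bytes) -> Optional[bytes]:
    """One trial decryption; None means this private key is not the right one."""
    if len(msg) != 96:
        return None
    eph_pub, ct, tag = msg[:32], msg[32:64], msg[64:]
    shared = x25519(server_sk, eph_pub)
    expect = hmac.new(kdf(shared, b"mac"), eph_pub + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expect):
        return None
    return xor32(ct, kdf(shared, b"enc"))


def client_negotiate(server_pubs: List[bytes]) -> Tuple[int, bytes, bytes]:
    """Steps 610-614: pick one certificate key at random, derive the target
    key, and build the client key negotiation information."""
    idx = secrets.randbelow(len(server_pubs))
    c_sk, c_pub = keypair()
    target = kdf(x25519(c_sk, server_pubs[idx]), b"target")
    return idx, target, seal(server_pubs[idx], c_pub)


def server_negotiate(server_sks: List[bytes], msg: bytes) -> Optional[Tuple[int, bytes]]:
    """Step 616: try every private key in sequence until one decrypts."""
    for i, sk in enumerate(server_sks):
        c_pub = try_open(sk, msg)
        if c_pub is not None:
            return i, kdf(x25519(sk, c_pub), b"target")
    return None                               # step 620: key agreement failed


if __name__ == "__main__":
    pairs = [keypair() for _ in range(3)]     # constructed stand-ins for 3 certificates
    idx, client_key, msg = client_negotiate([pub for _, pub in pairs])
    result = server_negotiate([sk for sk, _ in pairs], msg)
    print("client chose", idx, "server matched", result[0],
          "keys equal:", result[1] == client_key)
```

In this construction the integrity tag is what tells the server that a trial decryption succeeded; without it, every private key would yield some 32-byte value and the loop in step 616 could not tell which one was correct.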
It should be understood that, although the steps in the flowcharts related to the embodiments as described above are sequentially displayed as indicated by arrows, the steps are not necessarily performed sequentially as indicated by the arrows. The steps are not performed in the exact order shown and described, and may be performed in other orders, unless explicitly stated otherwise. Moreover, at least a part of the steps in the flowcharts related to the embodiments described above may include multiple steps or multiple stages, which are not necessarily performed at the same time, but may be performed at different times, and the execution order of the steps or stages is not necessarily sequential, but may be rotated or alternated with other steps or at least a part of the steps or stages in other steps.
Based on the same inventive concept, the embodiment of the present application further provides an encryption communication apparatus for implementing the encryption communication method. The implementation scheme for solving the problem provided by the device is similar to the implementation scheme described in the above method, so specific limitations in one or more embodiments of the encryption communication device provided below may refer to the limitations on the encryption communication method in the foregoing, and details are not described here.
In one embodiment, as shown in fig. 7, there is provided an encrypted communication system 700 comprising: a server 102 and a client 104, wherein:
the server 102 is configured to:
receiving an encrypted communication request sent by the client 104, wherein the encrypted communication request carries an initial cipher suite;
selecting a supported target cipher suite from the initial cipher suite and generating server key negotiation information; the server key negotiation information carries at least one encryption certificate;
sending the target cipher suite and the server key negotiation information to the client 104, wherein the target cipher suite and the server key negotiation information are used for instructing the client 104 and the server 102 to perform key negotiation to obtain a target key;
performing encrypted communication with the client 104 through the target key;
the client 104 is configured to:
sending an encrypted communication request to the server 102, wherein the encrypted communication request carries an initial cipher suite;
receiving a target cipher suite and server key negotiation information sent by the server 102, and performing key negotiation with the server according to the server key negotiation information and the target cipher suite to obtain a target key;
and performing encrypted communication with the server 102 through the target key.
In some optional embodiments, the server 102 is further configured to:
sending a target cipher suite and server key negotiation information to the client, wherein the target cipher suite and the server key negotiation information are used for instructing the client to determine at least one encryption certificate and signature information from the server key negotiation information, verify the server key negotiation information based on the signature information, determine a server public key based on any one encryption certificate, generate client key negotiation information based on the server public key and the client public key, and send the client key negotiation information to the server;
receiving client key negotiation information sent by a client;
and obtaining a client public key according to the client key negotiation information, and determining a target key according to the client public key.
In some optional embodiments, the server 102 is further configured to:
and decrypting the client key negotiation information according to the server private key corresponding to the at least one encryption certificate to obtain a client public key, and determining a target key according to the client public key.
In some optional embodiments, the client 104 is further configured to:
generating client key negotiation information according to the server key negotiation information and the client public key, and sending the client key negotiation information to the server, wherein the client key negotiation information is used for instructing the server to decrypt the client key negotiation information according to a server private key corresponding to at least one encryption certificate to obtain a client public key, and determining a target key according to the client public key; the client public key is randomly generated for the client.
In some optional embodiments, the client 104 is further configured to:
determining at least one encryption certificate and signature information according to the server side key negotiation information;
verifying the server side key negotiation information based on the signature information;
and determining a server public key based on any one encryption certificate, and generating client key negotiation information based on the server public key and the client public key.
In one embodiment, a computer device is provided, which may be a terminal, and its internal structure diagram may be as shown in fig. 8. The computer apparatus includes a processor, a memory, an input/output interface, a communication interface, a display unit, and an input device. The processor, the memory and the input/output interface are connected by a system bus, and the communication interface, the display unit and the input device are connected by the input/output interface to the system bus. Wherein the processor of the computer device is configured to provide computing and control capabilities. The memory of the computer device includes a non-volatile storage medium and an internal memory. The non-volatile storage medium stores an operating system and a computer program. The internal memory provides an environment for the operating system and the computer program to run on the non-volatile storage medium. The input/output interface of the computer device is used for exchanging information between the processor and an external device. The communication interface of the computer device is used for communicating with an external terminal in a wired or wireless manner, and the wireless manner can be realized through WIFI, a mobile cellular network, NFC (near field communication) or other technologies. The computer program is executed by a processor to implement an encrypted communication method. The display unit of the computer device is used for forming a visual picture and can be a display screen, a projection device or a virtual reality imaging device. The display screen can be a liquid crystal display screen or an electronic ink display screen, and the input device of the computer equipment can be a touch layer covered on the display screen, a key, a track ball or a touch pad arranged on the shell of the computer equipment, an external keyboard, a touch pad or a mouse and the like.
It will be appreciated by those skilled in the art that the configuration shown in fig. 8 is a block diagram of only a portion of the configuration associated with the present application, and is not intended to limit the computing device to which the present application may be applied, and that a particular computing device may include more or less components than those shown, or may combine certain components, or have a different arrangement of components.
In one embodiment, a computer-readable storage medium is provided, on which a computer program is stored, which computer program, when executed by a processor, may carry out the steps of:
receiving an encrypted communication request sent by a client, wherein the encrypted communication request carries an initial password suite;
selecting a supported target password suite from the initial password suite and generating server side key negotiation information; the server side key negotiation information carries at least one encryption certificate;
sending the target password suite and the server side key negotiation information to the client side, wherein the target password suite and the server side key negotiation information are used for indicating the client side and the server side to carry out key negotiation to obtain a target key;
and carrying out encrypted communication with the client through the target key.
In some optional embodiments, sending the target password suite and the server-side key agreement information to the client, where the target password suite and the server-side key agreement information are used to instruct the client to perform key agreement with the server to obtain a target key, and the method includes:
sending a target password suite and server-side key negotiation information to a client, wherein the target password suite and the server-side key negotiation information are used for indicating the client to determine at least one encryption certificate and signature information from the server-side key negotiation information, verifying the server-side key negotiation information based on the signature information, determining a server-side public key based on any one encryption certificate, generating client-side key negotiation information based on the server-side public key and the client-side public key, and sending the client-side key negotiation information to the server;
receiving client key negotiation information sent by a client;
and obtaining a client public key according to the client key negotiation information, and determining a target key according to the client public key.
In some optional embodiments, obtaining the client public key according to the client key agreement information, and determining the target key according to the client public key includes:
and decrypting the client key negotiation information according to the server private key corresponding to the at least one encryption certificate to obtain a client public key, and determining a target key according to the client public key.
In one embodiment, a computer-readable storage medium is provided, on which a computer program is stored, which when executed by a processor may carry out the steps of:
sending an encrypted communication request to a server, wherein the encrypted communication request carries an initial password suite;
receiving a target password suite and server key negotiation information sent by a server, and performing key negotiation with the server according to the server key negotiation information and the target password suite to obtain a target key; the target password suite is one of initial password suites selected by the server, and the server key negotiation information carries at least one encryption certificate;
and carrying out encrypted communication with the server through the target key.
In some optional embodiments, performing key negotiation with the server according to the server key negotiation information and the target password suite to obtain the target key includes:
generating client key negotiation information according to the server key negotiation information and the client public key, and sending the client key negotiation information to the server, wherein the client key negotiation information is used for instructing the server to decrypt the client key negotiation information according to a server private key corresponding to at least one encryption certificate to obtain a client public key, and determining a target key according to the client public key; the client public key is randomly generated for the client.
In some optional embodiments, generating the client key agreement information according to the server key agreement information and the client public key includes:
determining at least one encryption certificate and signature information according to the server side key negotiation information;
verifying the server side key negotiation information based on the signature information;
and determining a server public key based on any one encryption certificate, and generating client key negotiation information based on the server public key and the client public key.
In one embodiment, a computer program product is provided, comprising a computer program which when executed by a processor performs the steps of:
receiving an encrypted communication request sent by a client, wherein the encrypted communication request carries an initial password suite;
selecting a supported target password suite from the initial password suite and generating server-side key negotiation information; the server side key negotiation information carries at least one encryption certificate;
sending the target password suite and the server side key negotiation information to the client side, wherein the target password suite and the server side key negotiation information are used for indicating the client side and the server side to carry out key negotiation to obtain a target key;
and carrying out encrypted communication with the client through the target key.
In some optional embodiments, the sending a target password suite and server-side key negotiation information to the client, where the target password suite and the server-side key negotiation information are used to instruct the client and the server to perform key negotiation to obtain a target key, includes:
sending a target password suite and server side key negotiation information to a client side, wherein the target password suite and the server side key negotiation information are used for indicating the client side to determine at least one encryption certificate and signature information from the server side key negotiation information, verifying the server side key negotiation information based on the signature information, determining a server side public key based on any one encryption certificate, generating client side key negotiation information based on the server side public key and the client side public key, and sending the client side key negotiation information to the server side;
receiving client key negotiation information sent by a client;
and obtaining a client public key according to the client key negotiation information, and determining a target key according to the client public key.
In some optional embodiments, obtaining the client public key according to the client key agreement information, and determining the target key according to the client public key includes:
and decrypting the client key negotiation information according to the server private key corresponding to the at least one encryption certificate to obtain a client public key, and determining a target key according to the client public key.
In one embodiment, a computer program product is provided, comprising a computer program which when executed by a processor performs the steps of:
sending an encrypted communication request to a server, wherein the encrypted communication request carries an initial password suite;
receiving a target password suite and server key negotiation information sent by a server, and performing key negotiation with the server according to the server key negotiation information and the target password suite to obtain a target key; the target password suite is one of initial password suites selected by the server, and the server key negotiation information carries at least one encryption certificate;
and carrying out encrypted communication with the server through the target key.
In some optional embodiments, performing key agreement with the server according to the server key agreement information and the target cipher suite to obtain the target key includes:
generating client key negotiation information according to the server key negotiation information and the client public key, sending the client key negotiation information to the server, wherein the client key negotiation information is used for instructing the server to decrypt the client key negotiation information according to a server private key corresponding to at least one encryption certificate to obtain a client public key, and determining a target key according to the client public key; the client public key is randomly generated for the client.
In some optional embodiments, generating the client key agreement information according to the server key agreement information and the client public key includes:
determining at least one encryption certificate and signature information according to the server side key negotiation information;
verifying the server side key negotiation information based on the signature information;
and determining a server public key based on any one encryption certificate, and generating client key negotiation information based on the server public key and the client public key.
It will be understood by those skilled in the art that all or part of the processes of the methods of the embodiments described above can be implemented by a computer program instructing the relevant hardware; the computer program can be stored in a non-volatile computer-readable storage medium and, when executed, can include the processes of the embodiments of the methods described above. Any reference to memory, database, or other medium used in the embodiments provided herein may include at least one of non-volatile and volatile memory. The non-volatile memory may include Read-Only Memory (ROM), magnetic tape, floppy disk, flash memory, optical memory, high-density embedded non-volatile memory, Resistive Random Access Memory (ReRAM), Magnetic Random Access Memory (MRAM), Ferroelectric Random Access Memory (FRAM), Phase Change Memory (PCM), graphene memory, and the like. Volatile memory can include Random Access Memory (RAM), external cache memory, and the like. By way of illustration and not limitation, RAM can take many forms, such as Static Random Access Memory (SRAM) or Dynamic Random Access Memory (DRAM), among others. The databases referred to in various embodiments provided herein may include at least one of relational and non-relational databases. The non-relational database may include, but is not limited to, a blockchain-based distributed database, and the like. The processors referred to in the various embodiments provided herein may be, without limitation, general purpose processors, central processing units, graphics processors, digital signal processors, programmable logic devices, quantum computing-based data processing logic devices, or the like.
For the sake of brevity, not all possible combinations of the technical features in the above embodiments are described, but they should be considered within the scope of the present disclosure as long as the combinations of technical features do not contradict one another.
The above-mentioned embodiments express only several embodiments of the present application, and their description is relatively specific and detailed, but they should not be construed as limiting the scope of the present application. It should be noted that a person skilled in the art can make several variations and modifications without departing from the concept of the present application, all of which fall within the scope of protection of the present application. Therefore, the protection scope of the present application should be subject to the appended claims.

Claims (10)

1. An encrypted communication method, applied to a server, comprising:
receiving an encrypted communication request sent by a client, wherein the encrypted communication request carries an initial password suite;
selecting a supported target password suite from the initial password suite and generating server-side key negotiation information; the server side key negotiation information carries at least one encryption certificate;
sending the target password suite and the server side key negotiation information to the client side, wherein the target password suite and the server side key negotiation information are used for indicating the client side and the server side to carry out key negotiation to obtain a target key;
and carrying out encrypted communication with the client through the target key.
2. The method according to claim 1, wherein the sending the target password suite and the server-side key agreement information to the client, the target password suite and the server-side key agreement information being used to instruct the client to perform key agreement with the server to obtain a target key, includes:
sending the target password suite and the server-side key negotiation information to the client, wherein the target password suite and the server-side key negotiation information are used for instructing the client to determine at least one encryption certificate and signature information from the server-side key negotiation information, verifying the server-side key negotiation information based on the signature information, determining a server-side public key based on any one encryption certificate, generating client-side key negotiation information based on the server-side public key and the client-side public key, and sending the client-side key negotiation information to the server;
receiving the client key negotiation information sent by the client;
and obtaining the client public key according to the client key negotiation information, and determining the target key according to the client public key.
3. The method of claim 2, wherein the obtaining the client public key according to the client key agreement information and determining the target key according to the client public key comprises:
and decrypting the client key negotiation information according to at least one server private key corresponding to the encryption certificate to obtain the client public key, and determining the target key according to the client public key.
4. An encrypted communication method, applied to a client, comprising:
sending an encrypted communication request to a server, wherein the encrypted communication request carries an initial password suite;
receiving a target password suite and server key negotiation information sent by the server, and performing key negotiation with the server according to the server key negotiation information and the target password suite to obtain a target key; the target password suite is one of the initial password suites selected by the server, and the server key negotiation information carries at least one encryption certificate;
and performing encrypted communication with the server through the target key.
5. The method of claim 4, wherein performing key agreement with the server according to the server key agreement information and the target password suite to obtain a target key comprises:
determining the target key according to the server key negotiation information and the target password suite, generating client key negotiation information according to the server key negotiation information and a client public key, and sending the client key negotiation information to the server, wherein the client key negotiation information is used for indicating the server to decrypt the client key negotiation information according to a server private key corresponding to at least one encryption certificate to obtain the client public key, and determining the target key according to the client public key; the client public key is randomly generated for the client.
6. The method of claim 5, wherein generating client key agreement information according to the server key agreement information and a client public key comprises:
determining at least one encryption certificate and signature information according to the server side key negotiation information;
verifying the server side key negotiation information based on the signature information;
and determining a server public key based on any one of the encryption certificates, and generating the client key negotiation information based on the server public key and the client public key.
7. An encrypted communication system, characterized by comprising a server and a client;
the server is used for:
receiving an encrypted communication request sent by the client, wherein the encrypted communication request carries an initial password suite;
selecting a supported target password suite from the initial password suite and generating server-side key negotiation information; the server side key negotiation information carries at least one encryption certificate;
sending the target password suite and the server side key negotiation information to the client side, wherein the target password suite and the server side key negotiation information are used for indicating the client side and the server side to carry out key negotiation to obtain a target key;
receiving client key negotiation information sent by the client, and negotiating with the server according to the client key negotiation information to obtain the target key;
carrying out encrypted communication with the client through the target key;
the client is used for:
sending the encrypted communication request to a server, wherein the encrypted communication request carries an initial password suite;
receiving a target password suite and server key negotiation information sent by the server, and performing key negotiation with the server according to the server key negotiation information and the target password suite to obtain a target key;
carrying out encrypted communication with the server through the target key;
and generating client key negotiation information according to the server key negotiation information and the client public key, and sending the client key negotiation information to the server, wherein the client key negotiation information is used for indicating the server and the client to negotiate to generate a target key.
8. A computer device comprising a memory and a processor, the memory storing a computer program, wherein the processor, when executing the computer program, implements the steps of the encrypted communication method of any one of claims 1 to 3 or the encrypted communication method of any one of claims 4 to 6.
9. A computer-readable storage medium on which a computer program is stored, wherein the computer program, when executed by a processor, carries out the steps of the encrypted communication method of any one of claims 1 to 3 or the encrypted communication method of any one of claims 4 to 6.
10. A computer program product comprising a computer program, characterized in that the computer program, when executed by a processor, carries out the steps of the encrypted communication method of any one of claims 1 to 3 or the encrypted communication method of any one of claims 4 to 6.
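The exchange recited in claims 4 to 7, as an added Python sketch that is not code from the patent: the server picks one offered "password suite" (a cipher suite in TLS terms) and signs it together with an encryption certificate, the client verifies that signature before encrypting its random value to the certificate's public key, and both sides derive the same target key. Assumptions not in the claims: the constructed suite names, textbook RSA over small fixed primes standing in for the certificate algorithms, a server signing key the client already trusts, a 16-byte random client value, and an HMAC-SHA256 key derivation.

```python
import hashlib, hmac, secrets

# Toy textbook-RSA key pairs from fixed Mersenne primes: NOT secure, offline stand-in only.
def toy_keypair(p, q, e=65537):
    n = p * q
    return (n, e), (n, pow(e, -1, (p - 1) * (q - 1)))

SIGN_PUB, SIGN_PRIV = toy_keypair(2**107 - 1, 2**61 - 1)  # signing key, assumed pinned by client
ENC_PUB, ENC_PRIV = toy_keypair(2**127 - 1, 2**89 - 1)    # key behind the "encryption certificate"
SERVER_SUITES = ["SUITE_B", "SUITE_C"]                    # constructed suite names

def digest_int(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def server_hello(initial_suites):
    # Server: pick the first offered suite it supports, then sign suite + certificates.
    target = next((s for s in initial_suites if s in SERVER_SUITES), None)
    if target is None:
        raise ValueError("no common suite")
    certs = [ENC_PUB]                                     # "at least one encryption certificate"
    body = repr((target, certs)).encode()
    n, d = SIGN_PRIV
    return {"suite": target, "certs": certs, "sig": pow(digest_int(body, n), d, n)}

def derive_target_key(suite, client_pub, certs):
    # Assumed KDF: HMAC-SHA256 keyed by the client value over the negotiated parameters.
    return hmac.new(client_pub, repr((suite, certs)).encode(), hashlib.sha256).digest()

def client_key_exchange(initial_suites, hello):
    # Client: reject a suite it never offered, verify the signature, then encrypt its value.
    if hello["suite"] not in initial_suites:
        raise ValueError("server chose a suite that was not offered")
    n, e = SIGN_PUB
    body = repr((hello["suite"], hello["certs"])).encode()
    if pow(hello["sig"], e, n) != digest_int(body, n):
        raise ValueError("bad signature on server key negotiation information")
    client_pub = secrets.token_bytes(16)                  # randomly generated client value
    en, ee = hello["certs"][0]                            # any one of the encryption certificates
    ciphertext = pow(int.from_bytes(client_pub, "big"), ee, en)
    return ciphertext, derive_target_key(hello["suite"], client_pub, hello["certs"])

def server_finish(hello, ciphertext):
    # Server: decrypt the client key negotiation information, derive the same target key.
    n, d = ENC_PRIV
    client_pub = pow(ciphertext, d, n).to_bytes(16, "big")
    return derive_target_key(hello["suite"], client_pub, hello["certs"])
```

Because the signature covers the selected suite as well as the certificates, a suite swapped in transit fails verification before the client encrypts anything.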
CN202211197467.0A 2022-09-29 2022-09-29 Encrypted communication method and device and computer equipment Pending CN115529129A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202211197467.0A CN115529129A (en) 2022-09-29 2022-09-29 Encrypted communication method and device and computer equipment

Publications (1)

Publication Number Publication Date
CN115529129A true CN115529129A (en) 2022-12-27

Family

ID=84700625

Country Status (1)

Country Link
CN (1) CN115529129A (en)

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2009076811A1 (en) * 2007-12-14 2009-06-25 Huawei Technologies Co., Ltd. A method, a system, a client and a server for key negotiating
US9923923B1 (en) * 2014-09-10 2018-03-20 Amazon Technologies, Inc. Secure transport channel using multiple cipher suites

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination