CN118199870A

CN118199870A - Data communication method, device, equipment and storage medium

Info

Publication number: CN118199870A
Application number: CN202410355118.XA
Authority: CN
Inventors: 许春磊; 侯志军; 彭景�; 崔永祺
Original assignee: China Electronics Technology Network Security Technology Co ltd
Current assignee: China Electronics Technology Network Security Technology Co ltd
Priority date: 2024-03-27
Filing date: 2024-03-27
Publication date: 2024-06-14

Abstract

The application discloses a data communication method, a device, equipment and a storage medium, which are applied to a preset national Security Socket Layer (SSL) client, and relate to the technical field of information security, and the method comprises the following steps: sending client hello information to a preset fort server for handshake and receiving returned reply information; if a certificate application request sent by a preset fort server is obtained in the process of receiving the reply information, returning the client certificate information; if not, directly returning the client key exchange information to enable the client key exchange information and the preset fort server to change the encryption format based on the client key exchange information; after the modification is finished, a first modification ending signal is sent to a preset fort server, a second modification ending signal sent by the preset fort server after the modification is finished is received, verification is carried out, so that a corresponding handshake flow is finished, and communication is carried out based on the obtained target symmetric key. Thus, the reliability and the safety of communication are effectively improved.

Description

Data communication method, device, equipment and storage medium

Technical Field

The present invention relates to the field of information security technologies, and in particular, to a data communication method, apparatus, device, and storage medium.

Background

With the continuous development of IT (Information Technology ) systems of enterprises and institutions, the number of data center system devices is rapidly increased, the deployment area of the devices is wide, the operation and maintenance monitoring difficulty is high, and a large risk is brought to the safety of the information system. In order to realize remote operation and maintenance of the devices such as the internal server by the operation and maintenance personnel, an SSL (Security Socket Layer, secure socket layer protocol based) VPN (Virtual Private Network ) system is generally used to open a private channel for accessing an external network into the internal network of the enterprise, and then the operation and maintenance of the target server are performed by using the fort machine. The SSL VPN system and the fort machine cooperate to realize the remote operation and maintenance service of the user. In related cryptographic applications, the fort usually needs to use a cryptographic module to provide services such as encryption and decryption, the conventional cryptographic module is a special cryptographic card, the cryptographic card is inserted on a system motherboard, and is connected with a CPU (centralprocessingunit ) through a PCIE (PERIPHERAL COMPONENT INTERCONNECT EXPRESS, a high-speed serial computer expansion bus standard) bus, and the cryptographic module needs to provide a certain function of key management besides providing cryptographic operation capability, so as to ensure security of keys.

However, the current mainstream SSL channels are all implemented based on RFC (Request For Comments ) standards of IETF (THEINTERNET ENGINEERING TASK Force, internet engineering task Force), supporting international general algorithms, SSL certificates usually use RSA algorithm (asymmetric encryption algorithm proposed by Ron Rivest, ADI SHAMIR, leonard Adleman) (2048 bits), and along with the rapid development of cryptography, the improvement of factorization, it has been proved that attacks on RSA algorithm are possible; while longer keys mean that more data must be sent back and forth to verify the connection, including higher CPU occupancy, memory occupancy, network consumption, etc. The third party SSL VPN system and the fort machine are poor in use reliability in cooperation, and the fact that the SSL VPN fails can directly influence the remote operation and maintenance users to use the fort machine. The external password card of the fort machine is connected with the fort machine CPU through an external bus, so that the universal bus bandwidth in a CPU chip is occupied when password service is provided, and the exposed surface is increased, so that the fort machine is easy to be physically attacked by buses; the extra hardware cipher card has lower reliability and also increases the hardware cost.

Disclosure of Invention

Accordingly, the present invention is directed to a data communication method, apparatus, device, and storage medium, which can effectively improve the reliability and security of communication and reduce the communication cost. The specific scheme is as follows:

In a first aspect, the present application provides a data communication method applied to a preset national security SSL client, including:

sending corresponding client greeting information to a preset fort server which adopts a preset JvSE embedded password module to provide password service for handshake, and receiving reply information returned by the preset fort server; the reply information comprises corresponding key exchange parameter information;

If a certificate application request sent by the preset fort server is obtained in the process of receiving the reply information, corresponding client certificate information is returned to the preset fort server;

If the certificate application request is not acquired in the process of receiving the reply information, corresponding client key exchange information is directly returned to the preset fort server so that the client key exchange information and the preset fort server can carry out encryption format modification based on the client key exchange information;

And after finishing the modification, sending a corresponding first modification ending signal to the preset fort server, receiving a second modification ending signal sent by the preset fort server after finishing the modification, verifying to finish a corresponding handshake process, and communicating based on the obtained target symmetric key.

Optionally, the handshake is performed by sending corresponding client hello information to a preset fort server that provides cryptographic services using a preset JvSE embedded cryptographic module, including:

The corresponding client hello information is sent to a preset fort server which is internally provided with a national security SSL VPN and adopts a preset JvSE embedded password module to provide password service to carry out handshake; the preset JvSE embedded password module in the preset fort server and the local chip are integrated into a whole.

Optionally, if, in the process of receiving the reply message, a certificate application request sent by the preset fort server is obtained, corresponding client certificate information is returned to the preset fort server, including:

if a certificate application request sent by the preset fort server is obtained in the process of receiving the reply information, judging that the preset fort server starts bidirectional authentication;

And returning corresponding client certificate information and certificate verification information to the preset fort server so that the preset fort server verifies whether the preset national secret SSL client is a certificate legal holder based on the certificate verification information.

Optionally, after the corresponding client certificate information is returned to the preset fort server, the method further includes:

and sending the corresponding client key exchange information to the preset fort server.

Optionally, the receiving the reply message returned by the preset fort server includes:

Receiving reply information which is returned by the preset fort server and comprises corresponding certificate information and the key exchange parameter information; wherein the certificate information comprises a corresponding encryption certificate and a signature certificate.

Optionally, the returning, to the preset fort server, corresponding client key exchange information includes:

and if the target national cipher suite is currently selected, sending a premaster secret key encrypted based on the public key in the encryption certificate to the preset fort server as client key exchange information.

Optionally, the communicating based on the obtained target symmetric key includes:

and encrypting and decrypting the communication data based on the obtained target symmetric key to complete corresponding data communication operation.

In a second aspect, the present application provides a data communication apparatus applied to a preset national security SSL client, including:

The greeting information sending module is used for carrying out handshake by sending corresponding client greeting information to a preset fort server which adopts a preset JvSE embedded password module to provide password service, and receiving reply information returned by the preset fort server; the reply information comprises corresponding key exchange parameter information;

The first information sending module is used for returning corresponding client certificate information to the preset fort server if a certificate application request sent by the preset fort server is obtained in the process of receiving the reply information;

The second information sending module is used for directly returning corresponding client key exchange information to the preset fort server if the certificate application request is not acquired in the process of receiving the reply information, so that the second information sending module and the preset fort server can change the encryption format based on the client key exchange information;

The communication proceeding module is used for transmitting a corresponding first change ending signal to the preset fort server after the change is completed, receiving a second change ending signal transmitted by the preset fort server after the change is completed, verifying to complete a corresponding handshake flow, and communicating based on the obtained target symmetric key.

In a third aspect, the present application provides an electronic device, comprising:

a memory for storing a computer program;

and a processor for executing the computer program to implement the steps of the data communication method described above.

In a fourth aspect, the present application provides a computer readable storage medium storing a computer program which when executed by a processor performs the steps of the aforementioned data communication method.

In the application, corresponding client greeting information is sent to a preset fort server for providing password service by adopting a preset JvSE embedded password module to carry out handshake, and reply information returned by the preset fort server is received; the reply information comprises corresponding key exchange parameter information; if a certificate application request sent by the preset fort server is obtained in the process of receiving the reply information, corresponding client certificate information is returned to the preset fort server; if the certificate application request is not acquired in the process of receiving the reply information, corresponding client key exchange information is directly returned to the preset fort server so that the client key exchange information and the preset fort server can carry out encryption format modification based on the client key exchange information; and after finishing the modification, sending a corresponding first modification ending signal to the preset fort server, receiving a second modification ending signal sent by the preset fort server after finishing the modification, verifying to finish a corresponding handshake process, and communicating based on the obtained target symmetric key. That is, the fort machine of the application adopts the preset JvSE embedded cryptographic module to provide cryptographic service, thus solving the occupation of the general bus bandwidth in the CPU chip. Meanwhile, the embedded design solves the safety risk brought by an external connection mode, and the reliability of the embedded type safety protection device is enhanced. And the security of the application is higher than that of the international RSA algorithm commonly used in the existing method by carrying out national security SSL data communication, and the application has more advantages in the aspects of transmission speed, transmission time, CPU occupation, memory occupation, network consumption and the like. That is, the application can effectively improve the reliability and safety of communication and reduce the communication cost.

Drawings

In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings that are required to be used in the embodiments or the description of the prior art will be briefly described below, and it is obvious that the drawings in the following description are only embodiments of the present invention, and that other drawings can be obtained according to the provided drawings without inventive effort for a person skilled in the art.

FIG. 1 is a flow chart of a data communication method provided by the application;

FIG. 2 is a schematic diagram of a specific data communication flow provided by the present application;

FIG. 3 is a schematic diagram of the working principle of cryptographic operation of a preset fort server provided by the present application;

FIG. 4 is a schematic block diagram illustrating a key block boundary of JvSE according to the present application;

FIG. 5 is a block diagram of a JvSE cryptographic module hardware component provided by the present application;

FIG. 6 is a flowchart of a specific data communication method according to the present application;

Fig. 7 is a schematic structural diagram of a data communication device according to the present application;

fig. 8 is a block diagram of an electronic device according to the present application.

Detailed Description

The following description of the embodiments of the present invention will be made clearly and completely with reference to the accompanying drawings, in which it is apparent that the embodiments described are only some embodiments of the present invention, but not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to be within the scope of the invention.

The current mainstream SSL channels are realized based on RFC standards of the IETF organization, an international general algorithm is supported, an RSA algorithm (2048 bits) is usually used for SSL certificates, and along with the rapid development of the cryptography, the improvement of factorization is added, so that the RSA algorithm attack is proved to be possible; while longer keys mean that more data must be sent back and forth to verify the connection, including higher CPU occupancy, memory occupancy, network consumption, etc. The third party SSL VPN system and the fort machine are poor in use reliability in cooperation, and the fact that the SSL VPN fails can directly influence the remote operation and maintenance users to use the fort machine. The external password card of the fort machine is connected with the fort machine CPU through an external bus, so that the universal bus bandwidth in a CPU chip is occupied when password service is provided, and the exposed surface is increased, so that the fort machine is easy to be physically attacked by buses; the extra hardware cipher card has lower reliability and also increases the hardware cost. Therefore, the application provides a data communication scheme which can effectively improve the reliability and the safety of communication and reduce the communication cost.

Referring to fig. 1, the embodiment of the invention discloses a data communication method applied to a preset national security SSL client, comprising the following steps:

step S11, a preset fort server which adopts a preset JvSE embedded password module to provide password service is sent with corresponding client greeting information to carry out handshake, and reply information returned by the preset fort server is received; the reply message includes corresponding key exchange parameter information.

Specifically, in this embodiment, as shown in fig. 2, the handshake is performed by sending corresponding client hello information to a preset fort server that provides a cryptographic service by using a preset JvSE embedded cryptographic module, including: the corresponding client hello information is sent to a preset fort server which is internally provided with a national security SSL VPN and adopts a preset JvSE embedded password module to provide password service to carry out handshake; wherein JvSE, namely JavaSE is an abbreviation of Java Standard Edtion, and translated into Chinese is a Java standard edition and is also a core of Java; and the preset JvSE embedded password module in the preset fort server and the local chip are integrated into a whole. Thus, the reliability of communication is improved.

In this embodiment, regarding the preset fort server, the cryptographic operation working principle shown in fig. 3 is combined. The national security SSL security channel function of the preset fort server is jointly realized by Loongson 3A5000, jvSE embedded type password modules, hardware drivers, national security SSL protocols and the like. The system architecture of the fort secret operation is from top to bottom: application layer software, device drivers, module hardware layers. The specific working principle is as follows: the upper layer application calls the hardware driver interface, and the hardware driver is responsible for managing and scheduling hardware resources of each part on the cryptographic module after receiving the interface call of the application layer software, so as to complete specific cryptographic service. And the JvSE embedded type cryptographic module adopts a single-chip fusion architecture design, is directly embedded into an LS3A5000 processor of the Loongson, and the SM2/SM3/SM4 cryptographic algorithm and the random number generation of the preset fort server are realized through the JvSE embedded type cryptographic module.

Further, referring to fig. 4, regarding the JvSE embedded cryptographic module, the fort machine uses an LS3a5000 platform JvSE based embedded cryptographic module to provide basic hardware support such as high-performance cryptographic services. The general LS3A5000 processor CPU architecture system and the JvSE cryptographic module architecture system are mutually independent, are physically isolated from each other, and respectively run in different environments (general domain and security domain). The processor running in the general domain does not have the access right of JvSE cryptographic modules, and only realizes the single downward sending of the security service command of the cryptographic modules through the special security driver and the special interface. And JvSE after receiving the command, the password module actively reads the security service data, actively writes back to the storage space of the general domain after performing security service processing in the security domain, and provides high-performance password service capability and security protocol service capability for the system. Wherein, the interface includes: management channels, data channels, and security control signals. The management channel interface: LS3A5000CPU configures corresponding data to the register of the secure SE cipher module through the control channel, and realizes the issuing of the secure command and the reading of the command execution state. The data channel interface: high-speed DWA (Data Warehouse Appliance, data warehouse equipment) dedicated channels for cryptographic module security processing. The encryption and decryption operation, signature verification operation and integrity operation of the cryptographic module are all completed through the data channel. The high-speed DWA channel has the ability to access all the data, program address space of the Loongson processor. The interrupt and safety control signals: the password module interrupts the state signal in real time, and the password module safely starts a control signal for the Loongson processor.

Meanwhile, regarding the JvSE embedded cryptographic module, referring to fig. 5, the JvSE embedded cryptographic module integrates a plurality of modules, and there are mainly 3 types: the system comprises a main control unit, a password operation unit and other auxiliary functional modules of system functions. Regarding the master control unit: the 32-bit CPU processor core integrated in the JvSE embedded cryptographic module is mainly responsible for management and scheduling of module resources, loading of a complete security algorithm, scheduling of tasks, protocol processing and the like. The cK810 adopts an architecture and a micro-architecture of autonomous design, has the advantages of expandable instructions, configurable hardware resources, re-synthesis, easy hand integration and the like, and has excellent performance in low-power consumption design and power management. Regarding the cryptographic operation unit: the system comprises a symmetric cipher operation sub-module and an asymmetric cipher operation sub-module, which mainly provide cipher operation functions and support SM4 cipher operation, SM3 hash operation, SM2 public key cipher operation and the like. Symmetric cryptographic operation submodule: the symmetric cryptographic algorithm engine is a special processor adopting a VLIW system architecture, supports SM3 and SM4 algorithms, and has higher performance. An asymmetric cryptographic operator module: the asymmetric engine is designed based on a MIPS programmable architecture (Microprocessor without interlocked PIPED STAGES architecture, a processor architecture adopting a simplified instruction set) and supports operations such as SM2 signature verification, encryption and decryption, key negotiation and the like. Regarding the data/control processing unit: and carrying, analyzing, calling and data processing of the hardware logic level high-speed service package of the symmetric cipher service and the asymmetric cipher service are realized. Carrying, analyzing, scheduling and processing of a cipher service data packet are realized, and thousands of cycles of an embedded CPU of the secure SE cipher module are consumed for interrupt processing. When processing high-speed service flow data, a high-speed pure hardware flow control mechanism based on a linked list is designed on a framework, so that the service flow flows orderly at a high speed under the condition of no software intervention, thereby obtaining higher data transmission efficiency and reducing working power consumption. Meanwhile, management information interaction between the LS3A5000 processor and the JvSE cryptographic module is realized, and high-speed data path configuration information issuing is supported. In this way, the preset fort server communicates through the data channel established by the national security SSL protocol, thereby ensuring the communication security.

Specifically, in this embodiment, the receiving the reply message returned by the preset fort server includes: receiving reply information which is returned by the preset fort server and comprises corresponding certificate information and the key exchange parameter information; wherein the certificate information comprises a corresponding encryption certificate and a signature certificate. Since the Client Hello message first sent by the Client includes the corresponding encryption suite and the random number. Therefore, after receiving the handshake request, that is, the Client Hello message, the preset fort server selects an appropriate encryption suite in combination with its own certificate to return to the Client, and generates a random number to send together, where the generation of the random number is implemented by the JvSE embedded cryptographic module (LS 3a 5000).

And then, the preset fort server side continuously sends a Certificate message to the client side, wherein the Certificate message comprises a double Certificate, namely a signature Certificate and an encryption Certificate, and the encryption Certificate is placed in front of the signature Certificate. And the preset fort server side sends SERVER KEY Exchange messages according to the selected handshake protocol. If the ECC_Sm4_Sm3 suite is selected, the message contains the signature of the server on the random numbers of the two parties and the encryption certificate of the server. The information is sent to the preset national security SSL client as a reply message.

Step S12, if a certificate application request sent by the preset fort server is obtained in the process of receiving the reply information, corresponding client certificate information is returned to the preset fort server.

In this embodiment, as shown in fig. 2, if the preset fort server opens the bidirectional authentication, the preset fort server will continue to send CERTIFICATE REQUEST messages, that is, certificate application requests to the client. That is, after the corresponding client certificate information is returned to the preset fort server, the method further includes: and sending corresponding client key Exchange information, namely CLIENT KEY Exchange to the preset fort server.

Specifically, in this embodiment, if, during receiving the reply message, a certificate application request sent by the preset fort server is obtained, corresponding client certificate information is returned to the preset fort server, including: if a certificate application request sent by the preset fort server is obtained in the process of receiving the reply information, judging that the preset fort server starts bidirectional authentication; and returning corresponding client certificate information, namely CERTIFICATE VERIFY and certificate verification information to the preset fort server so that the preset fort server verifies whether the preset national secret SSL client is a certificate legal holder based on the certificate verification information.

Step S13, if the certificate application request is not obtained in the process of receiving the reply information, corresponding client key exchange information is directly returned to the preset fort server so that the client key exchange information and the preset fort server can carry out encryption format modification based on the client key exchange information.

Specifically, in this embodiment, it should be understood that after the preset national security SSL client receives the reply message, if the certificate application request is received, a CLIENT CERTIFICATE message is first replied to the preset fort server, and if not, this step is skipped.

Further, the returning the corresponding client key exchange information to the preset fort server includes: and if the target national cipher suite is currently selected, sending a premaster secret key encrypted based on the public key in the encryption certificate to the preset fort server as client key exchange information. Wherein the target country secret set is an ECC_Sb4_Sm3 set.

Step S14, through sending a corresponding first change end signal to the preset fort machine server after the change is completed, receiving a second change end signal sent by the preset fort machine server after the change is completed, verifying to complete a corresponding handshake flow, and communicating based on the obtained target symmetric key.

Specifically, in this embodiment, the preset fort server and the preset national security SSL client each send corresponding end signals, i.e., finished messages, to the other party after the password specification change message is completed, so as to verify whether the key exchange process is successful or not, and verify the integrity of the handshake process. The process of the SSL handshake is finished, and the two parties of the protocol can encrypt and decrypt the communication data by using the negotiated symmetric key.

That is, the communication based on the obtained target symmetric key may specifically include: and encrypting and decrypting the communication data based on the obtained target symmetric key to complete corresponding data communication operation.

It should be understood that, regarding the cryptographic techniques used in the national dense SSL handshake protocol of the present embodiment, the cryptographic techniques used in the national dense SSL recording protocol are shown in table one and table two, respectively.

List one

Watch II

Cryptographic techniques	Action
		Symmetric cipher-SM 4 (CBC mode)	Ensuring confidentiality of fragments
Message authentication code	Ensuring segment integrity and authentication
		Authentication encryption	Ensuring segment integrity and confidentiality and authentication

In this embodiment, functions such as encryption/decryption, digital signature/verification, key management, true random number generation, etc. used by the national security SSL handshake protocol and the recording protocol of the preset fort server are implemented by using JvSE embedded cryptographic modules (LS 3a 5000). The application layer SSL protocol calls a hardware driver interface, the hardware driver is responsible for sending data to the JvSE embedded cryptographic module through an AXI (Advanced eXtensible Interface, advanced expansion interface, a bus protocol) bus interface, after a host sends a request to the cryptographic module in an entry processing module of the JvSE embedded cryptographic module, a CK810 receives an interrupt signal from the host, the CK810 enters an interrupt processing program, and simultaneously, the requested command data enters a storage area of an interface chip accessible by the CK 810. In the interrupt processing program, the CK810 reads and analyzes command data, and delivers the analysis result to the subtask management module for task processing. The task management module performs specific command operations such as data encryption and decryption, hash operation, random number generation, and the like. After the task execution is finished, whether successful or not, the processing result is transmitted to the sub-interface command processing module. In the egress processing module, the CK810 receives the processing result of the task management module, writes the processing result into a corresponding storage area of the interface chip, and then triggers the interface chip to issue an interrupt to the host, so that a driver on the host side reads the processing result from the chip and submits the processing result to the process of the subtask request.

It can be understood that the SSL protocol of the cryptographic algorithm has the advantage that it provides connection security, and has three main aspects: tunnel protection based on the national cipher symmetry algorithm: after the initial handshake negotiates the communication protection algorithm (SM 4) and the working key, symmetric encryption is performed for data encryption using the SM4 packet algorithm. Security of key agreement: the working key is negotiated under the protection of SM2 asymmetric encryption algorithm, so as to ensure the legitimacy of the identities of the two communication parties. Information integrity protection: the session protection additional HMAC value (Hash-based Message Authentication Code, key-dependent Hash operation message authentication code) is used for checking the message integrity, so that the data can be ensured not to be modified or damaged in the transmission process, the connection reliability is ensured, and the SSL connection mainly uses a cryptographic Hash function (SM 3) for HMAC calculation.

In summary, the embodiment adopts the national security SSL channel to avoid the dependence on the international algorithm, so that the communication safety is better ensured. And the preset fort server adopts JvSE embedded cryptographic modules, and the built-in chip-level integrated design is realized, so that the CPU on-chip universal bus bandwidth is not occupied, and only the special safety bus bandwidth is required. Compared with the plug-in and separation type implementation scheme, the module-level integrated design can reduce the hardware cost, the development cost, the hardware debugging cost and the maintenance cost. By adopting a physical isolation mode, the internal security processing process and key parameters of the security processor are safe and invisible, and the system application can only interact with the security processor through a special API (Application Programming Interface ), thereby effectively realizing the control of security authority and preventing illegal security operation and man-in-the-middle attack. That is, the embodiment provides the cryptographic operation capability for the national security SSL VPN module built in the fort machine through the JvSE embedded cryptographic module, does not need to be externally connected with a cryptographic card or a third party SSL VPN system, improves the reliability, ensures the security and the autonomous controllability of the data channel, and provides a channel security technical method for remote operation and maintenance and other scenes.

Therefore, in the embodiment of the application, the corresponding client greeting information is sent to the preset fort machine server which adopts the preset JvSE embedded password module to provide password service to handshake, and the reply information returned by the preset fort machine server is received; the reply information comprises corresponding key exchange parameter information; if a certificate application request sent by the preset fort server is obtained in the process of receiving the reply information, corresponding client certificate information is returned to the preset fort server; if the certificate application request is not acquired in the process of receiving the reply information, corresponding client key exchange information is directly returned to the preset fort server so that the client key exchange information and the preset fort server can carry out encryption format modification based on the client key exchange information; and after finishing the modification, sending a corresponding first modification ending signal to the preset fort server, receiving a second modification ending signal sent by the preset fort server after finishing the modification, verifying to finish a corresponding handshake process, and communicating based on the obtained target symmetric key. That is, the fort machine of the application adopts the preset JvSE embedded cryptographic module to provide cryptographic service, thus solving the occupation of the general bus bandwidth in the CPU chip. Meanwhile, the embedded design solves the safety risk brought by an external connection mode, and the reliability of the embedded type safety protection device is enhanced. And the security of the application is higher than that of the international RSA algorithm commonly used in the existing method by carrying out national security SSL data communication, and the application has more advantages in the aspects of transmission speed, transmission time, CPU occupation, memory occupation, network consumption and the like. That is, the application can effectively improve the reliability and safety of communication and reduce the communication cost.

Referring to fig. 6, the embodiment of the invention discloses a data communication method applied to a preset national security SSL client, comprising:

Step S21, a preset fort server which is provided with password service by adopting a preset JvSE embedded password module and is provided with password service sends corresponding client greeting information to handshake, and receives reply information returned by the preset fort server; the reply information comprises corresponding key exchange parameter information; and the preset JvSE embedded password module in the preset fort server and the local chip are integrated into a whole.

Step S22, if a certificate application request sent by the preset fort server is obtained in the process of receiving the reply information, corresponding client certificate information is returned to the preset fort server.

Step S23, if the certificate application request is not obtained in the process of receiving the reply information, corresponding client key exchange information is directly returned to the preset fort server so that the client key exchange information and the preset fort server can carry out encryption format modification based on the client key exchange information.

Step S24, through sending a corresponding first change end signal to the preset fort server after the change is completed, receiving a second change end signal sent by the preset fort server after the change is completed, verifying to complete a corresponding handshake flow, and communicating based on the obtained target symmetric key.

For the specific process from step S21 to step S24, reference may be made to the corresponding content disclosed in the foregoing embodiment, and no further description is given here.

Therefore, in the embodiment of the application, the SSL VPN module is built in the preset fort server, so that the adverse effect caused by the combination with the third party SSL VPN system in the existing method is solved, and the reliability of communication is improved.

Referring to fig. 7, the embodiment of the application also correspondingly discloses a data communication device, which is applied to a preset national density SSL client, and comprises:

The greeting information sending module 11 is configured to send corresponding client greeting information to a preset fort server that uses a preset JvSE embedded cryptographic module to provide cryptographic services for handshake, and receive reply information returned by the preset fort server; the reply information comprises corresponding key exchange parameter information;

The first information sending module 12 is configured to, if a certificate application request sent by the preset fort server is obtained in the process of receiving the reply information, return corresponding client certificate information to the preset fort server;

the second information sending module 13 is configured to directly return corresponding client key exchange information to the preset fort server if the certificate application request is not acquired in the process of receiving the reply information, so that the second information sending module and the preset fort server perform encryption format modification based on the client key exchange information;

The communication proceeding module 14 is configured to perform verification by sending a corresponding first modification end signal to the preset fort server after modification is completed, and receiving a second modification end signal sent by the preset fort server after modification is completed, so as to complete a corresponding handshake procedure, and perform communication based on the obtained target symmetric key.

The more specific working process of each module may refer to the corresponding content disclosed in the foregoing embodiment, and will not be described herein.

In some specific embodiments, the greeting information sending module 11 may specifically include:

the greeting information sending unit is used for carrying out handshake by sending corresponding client greeting information to a preset fort server which is internally provided with a national security SSL VPN and provides password service by adopting a preset JvSE embedded password module; the preset JvSE embedded password module in the preset fort server and the local chip are integrated into a whole.

In some specific embodiments, the first information sending module 12 may specifically include:

The bidirectional authentication starting judging unit is used for judging that the preset fort server starts bidirectional authentication if a certificate application request sent by the preset fort server is acquired in the process of receiving the reply information;

the first information sending unit is used for returning corresponding client certificate information and certificate verification information to the preset fort server so that the preset fort server verifies whether the preset national secret SSL client is a certificate legal holder based on the certificate verification information.

In some specific embodiments, the data communication apparatus may specifically further include:

and the client key exchange information sending unit is used for sending the corresponding client key exchange information to the preset fort server.

a reply information receiving unit, configured to receive reply information including corresponding certificate information and the key exchange parameter information returned by the preset fort server; wherein the certificate information comprises a corresponding encryption certificate and a signature certificate.

In some specific embodiments, the second information sending module 13 may specifically include:

And the second information sending unit is used for sending the premaster secret key encrypted based on the public key in the encrypted certificate to the preset fort server as client key exchange information if the target national secret set is selected currently.

In some embodiments, the communication performing module 14 may specifically include:

And the communication proceeding unit is used for encrypting and decrypting the communication data based on the obtained target symmetric key so as to complete corresponding data communication operation.

Further, the embodiment of the present application further discloses an electronic device, and fig. 8 is a block diagram of an electronic device 20 according to an exemplary embodiment, where the content of the diagram is not to be considered as any limitation on the scope of use of the present application.

Fig. 8 is a schematic structural diagram of an electronic device 20 according to an embodiment of the present application. The electronic device 20 may specifically include: at least one processor 21, at least one memory 22, a power supply 23, a communication interface 24, an input output interface 25, and a communication bus 26. Wherein the memory 22 is configured to store a computer program that is loaded and executed by the processor 21 to implement the relevant steps of the data communication method disclosed in any of the foregoing embodiments. In addition, the electronic device 20 in the present embodiment may be specifically an electronic computer.

In this embodiment, the power supply 23 is configured to provide an operating voltage for each hardware device on the electronic device 20; the communication interface 24 can create a data transmission channel between the electronic device 20 and an external device, and the communication protocol to be followed is any communication protocol applicable to the technical solution of the present application, which is not specifically limited herein; the input/output interface 25 is used for acquiring external input data or outputting external output data, and the specific interface type thereof may be selected according to the specific application requirement, which is not limited herein.

The memory 22 may be a carrier for storing resources, such as a read-only memory, a random access memory, a magnetic disk, or an optical disk, and the resources stored thereon may include an operating system 221, a computer program 222, and the like, and the storage may be temporary storage or permanent storage.

The operating system 221 is used to manage and control various hardware devices on the electronic device 20, and the computer program 222, which may be WindowsServer, netware, unix, linux. The computer program 222 may further include a computer program that can be used to perform other specific tasks in addition to the computer program that can be used to perform the data communication method performed by the electronic device 20 disclosed in any of the previous embodiments.

Further, the application also discloses a computer readable storage medium for storing a computer program; wherein the computer program, when executed by a processor, implements the previously disclosed data communication method. For specific steps of the method, reference may be made to the corresponding contents disclosed in the foregoing embodiments, and no further description is given here.

In this specification, each embodiment is described in a progressive manner, and each embodiment is mainly described in a different point from other embodiments, so that the same or similar parts between the embodiments are referred to each other. For the device disclosed in the embodiment, since it corresponds to the method disclosed in the embodiment, the description is relatively simple, and the relevant points refer to the description of the method section.

Those of skill would further appreciate that the various illustrative elements and algorithm steps described in connection with the embodiments disclosed herein may be implemented as electronic hardware, computer software, or combinations of both, and that the various illustrative elements and steps are described above generally in terms of functionality in order to clearly illustrate the interchangeability of hardware and software. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the solution. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present application.

The steps of a method or algorithm described in connection with the embodiments disclosed herein may be embodied directly in hardware, in a software module executed by a processor, or in a combination of the two. The software modules may be disposed in Random Access Memory (RAM), memory, read Only Memory (ROM), electrically programmable ROM, electrically erasable programmable ROM, registers, hard disk, a removable disk, a CD-ROM, or any other form of storage medium known in the art.

Finally, it is further noted that relational terms such as first and second, and the like are used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Moreover, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising one … …" does not exclude the presence of other like elements in a process, method, article, or apparatus that comprises the element.

The foregoing has outlined rather broadly the more detailed description of the application in order that the detailed description of the application that follows may be better understood, and in order that the present principles and embodiments may be better understood; meanwhile, as those skilled in the art will have variations in the specific embodiments and application scope in accordance with the ideas of the present application, the present description should not be construed as limiting the present application in view of the above.

Claims

1. A data communication method, applied to a preset national security SSL client, comprising:

2. The data communication method according to claim 1, wherein the handshaking by sending corresponding client hello information to a preset fort server providing a cryptographic service using a preset JvSE embedded cryptographic module comprises:

3. The data communication method according to claim 1, wherein if a certificate application request sent by the preset fort server is obtained in the process of receiving the reply message, returning corresponding client certificate information to the preset fort server includes:

4. The data communication method according to claim 1, wherein after the corresponding client certificate information is returned to the preset fort server, further comprising:

5. The method of claim 1, wherein receiving the reply message returned by the preset fort server comprises:

6. The method of claim 5, wherein the returning the corresponding client key exchange information to the preset fort server comprises:

7. The data communication method according to any one of claims 1 to 6, wherein the communicating based on the obtained target symmetric key includes:

8. A data communication apparatus, for use in a preset national security SSL client, comprising:

9. An electronic device, comprising:

a memory for storing a computer program;

A processor for executing the computer program to implement the data communication method of any one of claims 1 to 7.

10. A computer readable storage medium for storing a computer program which, when executed by a processor, implements the data communication method according to any one of claims 1 to 7.