TW202404303A - A supervision system and method on end-to-end encrypted messaging - Google Patents

A supervision system and method on end-to-end encrypted messaging

Info

Publication number
TW202404303A
Authority
TW
Taiwan
Prior art keywords
message
instant messaging
chat room
server
key
Application number
TW111125889A
Other languages
Chinese (zh)
Other versions
TWI794126B (en)
Inventor
蘇嚮權
梁俊安
吳治東
鄭維元
Original Assignee
中華電信股份有限公司
Application filed by 中華電信股份有限公司
Priority to TW111125889A
Application granted
Publication of TWI794126B
Publication of TW202404303A

Landscapes

  • Information Transfer Between Computers (AREA)
  • Computer And Data Communications (AREA)
  • Telephonic Communication Services (AREA)

Abstract

A supervision system and method for end-to-end encrypted messaging are provided. The method includes generating a monitoring account for monitoring a chat room interface that includes a plurality of instant messaging terminals, and a certificate for adding the monitoring account to the chat room interface, where the members of the chat room interface include the instant messaging terminals and the monitoring account; encrypting the messages sent through the chat room interface; transmitting the encrypted messages and the key exchange information of the instant messaging terminals; obtaining keys through an end-to-end key exchange operation and using them to decrypt the encrypted messages; and issuing alarm information according to the decrypted messages.

Description

End-to-end encrypted communication supervision system and method thereof

The present invention relates to a communication supervision system and method, and in particular to an end-to-end encrypted communication supervision system and method.

Existing communication monitoring techniques fall roughly into two kinds: obtaining the communication content directly from the server side, or installing additional monitoring software on the user terminal that detects the terminal's application window in real time, captures the contents of the input box directly and uploads them to a monitoring server.

The obvious drawbacks of these two approaches are the following. The server must be able to read the communication content directly or keep the decryption keys on the server, which greatly weakens the security of the messaging system. Installing extra monitoring software degrades the user experience, and the terminal may offer other ways to bypass or forcibly shut down the monitoring software. Finally, the input-box content captured and uploaded to the monitoring server must itself be encrypted, otherwise all of the monitored communication can be intercepted and eavesdropped on by a third party.

To improve communication security, today's mainstream services have all begun to adopt end-to-end encryption, so that the server stores neither the communication content nor the decryption keys. How to preserve the security of end-to-end encryption while still supervising the communication content has therefore become a major challenge for enterprise instant messaging applications.

The present invention provides an end-to-end encrypted communication supervision system and method that can monitor instant messaging in real time without compromising the security of the end-to-end encrypted communication.

An end-to-end encrypted communication supervision system of the present invention includes a plurality of instant messaging terminals, a certificate authentication server, an instant messaging server and a supervision server. The instant messaging terminals include at least one monitored object. The certificate authentication server generates a monitoring account for monitoring the chat room interface of the instant messaging terminals, and a certificate for adding the monitoring account to the chat room interface, where the members of the chat room interface include the instant messaging terminals and the monitoring account. The instant messaging server is communicatively connected to the instant messaging terminals and to the certificate authentication server; the supervision server is communicatively connected to the certificate authentication server and to the instant messaging server. The instant messaging terminals encrypt the messages of the chat room interface; the instant messaging server forwards the encrypted messages and the key exchange information of the instant messaging terminals to the instant messaging terminals and to the supervision server; the instant messaging terminals and the supervision server decrypt the messages with the key obtained by performing an end-to-end key exchange operation on the key exchange information; and the supervision server issues alarm information according to the decrypted messages.

In an embodiment of the above system, the supervision server includes at least a security module and an analysis and decision module, where the security module stores the key exchange information and keys of the members of the chat room interface, and the monitoring account is hidden in the chat room interface.

In an embodiment of the above system, the analysis and decision module receives the messages sent through the chat room interface synchronously over an HTTP long-polling connection and decrypts them with the key stored in the security module. The analysis and decision module further determines whether a decrypted message contains high-risk keywords and issues alarm information when it does. It further sends a lock signal to the instant messaging server so that the instant messaging server locks the at least one monitored object and the message containing the high-risk keywords, and sends a signal through the instant messaging server to the at least one monitored object so that it deletes the message containing the high-risk keywords.

In an embodiment of the above system, after the monitoring account is added to the chat room interface, the members of the chat room interface perform the end-to-end key exchange operation again on the key exchange information to obtain a new key and encrypt messages with the new key; the instant messaging server forwards the encrypted messages and the key exchange information to the instant messaging terminals and to the supervision server; the instant messaging terminals and the supervision server decrypt the messages with the new key obtained from the end-to-end key exchange operation on the key exchange information; and the supervision server issues alarm information according to the decrypted messages.

In an embodiment of the above system, the supervision server further verifies the certificate in real time, so that only while the certificate is valid does the instant messaging server forward the encrypted messages and the key exchange information to the supervision server.

An end-to-end encrypted communication supervision method of the present invention includes: generating a monitoring account for monitoring a chat room interface that includes a plurality of instant messaging terminals, and a certificate for adding the monitoring account to the chat room interface, where the members of the chat room interface include the instant messaging terminals and the monitoring account, and the instant messaging terminals include at least one monitored object; encrypting the messages of the chat room interface; transmitting the encrypted messages and the key exchange information of the instant messaging terminals; decrypting the messages with the key obtained by performing an end-to-end key exchange operation on the key exchange information; and issuing alarm information according to the decrypted messages.

In an embodiment of the above method, the method further includes storing the key exchange information and keys of the members of the chat room interface, and the monitoring account is hidden in the chat room interface.

In an embodiment of the above method, the step of decrypting the messages with the key and issuing alarm information according to the decrypted messages further includes: receiving the messages sent through the chat room interface synchronously over an HTTP long-polling connection and decrypting them with the stored key; determining whether a decrypted message contains high-risk keywords and issuing alarm information when it does; and locking the at least one monitored object and the message containing the high-risk keywords, and sending a signal to the at least one monitored object so that it deletes the message containing the high-risk keywords.

In an embodiment of the above method, the method further includes: after the monitoring account is added to the chat room interface, the members of the chat room interface performing the end-to-end key exchange operation again on the key exchange information to obtain a new key, and encrypting messages with the new key; transmitting the encrypted messages and the key exchange information; decrypting the messages with the new key obtained from the end-to-end key exchange operation on the key exchange information; and issuing alarm information according to the decrypted messages.

In an embodiment of the above method, the step of transmitting the encrypted messages and the key exchange information further includes verifying the certificate in real time, so that the encrypted messages and the key exchange information are transmitted only while the certificate is valid.

Based on the above, the present invention provides an end-to-end encrypted communication supervision system and method that can monitor instant messaging in real time without compromising the security of end-to-end encrypted communication. The validity of the monitoring account can be verified when it is added, preventing a man-in-the-middle from impersonating the monitoring account to steal secrets; monitoring events can be added while the system is running as needed; and by setting a validity period for monitored objects and monitoring events, abuse of the monitoring privilege is avoided.

To make the above features and advantages of the present invention clearer, embodiments are described in detail below with reference to the accompanying drawings.

Figure 1 is a schematic diagram of an end-to-end encrypted communication supervision system according to an embodiment of the present invention.

Referring to Figure 1, the end-to-end encrypted communication supervision system 10 mainly includes a certificate authentication server 100, an instant messaging server 200, a supervision server 300 and a plurality of instant messaging terminals 400.

The instant messaging terminals 400 include at least one monitored object; for ease of description, one of the instant messaging terminals in Figure 1 is referred to as the monitored object 500. An instant messaging terminal 400 may have the components needed to run it, such as a processing unit (for example a processor, but not limited thereto), a communication unit coupled to the processing unit (for example a transceiver supporting mobile network, Bluetooth, WiFi or other communication protocols) and a storage unit coupled to the processing unit (for example removable random access memory, flash memory or a hard disk, but not limited thereto). In this embodiment, the instant messaging terminals 400 perform end-to-end key exchange through the instant messaging server 200, messages encrypted by an instant messaging terminal 400 are transmitted through the instant messaging server 200, and the key obtained from the end-to-end key exchange operation is used to decrypt those encrypted messages. Thus the instant messaging terminals 400 let users send messages to one another in a chat room interface, encrypting and decrypting them for instant messaging, and an instant messaging terminal 400 can store or delete such messages.

The instant messaging server 200 is communicatively connected to the instant messaging terminals 400 and to the certificate authentication server 100. In one embodiment, the instant messaging server 200 may have the components needed to run it, such as a processing unit (for example a processor, but not limited thereto), a communication unit coupled to the processing unit (for example a transceiver supporting mobile network, Bluetooth, WiFi or other communication protocols) and a storage unit coupled to the processing unit (for example removable random access memory, flash memory or a hard disk, but not limited thereto).

The instant messaging terminals 400 encrypt the messages sent in the chat room interface that includes the monitored object 500, and the instant messaging server 200 forwards the messages encrypted by the instant messaging terminals 400, together with the key exchange information with which the instant messaging terminals 400 perform the end-to-end key exchange operation, to the instant messaging terminals 400 and to the supervision server 300. In one embodiment, after the instant messaging server 200 adds the monitoring account to the chat room interface, the monitoring account acts as a hidden member of the chat room interface; the members of the chat room interface then perform the end-to-end key exchange operation again to obtain a new key and encrypt messages with it, and the instant messaging server 200 forwards the encrypted messages and the key exchange information to the instant messaging terminals 400 and to the supervision server 300.

The supervision server 300 is communicatively connected to the certificate authentication server 100 and to the instant messaging server 200. In one embodiment, the supervision server 300 may have the components needed to run it, such as a processing unit (for example a processor, but not limited thereto), a communication unit coupled to the processing unit (for example a transceiver supporting mobile network, Bluetooth, WiFi or other communication protocols) and a storage unit coupled to the processing unit (for example removable random access memory, flash memory or a hard disk, but not limited thereto).

Specifically, the supervision server 300 may include a security module 310 and an analysis and decision module 320. The security module 310 stores the key exchange information and keys of the members of the chat room interface; the members may include the monitored object 500, the monitoring account and the other instant messaging terminals 400 participating in the chat room. The monitoring account is hidden in the chat room interface, whereas the monitored object 500 and the other instant messaging terminals 400 are displayed directly in the chat room interface without being hidden. The supervision server 300 verifies the certificate in real time, so that only while the certificate is valid does the instant messaging server 200 forward the encrypted messages and the key exchange information of the instant messaging terminals 400, the monitored object 500 and the monitoring account to the instant messaging terminals 400 and to the supervision server 300.

After the monitoring account joins the chat room interface, the members of the chat room interface (including the instant messaging terminals 400, the monitored object 500 and the monitoring account) perform the end-to-end key exchange operation again on the key exchange information to obtain a new key and encrypt messages with it; the instant messaging server 200 forwards the encrypted messages and the key exchange information to the instant messaging terminals 400 and to the supervision server 300.

In this way, the instant messaging terminals 400 and the supervision server 300 can decrypt the messages sent through the chat room interface with the new key obtained from the end-to-end key exchange operation on the key exchange information, and the supervision server 300 issues alarm information according to the decrypted messages.

In more detail, the analysis and decision module 320 of the supervision server 300 receives the messages sent through the chat room interface synchronously over an HTTP long-polling connection, decrypts them with the key stored in the security module 310, and determines whether a decrypted message contains high-risk keywords. If it does, alarm information is issued, for example by sending an e-mail or a text message to the administrator of the end-to-end encrypted communication supervision system 10.

In addition, the analysis and decision module 320 of the supervision server 300 can send a lock signal to the instant messaging server 200 so that the instant messaging server 200 locks the monitored object 500 and the message containing the high-risk keywords, and sends a signal through the instant messaging server 200 to the monitored object 500 so that the monitored object 500 deletes the message containing the high-risk keywords.

Figure 2 is a flow chart of monitoring-account certificate application and control according to an embodiment of the present invention.

Referring to Figure 2, in step S201 a certificate and keys are generated. Specifically, the public/private key pair needed to apply for and use the certificate is generated, together with the public/private key pair for the key negotiation required by end-to-end encryption (this public key is the key exchange information that the instant messaging terminals 400 need in order to perform key exchange). Note that the end-to-end key exchange operation essentially combines the private key of an instant messaging terminal 400 (for example the instant messaging terminal 400 corresponding to the monitoring account) with the public key of the counterpart (that is, another member of the chat room interface, such as the monitored object 500) contained in the counterpart's key exchange information; the operation yields a key, which is used to encrypt messages. Conversely, the counterpart combines its own private key with the key exchange information provided by the instant messaging terminal 400 corresponding to the monitoring account to obtain the same key, with which it decrypts the messages.

In step S202, a supervision-specific certificate and a monitoring account are applied for. That is, the end-to-end encrypted communication supervision system 10 applies to the certificate authentication server 100 for a certificate and a monitoring account dedicated to this monitoring event. The monitoring event may specify the monitored object, the monitoring period, the reason for requesting monitoring or other particulars; the invention is not limited in this respect.

In step S203, the certificate authentication server 100 creates the monitoring account and sets its permissions. In step S204, the monitoring account is activated: after receiving the certificate and IP information sent by the certificate authentication server 100, the supervision server 300 must use that certificate and IP information to activate the monitoring account with the instant messaging server 200.

In step S205, a random number is generated and a signature is requested. The instant messaging server 200 asks the supervision server 300 to sign and be verified; the verification method may, but need not, consist of generating a random number for the supervision server 300 to sign. The supervision server 300 signs it through the security module 310 and returns the signature to the instant messaging server 200.

In step S206, the certificate authentication server (Certificate Authority, CA) 100 verifies the validity of the certificate. The instant messaging server 200 sends the certificate to the certificate authentication server 100 for a validity query; if the certificate is valid and the monitoring account recorded in it is a valid account registered with the instant messaging server 200, the certificate authentication server 100 performs signature verification.

In step S207, the monitoring account is activated and its IP and API usage permissions are locked down. Once the monitoring account has passed verification, the instant messaging server 200 activates it, binds it to its connecting IP and sets its API usage permissions.

In step S208, the key exchange information required for end-to-end encryption is registered. After the monitoring account has been activated, the supervision server 300 registers with the instant messaging server 200 the key exchange information needed to take part in end-to-end encryption; this information contains the key exchange public key stored in the security module 310 and is signed with the digital certificate. In one embodiment, even after the account has been activated, the validity of the supervision server 300's certificate must still be verified in real time every time it communicates with the instant messaging server 200. If the certificate authentication server 100 finds that the certificate held by the supervision server 300 has expired or been revoked, it sends a signal to the instant messaging server 200 to remove the monitoring account from all chat room interfaces and mark the certificate as invalid.

圖3是依照本發明的一實施例的參與聊天室與重新金鑰交換的流程圖。Figure 3 is a flow chart of chat room participation and re-key exchange according to an embodiment of the present invention.

請參考圖3所示,於本實施例中,即時通訊伺服器200會將監控帳號加入被監控對象所參與的聊天室介面,在監控帳號加入聊天室介面之後,聊天室介面的成員(包括即時通訊終端400、被監控對象500、監控帳號)重新進行端對端金鑰協商/交換,使監控帳號可對聊天室介面中傳送的訊息進行解密,詳細流程如下。Please refer to Figure 3. In this embodiment, the instant messaging server 200 will add the monitoring account to the chat room interface in which the monitored object participates. After the monitoring account is added to the chat room interface, the members of the chat room interface (including real-time The communication terminal 400, the monitored object 500, and the monitoring account) re-perform end-to-end key negotiation/exchange so that the monitoring account can decrypt the messages transmitted in the chat room interface. The detailed process is as follows.

於步驟S301中,即時通訊伺服器200依據該次監控事件申請的被監控對象,將監控帳號加入包括被監控對象的相關聊天室中,並標註成員類別為監控帳號。In step S301, the instant messaging server 200 adds the monitoring account to the relevant chat room including the monitored object based on the monitored object applied for in the monitoring event, and marks the member category as the monitoring account.

於步驟S302中,即時通訊伺服器200將監控帳號的數位憑證與金鑰交換所需的公鑰同步傳送至即時通訊終端400。In step S302, the instant messaging server 200 synchronously transmits the digital certificate of the monitoring account and the public key required for key exchange to the instant messaging terminal 400.

於步驟S303中,即時通訊伺服器200將相關聊天室的成員異動資訊同步傳送至即時通訊終端400,當同步到新成員為監控帳號時,即時通訊終端400將監控帳號於相關聊天室的介面中進行隱藏。In step S303, the instant messaging server 200 synchronously transmits the member change information of the relevant chat room to the instant messaging terminal 400. When the new member is synchronized as a monitoring account, the instant messaging terminal 400 will monitor the account in the interface of the relevant chat room. To hide.

於步驟S304中,即時通訊伺服器200將相關聊天室中已協商的金鑰的狀態設為失效(在一般端對端加密通訊系統中,即時通訊伺服器200並未持有相關聊天室的金鑰資訊,僅協助管理金鑰的狀態,故僅透過將金鑰的狀態設為失效並同步傳送至即時通訊終端400)。In step S304, the instant messaging server 200 sets the status of the negotiated key in the relevant chat room to invalid (in a general end-to-end encrypted communication system, the instant messaging server 200 does not hold the key of the relevant chat room). The key information only assists in managing the status of the key, so it only sets the status of the key to invalid and synchronously transmits it to the instant messaging terminal 400).

於步驟S305中,即時通訊終端400收到金鑰失效的狀態後,需重新檢驗聊天室中所有成員的合法性,若該成員為監控帳號,則需確認其金鑰交換資訊之數位簽章是否正確,以確保監控帳號不被中間人假冒。In step S305, after receiving the status that the key is invalid, the instant messaging terminal 400 needs to re-check the legitimacy of all members in the chat room. If the member has a monitoring account, it needs to confirm whether the digital signature of the key exchange information is valid. Correct to ensure that monitoring accounts are not impersonated by middlemen.

In step S306, the instant messaging terminal 400 re-negotiates the key: it negotiates the chat room key in an end-to-end encrypted manner and then sends the renegotiated key exchange information to all members of the chat room, including the monitoring account.

In step S307, the supervision server 300 synchronizes the renegotiated key exchange information with the instant messaging server 200 and stores it in the security module 310, where it serves for message synchronization and subsequent decryption.

The key negotiation method mentioned above includes, but is not limited to, a group key exchange; end-to-end encrypted communication between all chat room members and the monitoring account may also be carried out by one-to-one pairwise key exchange. In either case, digital signature verification is required to ensure that the exchange counterpart has not been replaced by a man-in-the-middle.

After the chat room participation and re-key exchange flow above, the end-to-end encrypted communication supervision method further includes a supervision and data protection flow, as follows.

The supervision server 300, through the analysis and decision module 320, synchronizes the messages of the relevant chat rooms that include the monitored object with the instant messaging server 200 in real time over long-lived HTTP connections (HTTP long polling).

The analysis and decision module 320 decrypts each message with the chat room key stored in the security module 310 to obtain the decrypted message. The analysis and decision module 320 can integrate text analysis and decision methods, including but not limited to natural language processing (NLP), keyword matching, rule-based systems, or AI/machine learning, to analyze the decrypted message automatically and determine whether it contains high-risk keywords or confidential data.

If the analysis and decision module 320 determines that the decrypted message contains high-risk keywords or confidential data, it can flag the message, issue alert information to notify the system administrator, and at the same time send a lock signal to the instant messaging server 200 to lock the sensitive data.

The instant messaging server 200 locks access to the flagged message so that the instant messaging terminals 400 cannot retrieve it again, and sends a signal to the instant messaging terminals 400 so that they destroy their local copies of the message, preventing messages containing high-risk keywords or confidential data from leaking. Besides locking message access, the instant messaging server 200 can suspend the related accounts and retain the suspicious chat room messages. The analysis and decision module 320 may store only flagged messages, and messages judged by the end-to-end encrypted communication supervision system 10 as containing high-risk keywords or confidential data are deleted immediately.
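The re-key flow of steps S304 to S307 and the supervision flow above, as an added example that is not the patent's own code: a small Diffie-Hellman group, an HMAC keyed by a stand-in CA key in place of the certificate-backed digital signature, and an HMAC-keystream cipher in place of a real AEAD are all constructed assumptions so that the exchange runs offline with the standard library. It uses the one-to-one pairwise key exchange the text allows, with the monitoring account as one of the members.

```python
import hashlib
import hmac
import secrets

# Constructed demo parameters (assumptions, not values from the patent)
P = (1 << 127) - 1      # Mersenne prime M127: demo DH group only, not secure
G = 3
CA_KEY = b"constructed-ca-signing-key"   # stands in for the CA's signing key
HIGH_RISK = ("confidential", "password")  # constructed high-risk keyword list


def sign(name: str, pub: int) -> str:
    """Certificate-backed signature over a member's key exchange info (HMAC stand-in)."""
    return hmac.new(CA_KEY, f"{name}|{pub}".encode(), hashlib.sha256).hexdigest()


def verify(info: dict) -> bool:
    return hmac.compare_digest(sign(info["member"], info["pub"]), info["sig"])


class Member:
    """A chat room member: an instant messaging terminal or the monitoring account."""
    def __init__(self, name: str, monitor: bool = False):
        self.name, self.monitor = name, monitor
        self.priv = secrets.randbelow(P - 2) + 1
        self.pub = pow(G, self.priv, P)

    def key_exchange_info(self) -> dict:
        return {"member": self.name, "monitor": self.monitor,
                "pub": self.pub, "sig": sign(self.name, self.pub)}

    def pairwise_key(self, info: dict) -> bytes:
        # S306, pairwise mode: one-to-one DH with another member's published value
        shared = pow(info["pub"], self.priv, P)
        return hashlib.sha256(shared.to_bytes(16, "big")).digest()


def check_members(infos: list) -> list:
    """S305: after the old key is marked invalid every member's key exchange info
    is re-verified; returns the names whose signature fails (impersonation)."""
    return [i["member"] for i in infos if not verify(i)]


def keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    out = b""
    for ctr in range((n + 31) // 32):
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:n]


def encrypt(key: bytes, plaintext: bytes) -> dict:
    # Encrypt-then-MAC over an HMAC keystream: stand-in for a real AEAD
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, keystream(key, nonce, len(plaintext))))
    return {"nonce": nonce, "ct": ct, "tag": hmac.new(key, nonce + ct, hashlib.sha256).digest()}


def decrypt(key: bytes, msg: dict) -> bytes:
    tag = hmac.new(key, msg["nonce"] + msg["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(tag, msg["tag"]):
        raise ValueError("authentication tag mismatch")
    return bytes(a ^ b for a, b in zip(msg["ct"], keystream(key, msg["nonce"], len(msg["ct"]))))


def analyse(plaintext: bytes) -> dict:
    """Analysis and decision module: keyword match on the decrypted message;
    a hit flags the message, raises an alert and requests a lock."""
    hits = [k for k in HIGH_RISK if k in plaintext.decode().lower()]
    return {"flagged": bool(hits), "keywords": hits, "alert": bool(hits), "lock": bool(hits)}


def run_flow(text: str) -> dict:
    """Re-key after the monitoring account has joined, then supervise one message."""
    alice, bob, mon = Member("alice"), Member("bob"), Member("monitor", monitor=True)
    infos = [m.key_exchange_info() for m in (alice, bob, mon)]
    if check_members(infos):                       # S305 member check
        raise RuntimeError("key exchange info failed verification")
    # alice sends the message once per other member under the pairwise key
    envelopes = {i["member"]: encrypt(alice.pairwise_key(i), text.encode())
                 for i in infos if i["member"] != alice.name}
    # the supervision server keeps the monitoring account's key material (S307)
    plain = decrypt(mon.pairwise_key(infos[0]), envelopes["monitor"])
    return analyse(plain)
```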

Figure 4 is a flow chart of the end-to-end encrypted communication supervision method according to an embodiment of the invention.

In step S401, the certificate authentication server 100 generates a monitoring account for monitoring a chat room interface that includes multiple instant messaging terminals 400, and a certificate for adding the monitoring account to the chat room interface, where the members of the chat room interface include the instant messaging terminals 400 and the monitoring account.

In step S402, the instant messaging terminals 400 encrypt the messages of the chat room interface, and the instant messaging server 200 transmits the encrypted messages and the key exchange information of the instant messaging terminals 400 to the instant messaging terminals 400 and the supervision server 300. The instant messaging terminals include at least one monitored object. Specifically, after the monitoring account joins the chat room interface, the members of the chat room interface perform a new end-to-end key exchange to generate a new key, and the supervision server 300 verifies the certificate in real time, so that when the certificate is valid the instant messaging server 200 transmits the encrypted messages and the new key exchange information required for the repeated end-to-end key exchange operation to the instant messaging terminals 400 and the supervision server 300.

In step S403, the instant messaging terminals 400 and the supervision server 300 decrypt the messages with the new key obtained by performing the end-to-end key exchange operation on the new key exchange information, and issue alert information according to the decrypted messages. In detail, the supervision server 300 determines whether a decrypted message includes high-risk keywords and issues alert information when it does. In one embodiment, the analysis and decision module 320 of the supervision server 300 can send the alert information by e-mail, SMS, or other means to notify the system administrator, who can then review the flagged content of the message; if it is a false positive, the system administrator revises the account suspension and message access restrictions of the monitored object 500.

In step S404, the instant messaging server 200 performs a lock operation on the monitored object 500 and on the messages that include high-risk keywords, restricting access to the messages so that they are no longer synchronized to the other instant messaging terminals 400 in the chat room interface; it suspends the monitored object 500, restricting its login and its sending and receiving of messages; and it sends a signal to the monitored object 500 so that the monitored object 500 deletes the messages that include high-risk keywords from its local device.

In summary, the invention provides an end-to-end encrypted communication supervision system and method that can monitor instant messaging without compromising the security of the end-to-end encrypted communication. The validity of the monitoring account is verified when it is added, preventing a man-in-the-middle from impersonating the monitoring account to steal secrets; monitoring events can be added during system operation as needed; and by setting a validity period for the monitored object and the monitoring event, abuse of monitoring privileges is avoided.

Although the disclosure has been described above by way of embodiments, they are not intended to limit the disclosure. Anyone with ordinary skill in the art may make minor changes and refinements without departing from the spirit and scope of the disclosure; the scope of protection of the disclosure is therefore defined by the appended claims.

10: end-to-end encrypted communication supervision system; 100: certificate authentication server; 200: instant messaging server; 300: supervision server; 400: instant messaging terminal; 500: monitored object; S201, S202, S203, S204, S205, S206, S207, S208, S301, S302, S303, S304, S305, S306, S307, S401, S402, S403, S404: steps

Figure 1 is a schematic diagram of an end-to-end encrypted communication supervision system according to an embodiment of the invention. Figure 2 is a flow chart of monitoring account certificate application and control according to an embodiment of the invention. Figure 3 is a flow chart of chat room participation and re-key exchange according to an embodiment of the invention. Figure 4 is a flow chart of the end-to-end encrypted communication supervision method according to an embodiment of the invention.


Claims (10)

1. An end-to-end encrypted communication supervision system, comprising:
a plurality of instant messaging terminals, the instant messaging terminals including at least one monitored object;
a certificate authentication server that generates a monitoring account for monitoring a chat room interface including the instant messaging terminals and a certificate for adding the monitoring account to the chat room interface, wherein the members of the chat room interface include the instant messaging terminals and the monitoring account;
an instant messaging server communicatively connected to the instant messaging terminals and to the certificate authentication server; and
a supervision server communicatively connected to the certificate authentication server and to the instant messaging server,
wherein the instant messaging terminals encrypt messages of the chat room interface, and the instant messaging server transmits the encrypted messages and the key exchange information of the instant messaging terminals to the instant messaging terminals and the supervision server, and
wherein the instant messaging terminals and the supervision server decrypt the messages with the key obtained by performing an end-to-end key exchange operation with the key exchange information, and the supervision server issues alert information according to the decrypted messages.

2. The end-to-end encrypted communication supervision system of claim 1, wherein the supervision server comprises at least a security module and an analysis and decision module, the security module stores the key exchange information and the key of the members of the chat room interface, and the monitoring account is hidden in the chat room interface.

3. The end-to-end encrypted communication supervision system of claim 2, wherein the analysis and decision module receives the messages transmitted by the chat room interface by synchronization over HTTP long polling, decrypts the messages of the chat room interface with the key stored in the security module, and further determines whether a decrypted message includes a high-risk keyword so as to issue the alert information when it does,
wherein the analysis and decision module further sends a lock signal to the instant messaging server so that the instant messaging server performs a lock operation on the at least one monitored object and on the messages including the high-risk keyword, and sends, via the instant messaging server, a signal to the at least one monitored object so that the at least one monitored object deletes the messages including the high-risk keyword.

4. The end-to-end encrypted communication supervision system of claim 1, wherein after the monitoring account joins the chat room interface, the members of the chat room interface further perform the end-to-end key exchange operation again with the key exchange information to obtain a new key and encrypt the messages with the new key,
wherein the instant messaging server transmits the encrypted messages and the key exchange information to the instant messaging terminals and the supervision server, and
wherein the instant messaging terminals and the supervision server decrypt the messages with the new key obtained by performing the end-to-end key exchange operation with the key exchange information, and the supervision server issues the alert information according to the decrypted messages.

5. The end-to-end encrypted communication supervision system of claim 4, wherein the supervision server further verifies the certificate in real time, so that when the certificate is valid the instant messaging server transmits the encrypted messages and the key exchange information to the supervision server.

6. An end-to-end encrypted communication supervision method, comprising:
generating a monitoring account for monitoring a chat room interface including a plurality of instant messaging terminals and a certificate for adding the monitoring account to the chat room interface, wherein the members of the chat room interface include the instant messaging terminals and the monitoring account, and the instant messaging terminals include at least one monitored object;
encrypting messages of the chat room interface;
transmitting the encrypted messages and transmitting the key exchange information of the instant messaging terminals;
decrypting the messages with the key obtained by performing an end-to-end key exchange operation with the key exchange information; and
issuing alert information according to the decrypted messages.

7. The end-to-end encrypted communication supervision method of claim 6, further comprising:
storing the key exchange information and the key of the members of the chat room interface, wherein the monitoring account is hidden in the chat room interface.

8. The end-to-end encrypted communication supervision method of claim 7, wherein the steps of decrypting the messages with the key and issuing the alert information according to the decrypted messages further comprise:
receiving the messages transmitted by the chat room interface by synchronization over HTTP long polling, and decrypting the messages of the chat room interface with the stored key;
determining whether a decrypted message includes a high-risk keyword, so as to issue the alert information when it does; and
sending a lock signal so that a lock operation is performed on the at least one monitored object and on the messages including the high-risk keyword, and sending a signal to the at least one monitored object so that the at least one monitored object deletes the messages including the high-risk keyword.

9. The end-to-end encrypted communication supervision method of claim 6, further comprising:
after the monitoring account joins the chat room interface, the members of the chat room interface performing the end-to-end key exchange operation again with the key exchange information to obtain a new key, and encrypting the messages with the new key;
transmitting the encrypted messages and transmitting the key exchange information;
decrypting the messages with the new key obtained by performing the end-to-end key exchange operation with the key exchange information; and
issuing the alert information according to the decrypted messages.

10. The end-to-end encrypted communication supervision method of claim 9, wherein the step of transmitting the encrypted messages and transmitting the key exchange information further comprises:
verifying the certificate in real time, so that when the certificate is valid, the encrypted messages and the key exchange information are transmitted.
TW111125889A 2022-07-11 2022-07-11 A supervision system and method on end-to-end encrypted messaging TWI794126B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
TW111125889A TWI794126B (en) 2022-07-11 2022-07-11 A supervision system and method on end-to-end encrypted messaging

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
TW111125889A TWI794126B (en) 2022-07-11 2022-07-11 A supervision system and method on end-to-end encrypted messaging

Publications (2)

Publication Number Publication Date
TWI794126B TWI794126B (en) 2023-02-21
TW202404303A true TW202404303A (en) 2024-01-16

Family

ID=86689407

Family Applications (1)

Application Number Title Priority Date Filing Date
TW111125889A TWI794126B (en) 2022-07-11 2022-07-11 A supervision system and method on end-to-end encrypted messaging

Country Status (1)

Country Link
TW (1) TWI794126B (en)

Family Cites Families (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6574661B1 (en) * 1997-09-26 2003-06-03 Mci Communications Corporation Integrated proxy interface for web based telecommunication toll-free network management using a network manager for downloading a call routing tree to client
US7131003B2 (en) * 2003-02-20 2006-10-31 America Online, Inc. Secure instant messaging system
US9325676B2 (en) * 2012-05-24 2016-04-26 Ip Ghoster, Inc. Systems and methods for protecting communications between nodes
CN106100980A (en) * 2016-07-29 2016-11-09 黄亮 Instant messaging communication means end to end and device
CN109039871A (en) * 2018-08-31 2018-12-18 国鼎网络空间安全技术有限公司 The End to End Encryption system and method for instant communication software based on container
CN109639680B (en) * 2018-12-14 2021-06-29 杭州安司源科技有限公司 Ternary equal instant communication identity authentication and authority control method
CN114301979A (en) * 2021-12-17 2022-04-08 北京航空航天大学杭州创新研究院 Ad hoc network encrypted communication monitoring system and method based on Zabbix

Also Published As

Publication number Publication date
TWI794126B (en) 2023-02-21

Similar Documents

Publication Publication Date Title
CN106104562B (en) System and method for securely storing and recovering confidential data
US8059818B2 (en) Accessing protected data on network storage from multiple devices
US7885413B2 (en) Hidden link dynamic key manager for use in computer systems with database structure for storage of encrypted data and method for storage and retrieval of encrypted data
US10820198B2 (en) Providing low risk exceptional access with verification of device possession
US8984611B2 (en) System, apparatus and method for securing electronic data independent of their location
US20140129836A1 (en) Information distribution system and program for the same
US8583943B2 (en) Method and system for providing data field encryption and storage
US20070055893A1 (en) Method and system for providing data field encryption and storage
CN104361267A (en) Software authorization and protection device and method based on asymmetric cryptographic algorithm
CN105103488A (en) Policy enforcement with associated data
US9112886B2 (en) Method and system for providing centralized data field encryption, and distributed storage and retrieval
JPH07325785A (en) Network user identifying method, ciphering communication method, application client and server
CN108768613A (en) A kind of ciphertext password method of calibration based on multiple encryption algorithms
JP2022542095A (en) Hardened secure encryption and decryption system
US8401183B2 (en) Method and system for keying and securely storing data
TW202231014A (en) Message transmitting system, user device and hardware security module for use therein
CN115473655B (en) Terminal authentication method, device and storage medium for access network
CN111698203A (en) Cloud data encryption method
CN116340331A (en) Large instrument experimental result evidence-storing method and system based on blockchain
TWI794126B (en) A supervision system and method on end-to-end encrypted messaging
CN110474873B (en) Electronic file access control method and system based on knowledge range encryption
JP7433620B1 (en) Communication method, communication device and computer program
US20230177209A1 (en) Distributed Communication Network
CN116663037A (en) Encrypted medical record safety sharing and key management method based on alliance chain
JP2016038845A (en) User authentication system, authentication server, user authentication method and program