WO2010124549A1 - Method, apparatus and system for obtaining public key - Google Patents


Info

Publication number
WO2010124549A1
Authority
WO
WIPO (PCT)
Prior art keywords
public key
dns
domain
dns server
key
Application number
PCT/CN2010/071521
Inventor
沈烁
Original Assignee
华为技术有限公司
Application filed by 华为技术有限公司
Publication of WO2010124549A1


Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/06 Network architectures or network communication protocols for network security for supporting key management in a packet data network
    • H04L63/062 Network architectures or network communication protocols for network security for supporting key management in a packet data network for key distribution, e.g. centrally by trusted party
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L61/00 Network arrangements, protocols or services for addressing or naming
    • H04L61/45 Network directories; Name-to-address mapping
    • H04L61/4505 Network directories; Name-to-address mapping using standardised directories; using standardised directory access protocols
    • H04L61/4511 Network directories; Name-to-address mapping using standardised directories; using standardised directory access protocols using domain name system [DNS]

Definitions

  • the present invention relates to the field of communications, and in particular, to a method, apparatus, and system for obtaining a public key.
  • DKIM Domain Key Identified Mail
  • each domain such as ABC.com
  • the message such as email
  • the receiver uses the public key of the domain to verify the signature in the message to confirm that the message is indeed from the domain. If the receiver does not have the public key of the domain, it needs to use a DNS (Domain Name System) Request message to obtain the public key of the domain from the DNS server.
  • DNS Domain Name System
  • DNS packets are usually transmitted using UDP (User Datagram Protocol). Therefore, when the receiver does not have the public key of the domain, it needs to establish a UDP connection with the DNS server and obtain the public key of the domain through the UDP packet.
  • UDP User Datagram Protocol
  • a method of obtaining a public key comprising:
  • a device for obtaining a public key comprising:
  • a sending module configured to send a DNS request packet to the DNS server over the TCP connection established by the connection establishing module, requesting to obtain a public key of the first domain;
  • a receiving module configured to receive a DNS response message from the DNS server over the TCP connection established by the connection establishing module, where the DNS response message carries the public key of the first domain;
  • the obtaining module is configured to obtain a public key of the first domain according to the DNS response packet received by the receiving module.
  • a system for obtaining a public key comprising:
  • a first device configured to establish a TCP connection with the DNS server, send a DNS request message to the DNS server, request to acquire a public key of the first domain, and receive a DNS response message from the DNS server to obtain the public key of the first domain carried in the DNS response packet;
  • the DNS server is configured to send, by using the TCP connection, a DNS response packet to the first device after receiving the DNS request packet, where the DNS response packet carries the public key of the first domain.
  • a method of obtaining a public key comprising:
  • a device for obtaining a public key comprising:
  • a sending module configured to send a DNS request packet to the DNS server over the communication connection established by the connection establishing module, requesting to acquire a public key of the first domain;
  • the public key is a key using a short key system;
  • a receiving module configured to receive a DNS response message from the DNS server over the communication connection established by the connection establishing module, where the DNS response message carries the public key of the first domain;
  • the obtaining module is configured to obtain a public key of the first domain according to the DNS response packet received by the receiving module.
  • a system for obtaining a public key comprising:
  • a first device configured to establish a communication connection with the DNS server, send a DNS request message to the DNS server, request to obtain a public key of the first domain, and receive a DNS response message from the DNS server to obtain the public key of the first domain carried in the DNS response packet;
  • the public key is a key using a short key system;
  • the DNS server is configured to send a DNS response packet to the first device after receiving the DNS request packet, where the DNS response packet carries the public key of the first domain.
  • the method, the device and the system for obtaining a public key provided by the embodiment of the present invention can solve the problem that the public key of the domain cannot be obtained through the UDP packet in the prior art because the length of the public key of the domain is too long.
  • FIG. 1 is a schematic diagram of an application scenario according to an embodiment of the present invention.
  • FIG. 2 is a flowchart of a method for obtaining a public key according to an embodiment of the present invention
  • FIG. 3 is a schematic diagram of an apparatus for acquiring a public key according to an embodiment of the present invention.
  • FIG. 4 is a schematic diagram of a sending module 310 in an apparatus for acquiring a public key according to an embodiment of the present invention
  • FIG. 5 is a schematic diagram of a system for obtaining a public key according to an embodiment of the present invention.
  • FIG. 6 is a schematic diagram of still another application scenario according to an embodiment of the present invention.
  • FIG. 7 is a flowchart of still another method for obtaining a public key according to an embodiment of the present invention.
  • Figure 8 (a) shows the format of the Question option in the DNS request message
  • Figure 8 (b) shows the format of the Query Name field in the Question option.
  • FIG. 9 is a schematic diagram of another apparatus for obtaining a public key according to an embodiment of the present invention.
  • FIG. 10 is a schematic diagram of another sending module 910 in an apparatus for acquiring a public key according to an embodiment of the present disclosure
  • FIG. 11 is a schematic diagram of another system for obtaining a public key according to an embodiment of the present invention.
  • the domain ABC.com has a key pair X1/X2 (public/private key).
  • X1/X2 public/private key
  • the domain ABC.com sends a message (such as an email) to the user P, the message carries the signature.
  • This signature is generated by domain ABC.com using its own private key X2.
  • the domain ABC.com can use the RSA key or other key systems, which is not limited here.
  • after receiving the packet, user P needs to verify the signature to confirm that the packet is indeed from the domain ABC.com. For example, user P can use the public key X1 corresponding to the private key X2 to verify the signature in the packet. If user P does not have the public key X1, user P needs to send a DNS request packet to the DNS server to request the public key X1.
  • a UDP connection is not established between user P and the DNS server; instead, a TCP (Transmission Control Protocol) connection is established directly, and user P sends the above DNS request packet to the DNS server through the TCP connection.
  • the domain ABC.com can use an RSA key, and other key systems can also be used. After receiving the packet from the domain ABC.com, user P can learn from the signature carried in the packet which key system ABC.com used to generate the signature. Therefore, the DNS request packet sent by user P to the DNS server may carry the type identifier of the public key requested.
  • after receiving the DNS request packet, the DNS server sends a DNS Response message to user P over the TCP connection.
  • the DNS response message carries the public key X1 of the domain ABC.com.
  • the DNS response packet may carry a resource record (RR, Resource Record) of the text (TXT) type of the public key X1. When the DNS request packet carries the type identifier of the requested public key, the DNS server may also, based on that type identifier, carry the public key of the corresponding type in the DNS response packet and send it to user P.
  • user P communicates with the DNS server via TCP. Therefore, even if the length of the public key X1 exceeds the packet length specified by the protocol, the DNS server can send the public key X1 to the user in multiple TCP packets.
  • user P can receive the TCP packets in order according to the sequence numbers carried in them and obtain the public key X1. This solves the prior-art problem that the public key cannot be obtained through UDP packets because the domain's public key is too long.
  • FIG. 2 is a flowchart of a method for obtaining a public key according to an embodiment of the present invention. As shown in FIG. 2, the method includes:
  • the public key may be an RSA key, or a key of another key system, which is not limited here;
  • the DNS request packet sent to the DNS server may further carry the type identifier of the public key of the first domain that is requested to be obtained. In this way, the DNS server can carry the corresponding type of public key in the DNS response message.
  • the DNS response packet may carry a TXT type resource record of the public key.
  • the public key of the first domain is obtained according to the TXT type resource record of the first domain public key carried in the received DNS response message.
  • FIG. 3 is a schematic diagram of an apparatus for obtaining a public key according to an embodiment of the present invention. As shown in FIG. 3, the apparatus includes:
  • the connection establishing module 300 is configured to establish a TCP connection with the DNS server.
  • the sending module 310 is configured to send a DNS request packet to the DNS server over the TCP connection established by the connection establishing module 300, requesting to obtain the public key of the first domain.
  • the public key may be an RSA key
  • the key may be a key of another key system, which is not limited herein;
  • the receiving module 320 is configured to receive a DNS response message from the DNS server over the TCP connection established by the connection establishing module 300; the DNS response message is the response of the DNS server to the DNS request message, and the DNS response message carries the public key of the first domain;
  • the obtaining module 330 is configured to obtain the public key of the first domain according to the DNS response packet received by the receiving module 320.
  • the sending module 310 may further include:
  • the identifier unit 311 is configured to carry the type identifier of the public key of the first domain in the DNS request packet; the sending unit 312 is configured to send the DNS request packet carrying the type identifier of the public key of the first domain to the DNS server.
  • the DNS response packet may carry a TXT type resource record of the public key.
  • the obtaining module 330 is configured to obtain the public key of the first domain according to the TXT type resource record of the first domain public key carried in the DNS response packet received by the receiving module 320.
  • FIG. 5 is a schematic diagram of a system for obtaining a public key according to an embodiment of the present invention. As shown in FIG. 5, the system includes a first device and a DNS server, where:
  • the first device is configured to establish a TCP connection with the DNS server, send a DNS request message to the DNS server to request the public key of the first domain, receive a DNS response packet from the DNS server, and obtain the public key of the first domain carried in the DNS response packet.
  • the public key may be an RSA key, or a key of another key system, which is not limited here;
  • the DNS server is configured to send a DNS response packet to the first device by using the TCP connection after receiving the DNS request packet, where the DNS response packet carries the public key of the first domain.
  • with the method, device, and system for obtaining a public key provided by the foregoing embodiments of the present invention, the exchange with the DNS server is based on TCP rather than a UDP connection, so even if the length of the domain's public key exceeds the packet length specified by the protocol, the public key can still be obtained through multiple TCP packets. This solves the prior-art problem that the public key cannot be obtained through UDP packets because the domain's public key is too long.
  • domain ABC.com has the key pairs Y1/Y2 (public/private key) and Z1/Z2 (public/private key), and when domain ABC.com sends a message (such as an email) to user Q, it generates a signature using the private key of one of the key pairs and carries it in the message.
  • the domain ABC.com uses the private key Y2 of the key pair Y1/Y2 to generate a signature and carries it in the message sent to user Q.
  • the key system used by the domain ABC.com is the short key system (also known as the short key algorithm).
  • a short key can be understood as a key whose length can be carried by a single UDP message, with a security strength greater than 80 and a per-bit strength greater than 0.1.
  • per bit strength refers to the ratio of the security strength of the key to the length of the key.
  • the security strength of a given length of key is usually referred to as the amount of work required to break the key.
  • the security strength and per-bit strength of RSA keys of different lengths are shown in Table 1:
  • ECDSA (Elliptic Curve Digital Signature Algorithm)
  • Lattice-Based Public-Key Cryptography
  • password-based public key cryptosystem
  • Y1/Y2 and Z1/Z2 can be any one of the short key systems, which is not limited herein.
  • after receiving the message, user Q needs to verify the signature to confirm that the message is indeed from the domain ABC.com. For example, user Q can use the public key Y1 corresponding to the private key Y2 to verify the signature in the message. If user Q does not have the public key Y1, user Q needs to send a DNS request packet to the DNS server to request the public key Y1.
  • a UDP connection can be established between the user Q and the DNS server, and the user Q sends the DNS request packet to the DNS server through the UDP connection;
  • a TCP connection can also be established between user Q and the DNS server, and user Q sends the above-mentioned DNS request packet to the DNS server through the TCP connection.
  • other communication connections may be used, which is not limited herein.
  • the domain ABC.com has two public/private key pairs. After receiving the packet from the domain ABC.com, user Q can learn from the signature carried in the packet which key system the domain ABC.com used to generate the signature. Therefore, the DNS request packet sent by user Q to the DNS server may carry the type identifier of the public key requested. For example, if the key pair Y1/Y2 belongs to the ECDSA key system, the DNS request message sent by user Q to the DNS server carries the type identifier of that key system. This prevents the DNS server from sending the public key Z1 of the other key pair Z1/Z2 to user Q, or from sending both Y1 and Z1 to user Q.
  • after receiving the DNS request message, the DNS server sends a DNS response message to user Q over the communication connection, and the DNS response message carries the public key Y1 of the domain ABC.com.
  • the DNS response packet may carry a resource record of the type of the public key Y1.
  • the DNS server may also carry the public key of the corresponding type in the DNS response packet according to the type identifier of the public key carried in the DNS request packet, and send the message to user Q.
  • regardless of whether a UDP connection or a TCP connection is established between user Q and the DNS server, the length of the public key will not exceed the packet length specified by the protocol. This solves the prior-art problem that the public key cannot be obtained through UDP packets because the domain's public key is too long.
  • FIG. 7 is a flowchart of still another method for obtaining a public key according to an embodiment of the present invention. As shown in FIG. 7, the method includes:
  • the communication connection may be a UDP connection, a TCP connection, or another communication connection, which is not limited herein;
  • the public key is a key that uses a short key system.
  • the DNS request packet sent to the DNS server may also carry the type identifier of the public key of the first domain that is requested to be obtained.
  • the DNS server can carry the corresponding type of public key in the DNS response message.
  • the DNS response packet may carry a TXT type resource record of the public key.
  • the public key of the first domain is obtained according to the TXT type resource record of the first domain public key carried in the received DNS response message.
  • the Question option in the DNS request packet carries the type identifier of the public key of the first domain.
  • the type identifier of the public key of the first domain in this embodiment may be carried in the Query Name field.
  • “ecdsa” represents a public key of the ecdsa type
  • “Beijing” is the selector identifier
  • “_domainkey” is the DKIM identifier
  • “ABC.com” is the domain name.
  • count is a count bit, indicating the number of bits between the current count bit and the next count bit.
  • Figure 8 (a) and Figure 8 (b) only show an alternative representation of the type identification of the public key in the DNS request message.
  • the manner of expressing the type identifier of the public key in the DNS request packet in this embodiment is not limited thereto.
  • FIG. 9 is a schematic diagram of another apparatus for obtaining a public key according to an embodiment of the present invention. As shown in FIG. 9, the apparatus includes:
  • the connection module 900 is configured to establish a communication connection with the DNS server.
  • the communication connection may be a UDP connection, a TCP connection, or another communication connection, which is not limited herein;
  • the sending module 910 is configured to send a DNS request packet to the DNS server over the communication connection established by the connection module 900, requesting to obtain the public key of the first domain.
  • the public key is a key using a short key system.
  • the receiving module 920 is configured to receive a DNS response message from the DNS server over the communication connection established by the connection module 900, where the DNS response message is a response of the DNS server to the DNS request message, where the DNS response message is carried.
  • the obtaining module 930 is configured to obtain the public key of the first domain according to the DNS response packet received by the receiving module 920.
  • the sending module 910 may further include:
  • the identifier unit 911 is configured to carry the type identifier of the public key of the first domain in the DNS request packet; the sending unit 912 is configured to send the DNS request packet carrying the type identifier of the public key of the first domain to the DNS server.
  • the DNS response packet may carry a TXT type resource record of the public key.
  • the obtaining module 930 is configured to obtain the public key of the first domain according to the resource record of the TXT type of the first domain public key carried in the DNS response message received by the receiving module 920.
  • FIG. 11 is a schematic diagram of another system for obtaining a public key according to an embodiment of the present invention. As shown in FIG. 11, the system includes a first device and a DNS server, where:
  • the first device is configured to establish a communication connection with the DNS server, send a DNS request packet to the DNS server, and request to obtain the public key of the first domain; receive the DNS response packet from the DNS server, and obtain the DNS response packet.
  • the public key is a key using a short key system
  • the communication connection may be a UDP connection, a TCP connection, or another communication connection, which is not limited here;
  • the DNS server is configured to send a DNS response packet to the first device after receiving the DNS request packet, where the DNS response packet carries the public key of the first domain.
  • with the method, device and system for obtaining a public key provided by the above embodiments of the present invention, the public key transmitted with the DNS server is a key of a short key system, so whether a UDP connection or a TCP connection is established with the DNS server, the length of the public key does not exceed the packet length specified by the protocol. This solves the prior-art problem that the public key cannot be obtained through UDP packets because the domain's public key is too long.
  • the embodiments of the present invention can be implemented by means of software plus a necessary general hardware platform, and of course, can also be implemented by hardware.
  • the technical solution of the embodiment of the present invention may be embodied in the form of a software product, where the computer software product may be stored in a storage medium, such as a ROM/RAM, a magnetic disk, an optical disk, etc., and includes a plurality of instructions for making a computer device, or server, or other network device, perform the methods described in various embodiments of the present invention or in some portions of the embodiments.
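
The exchange described above (type identifier carried in the Query Name as count-prefixed parts, TXT resource record in the response, TCP carrying a public key too long for one UDP packet), as an added example that is not part of the patent text: it builds the request and a constructed response offline and reassembles the response from TCP segments. The order of the name parts, the filler key strings, the transaction ID, the 512-byte UDP limit and the two-byte TCP length prefix (standard DNS, RFC 1035) are assumptions not stated on the page.

```python
import struct

TXT, IN = 16, 1          # RR type TXT, class IN
UDP_LIMIT = 512          # classic DNS-over-UDP message size limit (RFC 1035)
# Name order assumed from the order in which the page lists the four parts.
QNAME = "ecdsa.Beijing._domainkey.ABC.com"
LONG_RECORD = "p=" + "A" * 700    # constructed filler standing in for a long key
SHORT_RECORD = "p=" + "B" * 88    # constructed filler standing in for a short key

def encode_qname(name):
    """Encode a name as count-prefixed labels, closed by a zero count."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) <= 63:
            raise ValueError(f"bad label length: {label!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"

def build_query(name, txid):
    """DNS request: 12-byte header (RD set, one question) plus the Question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_qname(name) + struct.pack("!HH", TXT, IN)

def build_txt_response(query, text):
    """Constructed server side: echo the question and answer with one TXT RR."""
    txid = struct.unpack("!H", query[:2])[0]
    data = text.encode("ascii")
    # TXT RDATA is a run of character-strings of at most 255 bytes each.
    chunks = [data[i:i + 255] for i in range(0, len(data), 255)]
    rdata = b"".join(bytes([len(c)]) + c for c in chunks)
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    # 0xC00C is a compression pointer to the question name at offset 12.
    rr = b"\xc0\x0c" + struct.pack("!HHIH", TXT, IN, 300, len(rdata)) + rdata
    return header + query[12:] + rr

def tcp_frame(msg):
    """DNS over TCP prefixes each message with its length as two bytes."""
    return struct.pack("!H", len(msg)) + msg

def read_tcp_message(segments):
    """Rebuild one DNS message from in-order TCP segments of any size."""
    buf = b""
    for seg in segments:
        buf += seg
        if len(buf) >= 2:
            need = struct.unpack("!H", buf[:2])[0]
            if len(buf) >= 2 + need:
                return buf[2:2 + need]
    raise ValueError("stream ended before the whole DNS message arrived")

def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) name."""
    while True:
        count = msg[off]
        if count & 0xC0 == 0xC0:      # pointer: two bytes, always ends the name
            return off + 2
        off += 1 + count
        if count == 0:
            return off

def extract_txt(msg, txid):
    """Validate the response header and return the joined TXT strings."""
    rid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if rid != txid or not flags & 0x8000:
        raise ValueError("not the response to our request")
    if flags & 0x0200:
        raise ValueError("TC bit set: answer was truncated, retry over TCP")
    if flags & 0x000F:
        raise ValueError(f"server returned RCODE {flags & 0x000F}")
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4          # QTYPE + QCLASS
    for _ in range(an):
        off = skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == TXT:
            end, parts = off + rdlen, []
            while off < end:
                parts.append(msg[off + 1:off + 1 + msg[off]])
                off += 1 + msg[off]
            return b"".join(parts).decode("ascii")
        off += rdlen
    raise ValueError("no TXT record in the answer section")

def fetch_over_tcp(name, record_text, txid=0x1A2B, segment_size=300):
    """Run request and response through the framing; return (size, text)."""
    query = build_query(name, txid)
    response = build_txt_response(query, record_text)
    stream = tcp_frame(response)
    segments = [stream[i:i + segment_size]
                for i in range(0, len(stream), segment_size)]
    return len(response), extract_txt(read_tcp_message(segments), txid)

if __name__ == "__main__":
    for label, record in (("long", LONG_RECORD), ("short", SHORT_RECORD)):
        size, text = fetch_over_tcp(QNAME, record)
        print(label, size, "fits UDP" if size <= UDP_LIMIT else "needs TCP",
              text == record)
```

With the long filler the response is larger than one classic UDP DNS message and is recovered only after several segments are joined; with the short filler it fits in a single message on either transport.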

Abstract

The present invention relates to the field of communications. A method for obtaining public key is disclosed. The method includes: by establishing a Transmission Control Protocol (TCP) connection with a Domain Name System (DNS) server, sending a DNS request message to the DNS server through the connection in order to request the public key of a first domain; receiving a DNS response message from the DNS server through the connection, and obtaining the public key of the first domain according to the public key of the first domain carried in the response message. An apparatus and system for obtaining public key are also disclosed.

Description

Method, apparatus and system for obtaining a public key

This application claims priority to Chinese patent application No. 200910106932.3, filed with the Chinese Patent Office on April 29, 2009 and entitled "Method, Apparatus and System for Obtaining Public Keys", the entire contents of which are incorporated herein by reference.

Technical field

The present invention relates to the field of communications, and in particular to a method, apparatus, and system for obtaining a public key.

Background

DKIM (Domain Key Identified Mail) is an emerging e-mail verification standard that is widely used to prevent e-mail fraud, spam, and phishing.

In the DKIM scheme, each domain (such as ABC.com) has its own public/private key pair, and a message (such as an e-mail) sent by the domain carries a signature generated with the domain's own private key. After receiving the message, the receiver uses the domain's public key to verify the signature in the message and so confirm that the message really comes from that domain. If the receiver does not have the domain's public key, it must obtain it from a DNS server with a DNS (Domain Name System) Request message.

In practice, DNS messages are usually transmitted over UDP (User Datagram Protocol). Therefore, when the receiver does not have the domain's public key, it needs to establish a UDP connection with the DNS server and obtain the domain's public key through UDP packets.

In the prior art, however, DKIM supports only the RSA key system, and RSA keys are usually long in order to improve confidentiality. When a domain's RSA public key is so long that it exceeds the length specified for a UDP packet, the receiver cannot obtain that domain's RSA public key through UDP packets.

Summary of the invention

In view of this, embodiments of the present invention provide the following solutions:

A method for obtaining a public key, the method comprising:

establishing a Transmission Control Protocol (TCP) connection with a Domain Name System (DNS) server; sending, through the TCP connection, a DNS request message to the DNS server to request the public key of a first domain; receiving, through the same TCP connection, a DNS response message from the DNS server, where the DNS response message carries the public key of the first domain; and obtaining the public key of the first domain according to the DNS response message.

An apparatus for obtaining a public key, the apparatus comprising:

a connection establishing module, configured to establish a TCP connection with a DNS server;

a sending module, configured to send a DNS request message to the DNS server through the TCP connection established by the connection establishing module, to request the public key of a first domain;

a receiving module, configured to receive a DNS response message from the DNS server through the TCP connection established by the connection establishing module, where the DNS response message carries the public key of the first domain;

an obtaining module, configured to obtain the public key of the first domain according to the DNS response message received by the receiving module.

A system for obtaining a public key, the system comprising:

a first device, configured to establish a TCP connection with a DNS server, send a DNS request message to the DNS server through the TCP connection to request the public key of a first domain, receive a DNS response message from the DNS server, and obtain the public key of the first domain carried in the DNS response message;

a DNS server, configured to send, after receiving the DNS request message, a DNS response message to the first device through the TCP connection, where the DNS response message carries the public key of the first domain.

A method for obtaining a public key, the method comprising:

establishing a communication connection with a DNS server; sending, through the communication connection, a DNS request message to the DNS server to request the public key of a first domain, where the public key is a key using a short key system; receiving, through the communication connection, a DNS response message from the DNS server, where the DNS response message carries the public key of the first domain; and obtaining the public key of the first domain according to the DNS response message.

An apparatus for obtaining a public key, the apparatus comprising:

a connection establishing module, configured to establish a communication connection with a DNS server;

a sending module, configured to send a DNS request message to the DNS server through the communication connection established by the connection establishing module, to request the public key of a first domain, where the public key is a key using a short key system;

a receiving module, configured to receive a DNS response message from the DNS server through the communication connection established by the connection establishing module, where the DNS response message carries the public key of the first domain;

an obtaining module, configured to obtain the public key of the first domain according to the DNS response message received by the receiving module.

A system for obtaining a public key, the system comprising:

a first device, configured to establish a communication connection with a DNS server, send a DNS request message to the DNS server through the communication connection to request the public key of a first domain, receive a DNS response message from the DNS server, and obtain the public key of the first domain carried in the DNS response message, where the public key is a key using a short key system;

a DNS server, configured to send, after receiving the DNS request message, a DNS response message to the first device through the communication connection, where the DNS response message carries the public key of the first domain.

The method, apparatus and system for obtaining a public key provided by the embodiments of the present invention solve the prior-art problem that the public key cannot be obtained through UDP packets because the domain's public key is too long.
BRIEF DESCRIPTION OF THE DRAWINGS
FIG. 1 is a schematic diagram of an application scenario according to an embodiment of the present invention;
FIG. 2 is a flowchart of a method for obtaining a public key according to an embodiment of the present invention;
FIG. 3 is a schematic diagram of an apparatus for obtaining a public key according to an embodiment of the present invention;
FIG. 4 is a schematic diagram of the sending module 310 in an apparatus for obtaining a public key according to an embodiment of the present invention;
FIG. 5 is a schematic diagram of a system for obtaining a public key according to an embodiment of the present invention;
FIG. 6 is a schematic diagram of another application scenario according to an embodiment of the present invention;
FIG. 7 is a flowchart of another method for obtaining a public key according to an embodiment of the present invention;
FIG. 8(a) shows the format of the Question option in a DNS request message;
FIG. 8(b) shows the format of the Query Name field in the Question option;
FIG. 9 is a schematic diagram of another apparatus for obtaining a public key according to an embodiment of the present invention;
FIG. 10 is a schematic diagram of the sending module 910 in another apparatus for obtaining a public key according to an embodiment of the present invention;
FIG. 11 is a schematic diagram of another system for obtaining a public key according to an embodiment of the present invention.
DETAILED DESCRIPTION OF THE EMBODIMENTS
To make the objectives, technical solutions and advantages of the embodiments of the present invention clearer, the embodiments are described in further detail below with reference to the accompanying drawings.
For ease of explanation, several embodiments of the present invention are first introduced through a scenario that is common in practice.
As shown in FIG. 1, the domain ABC.com holds the key pair X1/X2 (public key/private key). When the domain ABC.com sends a message (such as an e-mail) to user P, the message carries a signature that the domain ABC.com generated with its own private key X2. In this scenario the domain ABC.com may use an RSA key or a key of another key system; this is not limited here.
After receiving the message, user P needs to verify the signature to confirm that the message really comes from the domain ABC.com. For example, user P can use the public key X1, which corresponds to the private key X2, to verify the signature in the message. If user P does not have the public key X1, user P needs to send a DNS request message to the DNS server to request the public key X1.
Unlike the prior-art scheme, in this scenario no UDP connection is established between user P and the DNS server. Instead, a TCP (Transmission Control Protocol) connection is established directly, and user P sends the DNS request message to the DNS server over the TCP connection.
Optionally, in this scenario, because the domain ABC.com may use an RSA key or another key system, user P, after receiving the message from the domain ABC.com, can learn from the signature carried in the message which key system the domain ABC.com used to generate the signature. The DNS request message that user P sends to the DNS server can therefore carry a type identifier of the requested public key.
After receiving the DNS request message, the DNS server sends a DNS response message to user P over the TCP connection; the DNS response message carries the public key X1 of the domain ABC.com. For example, the DNS response message may carry a text (TXT) type resource record (RR, Resource Record) of the public key X1. When the DNS request message carries the type identifier of the requested public key, the DNS server can also, according to that type identifier, carry the public key of the corresponding type in the DNS response message sent to user P.
At this point user P has obtained the public key X1 of the domain ABC.com and can use it to verify the signature in the message.
In this scenario, because user P and the DNS server communicate over TCP, the DNS server can send the public key X1 to the user in multiple TCP packets even if the length of X1 exceeds the message length specified by the protocol. User P receives these TCP packets in order, according to the sequence numbers they carry, and obtains the public key X1. This solves the prior-art problem that the public key of a domain cannot be obtained in a UDP message because the public key is too long.
FIG. 2 is a flowchart of a method for obtaining a public key according to an embodiment of the present invention. As shown in FIG. 2, the method includes:
200, establish a TCP connection with the DNS server;
210, send a DNS request message to the DNS server over the TCP connection established in 200, to request the public key of a first domain; in this embodiment the public key may be an RSA key or a key of another key system, which is not limited here;
220, receive a DNS response message from the DNS server over the TCP connection established in 200, where the DNS response message is the DNS server's response to the DNS request message and carries the public key of the first domain;
230, obtain the public key of the first domain from the received DNS response message.
Optionally, in this embodiment, the DNS request message sent to the DNS server may also carry a type identifier of the requested public key of the first domain, so that the DNS server can carry the public key of the corresponding type in the DNS response message.
As a further option, in this embodiment the DNS response message may carry a TXT-type resource record of the public key. In that case, the public key of the first domain is obtained from the TXT-type resource record of the first domain's public key carried in the received DNS response message.
FIG. 3 is a schematic diagram of an apparatus for obtaining a public key according to an embodiment of the present invention. As shown in FIG. 3, the apparatus includes:
a connection establishing module 300, configured to establish a TCP connection with the DNS server;
a sending module 310, configured to send a DNS request message to the DNS server over the TCP connection established by the connection establishing module 300, to request the public key of a first domain; in this embodiment the public key may be an RSA key or a key of another key system, which is not limited here;
a receiving module 320, configured to receive a DNS response message from the DNS server over the TCP connection established by the connection establishing module 300, where the DNS response message is the DNS server's response to the DNS request message and carries the public key of the first domain;
an obtaining module 330, configured to obtain the public key of the first domain from the DNS response message received by the receiving module 320.
Optionally, as shown in FIG. 4, the sending module 310 may further include:
an identification unit 311, configured to carry the type identifier of the public key of the first domain in the DNS request message;
a sending unit 312, configured to send to the DNS server the DNS request message carrying the type identifier of the public key of the first domain.
Optionally, the DNS response message may carry a TXT-type resource record of the public key. In that case, the obtaining module 330 is configured to obtain the public key of the first domain from the TXT-type resource record of the first domain's public key carried in the DNS response message received by the receiving module 320.
FIG. 5 is a schematic diagram of a system for obtaining a public key according to an embodiment of the present invention. As shown in FIG. 5, the system includes a first device and a DNS server, where:
the first device is configured to establish a TCP connection with the DNS server, send a DNS request message to the DNS server to request the public key of a first domain, receive a DNS response message from the DNS server, and obtain the public key of the first domain carried in the DNS response message; in this embodiment the public key may be an RSA key or a key of another key system, which is not limited here;
the DNS server is configured to send, after receiving the DNS request message, a DNS response message to the first device over the TCP connection, where the DNS response message carries the public key of the first domain.
With the method, apparatus and system for obtaining a public key provided by the above embodiments of the present invention, no UDP connection is established with the DNS server and communication is based on TCP instead. Therefore, even if the length of the domain's public key exceeds the message length specified by the protocol, the public key of the domain can be obtained through multiple TCP packets. This solves the prior-art problem that the public key of a domain cannot be obtained in a UDP message because the public key is too long.
Several further embodiments of the present invention are introduced below through another scenario that is common in practice.
As shown in FIG. 6, the domain ABC.com holds the key pairs Y1/Y2 (public key/private key) and Z1/Z2 (public key/private key). When the domain ABC.com sends a message (such as an e-mail) to user Q, it generates a signature with the private key of one of the key pairs and carries the signature in the message. For example, the domain ABC.com generates a signature with the private key Y2 of the key pair Y1/Y2 and carries it in the message sent to user Q. In this scenario, the key system used by the domain ABC.com is a short-key system (which may also be called a short-key algorithm).
In this application, a short key can be understood as a key whose length allows it to be carried in a single UDP message, whose security strength is greater than 80, and whose per-bit strength is greater than 0.1. Here, "per-bit strength" is the ratio of the key's security strength (Security Strength) to the key length. The security strength of a key of a given length usually refers to the amount of work needed to break that key. Taking the RSA key system as an example, the security strength and per-bit strength of RSA keys of different lengths are shown in Table 1:

Table 1

Key length (bits)    Security strength    Per-bit strength
1024                 80                   0.078
2048                 112                  0.055
3072                 128                  0.042

Common short-key systems include, for example, the Elliptic Curve Digital Signature Algorithm (ECDSA), Lattice-Based Public-Key Cryptography, Password-Based Public-Key Cryptography, Identity-Based Public-Key Cryptography Using Pairing, and so on. Other keys that meet the above requirements can of course also be understood as short keys; this is not limited here. In this scenario, the key pairs Y1/Y2 and Z1/Z2 may each be a key of any short-key system, which is not limited here.
After receiving the message, user Q needs to verify the signature to confirm that the message really comes from the domain ABC.com. For example, user Q can use the public key Y1, which corresponds to the private key Y2, to verify the signature in the message. If user Q does not have the public key Y1, user Q needs to send a DNS request message to the DNS server to request the public key Y1.
In this scenario, a UDP connection may be established between user Q and the DNS server, with user Q sending the DNS request message to the DNS server over the UDP connection; a TCP connection may also be established between user Q and the DNS server, with user Q sending the DNS request message over the TCP connection; other communication connections are of course also possible, which is not limited here. When a TCP connection is established between user Q and the DNS server, the process is the same as the communication between user P and the DNS server in FIG. 1 and is not repeated here.
Optionally, in this scenario, because the domain ABC.com holds two public/private key pairs, user Q, after receiving the message from the domain ABC.com, can learn from the signature carried in the message which key system the domain ABC.com used to generate the signature. The DNS request message that user Q sends to the DNS server can therefore carry a type identifier of the requested public key. For example, if the key pair Y1/Y2 uses the ECDSA key system, the DNS request message that user Q sends to the DNS server carries the type identifier of that key system. This prevents the DNS server from sending user Q the public key Z1 of the other key pair Z1/Z2, or from sending both Y1 and Z1 to user Q.
After receiving the DNS request message, the DNS server sends a DNS response message to user Q over the communication connection; the DNS response message carries the public key Y1 of the domain ABC.com. For example, the DNS response message may carry a TXT-type resource record of the public key Y1. When the DNS request message carries the type identifier of the requested public key, the DNS server can also, according to the type identifier carried in the DNS request message, carry the public key of the corresponding type in the DNS response message sent to user Q.
At this point user Q has obtained the public key Y1 of the domain ABC.com and can use it to verify the signature in the message.
In this scenario, because what is passed between user Q and the DNS server is a public key based on a short-key system, the length of the public key does not exceed the message length specified by the protocol, whether a UDP connection or a TCP connection is established between user Q and the DNS server. This solves the prior-art problem that the public key of a domain cannot be obtained in a UDP message because the public key is too long.
FIG. 7 is a flowchart of another method for obtaining a public key according to an embodiment of the present invention. As shown in FIG. 7, the method includes:
700, establish a communication connection with the DNS server; in this embodiment the communication connection may be a UDP connection, a TCP connection, or another communication connection, which is not limited here;
710, send a DNS request message to the DNS server over the communication connection established in 700, to request the public key of a first domain; in this embodiment the public key is a key of a short-key system;
720, receive a DNS response message from the DNS server over the TCP connection established in 700, where the DNS response message is the DNS server's response to the DNS request message and carries the public key of the first domain;
730, obtain the public key of the first domain from the received DNS response message.
Optionally, in this embodiment, the DNS request message sent to the DNS server may also carry a type identifier of the requested public key of the first domain, so that the DNS server can carry the public key of the corresponding type in the DNS response message.
As a further option, in this embodiment the DNS response message may carry a TXT-type resource record of the public key. In that case, the public key of the first domain is obtained from the TXT-type resource record of the first domain's public key carried in the received DNS response message.
Optionally, the type identifier of the public key of the first domain can be carried in the Question option of the DNS request message.
As shown in FIG. 8(a), the Question option has three fields: Query Name, Query Type and Query Class. The type identifier of the public key of the first domain in this embodiment can be carried in the Query Name field. For example, the Query Name field can carry the following information: ecdsa.Beijing._domainkey.ABC.com, where "ecdsa" denotes an ecdsa-type public key, "Beijing" is the selector identifier, "_domainkey" is the DKIM identifier, and "ABC.com" is the domain name. For the specific format, see FIG. 8(b), where count is a count field indicating the number of bits between the current count field and the next count field.
FIG. 8(a) and FIG. 8(b) show only one optional way of representing the type identifier of the public key in the DNS request message. The representation of the type identifier of the public key in the DNS request message in this embodiment is not limited to this.
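Added example (not part of the patent text): both scenarios run in memory in Python, using the page's Query Name ecdsa.Beijing._domainkey.ABC.com in the FIG. 8(b) layout, a TXT-type response, and the two-byte length framing that lets a response larger than one UDP message arrive over TCP. The 512-byte UDP limit and the RFC 1035 wire layout (each count byte gives the label length in octets) are assumptions brought in from the DNS standard; the function names and key strings are constructed for illustration.

```python
import struct

UDP_LIMIT = 512   # classic DNS-over-UDP size limit (RFC 1035); assumption, not from the page
TYPE_TXT, CLASS_IN = 16, 1

def encode_qname(name):
    """Encode a dotted name as <count><label> pairs; each count is the label length in octets."""
    out = bytearray()
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError("label must be 1..63 octets: %r" % label)
        out.append(len(raw))
        out += raw
    out.append(0)                      # a zero count terminates the name
    return bytes(out)

def build_query(name, txid):
    """DNS request: 12-byte header plus one Question (Query Name, Query Type, Query Class)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # RD flag, one question
    return header + encode_qname(name) + struct.pack("!HH", TYPE_TXT, CLASS_IN)

def build_response(query, text):
    """Constructed stand-in for the DNS server: one TXT record answering the query."""
    data = text.encode("ascii")
    chunks = [data[i:i + 255] for i in range(0, len(data), 255)]   # <= 255 octets per string
    rdata = b"".join(bytes([len(c)]) + c for c in chunks)
    header = query[:2] + struct.pack("!HHHHH", 0x8180, 1, 1, 0, 0)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", TYPE_TXT, CLASS_IN, 300, len(rdata)) + rdata
    return header + query[12:] + answer

def frame_tcp(message):
    """DNS over TCP prefixes every message with a two-byte length field."""
    return struct.pack("!H", len(message)) + message

def unframe_tcp(buffered):
    """Return the complete message once enough stream bytes have arrived, else None."""
    if len(buffered) < 2:
        return None
    length = struct.unpack("!H", buffered[:2])[0]
    return buffered[2:2 + length] if len(buffered) >= 2 + length else None

def _skip_name(msg, off):
    """Step over a (possibly compressed) name and return the offset after it."""
    while True:
        if off >= len(msg):
            raise ValueError("truncated name")
        count = msg[off]
        if count == 0:
            return off + 1
        if count & 0xC0 == 0xC0:       # compression pointer, two bytes
            return off + 2
        off += 1 + count

def parse_txt(msg, txid):
    """Validate the response header and return the text of every TXT answer."""
    if len(msg) < 12:
        raise ValueError("short header")
    rid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if rid != txid or not flags & 0x8000:
        raise ValueError("not the response to this request")
    if flags & 0x0200:
        raise ValueError("TC bit set: response was truncated")
    if flags & 0x000F:
        raise ValueError("server returned RCODE %d" % (flags & 0x000F))
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4
    texts = []
    for _ in range(an):
        off = _skip_name(msg, off)
        if off + 10 > len(msg):
            raise ValueError("truncated record header")
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        if len(rdata) != rdlen:
            raise ValueError("truncated RDATA")
        off += rdlen
        if rtype != TYPE_TXT:
            continue
        parts, p = [], 0
        while p < len(rdata):
            parts.append(rdata[p + 1:p + 1 + rdata[p]])
            p += 1 + rdata[p]
        if p != len(rdata):
            raise ValueError("bad TXT string length")
        texts.append(b"".join(parts).decode("ascii"))
    return texts

def fetch_over_tcp(name, key_text, txid=0x1234, split_at=300):
    """Run the exchange in memory; the framed response arrives as two TCP segments."""
    stream = frame_tcp(build_response(build_query(name, txid), key_text))
    buffered, message = b"", None
    for segment in (stream[:split_at], stream[split_at:]):
        buffered += segment
        message = unframe_tcp(buffered)
    return len(stream) - 2, parse_txt(message, txid)[0]
```

`fetch_over_tcp` returns the response size and the recovered TXT text, so comparing the size with `UDP_LIMIT` shows which key lengths need the TCP path of the first scenario and which fit the single-message case of the second.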
FIG. 9 is a schematic diagram of another apparatus for obtaining a public key according to an embodiment of the present invention. As shown in FIG. 9, the apparatus includes:
a connection establishing module 900, configured to establish a communication connection with the DNS server; in this embodiment the communication connection may be a UDP connection, a TCP connection, or another communication connection, which is not limited here;
a sending module 910, configured to send a DNS request message to the DNS server over the communication connection established by the connection establishing module 900, to request the public key of a first domain; in this embodiment the public key is a key of a short-key system;
a receiving module 920, configured to receive a DNS response message from the DNS server over the communication connection established by the connection establishing module 900, where the DNS response message is the DNS server's response to the DNS request message and carries the public key of the first domain;
an obtaining module 930, configured to obtain the public key of the first domain from the DNS response message received by the receiving module 920.
Optionally, as shown in FIG. 10, the sending module 910 may further include:
an identification unit 911, configured to carry the type identifier of the public key of the first domain in the DNS request message;
a sending unit 912, configured to send to the DNS server the DNS request message carrying the type identifier of the public key of the first domain.
Optionally, the DNS response message may carry a TXT-type resource record of the public key. In that case, the obtaining module 930 is configured to obtain the public key of the first domain from the TXT-type resource record of the first domain's public key carried in the DNS response message received by the receiving module 920.
FIG. 11 is a schematic diagram of another system for obtaining a public key according to an embodiment of the present invention. As shown in FIG. 11, the system includes a first device and a DNS server, where:
the first device is configured to establish a communication connection with the DNS server, send a DNS request message to the DNS server to request the public key of a first domain, receive a DNS response message from the DNS server, and obtain the public key of the first domain carried in the DNS response message; in this embodiment the public key is a key of a short-key system, and the communication connection may be a UDP connection, a TCP connection, or another communication connection, which is not limited here;
the DNS server is configured to send, after receiving the DNS request message, a DNS response message to the first device over the communication connection, where the DNS response message carries the public key of the first domain.
With the method, apparatus and system for obtaining a public key provided by the above embodiments of the present invention, what is passed to and from the DNS server is a public key based on a short-key system. Therefore, the length of the public key does not exceed the message length specified by the protocol, whether a UDP connection or a TCP connection is established with the DNS server. This solves the prior-art problem that the public key of a domain cannot be obtained in a UDP message because the public key is too long.
From the description of the above implementations, a person of ordinary skill in the art can clearly understand that the embodiments of the present invention can be implemented by software plus the necessary general-purpose hardware platform, and can of course also be implemented in hardware. Based on this understanding, the technical solutions of the embodiments of the present invention can be embodied in the form of a software product. The computer software product can be stored in a storage medium, such as ROM/RAM, a magnetic disk or an optical disc, and includes a number of instructions that cause a computer device, a server, or another network device to perform the methods described in the embodiments of the present invention or in certain parts of the embodiments.
The above are only preferred embodiments of the present invention and are not intended to limit the scope of protection of the present invention. Any modification, equivalent replacement or improvement made within the spirit and principles of the present invention shall fall within the scope of protection of the present invention.

Claims

1、 一种获取公钥的方法, 其特征在于, 包括: A method for obtaining a public key, comprising:
与域名系统 DNS服务器建立传输控制协议 TCP连接;  Establish a transmission control protocol TCP connection with the domain name system DNS server;
通过所述 TCP连接, 向所述 DNS服务器发送 DNS请求报文, 请求获 取第一域的公钥;  Sending, by using the TCP connection, a DNS request packet to the DNS server, requesting obtaining a public key of the first domain;
通过所述 TCP连接, 接收来自所述 DNS服务器的 DNS响应报文; 所 述 DNS响应报文携带所述第一域的公钥;  Receiving, by the TCP connection, a DNS response packet from the DNS server; the DNS response packet carrying a public key of the first domain;
根据所述 DNS响应报文, 获取所述第一域的公钥。  Obtaining a public key of the first domain according to the DNS response packet.
2、 如权利要求 1所述的方法, 其特征在于, 所述 DNS请求报文携带所 述第一域的公钥的类型标识。  2. The method according to claim 1, wherein the DNS request message carries a type identifier of a public key of the first domain.
3、 如权利要求 1或 2所述的方法, 其特征在于, 所述 DNS响应报文携 带所述第一域的公钥, 具体为: 所述 DNS响应报文携带所述第一域公钥的 文本类型的资源记录。  The method of claim 1 or 2, wherein the DNS response packet carries the public key of the first domain, specifically: the DNS response packet carries the first domain public key Resource record for the text type.
4、 一种获取公钥的装置, 其特征在于, 包括:  4. A device for obtaining a public key, comprising:
建立连接模块, 用于与 DNS服务器建立 TCP连接;  Establish a connection module for establishing a TCP connection with the DNS server;
发送模块, 用于通过所述建立连接模块建立的 TCP连接, 向所述 DNS 服务器发送 DNS请求报文, 请求获取第一域的公钥;  a sending module, configured to send a DNS request packet to the DNS server by using the TCP connection established by the establishing connection module, to obtain a public key of the first domain;
接收模块, 用于通过所述建立连接模块建立的 TCP连接, 接收来自所 述 DNS服务器的 DNS响应报文,所述 DNS响应报文中携带所述第一域的 公钥;  a receiving module, configured to receive, by using the TCP connection established by the establishing connection module, a DNS response packet from the DNS server, where the DNS response packet carries a public key of the first domain;
获取模块, 用于根据所述接收模块接收到的所述 DNS响应报文, 获取 所述第一域的公钥。  And an obtaining module, configured to acquire the public key of the first domain according to the DNS response packet received by the receiving module.
5、 如权利要求 4所述的装置, 其特征在于, 所述发送模块包括: 标识单元, 用于在所述 DNS请求报文中携带所述第一域的公钥的类型 标识;  The device according to claim 4, wherein the sending module comprises: an identifying unit, configured to carry, in the DNS request packet, a type identifier of a public key of the first domain;
发送单元, 用于向所述 DNS服务器发送所述携带第一域的公钥的类型 标识的 DNS请求 4艮文。  And a sending unit, configured to send, to the DNS server, the DNS request that carries the type identifier of the public key of the first domain.
6、 一种获取公钥的系统, 其特征在于, 包括: 第一设备, 用于与 DNS服务器建立 TCP连接, 通过所述 TCP连接, 向所述 DNS服务器发送 DNS请求报文, 请求获取第一域的公钥; 接收来 自所述 DNS服务器的 DNS响应报文,获取所述 DNS响应报文中携带的所 述第一域的公钥; 6. A system for obtaining a public key, comprising: a first device, configured to establish a TCP connection with the DNS server, send a DNS request message to the DNS server, request to acquire a public key of the first domain, and receive a DNS response message from the DNS server. Obtaining the public key of the first domain carried in the DNS response packet;
所述 DNS服务器, 用于在接收到所述 DNS请求报文之后, 通过所述 TCP连接, 向所述第一设备发送所述 DNS响应报文, 所述 DNS响应报文 携带所述第一域的公钥。  The DNS server is configured to send the DNS response packet to the first device by using the TCP connection after receiving the DNS request packet, where the DNS response packet carries the first domain Public key.
7. A method for obtaining a public key, comprising:
establishing a communication connection with a DNS server;
sending, over the communication connection, a DNS request message to the DNS server, requesting the public key of a first domain, where the public key is a key using a short key system;
receiving, over the communication connection, a DNS response message from the DNS server, where the DNS response message carries the public key of the first domain;
obtaining the public key of the first domain according to the DNS response message.
8. The method according to claim 6, wherein the DNS request message carries a type identifier of the public key of the first domain.
9. The method according to claim 7 or 8, wherein the DNS response message carrying the public key of the first domain is specifically: the DNS response message carries a text-type resource record of the public key of the first domain.
10. An apparatus for obtaining a public key, comprising:
a connection establishing module, configured to establish a communication connection with a DNS server;
a sending module, configured to send, over the communication connection established by the connection establishing module, a DNS request message to the DNS server, requesting the public key of a first domain, where the public key is a key using a short key system;
a receiving module, configured to receive, over the communication connection established by the connection establishing module, a DNS response message from the DNS server, where the DNS response message carries the public key of the first domain;
an obtaining module, configured to obtain the public key of the first domain according to the DNS response message received by the receiving module.
11. The apparatus according to claim 10, wherein the sending module comprises:
an identifying unit, configured to carry, in the DNS request message, a type identifier of the public key of the first domain;
a sending unit, configured to send, to the DNS server, the DNS request message carrying the type identifier of the public key of the first domain.
12. A system for obtaining a public key, comprising:
a first device, configured to establish a communication connection with a DNS server; send, over the communication connection, a DNS request message to the DNS server, requesting the public key of a first domain; receive a DNS response message from the DNS server; and obtain the public key of the first domain carried in the DNS response message, where the public key is a key using a short key system;
the DNS server, configured to send, after receiving the DNS request message, the DNS response message to the first device over the communication connection, where the DNS response message carries the public key of the first domain.
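The request/response exchange the claims describe (a DNS request sent over a TCP connection, a response carrying the key in a text-type resource record), as an added Python example that is not part of the patent text. The claims fix no record layout, so the DKIM-style `k=<type>; p=<base64 key>` tags, all function names, and the reply built by `sample_response` are assumptions constructed for illustration.

```python
import base64
import struct

def encode_name(name):
    # Domain name -> length-prefixed DNS labels
    return b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"

def build_tcp_query(qname, txid):
    # TXT query (QTYPE 16, class IN, RD set) behind the 2-byte length prefix DNS uses on TCP
    msg = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0) + encode_name(qname) + struct.pack(">HH", 16, 1)
    return struct.pack(">H", len(msg)) + msg

def skip_name(msg, off):
    # Offset just past a name; a compression pointer (top bits 11) ends it
    while msg[off] and (msg[off] & 0xC0) != 0xC0:
        off += 1 + msg[off]
    return off + (2 if msg[off] else 1)

def parse_key_response(framed, txid):
    # Returns (key type, key bytes) from the first TXT answer; raises on a bad reply
    (length,) = struct.unpack(">H", framed[:2])
    msg = framed[2:2 + length]
    if len(msg) != length:
        raise ValueError("incomplete TCP frame")
    rid, flags, qd, an = struct.unpack(">HHHH", msg[:8])
    if rid != txid or not flags & 0x8000 or flags & 0x020F:
        raise ValueError("wrong ID, not a response, truncated, or error RCODE")
    off = 12
    for _ in range(qd):                      # skip the echoed question(s)
        off = skip_name(msg, off) + 4
    for _ in range(an):
        off = skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        rdata, off = msg[off + 10:off + 10 + rdlen], off + 10 + rdlen
        if rtype == 16:
            text, i = b"", 0
            while i < len(rdata):            # join the TXT character-strings
                text, i = text + rdata[i + 1:i + 1 + rdata[i]], i + 1 + rdata[i]
            tags = dict(t.strip().split("=", 1) for t in text.decode().split(";") if "=" in t)
            return tags["k"], base64.b64decode(tags["p"], validate=True)
    raise ValueError("no TXT answer")

def sample_response(query, key_type, key):
    # Constructed server reply: echoes the question and adds one TXT answer
    q = query[2:]
    txt = b"k=" + key_type.encode() + b"; p=" + base64.b64encode(key)
    rr = b"\xc0\x0c" + struct.pack(">HHIH", 16, 1, 300, len(txt) + 1) + bytes([len(txt)]) + txt
    msg = q[:2] + struct.pack(">HHHHH", 0x8180, 1, 1, 0, 0) + q[12:] + rr
    return struct.pack(">H", len(msg)) + msg
```

The parser rejects a reply whose transaction ID, response flag, truncation bit or RCODE is wrong before it touches the key material; those checks do not authenticate the DNS server, so the returned key is only as trustworthy as the channel to it.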
PCT/CN2010/071521 2009-04-29 2010-04-02 Method, apparatus and system for obtaining public key WO2010124549A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN2009101069323A CN101877693A (en) 2009-04-29 2009-04-29 Method, device and system for obtaining public key
CN200910106932.3 2009-04-29

Publications (1)

Publication Number Publication Date
WO2010124549A1 (en) 2010-11-04

Family

ID=43020156

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2010/071521 WO2010124549A1 (en) 2009-04-29 2010-04-02 Method, apparatus and system for obtaining public key

Country Status (2)

Country Link
CN (1) CN101877693A (en)
WO (1) WO2010124549A1 (en)

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104796502A (en) * 2015-05-08 2015-07-22 上海斐讯数据通信技术有限公司 DNS (domain name system) system and method
CN107395312B (en) * 2017-09-19 2019-03-19 电信科学技术第五研究所有限公司 A kind of secure network method for synchronizing time and device
CN112152978B (en) * 2019-06-28 2021-07-20 北京金山云网络技术有限公司 Key management method, device, equipment and storage medium

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2005026921A2 (en) * 2003-08-26 2005-03-24 Yahoo Inc. Method and system for authenticating a message sender using domain keys
CN101000538A (en) * 2007-01-05 2007-07-18 东南大学 Implement method of elliptic curve cipher system coprocessor
US20080133672A1 (en) * 2006-12-01 2008-06-05 Microsoft Corporation Email safety determination
CN101257450A (en) * 2008-03-28 2008-09-03 华为技术有限公司 Network safety protection method, gateway equipment, client terminal as well as network system

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
NETWORK WORKING GROUP, DOMAINKEYS IDENTIFIED MAIL (DKIM) SIGNATURES, REQUEST FOR COMMENTS: 4871, May 2007 (2007-05-01), Retrieved from the Internet <URL:http://www.dkim.org/specs/rfc4871-dkimbase.pdf> [retrieved on 20100610] *

Also Published As

Publication number Publication date
CN101877693A (en) 2010-11-03

Similar Documents

Publication Publication Date Title
CN108650227B (en) Handshaking method and system based on datagram secure transmission protocol
CN101667916B (en) Method of identifying user identity by digital certificate based on separating mapping network
US20140351595A1 (en) Key Management in a Communication Network
US20140337619A1 (en) Derived Certificate based on Changing Identity
EP2329621B1 (en) Key distribution to a set of routers
US20170201382A1 (en) Secure Endpoint Devices
WO2010078755A1 (en) Method and system for transmitting electronic mail, wlan authentication and privacy infrastructure (wapi) terminal thereof
WO2010124482A1 (en) Method and system for implementing secure forking calling session in ip multi-media subsystem
KR101485747B1 (en) Method of configuring a node, related node and configuration server
EP2951946B1 (en) Method and system for protecting data using data passports
CN103188080A (en) Method and system for secret key certification consultation of terminal to terminal based on identify label
CN113904809B (en) Communication method, device, electronic equipment and storage medium
WO2010083695A1 (en) Method and apparatus for securely negotiating session key
WO2008040213A1 (en) Message encryption and signature method, system and device in communication system
WO2010088812A1 (en) Transmission method, system and wapi terminal for instant message
Chen Secure multicast key protocol for electronic mail systems with providing perfect forward secrecy
CN109995723B (en) Method, device and system for DNS information interaction of domain name resolution system
US20170359178A1 (en) Network communication method having function of recovering terminal session
WO2010124549A1 (en) Method, apparatus and system for obtaining public key
Wang et al. T-IP: A self-trustworthy and secure Internet protocol
CN107395552A (en) A kind of data transmission method and device
CN115567207A (en) Method and system for realizing multicast data encryption and decryption by quantum key distribution
Zimmermann et al. RFC 6189: ZRTP: Media Path Key Agreement for Unicast Secure RTP
KR101549218B1 (en) Method for authentication of encryption
EP3907967A1 (en) Method for preventing sip device from being attacked, calling device, and called device

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 10769238

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 10769238

Country of ref document: EP

Kind code of ref document: A1