WO2011076008A1 - Systeme et procede pour transmettre des fichiers entre un teminal wapi et un serveur d'application - Google Patents

Systeme et procede pour transmettre des fichiers entre un teminal wapi et un serveur d'application Download PDF

Info

Publication number
WO2011076008A1
WO2011076008A1 PCT/CN2010/075406 CN2010075406W WO2011076008A1 WO 2011076008 A1 WO2011076008 A1 WO 2011076008A1 CN 2010075406 W CN2010075406 W CN 2010075406W WO 2011076008 A1 WO2011076008 A1 WO 2011076008A1
Authority
WO
WIPO (PCT)
Prior art keywords
terminal
application server
wapi
content
digital signature
Prior art date
Application number
PCT/CN2010/075406
Other languages
English (en)
Chinese (zh)
Inventor
施元庆
康望星
梁洁辉
Original Assignee
中兴通讯股份有限公司
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by 中兴通讯股份有限公司 filed Critical 中兴通讯股份有限公司
Publication of WO2011076008A1 publication Critical patent/WO2011076008A1/fr

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/10Integrity
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/12Applying verification of the received information
    • H04L63/123Applying verification of the received information received data contents, e.g. message integrity
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/03Protecting confidentiality, e.g. by encryption
    • H04W12/033Protecting confidentiality, e.g. by encryption of the user plane, e.g. user's traffic
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/04Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload

Definitions

  • the present invention relates to the field of wireless local area network authentication and privacy infrastructure (WAPI), and specifically relates to a system and method for transmitting files by a WAPI terminal and an application server.
  • WAPI wireless local area network authentication and privacy infrastructure
  • WAPI Wired Equivalent Privacy
  • the MAC Service Data Unit (MSDU) of the Media Access Control (MAC) sublayer performs addition and decryption processing.
  • An access point (AP) refers to any entity that has a site function to provide distributed services to associated sites through wireless media;
  • ASUE authentication supplicant entity
  • AE authenticator entity
  • the entity resides in the access point or the terminal;
  • the basic function of the authentication service unit (ASU) is to implement the management of the user certificate and the identification of the user identity, etc., which is based on the WAI authentication of the public key cryptography technology.
  • an authentication service entity that provides an identity authentication service for the discriminator and the authentication requester.
  • the entity resides in the authentication service unit, and the node in the corresponding network of the authentication service unit is the WAPI authentication server 11, as shown in FIG.
  • the user certificate is a public key certificate, which is an important part of the WAI system construction.
  • the public key certificate is the digital identity of the network user. It is verified that the identity of the network user can be uniquely determined by private key authentication.
  • Network storage is a common Internet service that provides upload, download, and retrieval of various file contents.
  • WAPI more and more mobile terminals support wireless LAN access, and will also support more and more Internet service functions.
  • Network storage has considerable value for mobile terminals.
  • the current mobile terminal has gradually evolved into a multimedia information platform with personal communication as the core.
  • the powerful multimedia information collection function of the terminal is bound to require a reliable memory storage platform.
  • Considering the content sharing among multiple devices, network storage is undoubtedly a Very promising mobile internet business.
  • Web-based network storage applications usually have their own login mechanism in the Internet environment. Users need to provide a username and password to identify themselves. How to effectively ensure the security of the contents of the transmitted file is an important issue that needs to be solved.
  • the mobile terminal has completed the identity authentication process when accessing the network. If the access authentication capability can be fully utilized, the operation of the terminal user is simplified on the one hand, and the application provider can reuse the public key on which the WAPI depends.
  • the Public Key Infrastructure which includes resources such as the certificate issuing system and the certificate on the client, can also provide customers with integrity and confidentiality protection of the stored content.
  • the technical problem to be solved by the present invention is to provide a system and method for transmitting files by a WAPI terminal and an application server, thereby effectively ensuring the security of the content of the transmitted file.
  • the present invention provides a method for transmitting a file by a WAPI terminal and an application server, including:
  • the sender uses the wireless local area network security infrastructure WPI algorithm to encrypt the transmitted file content, and digitally signs the transmitted file content through HTTP.
  • the receiving end parses the content of the file and verifies the digital signature. If the digital signature is verified, the content of the transmitted file is not changed.
  • the method before the step of transmitting the file content, the method further includes: when the terminal sends an HTTP Get (GET) request to the application server, setting a field value of the HTTP GET request For a preset value, the terminal is a WAPI terminal, and after the application server receives the HTTP GET request, if the header field value is the preset value, it is determined that the terminal is a WAPI terminal.
  • HTTP Get HTTP Get
  • the method further includes:
  • the step of generating the digital signature includes: calculating a returned page using a wireless local area network authentication infrastructure WAI hash algorithm, and using a private key of the application server WAPI certificate Encrypting the hash calculation result using WAI's elliptic curve algorithm to generate the digital signature;
  • the terminal parses the digital signature, obtains the public key of the application server WAPI certificate pre-stored on the terminal, decrypts the digital signature, and hashes the page content by using a WAI hash function, and compares Whether the result of the hash calculation is consistent with the decrypted digital signature. If the result of the hash calculation is consistent with the decrypted digital signature, the authentication is performed on the application server, and if the result of the hash calculation is inconsistent with the decrypted digital signature, the authentication is not by.
  • the sending end when the sending end is a WAPI terminal and the receiving end is an application server, the sending end encrypts the transmitted file content by using a wireless local area network security infrastructure WPI algorithm, and digitally signs the transmitted file content.
  • the HTTP message transmission step includes: when the WAPI terminal transmits the file content, first generates a 128-bit random number as the temporary session key, and uses the symmetric key algorithm SMS4 in the WPI to encrypt the transmitted file content to obtain the ciphertext;
  • the public key of the server WAPI certificate encrypts the temporary session key by the public key algorithm to obtain the encrypted key; digitally signs the transmitted file content; and the ciphertext, digital signature, encrypted key, and terminal WAPI
  • the certificate information is encapsulated together, and the encapsulated content is sent to the application server through HTTP submission (POST), where the terminal WAPI certificate information includes a terminal WAPI certificate identifier or a terminal WAPI certificate;
  • the receiving end After receiving the HTTP message containing the file content, the receiving end parses the file content and verifies the digital signature. If the digital signature verification is passed, the step of transmitting the file content is not changed.
  • the application server After receiving the HTTP POST, the application server separates the terminal WAPI certificate identifier or the terminal WAPI certificate, and if the terminal WAPI certificate identifier is separated, the terminal WAPI certificate is obtained.
  • the encrypted key is decrypted by the public key algorithm to obtain a temporary session key, and the ciphertext in the transmitted file content is decrypted by a symmetric key algorithm to obtain a text, and decrypted.
  • the text of the output is hashed to obtain a hash value; the application server decrypts the digital signature by using the public key of the terminal WAPI certificate to obtain another hash value; whether the obtained two hash values are consistent, If the two hash values are consistent, the verification of the WAPI terminal is passed, and the content of the received file is not changed;
  • the sending end is an application server and the receiving end is a WAPI terminal
  • the HTTP GET message is sent to the application server, and the uniform resource locator corresponding to the content to be acquired is carried;
  • the sending end encrypts the transmitted file content by using the wireless local area network security infrastructure WPI algorithm, and performs digital signature on the transmitted file content and then transmits the HTTP message through the following steps: the application server receives the HTTP GET message and then according to the The uniform resource locator is known
  • the file content requested by the WAPI terminal and then generating a 128-bit random number as a temporary session key, and using the temporary session key to perform SMS4 encryption on the file content requested by the WAPI terminal to obtain a ciphertext, and digitally signing the content of the file, Encrypting the temporary session key using a public key of the terminal WAPI certificate to obtain an encrypted key, the encrypted key, ciphertext and digital signature being encapsulated in a fixed format or in the form of a form as a 200 OK message Return to the WAPI terminal;
  • the receiving end After receiving the HTTP message containing the file content, the receiving end parses the file content and verifies the digital signature. If the digital signature verification is passed, the step of transmitting the file content is not changed.
  • the WAPI terminal After receiving the 200 OK message, the WAPI terminal decrypts the encrypted key by using the private key of the terminal WAPI certificate to obtain a temporary session key, and then uses the temporary session key to perform the ciphertext.
  • the symmetric key algorithm decrypts the text, and hashes the decrypted text to obtain a hash value.
  • the public key of the application server WAPI certificate is used to decrypt the digital signature to obtain another hash value. Whether the two hash values are the same, if two If the hash value is consistent, the verification is passed, and the contents of the received file are not changed.
  • the WAPI terminal sends an HTTP GET message to the application server
  • the step of carrying the uniform resource locator corresponding to the content is
  • the terminal sends an HTTP GET message to the application server
  • the unified resource locator is digitally signed, and the digital signature and the terminal WAPI certificate identifier are sent to the application server by using an HTTP GET message as a uniform resource locator parameter;
  • the method further includes:
  • the application server After receiving the HTTP GET message, the application server separates the terminal WAPI certificate identifier, obtains the terminal WAPI certificate, and decrypts the digital signature by using the public key in the terminal WAPI certificate; hashing the page content by using the WAI hash function Whether the result of the comparison hash calculation is consistent with the decrypted digital signature, and if the result of the hash calculation is consistent with the decrypted digital signature, the terminal is authenticated.
  • the step of digitally signing the content of the transmitted file by the WAPI terminal comprises: performing hash calculation on the content of the file, and performing public key algorithm encryption on the hashed value by using a private key of the terminal WAPI certificate. .
  • the step of the application server digitally signing the file content comprises: performing hash calculation on the file content, and performing a public key algorithm encryption on the hash calculated value by using a private key of the application server WAPI certificate.
  • the invention also provides a wireless local area network authentication and security infrastructure WAPI terminal and an application server for transmitting files, including a transmitting end and a receiving end;
  • the sending end is configured to encrypt the transmitted file content by using a wireless local area network security infrastructure WPI algorithm, and digitally sign the transmitted file content through a hypertext transfer protocol.
  • the receiving end is configured to parse out the content of the file after receiving the HTTP message and verify the digital signature, and if the digital signature is verified, the content of the transmitted file is not changed.
  • the sending end is a WAPI terminal, and the receiving end is an application server; or the sending end is an application server, and the receiving end is a WAPI terminal;
  • the WAPI terminal includes a setting module;
  • the setting module of the WAPI terminal is configured to: when sending an HTTP get (GET) request to the application server before transmitting the file content, setting a field value of the HTTP GET request to a preset value indicates that the terminal is a WAPI terminal;
  • the application server is further configured to determine that the terminal is a WAPI terminal if the header field value is a preset value after receiving the HTTP GET request.
  • the application server includes an encryption module and a sending module
  • the WAPI terminal further includes a decryption module
  • the encryption module of the application server is configured to calculate a returned page by using a wireless local area network authentication WAI hash algorithm, and encrypt the hash calculation result by using a WAI elliptic curve algorithm using a private key of the application server WAPI certificate. Calculate the generated digital signature;
  • the sending module of the application server is configured to carry the digital signature when returning a 200 response (OK) message to the terminal;
  • the decryption module of the WAPI terminal is configured to parse the digital signature after receiving the 200 OK message, obtain the public key of the application server WAPI certificate pre-stored on the WAPI terminal, decrypt the digital signature, and use the WAI hash function pair.
  • the content of the page is hashed, and the result of the hash calculation is consistent with the decrypted digital signature. If the result of the hash calculation is consistent with the decrypted digital signature, the result of the hash calculation and the decryption are determined by the authentication of the application server. If the digital signatures are inconsistent, the authentication fails.
  • the terminal when the terminal uploads the file content to the application server, the terminal is a sending end, and the application server is a receiving end;
  • the terminal includes an encryption module and a sending module
  • the encryption module of the terminal is configured to generate a 128-bit random number as a temporary session key, and encrypt the uploaded file content using the symmetric key algorithm SMS4 in the WPI to obtain a ciphertext; use the public key of the application server WAPI certificate Encrypting the temporary session key by public key algorithm to obtain the encrypted key; and digitally signing the content of the uploaded file;
  • the sending module of the terminal is configured to encapsulate the ciphertext, the digital signature, the encrypted key and the terminal WAPI certificate information, and send the encapsulated content through HTTP submission (POST).
  • the terminal WAPI certificate information includes a terminal WAPI certificate identifier or a terminal WAPI certificate;
  • the application server includes a receiving module and a decryption module
  • the receiving module of the application server is configured to: after receiving the HTTP POST, separate the terminal WAPI certificate identifier or the terminal WAPI certificate, and if the terminal WAPI certificate identifier is separated, obtain the terminal WAPI certificate;
  • the decryption module of the application server is configured to decrypt the encrypted key by using a private key of the WAPI certificate of the application server to obtain a temporary session key, and use the temporary session key pair to transfer the file content.
  • the ciphertext is decrypted by the symmetric key algorithm to obtain the body text, and the decrypted text is hashed to obtain a hash value; and the public key of the terminal WAPI certificate is used to decrypt the signature to obtain another hash value. And compare whether the obtained two hash values are consistent. If the two hash values are consistent, the verification of the terminal is passed, and the content of the received file is not changed.
  • the terminal acquires file content from an application server
  • the application server is a sending end
  • the terminal is a receiving end
  • the terminal includes a sending module, a receiving module, and a decrypting module
  • the sending module of the terminal is configured to: when sending an HTTP GET message to the application server, carry a uniform resource locator corresponding to the content of the file;
  • the application server includes a receiving module, an encryption module, and a sending module;
  • the receiving module of the application server is configured to: after receiving the HTTP GET message, learn the file content requested by the terminal according to the unified resource locator;
  • the encryption module of the application server is configured to generate a 128-bit random number as a temporary session key, and use the temporary session key to perform SMS4 encryption on the file content requested by the terminal to form a ciphertext, and digitally sign the content of the file, and Encrypting the temporary session key using a public key of the terminal WAPI certificate to obtain an encrypted key;
  • the sending module of the application server is configured to send the ciphertext, the digital signature, and the encrypted key to the terminal as a 200 OK message;
  • the receiving module of the terminal is configured to send the received 200 OK message to the solution of the terminal.
  • the encryption module of the terminal is further configured to digitally sign the uniform resource locator when sending an HTTP GET message to the application server;
  • the sending module of the terminal is further configured to: send the digital signature and the user certificate identifier as a uniform resource locator parameter to the application server when sending the HTTP GET message to the application server; the decryption module of the application server is further configured to be separated Extracting the terminal WAPI certificate identifier in the HTTP GET message, and obtaining the terminal WAPI certificate, and decrypting the digital signature using the public key in the terminal WAPI certificate; hashing the page content using the WAI hash function; comparing hash calculation Whether the result is consistent with the decrypted digital signature, if the result of the hash calculation is consistent with the decrypted digital signature, the terminal is authenticated.
  • the encryption module of the terminal is configured to perform hash calculation on the file content, and use a private key of the terminal WAPI certificate to perform a public key algorithm encryption on the hashed value to transmit the file content. Make a digital signature.
  • the encryption module of the application server is configured to perform hash calculation on the file content, and use a private key of the application server WAPI certificate to perform a public key algorithm encryption on the hashed value to the file content. Make a digital signature.
  • the public key certificate authority and the client WAPI certificate provided by the WAPI infrastructure are fully utilized.
  • the WAPI terminal user relies on the WAPI authentication service to implement the user login process.
  • the login process does not require the user to input a username and password.
  • the client saves the content
  • the temporary session key and the symmetric encryption algorithm negotiated in the certificate authentication process encrypt the stored content to ensure content confidentiality
  • the client uses the private function of the hash function and the public certificate to store the content.
  • the client decrypts the obtained content through the temporary session key negotiated in the certificate authentication process and the symmetric encryption algorithm.
  • Figure 1 is the network system structure
  • Figure 2 is a schematic structural view of the system of the present invention.
  • FIG. 3 is a flow chart of the terminal of the present invention uploading content to an application server
  • FIG. 4 is a flow chart of the terminal of the present invention when acquiring content from an application server
  • FIG. 5 is a process diagram of a process when a terminal of the present invention uploads content
  • FIG. 6 is a process diagram of the application server when the content is delivered by the application server
  • FIG. 7 is a process diagram of the terminal and the application server of the present invention after receiving the file content;
  • FIG. 8 is a process diagram of the terminal of the present invention for authenticating the application server. Preferred embodiment of the invention
  • the present invention provides a system for transmitting files by a WAPI terminal and an application server, as shown in FIG. 2, the system includes a transmitting end and a receiving end;
  • the sender is the WAPI terminal 21 or the application server 22, and the receiving end is the application server 22 or the WAPI terminal 21;
  • the sending end is configured to encrypt the transmitted file content by using the WPI algorithm, and digitally sign the transmitted content, and then send the content to the receiving end through a hypertext transfer protocol (HTTP) message; the receiving end is set to receive the HTTP message.
  • HTTP hypertext transfer protocol
  • the WAPI terminal 21 includes a setting module 211, a first encryption module 212, a first decryption module 213, a first sending module 214, and a first receiving module 215;
  • the application server 22 includes a second encryption module 221, a second decryption module 222, a second sending module 223, and a second receiving module 224;
  • the setting module of the WAPI terminal is configured to: when sending an HTTP get (GET) request to the application server before transmitting the file content, indicating a field value of the request as a preset value indicates that the terminal is a WAPI terminal, and the application server receives the HTTP After the GET request, if the header field value is a preset value, it is determined that the terminal is a WAPI terminal.
  • the second encryption module is configured to calculate the returned page by using a WAI hash algorithm, and use the private key of the application server WAPI certificate to perform an encryption calculation on the hash calculation result to generate a digital signature by using an elliptic curve algorithm of WAI;
  • the second sending module is configured to carry the digital signature when returning the 200 OK message to the WAPI terminal;
  • the first decryption module is configured to parse the digital signature after receiving the 200 OK message, obtain the public key pre-stored in the WAPI certificate of the application server on the terminal, decrypt the digital signature, and hash the webpage content by using a WAI hash function. The calculation then compares the result of the hash calculation with the decrypted digital signature. If it is consistent, it authenticates the application server, otherwise the authentication fails.
  • the terminal uploads content to the application server
  • the terminal is the sending end
  • the application server is the receiving end
  • the first encryption module is configured to generate a 128-bit random number as a temporary session key, and encrypt the uploaded file content using the symmetric key algorithm (SMS4) in WPI to obtain a ciphertext, using the public key of the application server WAPI certificate.
  • SMS4 symmetric key algorithm
  • the public session key algorithm encrypts the temporary session key to obtain the encrypted key, and digitally signs the uploaded file content;
  • the first sending module is configured to encapsulate the encrypted ciphertext, the digital signature, the encrypted random number together with the user WAPI certificate identifier or the WAPI certificate, and send the encapsulated content to the application server through HTTP submission (POST);
  • the second receiving module is configured to: after receiving the HTTP POST, separate the WAPI certificate identifier or the WAPI certificate of the user, and if the WAPI certificate identifier is separated, obtain the WAPI certificate;
  • the second decryption module is configured to decrypt the encrypted key by using a public key of the WAPI certificate of the application server to obtain a temporary session key, and use the temporary session key to symmetrically encrypt the ciphertext in the uploaded content.
  • the key algorithm decrypts the body, and hashes the decrypted body to obtain a hash value, and uses the public key of the terminal WAPI certificate to publicize the signature.
  • the algorithm decrypts to obtain another hash value, and compares whether the obtained two hash values are consistent. If they are consistent, the verification of the terminal passes, and the received file content is not changed.
  • the first encryption module digitally signs the content of the uploaded file, and performs hash calculation on the content of the file, and then uses the private key of the terminal WAPI certificate to encrypt the hashed value with the public key algorithm.
  • the first sending module is configured to: when sending an HTTP GET message to the application server, carry a uniform resource locator corresponding to the content to be obtained;
  • the second receiving module is configured to: after receiving the HTTP GET message, learn, according to the uniform resource locator, the content of the document requested by the terminal;
  • the second encryption module is configured to generate a 128-bit random number as a temporary session key, and use the temporary session key to encrypt the document content requested by the terminal by using a symmetric key algorithm (SMS4) to form a ciphertext, and to digitally mark the content of the document. Signing, and using the public key of the terminal WAPI certificate to encrypt the temporary session key by public key algorithm to obtain the encrypted key;
  • SMS4 symmetric key algorithm
  • the second sending module is configured to send the ciphertext, the signature, and the encrypted temporary session key to the terminal as a 200 OK message body;
  • the first receiving module is configured to send the received 200 OK message to the first decryption module; the first decryption module is configured to use the private key of the terminal WAPI certificate to decrypt the encrypted key by using a public key algorithm to obtain a temporary session.
  • the key, and the temporary session key decrypt the ciphertext by the symmetric key algorithm to obtain the document body, hash the decrypted text to obtain a hash value, and publicize the signature by using the public key of the application server WAPI certificate.
  • the key algorithm decrypts to obtain another hash value, and whether the above two hash values obtained by the comparison are consistent. If they are consistent, the verification passes, and the received file content is not changed.
  • the first encryption module is further configured to digitally sign the unified resource locator when sending the HTTP GET message to the application server;
  • the first sending module is further configured to send the digital signature and the user certificate identifier as a uniform resource locator parameter to the application server when sending the HTTP GET message to the application server;
  • the second decryption module is further configured to: separate the user certificate identifier in the HTTP GET message, obtain the user certificate, and decrypt the digital signature by using the public key in the certificate, and use the WAI hash function to perform the uniform resource locator Hash calculation, then compare the result of the hash calculation with the decrypted digital signature, and if it is consistent, pass the identification of the terminal.
  • the second encryption module performs signature calculation on the content of the document, and performs hash calculation on the content of the document, and then uses the private key of the application server WAPI certificate to encrypt the hashed value with the public key algorithm.
  • the invention also provides a method for transmitting files by a WAPI terminal and an application server.
  • the sender uses the WPI algorithm to encrypt the transmitted file content, and encrypts the transmitted content.
  • the receiving end parses the content of the file and verifies the digital signature after receiving the HTTP message containing the content of the file, and if the digital signature is verified, the content of the transmitted file is not changed.
  • This embodiment is a method for a terminal to upload file content to an application server. As shown in FIG. 3, the method includes the following steps:
  • Step 301 The terminal browser sends an HTTP GET request to the application server to obtain a page of the network storage application, and the terminal indicates that it is a WAPI terminal by setting a header field value in the request to a preset value, for example, the User-Agent may be (User Agent) Set to WAPI Mobile User (WAPI-Mobile-Client) VI.0;
  • the User-Agent may be (User Agent) Set to WAPI Mobile User (WAPI-Mobile-Client) VI.0;
  • the value of the header field may be specified by the terminal when the request is made, or may be modified by a Wireless Application Protocol (WAP)/HTTP application gateway adjacent to the WLAN segment.
  • WAP Wireless Application Protocol
  • Step 302 The application server receives the HTTP GET request sent by the terminal, and determines whether the request is from the WAPI terminal according to the value in a header field; for example, when the value of the User-Agent is WAPI-Mobile-Client VI.0.
  • the terminal is a WAPI terminal;
  • Step 303 The application server returns a 200 OK message to the terminal, and adds a hidden form to the message, and the content includes at least one digital signature encrypted by the WAI public key algorithm.
  • the signature method is as follows:
  • the generated signature is sent to the terminal browser in a hidden form in the page response.
  • Step 304 As shown in FIG. 8, after receiving the 200 OK message, the terminal parses the digital signature from the hidden form, obtains the public key pre-stored in the WAPI certificate of the application server on the terminal, decrypts the digital signature, and uses the WAI.
  • the hash function hashes the content of the webpage, and then compares whether the result of the hash calculation is consistent with the decrypted digital signature. If they are consistent, the authentication is passed, otherwise the authentication fails.
  • the method for obtaining the application server WAPI certificate by the terminal is the same as the prior art.
  • Step 305 The WAPI terminal browser presents the page after acquiring the application server webpage data and completing the authentication of the server.
  • the terminal submits the content of the file to be uploaded through the browser. Submit the process using the HTTP POST method.
  • the WAPI terminal first generates a 128-bit random number as the temporary session key, and encrypts the content of the uploaded file to obtain the ciphertext by using the SMS4 algorithm in WPI (ie, the symmetric key algorithm in FIG. 5), and then uses the public key of the application server WAPI certificate.
  • the public key algorithm is encrypted for the temporary session key to obtain the encrypted key, and then the digital signature of the uploaded content is completed by using the private key of the terminal WAPI certificate.
  • the digital signature process first performs hash calculation on the file content, and then uses The private key of the terminal WAPI certificate is encrypted and hashed; the ciphertext, digital signature, and encrypted key and user WAPI certificate identifier or certificate are encapsulated in a fixed format, for example:
  • the content of the POST is composed and sent to the application service by the terminal browser or through the form.
  • Step 306 After the application server receives the HTTP POST message, first according to the form or a certain A fixed format separates the user's WAPI certificate identifier or WAPI certificate. If it is a certificate identifier, the user's public key certificate is obtained through interaction with the public authentication center (the acquisition process is a standard process, which is not described in detail in the present invention).
  • the application server obtains the random number encrypted value generated by the terminal and encrypted by the application server public key, and uses the private key of the WAPI certificate of the application server to decrypt the encrypted key by a public key algorithm to obtain a 128-bit temporary session key. Then, using the 128-bit temporary session key, the ciphertext in the uploaded content is decrypted by a symmetric key algorithm to obtain a body text, and the decrypted body is hashed to obtain a hash value, and the application server also uses the terminal WAPI certificate.
  • the key pair signature is decrypted by the public key algorithm to obtain another hash value, and then the obtained two hash values are compared. If the two hash values are consistent, the verification is passed, indicating that the uploaded file content has not been changed. If not, the verification fails. .
  • This embodiment is a method for a terminal to obtain content from an application server. As shown in FIG. 4, the method includes the following steps:
  • Step 401 The terminal browser sends an HTTP GET request to the application server, and obtains a page of the network storage application.
  • the terminal indicates that it is a WAPI terminal by setting a certain header field value of the request to a preset value, for example, the User-Agent may be The (user agent) is set to WAPI-Mobile-Client VI.0; the value of the header field may be specified by the terminal when the request is made, or may be modified by the WAP/HTTP application gateway adjacent to the wireless LAN segment.
  • Step 402 The application server receives the HTTP GET request sent by the terminal, and determines whether the request is from the WAPI terminal according to a header field value. If the value of the User-Agent is WAPI-Mobile-Client VI.0, the terminal is determined. Is a WAPI terminal;
  • Step 403 The application server returns a 200 OK message to the terminal, and adds a hidden form to the message, and the content includes at least one digital signature encrypted by the WAI public key algorithm.
  • the signature method is as follows:
  • Step 404 As shown in FIG. 8, after receiving the 200 OK message, the terminal parses the digital signature from the hidden form, and obtains the public key of the WAPI certificate of the application server pre-stored on the terminal to decrypt the signature by the public key algorithm, and The hash function of the WAI is used to hash the content of the webpage, and then the result of the hash calculation is compared with the decrypted digital signature. If they are consistent, the authentication is passed, otherwise the authentication fails.
  • the method for obtaining the application server WAPI certificate by the terminal is the same as the prior art.
  • Step 405 The WAPI terminal browser presents the page after acquiring the application server webpage data and completing the server identity authentication.
  • Step 406 The terminal specifies, by using an interface, a URL (Uniform Resource Locator) corresponding to the content, and uses the GET method to obtain the content.
  • a URL Uniform Resource Locator
  • the client plug-in invokes the WAI function to perform signature calculation on the Uniform Resource Locator (URL, Uniform Resource Locator).
  • the signature method is as follows:
  • the digital signature for the Uniform Resource Locator does not include the URL parameter portion.
  • Step 407 The application server receives the HTTP GET message, separates the user certificate identifier in the URL parameter, obtains the user certificate, and then decrypts the digital signature by using the public key in the terminal WAPI certificate, and uses the WAI hash function to the webpage content. The hash calculation is performed, and then the result of the hash calculation is compared with the decrypted digital signature. If they are consistent, the terminal is authenticated, otherwise the authentication fails.
  • a 128-bit random number is generated as a temporary session key, and the temporary session key is used to perform SMS4 encryption on the document content requested by the client (that is, as shown in FIG. 6 Perform symmetric key encryption on the document, and digitally sign the body of the document.
  • the digital signature process first hashes the document body, and then uses the private key of the application server WAPI certificate to encrypt the hashed value with the public key algorithm; the application server also uses the public key pair of the terminal WAPI certificate for the temporary session.
  • the key is encrypted by the public key algorithm to obtain the encrypted key.
  • all the content is encapsulated in a fixed format or in the form of a form, and is returned to the terminal as a 200 OK message body.
  • Step 408 As shown in FIG. 7, after receiving the 200 OK message, the terminal decrypts the encrypted key by using the private key of the terminal WAPI certificate to obtain a temporary session key, and then uses the temporary session key pair.
  • the ciphertext is decrypted by the symmetric key algorithm to obtain the document body, and the hashed text is hashed to obtain the hash value.
  • the public key of the application server WAPI certificate is used to decrypt the signature by the public key algorithm to obtain another hash value. Whether the above two hash values obtained by the comparison are consistent, if they are consistent, the verification is passed, and the content of the received file is not changed, and if not, the verification fails.
  • the terminal and the application server use the same public key algorithm for encryption and decryption.
  • the invention completes the authentication process based on the WAPI certificate and the encryption and integrity protection of the transmitted data through the HTTP message body or the form in the hypertext without changing the HTTP protocol, and does not affect the WEB of the application server.
  • the normal process of access request processing, the mentioned functions can be completed by adding new function modules. The new functions only involve WAPI related public keys and symmetric encryption calculations, and the contents of HTTP and hypertext transfer protocols are not changed.
  • the system and method for transmitting files by the WAPI terminal and the application server provided by the invention complete the authentication process based on the WAPI certificate, encrypt and complete the transmission data through the HTTP message body or the form in the hypertext without changing the HTTP protocol.
  • the mentioned functions can be completed by adding new function modules. The new functions only involve WAPI-related public keys and symmetric encryption calculations, without changing HTTP and hypertext transfer protocols. content.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Storage Device Security (AREA)
  • Computer And Data Communications (AREA)
  • Information Transfer Between Computers (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

L'invention concerne un système et un procédé pour transmettre des fichiers entre un terminal d'infrastructure de confidentialité et d'authentification (WAPI) de réseau local sans fil (WLAN) et un serveur d'applications. Le procédé comprend les étapes suivantes : lorsqu'on utilise des messages de protocole de transfert hypertexte (HTTP) pour transmettre le contenu d'un fichier entre le terminal WAPI et le serveur d'application, l'extrémité de transmission crypte, au moyen d'un algorithme d'infrastructure de confidentialité (WPI) WLAN, le contenu du fichier à transmettre, et transmet ce dernier après exécution d'une signature numérique sur le contenu du fichier à transmettre; l'extrémité de réception résout le contenu du fichier après réception des messages HTTP comprenant le contenu dudit fichier, et valide la signature numérique; si la signature numérique est validée avec succès, le contenu transmis n'a pas été modifié. Le système et le procédé de transmission de fichiers entre le terminal WAPI et le serveur d'applications de l'invention, permettent d'exécuter le processus d'authentification en fonction du certificat WAPI, le cryptage des données de transmission et la fonction de protection d'intégrité sans modifier le protocole HTTP.
PCT/CN2010/075406 2009-12-21 2010-07-22 Systeme et procede pour transmettre des fichiers entre un teminal wapi et un serveur d'application WO2011076008A1 (fr)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN200910247064.0 2009-12-21
CN200910247064A CN101742508A (zh) 2009-12-21 2009-12-21 一种wapi终端与应用服务器传输文件的系统及方法

Publications (1)

Publication Number Publication Date
WO2011076008A1 true WO2011076008A1 (fr) 2011-06-30

Family

ID=42465224

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2010/075406 WO2011076008A1 (fr) 2009-12-21 2010-07-22 Systeme et procede pour transmettre des fichiers entre un teminal wapi et un serveur d'application

Country Status (2)

Country Link
CN (1) CN101742508A (fr)
WO (1) WO2011076008A1 (fr)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2013086756A1 (fr) * 2011-12-14 2013-06-20 金峰顺泰知识产权有限公司 Procédé et système pour la documentation d'archives numériques
CN114760129A (zh) * 2022-04-11 2022-07-15 平安国际智慧城市科技股份有限公司 数据访问方法、装置、设备及存储介质

Families Citing this family (22)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101742508A (zh) * 2009-12-21 2010-06-16 中兴通讯股份有限公司 一种wapi终端与应用服务器传输文件的系统及方法
CN103220159A (zh) * 2012-01-19 2013-07-24 北京千橡网景科技发展有限公司 用于传送信息的方法和装置
CN103368901A (zh) * 2012-03-27 2013-10-23 复旦大学 基于大规模离散数据的云计算系统
CN102868765B (zh) * 2012-10-09 2015-06-03 乐视网信息技术(北京)股份有限公司 文件上传方法和系统
CN103220295A (zh) * 2013-04-26 2013-07-24 福建伊时代信息科技股份有限公司 一种文档加密及解密的方法、装置和系统
CN105227514A (zh) * 2014-05-27 2016-01-06 北大方正集团有限公司 基于浏览器的文件传输处理方法和浏览器
CN105825145B (zh) * 2016-03-16 2018-08-31 孙凤鸣 电子取证方法、取证服务器、取证智能终端及取证系统
CN105933124B (zh) * 2016-06-30 2020-10-30 武汉理工大学 一种数字签名及消息散列值恢复和签名验证方法
CN106326394A (zh) * 2016-08-18 2017-01-11 乐视控股(北京)有限公司 一种文件名获取方法及装置
CN106790075A (zh) * 2016-12-21 2017-05-31 上海云熵网络科技有限公司 用于udp传输的认证系统及认证方法
CN109561124A (zh) * 2017-09-27 2019-04-02 深圳市创易联合科技有限公司 一种文件传输的方法、系统及终端设备
CN107920069A (zh) * 2017-11-15 2018-04-17 中国联合网络通信集团有限公司 加密终端内应用程序安全处理方法及装置
CN108400979B (zh) * 2018-02-06 2021-07-30 武汉斗鱼网络科技有限公司 应用于客户端和服务器的通信方法及电子设备
CN108549701A (zh) * 2018-04-17 2018-09-18 上海海事大学 云环境加密外包数据语义扩展搜索方法及系统
CN109194631A (zh) * 2018-08-17 2019-01-11 郑州云海信息技术有限公司 一种身份校验方法以及相关装置
CN109150516A (zh) * 2018-08-31 2019-01-04 密信技术(深圳)有限公司 浏览器文件的签名及/或加密方法、装置、浏览器及介质
CN109088889B (zh) * 2018-10-16 2021-07-06 深信服科技股份有限公司 一种ssl加解密方法、系统及计算机可读存储介质
CN109672530A (zh) * 2019-01-08 2019-04-23 如般量子科技有限公司 基于非对称密钥池的抗量子计算数字签名方法和抗量子计算数字签名系统
CN109889344B (zh) * 2019-01-31 2020-06-16 深圳中兴飞贷金融科技有限公司 终端、数据的传输方法和计算机可读存储介质
CN109831311B (zh) * 2019-03-21 2022-04-01 深圳市网心科技有限公司 一种服务器验证方法、系统、用户终端及可读存储介质
CN110008727B (zh) * 2019-04-10 2020-07-21 南方电网数字电网研究院有限公司 加密敏感参数的处理方法、装置、计算机设备和存储介质
CN114499871B (zh) * 2021-12-23 2024-01-09 成都卫士通信息产业股份有限公司 一种签名加密方法、装置、系统及计算机可读存储介质

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1505360A (zh) * 2002-11-29 2004-06-16 英华达(上海)电子有限公司 利用超文本传输通讯协定服务实现程序更新的方法及系统
CN1905504A (zh) * 2006-07-31 2007-01-31 西安西电捷通无线网络通信有限公司 无线局域网中实现基于wapi体制的虚拟局域网的方法
CN101466079A (zh) * 2009-01-12 2009-06-24 中兴通讯股份有限公司 电子邮件的传送方法、系统及wapi终端
CN101742508A (zh) * 2009-12-21 2010-06-16 中兴通讯股份有限公司 一种wapi终端与应用服务器传输文件的系统及方法

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1505360A (zh) * 2002-11-29 2004-06-16 英华达(上海)电子有限公司 利用超文本传输通讯协定服务实现程序更新的方法及系统
CN1905504A (zh) * 2006-07-31 2007-01-31 西安西电捷通无线网络通信有限公司 无线局域网中实现基于wapi体制的虚拟局域网的方法
CN101466079A (zh) * 2009-01-12 2009-06-24 中兴通讯股份有限公司 电子邮件的传送方法、系统及wapi终端
CN101742508A (zh) * 2009-12-21 2010-06-16 中兴通讯股份有限公司 一种wapi终端与应用服务器传输文件的系统及方法

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2013086756A1 (fr) * 2011-12-14 2013-06-20 金峰顺泰知识产权有限公司 Procédé et système pour la documentation d'archives numériques
CN114760129A (zh) * 2022-04-11 2022-07-15 平安国际智慧城市科技股份有限公司 数据访问方法、装置、设备及存储介质

Also Published As

Publication number Publication date
CN101742508A (zh) 2010-06-16

Similar Documents

Publication Publication Date Title
WO2011076008A1 (fr) Systeme et procede pour transmettre des fichiers entre un teminal wapi et un serveur d'application
CN108650227B (zh) 基于数据报安全传输协议的握手方法及系统
KR102124413B1 (ko) 아이디 기반 키 관리 시스템 및 방법
CN109088870B (zh) 一种新能源厂站发电单元采集终端安全接入平台的方法
US8635444B2 (en) System and method for distributing keys in a wireless network
KR102134302B1 (ko) 무선 네트워크 접속 방법 및 장치, 및 저장 매체
KR100832893B1 (ko) 무선 근거리 통신망으로 이동 단말의 보안 접근 방법 및 무선 링크를 통한 보안 데이터 통신 방법
WO2010078755A1 (fr) Procédé et système de transmission de courriers électroniques, terminal d’authentification wlan et d’infrastructure de confidentialité (wapi) associé
US20080222714A1 (en) System and method for authentication upon network attachment
WO2006032214A1 (fr) Procede de transmission de donnees synchrones syncml
CN110995414B (zh) 基于国密算法在tls1_3协议中建立通道的方法
KR101706117B1 (ko) 휴대용 단말기에서 다른 휴대용 단말기를 인증하는 장치 및 방법
KR20050064119A (ko) 인터넷접속을 위한 확장인증프로토콜 인증시 단말에서의서버인증서 유효성 검증 방법
CN109714360B (zh) 一种智能网关及网关通信处理方法
CN112165386B (zh) 一种基于ecdsa的数据加密方法及系统
CN106788960A (zh) 一种密钥协商的方法及装置
WO2022135391A1 (fr) Procédé et appareil d'authentification d'identité, support de stockage, programme et produit-programme
WO2010088812A1 (fr) Procédé de transmission, système et terminal wapi pour message instantané
Kambourakis et al. Performance evaluation of public key-based authentication in future mobile communication systems
KR101572598B1 (ko) Sso 인증 시스템 기반 인증 정보 재전송 공격에 안전한 사용자 인증 방법
CN112583807A (zh) 一种验证方法、装置、电子设备及存储介质
WO2015104567A1 (fr) Procédé de communication sécurisé entre un serveur et un navigateur web client
Shojaie et al. Enhancing EAP-TLS authentication protocol for IEEE 802.11 i
CN213938340U (zh) 5g应用接入认证网络架构
CN114386020A (zh) 基于量子安全的快速二次身份认证方法及系统

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 10838571

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 10838571

Country of ref document: EP

Kind code of ref document: A1