WO2016045541A1 - Method and device for identifying the presence of man-in-the-middle - Google Patents

Publication number
WO2016045541A1
Authority
WO
WIPO (PCT)
Prior art keywords
related information
certificate
certificate related
server
information
Prior art date
Application number
PCT/CN2015/089949
Other languages
French (fr)
Chinese (zh)
Inventor
陈海兵
Original Assignee
阿里巴巴集团控股有限公司
陈海兵
Priority date
Filing date
Publication date
Application filed by 阿里巴巴集团控股有限公司, 陈海兵
Publication of WO2016045541A1

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/40: Network security protocols

Definitions

  • the present application relates to the field of computer technology, and in particular, to a method and apparatus for identifying the presence of an intermediary.
  • Internet users need to use a non-private terminal to access the Internet, such as using a computer provided by a company or Internet cafe.
  • the security requirements are not exactly the same as the actual user's security requirements of the terminal, and sometimes conflicts may occur.
  • personal privacy such as bank account passwords will not be snooped; but for enterprises, in order to prevent their internal secrets from being maliciously leaked or to improve the efficiency of employees, it is hoped that the actual user's Internet traffic is scanned or audited to determine the specific information transmitted by the actual user using the terminal.
  • the left box represents the client (Web Client) installed in the enterprise's terminal
  • the middle box represents the SSL proxy (SSL Proxy1) deployed in the gateway or firewall device at the enterprise network exit, as shown in Figure 1.
  • the box on the right represents the web server accessed by the client.
  • the name of the server may be "Alipay Web Server" as shown in FIG. 1.
  • the function of monitoring the specific information transmitted by the terminal is provided by the SSL proxy.
  • the implementation principle of the function is roughly as follows: the SSL proxy hijacks the SSL handshake request from the client, and then uses that SSL handshake request to initiate an SSL connection with the real server; after the SSL handshake with the server succeeds, the SSL handshake with the client is resumed, and during the SSL handshake with the client a forged certificate is pushed to the client, so that the client trusts the SSL proxy, which in turn can obtain the information sent by the client.
  • the client will pop up an alarm to inform the user that the currently received certificate is illegal.
  • the alarm is actually caused by the SSL proxy deployed by the company itself, not by an actual attack on the company network. Therefore, considering that the pop-up alarm would affect the actual user's online experience or work efficiency, the following means 1 and 2 are generally used to suppress the client pop-up alarm:
  • Means 1: When the self-signed certificate of the SSL proxy is used to issue a certificate for the client, information such as the domain name/Subject/Valid of the real server is maintained in the issued certificate.
  • Means 2: Import the self-signed certificate as a trusted e-commerce certificate authority (CA) certificate into the client.
  • when the terminal verifies the certificate issued by the SSL proxy, it considers the certificate to be a legal certificate, so that client trust is obtained.
  • a typical information monitoring process may include the following steps as shown in FIG. 1:
  • the client initiates an SSL handshake request to the server.
  • the SSL proxy hijacks the SSL handshake request from the client
  • the SSL proxy initiates an SSL connection request to the server
  • the server responds to the SSL connection request initiated by the SSL proxy, and sends the server's own certificate to the SSL proxy;
  • the SSL proxy re-issues a certificate (hereinafter referred to as a newly generated certificate) using a self-signed certificate according to the certificate of the server (ie, the real server);
  • the client considers that the self-signed certificate used by the SSL proxy is a trusted CA certificate, so that when the client subsequently verifies the newly generated certificate, it also considers the newly generated certificate, issued under that self-signed certificate, to be trusted.
  • the SSL proxy pushes the newly generated certificate to the client
  • the client uses the local trusted CA certificate to check the newly generated certificate received, and the verification passes;
  • the client requests a login page from the server
  • the server returns a login page to the client
  • HTTP POST is an HTTP request
  • the SSL proxy decrypts the HTTP POST containing the login ciphertext and obtains the clear text of the login information.
  • the drawback of the above solution is that the terminal is not aware of the existence of the SSL proxy, so that when the actual user of the terminal accesses a privacy or financial HTTPS website, plaintext information such as the actual user's username and password is exposed to the SSL proxy, which makes this information subject to potential security threats.
  • the embodiment of the present application provides a method for identifying the presence of an intermediary to solve the problem that the transmitted information may be threatened by a potential security threat because the client cannot recognize whether there is an intermediary between the client and the server.
  • the embodiment of the present application further provides an apparatus for identifying the presence of an intermediary to solve the problem that the transmitted information may be potentially threatened because the client cannot recognize whether there is an intermediary between the client and the server.
  • a method for identifying an intermediary's presence includes: obtaining first certificate related information of a server received by a client during a handshake process between the client and the server, and second certificate related information of the server received by the client during a non-handshake process between the client and the server; and determining whether the first certificate related information and the second certificate related information match.
  • An apparatus for identifying the presence of a middleman comprises: an information obtaining unit, configured to obtain first certificate related information of a server received by a client during a handshake process between the client and the server, and second certificate related information of the server received by the client during a non-handshake process between the client and the server; and an identification unit, configured to determine whether the first certificate related information and the second certificate related information obtained by the information obtaining unit match.
  • When a middleman is set up, the middleman only uses his own self-signed certificate and the identity information of the server (such as domain name/Subject/Valid) to obtain a newly generated certificate during the handshake process between the client and the server, and does not perform a similar operation on the certificate-related information of the server passed during the non-handshake process between the client and the server; that is, the certificate-related information of the server passed during the non-handshake process is still the real certificate-related information of the server. Therefore, by comparing the certificate related information of the same server received during the handshake process and during the non-handshake process, it is possible to identify whether an intermediary exists.
  • FIG. 1 is a schematic diagram of an implementation principle of using a proxy technology to monitor specific information transmitted by a terminal in the prior art
  • FIG. 2 is a schematic flowchart of an implementation method for identifying an existence of an intermediary according to an embodiment of the present disclosure
  • FIG. 3 is a schematic diagram of an implementation process of a method for preventing an intermediary attack according to Embodiment 2 of the present application;
  • FIG. 4 is a schematic structural diagram of an apparatus for identifying the presence of an intermediary according to Embodiment 3 of the present application.
  • Embodiment 1 of the present application provides a method for identifying the presence of an intermediary.
  • the schematic diagram of the specific implementation process of the method is shown in FIG. 2, and includes the following steps:
  • Step 21: Obtain first certificate related information of the server received by the client during the handshake process between the client and the server, and second certificate related information of the server received by the client during the non-handshake process between the client and the server;
  • Step 22: Determine whether the first certificate related information and the second certificate related information match.
  • certificate related information may include the certificate itself, and may also include information closely related to the certificate, such as a hash value obtained by hashing the certificate.
  • when an intermediary is set, the intermediary only uses its own self-signed certificate and server identity information (such as domain name/Subject/Valid information) during the handshake process between the client and the server.
  • the execution may be performed.
  • the specific operation includes an operation of preventing an intermediary from receiving confidential information.
  • one way to perform a specific operation may include the following steps:
  • the above prompt information may include text such as "An intermediary may exist; guard against its attack?", and may also include two options, "agree to prevent" and "no need to guard against".
  • the page including the confidential information input portal can be closed, so that input of the confidential information is rejected and the middleman is prevented from receiving the confidential information.
  • steps 21 and 22 above are specifically described below.
  • the timing of obtaining the second certificate related information of the server received during the non-handshake process between the client and the server may include: before sending the confidential information.
  • the second certificate related information of the server received during the non-handshake process between the client and the server may be obtained through the following sub-steps 1 to 2:
  • Sub-step 1: Send a confidential information page acquisition request to the server
  • the “Confidential Information Page” includes a page for inputting confidential information, such as a login page including an input portal of a user login name and a password.
  • Sub-step 2: Receive the confidential information page sent by the server.
  • the confidential information page includes information related to the second certificate.
  • a verification script may also be included in the confidential information page.
  • the presence of the verification script causes it to be run when the confidential information page is presented.
  • the process of running the verification script is the process of determining whether the first certificate related information and the second certificate related information match.
  • when the first certificate related information includes a certificate, and the second certificate related information includes a hash value corresponding to the certificate (referred to as the “corresponding hash value”), the specific implementation process of step 22 may include the following sub-step a to sub-step d:
  • Sub-step a: hashing the first certificate related information to obtain a hash value (the obtained hash value)
  • Sub-step b: determining whether the corresponding hash value is the same as the obtained hash value, and performing sub-step c when the judgment result indicates that the corresponding hash value is the same as the obtained hash value; otherwise, performing sub-step d;
  • Sub-step c: determining that the first certificate related information and the second certificate related information match
  • Sub-step d: determining that the first certificate related information and the second certificate related information do not match.
  • execution bodies of the steps of the method provided in Embodiment 1 may all be the same device, or the method may also be performed by different devices.
  • for example, the execution body of step 21 and step 22 may be device 1; for another example, the execution body of step 21 may be device 1 and the execution body of step 22 may be device 2;
  • Embodiment 2 provides a method for identifying an intermediary (i.e., the SSL proxy mentioned in the background section) existing in the SSL layer, thereby preventing the user from transmitting confidential information to the intermediary and so preventing the attack of the middleman.
  • the schematic diagram of the system architecture for implementing the method is similar to that of FIG. 1 and will not be described here. The following focuses on how to achieve the purpose of preventing man-in-the-middle attacks based on the system architecture.
  • FIG. 3 of the specification is a specific implementation flowchart of the method provided in Embodiment 2.
  • the process mainly includes the following steps:
  • the client initiates an SSL handshake request to the server.
  • the SSL proxy hijacks the SSL handshake request from the client
  • the SSL proxy initiates an SSL connection request to the server
  • the server responds to the SSL connection request initiated by the SSL proxy, and sends the server's own certificate to the SSL proxy;
  • the SSL proxy re-issues a certificate (hereinafter referred to as a newly generated certificate) using a self-signed certificate according to the certificate of the server (ie, the real server);
  • the SSL proxy pushes the newly generated certificate to the client
  • the client uses the local trusted CA certificate to check the newly generated certificate received, and the verification passes;
  • the client requests a login page from the server
  • the server sends back a login page carrying the certificate related information of the server to the client;
  • the client compares the certificate-related information received from the application layer (that is, the certificate-related information of the server carried in the login page) with the newly generated certificate obtained during the SSL handshake process; when the comparison result indicates that the certificate-related information received from the application layer is inconsistent with the newly generated certificate, an alarm pops up, and the user selects whether to continue to log in or terminate the login.
  • the client sends an HTTP POST containing the login ciphertext.
  • when the certificate related information carried in the login page in step 9 includes a hash value obtained by performing a hash operation on the certificate of the server, the login page may further include a verification script.
  • After receiving the login page, the client can be triggered to obtain the newly generated certificate received during the SSL handshake process, and to perform a hash operation on the newly generated certificate to obtain a hash value.
  • the client can determine whether the hash value carried in the login page matches the hash value obtained by performing a hash operation on the newly generated certificate. If not, an alarm is generated, and the user selects whether to continue the login or terminate the login.
  • the method can effectively identify that an intermediary (i.e., an SSL proxy) exists between the server and the client, so that, by sending an alert to the user, transmission of the client's confidential information to the intermediary can be avoided.
  • Embodiment 3 of the present application provides a device for identifying the presence of the intermediary.
  • the specific structure of the device is shown in FIG. 4 .
  • the device includes an information obtaining unit 41 and an identifying unit 42.
  • the information obtaining unit 41 is configured to obtain first certificate related information of the server received by the client during the handshake process between the client and the server, and second certificate related information of the server received by the client during the non-handshake process between the client and the server;
  • the identification unit 42 is configured to determine whether the first certificate related information and the second certificate related information obtained by the information obtaining unit 41 match.
  • the information obtaining unit 41 may obtain second certificate related information of the server received during the non-handshake process between the client and the server before transmitting the confidential information.
  • the information obtaining unit 41 may be divided into the following subunits:
  • a sending subunit configured to send a confidential information page acquisition request to the server
  • the receiving subunit is configured to receive a confidential information page sent by the server.
  • the confidential information page includes information related to the second certificate.
  • the identification unit 42 may be configured to determine whether the first certificate related information and the second certificate related information match by running the verification script.
  • the identifying unit 42 may be configured to: perform a hash operation on the first certificate related information to obtain a hash value; determine whether the hash value corresponding to the certificate included in the second certificate related information is the same as the obtained hash value; if they are the same, determine that the first certificate related information and the second certificate related information match; if they are not the same, determine that the first certificate related information and the second certificate related information do not match.
  • the apparatus provided in Embodiment 3 of the present application may further include an operation execution unit.
  • the operation execution unit is configured to perform a specific operation when the identification unit 42 determines that the first certificate related information and the second certificate related information do not match.
  • the specific operation described above may include, but is not limited to, an operation of preventing an intermediary from receiving confidential information.
  • the operation execution unit may be configured to perform the following operations:
  • the input of confidential information is rejected, or the input confidential information is denied, or the transmission of confidential information is cancelled.
  • When a middleman is set up, the middleman only uses his own self-signed certificate and the server's identity information (such as domain name/Subject/Valid information) to obtain a newly generated certificate during the handshake process between the client and the server, and does not perform a similar operation on the certificate-related information of the server passed during the non-handshake process between the client and the server; that is, the certificate-related information of the server delivered during the non-handshake process between the client and the server is still the real certificate-related information of the server. Therefore, by comparing the certificate related information of the same server received during the handshake process and during the non-handshake process, it is possible to identify whether an intermediary exists.
  • embodiments of the present invention can be provided as a method, system, or computer program product. Accordingly, the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment, or a combination of software and hardware. Moreover, the invention can take the form of a computer program product embodied on one or more computer-usable storage media (including but not limited to disk storage, CD-ROM, optical storage, etc.) including computer usable program code.
  • the computer program instructions can also be stored in a computer readable memory that can direct a computer or other programmable information processing device to operate in a particular manner, such that the instructions stored in the computer readable memory produce an article of manufacture comprising an instruction apparatus that implements the functions specified in one or more flows of the flowchart and/or one or more blocks of the block diagram.
  • These computer program instructions can also be loaded onto a computer or other programmable information processing device such that a series of operational steps are performed on the computer or other programmable device to produce computer-implemented processing, so that the instructions executed on the computer or other programmable device provide steps for implementing the functions specified in one or more flows of the flowchart and/or one or more blocks of the block diagram.
  • a computing device includes one or more processors (CPUs), input/output interfaces, network interfaces, and memory.
  • the memory may include non-persistent memory, random access memory (RAM), and/or non-volatile memory in a computer readable medium, such as read only memory (ROM) or flash memory.
  • Memory is an example of a computer readable medium.
  • Computer readable media includes both permanent and non-persistent, removable and non-removable media.
  • Information storage can be implemented by any method or technology.
  • the information can be computer readable instructions, information structures, modules of programs, or other information.
  • Examples of computer storage media include, but are not limited to, phase change memory (PRAM), static random access memory (SRAM), dynamic random access memory (DRAM), other types of random access memory (RAM), read only memory (ROM), electrically erasable programmable read only memory (EEPROM), flash memory or other memory technology, compact disk read only memory (CD-ROM), digital versatile disk (DVD) or other optical storage, magnetic tape cartridges, magnetic tape storage or other magnetic storage devices, or any other non-transmission media that can be used to store information that can be accessed by a computing device.
  • computer readable media does not include transitory computer readable media, such as modulated information signals and carrier waves.
  • embodiments of the present application can be provided as a method, system, or computer program product.
  • the present application can take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment in combination of software and hardware.
  • the application can take the form of a computer program product embodied on one or more computer-usable storage media (including but not limited to disk storage, CD-ROM, optical storage, etc.) including computer usable program code.
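Steps 21 and 22 with sub-steps a to d, together with the login-page check of Embodiment 2, are shown here as an added example (not code from the patent). The meta tag name `server-cert-sha256`, the choice of SHA-256, the three result strings and the fail-closed handling of a missing hash are assumptions of this example; the certificate bytes are constructed stand-ins.

```python
"""Added example: handshake certificate vs. hash carried in the login page."""
import hashlib
import hmac
from html.parser import HTMLParser

# Assumption of this example: the page carries the hash in a meta tag with
# this name. The patent only says that the page includes the hash.
META_NAME = "server-cert-sha256"

# Constructed stand-ins for DER-encoded certificates (opaque bytes suffice).
# A live client could read the DER bytes of the handshake certificate with
# ssl.SSLSocket.getpeercert(binary_form=True).
SERVER_CERT_DER = b"constructed: certificate of the real server"
PROXY_CERT_DER = b"constructed: certificate re-issued by the SSL proxy"


def cert_hash(cert_der):
    """Sub-step a: hash the certificate (SHA-256 chosen for this example)."""
    return hashlib.sha256(cert_der).hexdigest()


def build_login_page(server_cert_der):
    """Server side: embed the hash of the server's own certificate."""
    return (
        "<html><head>"
        f'<meta name="{META_NAME}" content="{cert_hash(server_cert_der)}">'
        "</head><body><form method='post'>"
        "<input name='user'><input name='password' type='password'>"
        "</form></body></html>"
    )


class _CertHashExtractor(HTMLParser):
    """Collects the content of every meta tag named META_NAME."""

    def __init__(self):
        super().__init__()
        self.values = []

    def handle_starttag(self, tag, attrs):
        if tag != "meta":
            return
        attr = dict(attrs)
        if (attr.get("name") or "").lower() == META_NAME:
            self.values.append((attr.get("content") or "").strip().lower())


def page_cert_hash(login_page_html):
    """Second certificate related information: the hash carried in the page.

    Returns None when the tag is absent, duplicated, or not 64 hex digits.
    """
    parser = _CertHashExtractor()
    parser.feed(login_page_html)
    if len(parser.values) != 1:
        return None
    value = parser.values[0]
    if len(value) != 64 or any(c not in "0123456789abcdef" for c in value):
        return None
    return value


def identify_intermediary(handshake_cert_der, login_page_html):
    """Sub-steps b to d: 'match', 'mismatch' or 'no-reference'.

    The check relies on the premise stated in the text: the intermediary
    re-issues the handshake certificate but leaves the page content alone.
    """
    expected = page_cert_hash(login_page_html)
    if expected is None:
        return "no-reference"
    actual = cert_hash(handshake_cert_der)
    return "match" if hmac.compare_digest(actual, expected) else "mismatch"


def may_send_confidential(result):
    """Operation on the result: only a match lets the login be submitted.

    Treating 'no-reference' like a mismatch is this example's choice.
    """
    return result == "match"


if __name__ == "__main__":
    page = build_login_page(SERVER_CERT_DER)
    for label, seen in (("direct", SERVER_CERT_DER), ("proxied", PROXY_CERT_DER)):
        result = identify_intermediary(seen, page)
        print(label, result, "send" if may_send_confidential(result) else "block")
```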

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer And Data Communications (AREA)
  • Information Transfer Between Computers (AREA)
  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)

Abstract

A method for identifying the presence of a man-in-the-middle is disclosed. The method is used to solve the problem that a web client cannot identify whether there is a man-in-the-middle between the web client and a server, so that the transmitted information may be subject to potential security threats. The method includes: obtaining related information of a first certificate of the server received by the web client during the handshake process between the web client and the server, and related information of a second certificate of the server received by the web client during a non-handshake process between the web client and the server (21); and determining whether the related information of the first certificate and the related information of the second certificate match (22). A device for identifying the presence of a man-in-the-middle is also disclosed.

Description

Method and device for identifying the presence of a man-in-the-middle
Technical field
The present application relates to the field of computer technology, and in particular to a method and device for identifying the presence of an intermediary.
Background
In many cases, Internet users need to go online from a terminal that is not their own, such as a computer provided by a company or an Internet cafe. The security needs of the owner of such a terminal are not entirely the same as those of its actual user, and sometimes the two even conflict. For example, the actual user hopes that personal private data such as bank account passwords will not be snooped on while online; an enterprise, on the other hand, in order to prevent its internal secrets from being maliciously leaked or to improve employee efficiency, wants to scan or audit the actual user's Internet traffic and so determine the specific information that the user transmits through the terminal.
Generally, for unencrypted traffic, simple flow-based scanning is enough to monitor information. For encrypted traffic produced by Secure Sockets Layer (SSL) based protocols such as Hyper Text Transfer Protocol over Secure Socket Layer (HTTPS), information can only be monitored by means of proxy technology. A schematic diagram of a typical proxy implementation is shown in FIG. 1.
In FIG. 1, the left box represents the client (Web Client) installed on the enterprise's terminal; the middle box represents the SSL proxy deployed on the gateway or firewall device at the enterprise network exit (SSL Proxy1, generally called the "middleman" in the scenario shown in FIG. 1); and the right box represents the web server accessed by the client, whose name may specifically be "Alipay Web Server" as shown in FIG. 1.
In FIG. 1, it is the SSL proxy that is able to monitor the specific information transmitted by the terminal. The principle is roughly as follows: the SSL proxy hijacks the SSL handshake request from the client and uses it to initiate an SSL connection to the real server; once the SSL handshake with the server side succeeds, it resumes the SSL handshake with the client and, during that handshake, pushes a forged certificate to the client, so that the client trusts the SSL proxy and the proxy can obtain the information the client sends.
It should be noted that the SSL protocol is designed with a consistency check: when a man-in-the-middle attack occurs, the client pops up an alarm telling the user that "the currently received certificate is illegal". For the company, however, this alarm is caused by the SSL proxy it deployed itself rather than by a real attack on the company network. Since the pop-up alarm would affect the actual user's online experience or work efficiency, means 1 and means 2 below are generally used to suppress it:
Means 1: When the SSL proxy's self-signed certificate is used to issue a certificate for the client, information such as the real server's domain name/Subject/Valid is kept in the issued certificate.
Means 2: The self-signed certificate is imported into the client as a trusted e-commerce certificate authority (Certificate Authority, CA) certificate.
With means 1 and means 2 combined, when the terminal verifies a certificate issued by the SSL proxy it considers the certificate to be legitimate, and the proxy thereby gains the client's trust.
In this way, a typical information monitoring process may include the following steps, as shown in FIG. 1:
1. The client initiates an SSL handshake request to the server;
2. The SSL proxy hijacks the SSL handshake request from the client;
3. The SSL proxy initiates an SSL connection request to the server;
4. The server responds to the SSL connection request initiated by the SSL proxy and sends the server's own certificate to the SSL proxy;
5. Based on the certificate of the server (i.e., the real server), the SSL proxy uses its self-signed certificate to re-issue a certificate (hereinafter the newly generated certificate);
As means 2 above shows, the client regards the self-signed certificate used by the SSL proxy as a trusted CA certificate, so when the client later verifies the newly generated certificate, it considers that certificate, issued under the self-signed certificate, to be trusted as well.
6. The SSL proxy pushes the newly generated certificate to the client;
7. The client uses the local trusted CA certificate to verify the newly generated certificate it received, and the verification passes;
8. The client requests a login page from the server;
9. The server returns a login page to the client;
10. The client sends an HTTP POST containing the ciphertext of the login information (HTTP POST is a type of HTTP request);
11. The SSL proxy decrypts the HTTP POST containing the ciphertext of the login information and obtains the login information in plaintext.
The drawback of this scheme is that the terminal is unaware of the SSL proxy. When the terminal's actual user visits a privacy-related or financial HTTPS website, plaintext information such as the user's username and password is exposed to the SSL proxy, which places that information under a potential security threat.
Similarly, the same problem exists when a man-in-the-middle is placed between the client and the server at another protocol layer.
Summary of the invention
An embodiment of the present application provides a method for identifying the presence of a man-in-the-middle, to solve the problem that transmitted information may be exposed to a potential security threat because the client cannot tell whether a man-in-the-middle exists between the client and the server.
An embodiment of the present application further provides an apparatus for identifying the presence of a man-in-the-middle, to solve the same problem.
The embodiments of the present application adopt the following technical solutions:
A method for identifying the presence of a man-in-the-middle, comprising: obtaining first certificate-related information of a server received by a client during the handshake between the client and the server, and second certificate-related information of the server received by the client during a non-handshake process between the client and the server; and determining whether the first certificate-related information and the second certificate-related information match.
An apparatus for identifying the presence of a man-in-the-middle, comprising: an information obtaining unit, configured to obtain first certificate-related information of a server received by a client during the handshake between the client and the server, and second certificate-related information of the server received by the client during a non-handshake process between the client and the server; and an identification unit, configured to determine whether the first certificate-related information and the second certificate-related information obtained by the information obtaining unit match.
At least one of the above technical solutions adopted by the embodiments of the present application can achieve the following beneficial effects:
When a man-in-the-middle is in place, it uses its own self-signed certificate and the server's identity information (such as domain name/Subject/Valid) to produce a newly generated certificate only during the handshake between the client and the server. It does not perform a similar operation on the server's certificate-related information passed during the non-handshake process between the client and the server, so the certificate-related information passed during the non-handshake process is still the server's real certificate-related information. Therefore, comparing the certificate-related information of the same server received during the handshake and during the non-handshake process makes it possible to identify whether a man-in-the-middle exists.
Description of the drawings
The drawings described here provide a further understanding of the present application and form a part of it. The illustrative embodiments of the present application and their descriptions are used to explain the present application and do not unduly limit it. In the drawings:
FIG. 1 is a schematic diagram of the principle by which proxy technology is used in the prior art to monitor the specific information transmitted by a terminal;
FIG. 2 is a schematic flowchart of a method for identifying the presence of a man-in-the-middle according to an embodiment of the present application;
FIG. 3 is a schematic flowchart of a method for guarding against a man-in-the-middle attack according to Embodiment 2 of the present application;
FIG. 4 is a schematic structural diagram of an apparatus for identifying the presence of a man-in-the-middle according to Embodiment 3 of the present application.
Detailed description
To make the purpose, technical solutions and advantages of the present application clearer, the technical solutions of the present application are described clearly and completely below with reference to specific embodiments of the present application and the corresponding drawings. The described embodiments are only some of the embodiments of the present application, not all of them. All other embodiments obtained by a person of ordinary skill in the art based on the embodiments of the present application without creative effort fall within the scope of protection of the present application.
The technical solutions provided by the embodiments of the present application are described in detail below with reference to the drawings.
Embodiment 1
To solve the problem that the client cannot tell whether a man-in-the-middle exists between the client and the server, Embodiment 1 of the present application provides a method for identifying the presence of a man-in-the-middle. The implementation flow of the method is shown in FIG. 2 and includes the following steps:
Step 21: obtain first certificate-related information of the server received by the client during the handshake between the client and the server, and second certificate-related information of the server received by the client during a non-handshake process between the client and the server;
Step 22: determine whether the first certificate-related information and the second certificate-related information match.
Here, "certificate-related information" may include the certificate itself, and may also include information closely tied to the certificate, such as a hash value obtained by hashing the certificate.
With the method provided in Embodiment 1, when a man-in-the-middle is in place, it uses its own self-signed certificate and the server's identity information (such as domain name/Subject/Valid) to produce a newly generated certificate only during the handshake between the client and the server. It does not perform a similar operation on the server's certificate-related information passed during the non-handshake process between the client and the server, so that information is still the server's real certificate-related information. Therefore, comparing the certificate-related information of the same server received during the handshake and during the non-handshake process makes it possible to identify whether a man-in-the-middle exists.
In one implementation, so that the man-in-the-middle cannot obtain confidential information such as the user's confidential information (for example, the login name and password for a server), a specific operation may be performed when it is determined that the first certificate-related information and the second certificate-related information match. The specific operation here includes an operation that keeps the man-in-the-middle from receiving the confidential information.
For example, one way of performing the specific operation may include the following steps:
Display prompt information;
Receive a user instruction;
According to the user instruction, refuse to obtain the entered confidential information, or cancel sending the confidential information.
The prompt information may include text such as "A man-in-the-middle may be present. Do you want to guard against its attack?", and may also contain two options: "Agree to guard" and "No need to guard".
Later, when a user instruction triggered by the user selecting the "Agree to guard" option is received, the page containing the confidential information input field can be closed. This refuses the input of confidential information and therefore keeps the man-in-the-middle from receiving it.
Some optional implementations of steps 21 and 22 are described below.
For step 21, the timing for obtaining the second certificate-related information of the server received during the non-handshake process between the client and the server may include: before the confidential information is sent.
For example, before the confidential information is sent, the second certificate-related information of the server received during the non-handshake process between the client and the server may be obtained through the following sub-steps 1 and 2:
Sub-step 1: send a confidential information page acquisition request to the server;
Here, a "confidential information page" is a page that contains an input field for confidential information, such as a login page containing input fields for the user's login name and password.
Sub-step 2: receive the confidential information page sent by the server.
The confidential information page contains the second certificate-related information.
For step 22, in one implementation, the confidential information page may also contain a verification script.
Because the verification script is present, it can be run while the confidential information page is displayed. Running the verification script is the process of determining whether the first certificate-related information and the second certificate-related information match.
In one implementation, when the first certificate-related information includes a certificate and the second certificate-related information includes the hash value corresponding to the certificate (the "corresponding hash value" for short), step 22 may be implemented through the following sub-steps a to d:
Sub-step a: hash the first certificate-related information to obtain a hash value;
Sub-step b: determine whether the corresponding hash value is the same as the obtained hash value; if the result shows that they are the same, perform sub-step c; otherwise perform sub-step d;
Sub-step c: determine that the first certificate-related information and the second certificate-related information match;
Sub-step d: determine that the first certificate-related information and the second certificate-related information do not match.
Note that all steps of the method provided in Embodiment 1 may be executed by the same device, or the method may be executed by different devices. For example, steps 21 and 22 may both be executed by device 1; or step 21 may be executed by device 1 and step 22 by device 2; and so on.
Embodiment 2
Embodiment 2 provides a method that identifies a man-in-the-middle present at the SSL layer (that is, the SSL proxy described in the background section) and thereby keeps the user from sending confidential information to the man-in-the-middle, guarding against a man-in-the-middle attack.
The system architecture for implementing the method is similar to FIG. 1 and is not described again here. The following focuses on how, based on that architecture, the man-in-the-middle attack is guarded against.
Refer to FIG. 3 of the specification, which is the implementation flowchart of the method provided in Embodiment 2. The flow mainly includes the following steps:
1. The client initiates an SSL handshake request to the server;
2. The SSL proxy hijacks the SSL handshake request from the client;
3. The SSL proxy initiates an SSL connection request to the server;
4. The server responds to the SSL connection request initiated by the SSL proxy and sends the server's own certificate to the SSL proxy;
5. Based on the certificate of the server (that is, the real server), the SSL proxy uses its self-signed certificate to re-issue a certificate (hereinafter, the newly generated certificate);
6. The SSL proxy pushes the newly generated certificate to the client;
7. The client verifies the newly generated certificate it received against its local trusted CA certificates, and the verification passes;
8. The client requests the login page from the server;
9. The server returns to the client a login page that carries the server's certificate-related information;
10. The client compares the certificate-related information received at the application layer (that is, the server's certificate-related information carried in the login page) with the newly generated certificate obtained during the SSL handshake. If the comparison shows that the two are inconsistent, the client pops up a warning and the user chooses whether to continue or to terminate the login.
11. The client sends an HTTP POST containing the ciphertext of the login information.
In one implementation, when the certificate-related information carried in the login page in step 9 includes a hash value obtained by hashing the server's certificate, the login page may also contain a verification script. After receiving the login page, the client runs the verification script, which triggers the client to retrieve the newly generated certificate obtained during the SSL handshake and to hash it, producing a hash value.
The client can then determine whether the hash value carried in the login page matches the hash value computed from the newly generated certificate. If they do not match, the client pops up a warning and the user chooses whether to continue or to terminate the login.
The method provided in Embodiment 2 of the present application can therefore effectively identify that a man-in-the-middle (that is, an SSL proxy) exists between the server and the client, and by warning the user it keeps the confidential information transmitted by the client from being exposed to a potential security threat from the man-in-the-middle.
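The comparison described in sub-steps a to d of step 22 and in step 10 of Embodiment 2, as an added Python example that is not code from the patent. The SHA-256 algorithm, the `server-cert-sha256` meta tag and all function names are assumptions of this example, and the certificate bytes are constructed stand-ins.

```python
import hashlib
import hmac
import re
import socket
import ssl
from enum import Enum
from html.parser import HTMLParser

# Assumptions of this example (the patent fixes neither): the hash is SHA-256
# over the DER certificate, carried in <meta name="server-cert-sha256">.
META_NAME = "server-cert-sha256"
HEX_SHA256 = re.compile(r"[0-9a-f]{64}")

# Constructed stand-ins for DER certificates; only their bytes are hashed.
REAL_CERT_DER = b"constructed: certificate of the real server"
PROXY_CERT_DER = b"constructed: certificate re-issued by the SSL proxy"


class Verdict(Enum):
    MATCH = "match"                # sub-step c
    MISMATCH = "mismatch"          # sub-step d
    NO_REFERENCE = "no-reference"  # page carried no usable hash


class MetaHashParser(HTMLParser):
    """Collects the content of every <meta name=META_NAME> tag."""

    def __init__(self):
        super().__init__()
        self.values = []

    def handle_starttag(self, tag, attrs):
        attributes = dict(attrs)
        if tag == "meta" and (attributes.get("name") or "").lower() == META_NAME:
            self.values.append(attributes.get("content") or "")


def second_cert_info(page_html):
    """Hash carried in the page (non-handshake), or None if unusable."""
    parser = MetaHashParser()
    parser.feed(page_html)
    parser.close()
    if len(parser.values) != 1:      # absent or ambiguous
        return None
    value = parser.values[0].strip().lower().replace(":", "")
    return value if HEX_SHA256.fullmatch(value) else None


def first_cert_info(handshake_cert_der):
    """Sub-step a: hash the certificate received in the handshake."""
    return hashlib.sha256(handshake_cert_der).hexdigest()


def compare(handshake_cert_der, page_html):
    """Sub-steps b to d, plus the case where the page gives nothing to compare."""
    expected = second_cert_info(page_html)
    if expected is None:
        return Verdict.NO_REFERENCE
    actual = first_cert_info(handshake_cert_der)
    if hmac.compare_digest(actual, expected):
        return Verdict.MATCH
    return Verdict.MISMATCH


def may_send_credentials(verdict, user_continues=False):
    """Step 10 of Embodiment 2: on a mismatch the user decides.
    Assumption: a page without a usable hash is handled like a mismatch."""
    return verdict is Verdict.MATCH or user_continues


def build_login_page(server_cert_der):
    """Server side of step 9: login page carrying the certificate hash."""
    digest = hashlib.sha256(server_cert_der).hexdigest()
    return ('<html><head><meta name="%s" content="%s"></head>'
            '<body><form method="post">...</form></body></html>'
            % (META_NAME, digest))


def fetch_handshake_cert(host, port=443, timeout=5.0):
    """Live variant: DER certificate the client actually received. Chain
    validation still passes when the proxy CA is in the trust store."""
    context = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with context.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


if __name__ == "__main__":
    page = build_login_page(REAL_CERT_DER)
    for label, cert in (("direct", REAL_CERT_DER), ("via proxy", PROXY_CERT_DER)):
        verdict = compare(cert, page)
        print(label, verdict.value, "send" if may_send_credentials(verdict) else "hold")
```

The comparison only detects a proxy that relays the page body unchanged, which is the behaviour the patent assumes. `fetch_handshake_cert` is the live counterpart of the constructed certificate bytes.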
Embodiment 3
To solve the problem in the prior art that the client cannot tell whether a man-in-the-middle exists between the client and the server, Embodiment 3 of the present application provides an apparatus for identifying the presence of a man-in-the-middle. The structure of the apparatus is shown in FIG. 4 and includes an information obtaining unit 41 and an identification unit 42.
The information obtaining unit 41 is configured to obtain first certificate-related information of the server received by the client during the handshake between the client and the server, and second certificate-related information of the server received by the client during a non-handshake process between the client and the server;
The identification unit 42 is configured to determine whether the first certificate-related information and the second certificate-related information obtained by the information obtaining unit 41 match.
In one implementation, the information obtaining unit 41 may obtain the second certificate-related information of the server received during the non-handshake process between the client and the server before the confidential information is sent.
In one implementation, the information obtaining unit 41 may be divided into the following subunits:
A sending subunit, configured to send a confidential information page acquisition request to the server;
A receiving subunit, configured to receive the confidential information page sent by the server.
The confidential information page contains the second certificate-related information.
In one implementation, when the confidential information page contains a verification script, the identification unit 42 may be configured to determine, by running the verification script, whether the first certificate-related information and the second certificate-related information match.
In one implementation, if the first certificate-related information includes a certificate and the second certificate-related information includes the hash value corresponding to the certificate, the identification unit 42 may be configured to: hash the first certificate-related information to obtain a hash value; determine whether the hash value corresponding to the certificate, included in the second certificate-related information, is the same as the obtained hash value; if they are the same, determine that the first certificate-related information and the second certificate-related information match; if they are not the same, determine that the first certificate-related information and the second certificate-related information do not match.
In one implementation, the apparatus provided in Embodiment 3 of the present application may further include an operation execution unit. The operation execution unit is configured to perform a specific operation when the identification unit 42 determines that the first certificate-related information and the second certificate-related information match.
The specific operation may include, but is not limited to, an operation that keeps the man-in-the-middle from receiving the confidential information.
In one implementation, the operation execution unit may be configured to perform the following operations:
Display prompt information;
Receive a user instruction;
According to the user instruction, refuse the input of confidential information, or refuse to obtain the entered confidential information, or cancel sending the confidential information.
When a man-in-the-middle is in place, it uses its own self-signed certificate and the server's identity information (such as domain name/Subject/Valid) to produce a newly generated certificate only during the handshake between the client and the server. It does not perform a similar operation on the server's certificate-related information passed during the non-handshake process between the client and the server, so that information is still the server's real certificate-related information. Therefore, comparing the certificate-related information of the same server received during the handshake and during the non-handshake process makes it possible to identify whether a man-in-the-middle exists.
Those skilled in the art will appreciate that embodiments of the present invention may be provided as a method, a system, or a computer program product. Accordingly, the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware. Moreover, the present invention may take the form of a computer program product implemented on one or more computer-usable storage media (including but not limited to disk storage, CD-ROM, optical storage, etc.) containing computer-usable program code.
The present invention is described with reference to flowcharts and/or block diagrams of methods, devices (systems) and computer program products according to embodiments of the invention. It should be understood that each flow and/or block in the flowcharts and/or block diagrams, and combinations of flows and/or blocks in the flowcharts and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to the processor of a general-purpose computer, special-purpose computer, embedded processor or other programmable information processing device to produce a machine, such that the instructions executed by the processor of the computer or other programmable information processing device produce means for implementing the functions specified in one or more flows of a flowchart and/or one or more blocks of a block diagram.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable information processing device to operate in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means that implement the functions specified in one or more flows of a flowchart and/or one or more blocks of a block diagram.
These computer program instructions may also be loaded onto a computer or other programmable information processing device, so that a series of operational steps is performed on the computer or other programmable device to produce computer-implemented processing, and the instructions executed on the computer or other programmable device thereby provide steps for implementing the functions specified in one or more flows of a flowchart and/or one or more blocks of a block diagram.
In a typical configuration, a computing device includes one or more processors (CPUs), input/output interfaces, network interfaces, and memory.
Memory may include non-persistent memory in computer-readable media, in forms such as random access memory (RAM) and/or non-volatile memory, such as read-only memory (ROM) or flash memory (flash RAM). Memory is an example of a computer-readable medium.
Computer-readable media include persistent and non-persistent, removable and non-removable media, which can store information by any method or technology. The information may be computer-readable instructions, information structures, program modules, or other information. Examples of computer storage media include, but are not limited to, phase-change memory (PRAM), static random access memory (SRAM), dynamic random access memory (DRAM), other types of random access memory (RAM), read-only memory (ROM), electrically erasable programmable read-only memory (EEPROM), flash memory or other memory technology, compact disc read-only memory (CD-ROM), digital versatile disc (DVD) or other optical storage, magnetic cassettes, magnetic tape or disk storage or other magnetic storage devices, or any other non-transmission medium that can be used to store information accessible to a computing device. As defined herein, computer-readable media do not include transitory computer-readable media (transitory media), such as modulated information signals and carrier waves.
Note also that the terms "include", "comprise" and any other variants of them are intended to cover non-exclusive inclusion, so that a process, method, article or device that includes a series of elements includes not only those elements but also other elements not explicitly listed, or elements inherent to such a process, method, article or device. Without further limitation, an element defined by the phrase "including a ..." does not exclude the presence of additional identical elements in the process, method, article or device that includes the element.
Those skilled in the art will appreciate that embodiments of the present application may be provided as a method, a system, or a computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware. Moreover, the present application may take the form of a computer program product implemented on one or more computer-usable storage media (including but not limited to disk storage, CD-ROM, optical storage, etc.) containing computer-usable program code.
The above is only an embodiment of the present application and is not intended to limit the present application. For those skilled in the art, the present application may have various modifications and changes. Any modification, equivalent replacement, improvement and the like made within the spirit and principles of the present application shall fall within the scope of the claims of the present application.

Claims (14)

  1. A method for identifying the presence of a man-in-the-middle, characterized by comprising:
    obtaining first certificate-related information received by a client during the handshake between the client and a server, and second certificate-related information of the server received by the client during a non-handshake process between the client and the server;
    determining whether the first certificate-related information and the second certificate-related information match.
  2. The method according to claim 1, characterized in that obtaining the second certificate-related information of the server received by the client during the non-handshake process between the client and the server comprises:
    before confidential information is sent, obtaining the second certificate-related information of the server received by the client during the non-handshake process.
  3. The method according to claim 2, characterized in that, before confidential information is sent, obtaining the second certificate-related information of the server received by the client during the non-handshake process between the client and the server comprises:
    sending a confidential information page acquisition request to the server;
    receiving the confidential information page sent by the server, wherein the confidential information page contains the second certificate-related information.
  4. The method according to claim 3, characterized in that the confidential information page contains a verification script;
    determining whether the first certificate related information and the second certificate related information match comprises:
    determining, by running the verification script, whether the first certificate related information and the second certificate related information match.
  5. The method according to any one of claims 1 to 4, characterized in that the first certificate related information comprises a certificate, and the second certificate related information comprises a hash value corresponding to the certificate;
    determining whether the first certificate related information and the second certificate related information match comprises:
    performing a hash operation on the first certificate related information to obtain a hash value;
    determining whether the corresponding hash value is the same as the obtained hash value;
    if they are the same, determining that the first certificate related information and the second certificate related information match;
    if they are not the same, determining that the first certificate related information and the second certificate related information do not match.
  6. The method according to claim 1, characterized in that the method further comprises:
    performing a specific operation when it is determined that the first certificate related information and the second certificate related information match;
    wherein the specific operation comprises an operation that prevents the intermediary from receiving the confidential information.
  7. The method according to claim 6, characterized in that performing the specific operation comprises:
    displaying prompt information;
    receiving a user instruction;
    according to the user instruction, refusing input of the confidential information, or refusing to obtain the confidential information that has been input, or cancelling the sending of the confidential information.
  8. A device for identifying the presence of an intermediary, characterized by comprising:
    an information obtaining unit, configured to obtain first certificate related information of a server received by a client during a handshake process between the client and the server, and second certificate related information of the server received by the client during a non-handshake process between the client and the server;
    an identification unit, configured to determine whether the first certificate related information and the second certificate related information obtained by the information obtaining unit match.
  9. The device according to claim 8, characterized in that:
    the information obtaining unit is configured to obtain, before confidential information is sent, the second certificate related information of the server received by the client during the non-handshake process between the client and the server.
  10. The device according to claim 9, characterized in that the information obtaining unit comprises:
    a sending subunit, configured to send a confidential information page acquisition request to the server;
    a receiving subunit, configured to receive a confidential information page sent by the server, wherein the confidential information page contains the second certificate related information.
  11. The device according to claim 10, characterized in that the confidential information page contains a verification script;
    the identification unit is configured to determine, by running the verification script, whether the first certificate related information and the second certificate related information match.
  12. The device according to any one of claims 8 to 11, characterized in that the first certificate related information comprises a certificate, and the second certificate related information comprises a hash value corresponding to the certificate;
    the identification unit is configured to:
    perform a hash operation on the first certificate related information to obtain a hash value;
    determine whether the corresponding hash value is the same as the obtained hash value;
    if they are the same, determine that the first certificate related information and the second certificate related information match;
    if they are not the same, determine that the first certificate related information and the second certificate related information do not match.
  13. The device according to claim 8, characterized in that the device further comprises:
    an operation execution unit, configured to perform a specific operation when the identification unit determines that the first certificate related information and the second certificate related information match;
    wherein the specific operation comprises an operation that prevents the intermediary from receiving the confidential information.
  14. The device according to claim 13, characterized in that:
    the operation execution unit is configured to display prompt information; receive a user instruction; and, according to the user instruction, refuse input of the confidential information, or refuse to obtain the confidential information that has been input, or cancel the sending of the confidential information.
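The comparison in claims 3 and 5, as an added example that is not code from the patent: the client hashes the certificate it received in the handshake and compares it with the hash carried in the confidential information page. The hash algorithm (SHA-256), the meta tag name `server-cert-sha256` and the sample byte strings are assumptions made for illustration.

```python
import hashlib
import hmac
from html.parser import HTMLParser

# Assumption: the page carries the hash as
# <meta name="server-cert-sha256" content="<64 hex chars>">.
META_NAME = "server-cert-sha256"
HEX = set("0123456789abcdef")

class _CertHashFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.value = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "meta" and a.get("name") == META_NAME and self.value is None:
            self.value = (a.get("content") or "").strip().lower()

def second_cert_info(page_html):
    """Extract the certificate hash embedded in the confidential information page."""
    finder = _CertHashFinder()
    finder.feed(page_html)
    return finder.value

def certs_match(handshake_cert_der, page_html):
    """Hash the handshake certificate and compare it with the page's hash."""
    expected = second_cert_info(page_html)
    if not expected or len(expected) != 64 or not set(expected) <= HEX:
        return False  # a missing or malformed value counts as a mismatch
    actual = hashlib.sha256(handshake_cert_der).hexdigest()
    return hmac.compare_digest(actual, expected)

# Constructed sample data: opaque byte strings stand in for DER certificates.
# A real client could take the bytes from ssl.SSLSocket.getpeercert(binary_form=True).
SERVER_CERT = b"constructed-der-bytes-of-real-server-certificate"
PROXY_CERT = b"constructed-der-bytes-of-intercepting-proxy-certificate"
PAGE = ('<html><head><meta name="%s" content="%s"></head>'
        '<body><form>...</form></body></html>'
        % (META_NAME, hashlib.sha256(SERVER_CERT).hexdigest()))

if __name__ == "__main__":
    print("direct connection:", certs_match(SERVER_CERT, PAGE))
    print("intercepted connection:", certs_match(PROXY_CERT, PAGE))
```

The result is only meaningful if the intermediary cannot also rewrite the hash inside the page, so the embedded value needs its own integrity protection.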
PCT/CN2015/089949 2014-09-26 2015-09-18 Method and device for identifying the presence of man-in-the-middle WO2016045541A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201410504854.3A CN105516066B (en) 2014-09-26 2014-09-26 A kind of method and device that internuncial presence is recognized
CN201410504854.3 2014-09-26

Publications (1)

Publication Number Publication Date
WO2016045541A1 true WO2016045541A1 (en) 2016-03-31

Family

ID=55580295

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2015/089949 WO2016045541A1 (en) 2014-09-26 2015-09-18 Method and device for identifying the presence of man-in-the-middle

Country Status (3)

Country Link
CN (1) CN105516066B (en)
HK (1) HK1222060A1 (en)
WO (1) WO2016045541A1 (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110557255A (en) * 2018-05-31 2019-12-10 北京京东尚科信息技术有限公司 certificate management method and device
CN115296863A (en) * 2022-07-15 2022-11-04 天翼云科技有限公司 Method, device and storage medium for ensuring user safety

Families Citing this family (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106572123A (en) * 2016-12-30 2017-04-19 哈尔滨安天科技股份有限公司 Blackmail software defense system and method based on data redirection
CN106899579B (en) * 2017-02-08 2019-12-06 北京网康科技有限公司 detection method and device for man-in-the-middle attack
CN110768940B (en) * 2018-07-27 2022-03-22 深信服科技股份有限公司 Ciphertext data management and control method and system based on HTTPS (Hypertext transfer protocol secure) protocol, proxy server and storage medium
CN109257365B (en) * 2018-10-12 2021-08-13 深信服科技股份有限公司 Information processing method, device, equipment and storage medium
CN114844651B (en) * 2022-05-31 2024-05-28 唯思电子商务(深圳)有限公司 Method and system for strong verification of https certificate of app client

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20080295169A1 (en) * 2007-05-25 2008-11-27 Crume Jeffery L Detecting and defending against man-in-the-middle attacks
CN101860546A (en) * 2010-06-18 2010-10-13 杭州电子科技大学 Method for improving SSL handshake protocol
CN102571770A (en) * 2011-12-27 2012-07-11 北京神州绿盟信息安全科技股份有限公司 Man-in-the-middle attack detection method, device, server and system
CN103188074A (en) * 2011-12-28 2013-07-03 上海格尔软件股份有限公司 Proxy method for improving SSL algorithm intensity of browser
CN103490884A (en) * 2012-09-28 2014-01-01 卡巴斯基实验室封闭式股份公司 System and method for verification of digital certificates

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
FI20050491A0 (en) * 2005-05-09 2005-05-09 Nokia Corp System for delivery of certificates in a communication system
CN103414699B (en) * 2013-07-23 2017-04-26 北京星网锐捷网络技术有限公司 Authentication method for client certificate, server and client
CN103763356B (en) * 2014-01-08 2017-05-31 深圳大学 A kind of SSL establishment of connection method, apparatus and system
CN103986716B (en) * 2014-05-21 2017-02-01 深圳大学 Establishing method for SSL connection and communication method and device based on SSL connection

Also Published As

Publication number Publication date
CN105516066B (en) 2019-04-09
CN105516066A (en) 2016-04-20
HK1222060A1 (en) 2017-06-16

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application (Ref document number: 15844934; Country of ref document: EP; Kind code of ref document: A1)
NENP Non-entry into the national phase (Ref country code: DE)
122 Ep: pct application non-entry in european phase (Ref document number: 15844934; Country of ref document: EP; Kind code of ref document: A1)