WO2016150169A1 - Secure communication method, gateway, network-side server and system - Google Patents

Secure communication method, gateway, network-side server and system

Info

Publication number
WO2016150169A1
Authority
WO
WIPO (PCT)
Prior art keywords
network side
side server
http request
request message
gateway
Application number
PCT/CN2015/094341
Other languages
English (en)
French (fr)
Inventor
华卫
Original Assignee
中兴通讯股份有限公司 (ZTE Corporation)
Application filed by 中兴通讯股份有限公司
Publication of WO2016150169A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/02 Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]
    • H04L67/04 Protocols specially adapted for terminals or networks with limited capabilities; specially adapted for terminal portability
    • H04L67/06 Protocols specially adapted for file transfer, e.g. file transfer protocol [FTP]
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload

Definitions

  • Embodiments of the present invention relate to, but are not limited to, communication technologies, and in particular to a secure communication method, a gateway, a network-side server, and a system.
  • The Hypertext Transfer Protocol (HTTP) can be used by a terminal, such as a browser, to request a web document from a web server, or by the server to send a file to the browser; the file may be any of various multimedia files, such as text, sound, and images.
  • Sending the server's file to the terminal over HTTP may result in insecure communication between the terminal and the server.
  • The embodiment of the invention provides a secure communication method, a gateway, a network-side server, and a system that can solve the problem of insecure communication between the terminal and the server.
  • The embodiment of the invention provides a secure communication method, including:
  • the gateway obtains a first Hypertext Transfer Protocol (HTTP) request message sent by the terminal, where the first HTTP request message includes a Uniform Resource Locator (URL) that the terminal requests to access on the first network-side server through the gateway;
  • the gateway sends a second HTTP request message to the second network-side server, so that the second network-side server encrypts the second HTTP request message and sends it to the first network-side server, where the second HTTP request message includes the URL with which the terminal accesses the first network-side server.
  • Before the gateway sends the second HTTP request message to the second network-side server, the method further includes: the gateway determining, according to the first HTTP request message, whether the first HTTP request message is to be encrypted.
  • The gateway determining, according to the first HTTP request message, whether to encrypt the first HTTP request message includes: determining whether the URL included in the first HTTP request message matches a URL in the gateway's configuration information (the rule described for the gateway's determining module below); if it matches, the gateway sends the second HTTP request message to the second network-side server, so that the second network-side server encrypts the second HTTP request message and sends it to the first network-side server.
  • The method further includes:
  • the gateway receives a second HTTP request response message sent by the second network-side server, where the second request response message includes a resource obtained from the first network-side server identified by the URL;
  • the gateway sends a first HTTP request response message to the terminal, where the first HTTP request response message includes the resource obtained from the first network-side server identified by the URL.
  • The first HTTP request response message includes a source address and a source port, where the source address is the Internet Protocol (IP) address of the first network-side server and the source port is the IP port of the first network-side server. The sequence number of the first HTTP request response message is the sequence number of the second HTTP request response message plus the first sequence number, minus the second sequence number, where the first sequence number is the sequence number used by the first network-side server in the Transmission Control Protocol (TCP) connection handshake between the terminal and the first network-side server, and the second sequence number is the sequence number used by the second network-side server in the TCP connection handshake between the gateway and the second network-side server.
  • The second HTTP request message includes a destination IP address and a destination port, where the destination IP address is the IP address of the second network-side server and the destination port is a port of the second network-side server. The sequence number of the second HTTP request message is the sequence number of the first HTTP request message plus the second sequence number, minus the first sequence number.
  • In connection with the gateway sending the second HTTP request message to the second network-side server so that the second network-side server encrypts it and sends it to the first network-side server, the method further includes:
  • the gateway sends a reset signaling message to the first network-side server, by which the gateway disconnects the TCP communication link between the gateway and the first network-side server.
  • The embodiment of the invention further provides a secure communication method, including:
  • the second network-side server obtains a second HTTP request message sent by the gateway, where the second HTTP request message includes the URL with which the terminal accesses the first network-side server;
  • the second network-side server sends an HTTPS request message to the first network-side server, where the HTTPS request message consists of the second request message encrypted by the second network-side server using the HTTPS protocol.
  • The method further includes:
  • the second network-side server receives an HTTPS request response message sent by the first network-side server, where the HTTPS request response message includes a resource obtained from the first network-side server identified by the URL;
  • the second network-side server sends a second HTTP request response message to the gateway, where the second request response message includes the resource obtained from the first network-side server identified by the URL.
  • The embodiment of the invention further provides a gateway, including:
  • a first acquiring module configured to acquire a first HTTP request message sent by the terminal, where the first HTTP request message includes a URL that the terminal requests to access on the first network-side server through the gateway;
  • a first sending module configured to send a second HTTP request message to the second network-side server, so that the second network-side server encrypts the second HTTP request message and sends it to the first network-side server, where the second HTTP request message includes the URL with which the terminal accesses the first network-side server.
  • The gateway further includes a determining module configured to determine, according to the first HTTP request message, whether to encrypt the first HTTP request message.
  • The determining module is configured to determine whether to encrypt the first HTTP request message according to whether the URL included in the first HTTP request message matches a URL in the gateway's configuration information; if it matches, the first HTTP request message is encrypted using the HTTP Secure (HTTPS) protocol.
  • The first acquiring module is further configured to receive a second HTTP request response message sent by the second network-side server, where the second request response message includes a resource obtained from the first network-side server identified by the URL.
  • The first sending module is further configured to send a first HTTP request response message to the terminal, where the first HTTP request response message includes the resource obtained from the first network-side server identified by the URL.
  • The first HTTP request response message includes a source address and a source port, where the source address is the IP address of the first network-side server and the source port is the IP port of the first network-side server. The sequence number of the first HTTP request response message is the sequence number of the second HTTP request response message plus the first sequence number, minus the second sequence number, where the first sequence number is the sequence number used by the first network-side server in the TCP connection handshake between the terminal and the first network-side server, and the second sequence number is the sequence number used by the second network-side server in the TCP connection handshake between the gateway and the second network-side server.
  • The second HTTP request message includes a destination IP address and a destination port, where the destination IP address is the IP address of the second network-side server and the destination port is a port of the second network-side server. The sequence number of the second HTTP request message is the sequence number of the first HTTP request message plus the second sequence number, minus the first sequence number.
  • The first sending module is further configured to send a reset signaling message to the first network-side server, by which the TCP communication link between the gateway and the first network-side server is disconnected.
  • The embodiment of the invention further provides a network-side server, including:
  • a second acquiring module configured to acquire a second HTTP request message sent by the gateway, where the second HTTP request message includes the URL with which the terminal accesses the first network-side server;
  • a second sending module configured to send an HTTPS request message to the first network-side server, where the HTTPS request message consists of the second request message encrypted by the second network-side server using the HTTPS protocol.
  • The second acquiring module is further configured to receive an HTTPS request response message sent by the first network-side server, where the HTTPS request response message includes a resource obtained from the first network-side server identified by the URL.
  • The second sending module is further configured to send a second HTTP request response message to the gateway, where the second request response message includes the resource obtained from the first network-side server identified by the URL.
  • The embodiment of the invention further provides a secure communication system, comprising the gateway described above and the network-side server described above.
  • The embodiment of the invention further provides a computer-readable storage medium storing program instructions which, when executed, implement the above.
  • The embodiment of the present invention includes: the gateway acquires a first HTTP request message sent by the terminal, where the first HTTP request message includes a URL that the terminal requests to access on the first network-side server through the gateway; the gateway sends a second HTTP request message to the second network-side server, so that the second network-side server sends the encrypted second HTTP request message to the first network-side server, where the second HTTP request message includes the URL with which the terminal accesses the first network-side server. Encrypted communication between the second network-side server and the first network-side server is thereby implemented, and hence secure communication between the terminal and the server.
  • FIG. 1 is a schematic flowchart of a secure communication method according to an embodiment of the present invention.
  • FIG. 2 is a schematic flowchart of a secure communication method according to Embodiment 2 of the present invention.
  • FIG. 3 is a schematic flowchart of an application example of the secure communication method of the present invention.
  • FIG. 4 is a schematic structural diagram of a gateway according to Embodiment 3 of the present invention.
  • FIG. 5 is a schematic structural diagram of a network-side server according to Embodiment 4 of the present invention.
  • The secure communication method provided by the embodiment of the present invention may be applied to a device that is connected to a network-side server, where the network-side server may be a server that provides multiple multimedia files such as text, voice, and images.
  • The secure communication method provided by this embodiment may be implemented by a secure communication device, which may be integrated in a gateway or in a network-side server and may be implemented in software and/or hardware.
  • The secure communication method, apparatus, and system provided in this embodiment are described in detail below.
  • FIG. 1 is a schematic flowchart of a method for secure communication according to an embodiment of the present invention. As shown in FIG. 1, the execution body of the method in this embodiment may be a gateway. The method comprises the following steps:
  • Step 101: The gateway acquires a first HTTP request message sent by the terminal.
  • The first HTTP request message includes a Uniform Resource Locator (URL) that the terminal requests to access on the first network-side server through the gateway.
  • Step 103: The gateway sends a second HTTP request message to the second network-side server, so that the second network-side server encrypts the second HTTP request message and sends it to the first network-side server.
  • The second HTTP request message in this embodiment includes the URL with which the terminal accesses the first network-side server.
  • The second HTTP request message may be formed by extracting part of the content of the first HTTP request message, by including the first HTTP request message in full, or by adding content to the first HTTP request message; this allows flexible adaptation and control.
  • Before step 103, the method may further include Step 102: The gateway determines, according to the first HTTP request message, that the first request message is to be encrypted.
  • The gateway matches the URL included in the first HTTP request message against its own configuration information to determine whether to encrypt the first HTTP request message; the gateway's configuration information includes the URLs that need to be encrypted using the HTTPS protocol (Hyper Text Transfer Protocol over Secure Socket Layer, i.e. HTTP over a secure channel, also called HTTP Secure).
  • The address information of the second network-side server may be preset in the gateway.
  • The second HTTP request message includes a destination IP address and a destination port, where the destination IP address is the IP address of the second network-side server and the destination port is a port of the second network-side server. The sequence number of the second HTTP request message is the sequence number of the first HTTP request message plus the second sequence number, minus the first sequence number, where the first sequence number is the sequence number used by the first network-side server in the TCP connection handshake between the terminal and the first network-side server, and the second sequence number is the sequence number used by the second network-side server in the TCP connection handshake between the gateway and the second network-side server.
  • In this embodiment, the gateway obtains the first HTTP request message sent by the terminal, where the first HTTP request message includes the URL that the terminal requests to access on the first network-side server through the gateway; the gateway determines, according to the first HTTP request message, that the first HTTP request message is to be encrypted; and the gateway sends a second HTTP request message to the second network-side server, so that the second network-side server sends the encrypted second HTTP request message to the first network-side server, where the second HTTP request message includes the URL with which the terminal accesses the first network-side server and is obtained by encrypting the first HTTP request message. Encrypted communication between the second network-side server and the first network-side server is thereby implemented, and hence secure communication between the terminal and the server.
  • FIG. 2 is a schematic flowchart of a method for secure communication according to another embodiment of the present invention.
  • The execution entity of the method in this embodiment may be a second network-side server. The method comprises the following steps:
  • Step 201: The second network-side server acquires a second HTTP request message sent by the gateway.
  • The second HTTP request message includes the URL with which the terminal accesses the first network-side server.
  • Step 202: The second network-side server sends an HTTPS request message to the first network-side server.
  • The HTTPS request message consists of the second request message encrypted by the second network-side server using the HTTPS protocol.
  • In this embodiment, the second network-side server obtains the second HTTP request message sent by the gateway, where the second HTTP request message includes the URL with which the terminal accesses the first network-side server;
  • the second network-side server then sends an HTTPS request message to the first network-side server, where the HTTPS request message consists of the second request message encrypted by the second network-side server using the HTTPS protocol.
  • The HTTPS protocol is used for communication with the first network-side server, thereby implementing secure communication between the terminal and the server.
  • FIG. 3 is a schematic flowchart of an application example of the present invention. As shown in FIG. 3, the execution body of the method in this example may be a second network-side server. The method comprises the following steps:
  • Step 301: The terminal sends a first HTTP request message to the gateway.
  • The first HTTP request message includes a URL that the terminal requests to access on the first network-side server through the gateway.
  • Step 302: The gateway determines, according to the first HTTP request message, that the first request message is to be encrypted using the HTTPS protocol.
  • The gateway matches the URL included in the first HTTP request message against its own configuration information to determine whether the terminal and the first network-side server need to communicate using the HTTPS protocol.
  • The gateway's configuration information includes the URLs that need to be encrypted using the HTTPS protocol. For example, if the URL included in the first HTTP request message matches a URL in the gateway's configuration information, it is determined that the first request message is to be encrypted using the HTTPS protocol between the terminal and the first network-side server.
  • Step 303: The gateway sends a reset signaling message to the first network-side server, by which the Transmission Control Protocol (TCP) communication link between the gateway and the first network-side server is disconnected.
  • Step 304: The gateway sends a second HTTP request message to the second network-side server, so that the second network-side server sends the second HTTP request message, encrypted using the HTTPS protocol, to the first network-side server.
  • The second request message in this embodiment includes the URL with which the terminal accesses the first network-side server.
  • The IP address and port information of the second network-side server may be preset in the gateway, so that the gateway obtains the information of the second network-side server from its configuration information.
  • Step 305: The gateway sends a TCP Synchronize Sequence Numbers (SYN) handshake request message to the second network-side server to establish a communication link with the second network-side server.
  • Step 306: The second network-side server sends a TCP SYN handshake response message to the gateway.
  • The TCP SYN handshake response message includes a first sequence number of the TCP SYN handshake response message.
  • The gateway stores the first sequence number.
  • Step 307: The gateway sends a response message to the second network-side server.
  • The response message is used to notify the second network-side server that the three-way handshake has succeeded.
  • Step 308: The gateway sends a second HTTP request message to the second network-side server, so that the second network-side server sends the second HTTP request message, encrypted using the HTTPS protocol, to the first network-side server.
  • The second request message includes the URL with which the terminal accesses the first network-side server.
  • The second HTTP request message includes a destination IP address and a destination port, where the destination IP address is the IP address of the second network-side server and the destination port is a port of the second network-side server. The sequence number of the second HTTP request message is the sequence number of the first HTTP request message plus the second sequence number, minus the first sequence number.
  • The second HTTP request message in this embodiment may be a GET request message.
  • Step 309: The second network-side server obtains the IP address of the first network-side server identified by the URL through a Domain Name System (DNS) server.
  • This establishes the condition for the second network-side server and the first network-side server to communicate in encrypted form using the HTTPS protocol.
  • Step 310: The second network-side server establishes a TCP connection with the first network-side server.
  • Step 311: The second network-side server receives the HTTPS request response message sent by the first network-side server.
  • The HTTPS request response message may include a resource obtained from the first network-side server identified by the URL.
  • Steps 310 and 311 may further include authentication and key negotiation between the second network-side server and the first network-side server, which are not described in detail here.
  • Step 312: The second network-side server sends a second HTTP request response message to the gateway.
  • The second request response message includes the resource obtained from the first network-side server identified by the URL.
  • Step 313: The gateway sends a first HTTP request response message to the terminal.
  • The first HTTP request response message includes the resource obtained from the first network-side server identified by the URL.
  • The first HTTP request response message in this embodiment may include a source address and a source port, where the source address is the IP address of the first network-side server and the source port is the IP port of the first network-side server.
  • The sequence number of the first HTTP request response message is the sequence number of the second HTTP request response message plus the first sequence number, minus the second sequence number, where the first sequence number is the sequence number used by the first network-side server in the TCP connection handshake between the terminal and the first network-side server, and the second sequence number is the sequence number used by the second network-side server in the TCP connection handshake between the gateway and the second network-side server.
  • Communication between the second network-side server and the first network-side server is implemented using the HTTPS protocol, thereby implementing secure communication between the terminal and the server.
  • The gateway in this embodiment (FIG. 4) includes an obtaining module 41 and a sending module 43, where:
  • the obtaining module 41 is configured to obtain a first HTTP request message sent by the terminal, where the first HTTP request message includes a URL that the terminal requests to access on the first network-side server through the gateway;
  • the sending module 43 is configured to send a second HTTP request message to the second network-side server, so that the second network-side server encrypts the second HTTP request message and sends it to the first network-side server, where the second HTTP request message includes the URL with which the terminal accesses the first network-side server.
  • The gateway may further include a determining module 42 configured to determine, according to the first HTTP request message, that the first HTTP request message is to be encrypted.
  • The determining module 42 is configured to determine whether to encrypt the first HTTP request message according to whether the URL included in the first HTTP request message matches a URL in the gateway's configuration information; if it matches, the first HTTP request message is encrypted using the HTTP Secure (HTTPS) protocol.
  • The first HTTP request message may also be encrypted by the sending module 43 using the HTTPS protocol.
  • In this embodiment, the gateway obtains the first HTTP request message sent by the terminal, where the first HTTP request message includes the URL that the terminal requests to access on the first network-side server through the gateway; the gateway determines, according to the first HTTP request message, that the first HTTP request message is to be encrypted; and the gateway sends a second HTTP request message to the second network-side server, so that the second network-side server encrypts the second HTTP request message and sends it to the first network-side server, where the second HTTP request message includes the URL with which the terminal accesses the first network-side server. Encrypted communication between the second network-side server and the first network-side server is thereby implemented, and hence secure communication between the terminal and the server.
  • The obtaining module 41 is further configured to receive a second HTTP request response message sent by the second network-side server, where the second request response message includes a resource obtained from the first network-side server identified by the URL;
  • the sending module 43 is further configured to send a first HTTP request response message to the terminal, where the first HTTP request response message includes the resource obtained from the first network-side server identified by the URL.
  • The first HTTP request response message includes a source address and a source port, where the source address is the IP address of the first network-side server and the source port is the IP port of the first network-side server. The sequence number of the first HTTP request response message is the sequence number of the second HTTP request response message plus the first sequence number, minus the second sequence number.
  • The second HTTP request message includes a destination IP address and a destination port, where the destination IP address is the IP address of the second network-side server and the destination port is a port of the second network-side server. The sequence number of the second HTTP request message is the sequence number of the first HTTP request message plus the second sequence number, minus the first sequence number.
  • The sending module 43 is further configured to send a reset signaling message to the first network-side server, so as to disconnect the TCP communication link between the gateway and the first network-side server.
  • The network-side server of this embodiment (FIG. 5) includes an obtaining module 51 and a sending module 52, where:
  • the obtaining module 51 is configured to obtain a second HTTP request message sent by the gateway, where the second HTTP request message includes the URL with which the terminal accesses the first network-side server;
  • the sending module 52 is configured to send an HTTPS request message to the first network-side server, where the HTTPS request message consists of the second request message encrypted by the second network-side server using the HTTPS protocol.
  • In this embodiment, the second network-side server obtains the second HTTP request message sent by the gateway, where the second HTTP request message includes the URL with which the terminal accesses the first network-side server;
  • the second network-side server then sends an HTTPS request message to the first network-side server, where the HTTPS request message consists of the second request message encrypted by the second network-side server using the HTTPS protocol.
  • Communication between the second network-side server and the first network-side server is implemented using the HTTPS protocol, thereby implementing secure communication between the terminal and the server.
  • The obtaining module 51 is further configured to receive an HTTPS request response message sent by the first network-side server, where the HTTPS request response message includes a resource obtained from the first network-side server identified by the URL;
  • the sending module 52 is further configured to send a second HTTP request response message to the gateway, where the second request response message includes the resource obtained from the first network-side server identified by the URL.
  • The embodiment of the invention further provides a secure communication system, comprising a gateway as shown in FIG. 4 and a network-side server as shown in FIG. 5.
  • The embodiment of the present invention includes: the gateway acquires a first HTTP request message sent by the terminal, where the first HTTP request message includes a URL that the terminal requests to access on the first network-side server through the gateway;
  • the gateway sends a second HTTP request message to the second network-side server, so that the second network-side server sends the encrypted second HTTP request message to the first network-side server, where the second HTTP request message includes the URL with which the terminal accesses the first network-side server.
  • Encrypted communication between the second network-side server and the first network-side server is thereby implemented by the embodiment of the present invention, and hence secure communication between the terminal and the server.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

Embodiments of the present invention disclose a secure communication method, a gateway, a network-side server and a system. The method includes: a gateway obtains a first Hypertext Transfer Protocol (HTTP) request message sent by a terminal, where the first HTTP request message includes the Uniform Resource Locator (URL) of a first network-side server that the terminal requests to access through the gateway; the gateway sends a second HTTP request message to a second network-side server, so that the second network-side server encrypts the second HTTP request message and sends it to the first network-side server, where the second request message includes the URL of the first network-side server accessed by the terminal.

Description

Secure communication method, gateway, network-side server and system
Technical field
Embodiments of the present invention relate to, but are not limited to, communication technology, and in particular to a secure communication method, gateway, network-side server and system.
Background
With the continuing development of communication technology, the Hypertext Transfer Protocol (HTTP) is used ever more widely.
Typically, HTTP lets a terminal such as a browser request World Wide Web documents from a web server, or lets a server deliver its files to the browser; such files may include text, audio, images and other multimedia files.
However, delivering a server's files to a terminal over HTTP may leave the communication between the terminal and the server insecure.
Summary
The following is an overview of the subject matter described in detail herein. This overview is not intended to limit the scope of protection of the claims.
Embodiments of the present invention provide a secure communication method, gateway, network-side server and system that can solve the problem of insecure communication between a terminal and a server.
An embodiment of the present invention provides a secure communication method, including:
a gateway obtains a first Hypertext Transfer Protocol (HTTP) request message sent by a terminal, where the first HTTP request message includes the Uniform Resource Locator (URL) of a first network-side server that the terminal requests to access through the gateway; and
the gateway sends a second HTTP request message to a second network-side server, so that the second network-side server encrypts the second HTTP request message and sends it to the first network-side server, where the second HTTP request message includes the URL of the first network-side server accessed by the terminal.
Optionally, before the gateway sends the second HTTP request message to the second network-side server, the method further includes: the gateway determines, according to the first HTTP request message, whether the first HTTP request message is to be encrypted.
Optionally, the gateway determining, according to the first HTTP request message, whether the first HTTP request message is to be encrypted includes:
the gateway determines whether the first HTTP request message is to be encrypted according to whether the URL included in the first HTTP request message matches a URL in the gateway's own configuration information; if it matches, the first HTTP request message is encrypted using the HTTP Secure (HTTPS) protocol.
Optionally, after the gateway sends the second HTTP request message to the second network-side server so that the second network-side server encrypts the second HTTP request message and sends it to the first network-side server, the method further includes:
the gateway receives a second HTTP request response message sent by the second network-side server, where the second request response message includes the resource obtained from the first network-side server identified by the URL; and
the gateway sends a first HTTP request response message to the terminal, where the first HTTP request response message includes the resource obtained from the first network-side server identified by the URL.
Optionally, the first HTTP request response message includes a source address and a source port, where the source address is the Internet Protocol (IP) address of the first network-side server and the source port is the IP port of the first network-side server; the sequence number of the first HTTP request response message is the value obtained by adding the sequence number of the second HTTP request response message to the first sequence number and then subtracting the second sequence number, where the first sequence number is the sequence number used by the first network-side server in the Transmission Control Protocol (TCP) connection handshake between the terminal and the first network-side server, and the second sequence number is the sequence number used by the second network-side server in the TCP connection handshake between the gateway and the second network-side server.
Optionally, the second HTTP request message includes a destination IP address and a destination port, where the destination IP address is the IP address of the second network-side server and the destination port is the port of the second network-side server; the sequence number of the second HTTP request message is the value obtained by adding the sequence number of the first HTTP request message to the second sequence number and then subtracting the first sequence number.
Optionally, before the gateway sends the second HTTP request message to the second network-side server so that the second network-side server encrypts the second HTTP request message and sends it to the first network-side server, the method further includes:
the gateway sends a reset signaling message to the first network-side server, to tear down the TCP communication link between the gateway and the first network-side server.
An embodiment of the present invention further provides a secure communication method, including:
a second network-side server obtains a second HTTP request message sent by a gateway, where the second HTTP request message includes the URL of a first network-side server accessed by the terminal; and
the second network-side server sends an HTTPS request message to the first network-side server, where the HTTPS request message is the second request message encrypted by the second network-side server using the HTTPS protocol.
Optionally, after the second network-side server sends the HTTPS request message to the first network-side server, the method further includes:
the second network-side server receives an HTTPS request response message sent by the first network-side server, where the HTTPS request response message includes the resource obtained from the first network-side server identified by the URL; and
the second network-side server sends a second HTTP request response message to the gateway, where the second request response message includes the resource obtained from the first network-side server identified by the URL.
An embodiment of the present invention further provides a gateway, including:
a first obtaining module, configured to obtain a first HTTP request message sent by a terminal, where the first HTTP request message includes the URL of a first network-side server that the terminal requests to access through the gateway; and
a first sending module, configured to send a second HTTP request message to a second network-side server, so that the second network-side server encrypts the second HTTP request message and sends it to the first network-side server, where the second HTTP request message includes the URL of the first network-side server accessed by the terminal.
Optionally, the gateway further includes a determining module, configured to determine, according to the first HTTP request message, whether the first HTTP request message is to be encrypted.
Optionally, the determining module is configured to determine whether the first HTTP request message is to be encrypted according to whether the URL included in the first HTTP request message matches a URL in the gateway's own configuration information, and, if it matches, to encrypt the first HTTP request message using the HTTPS protocol.
Optionally, the first obtaining module is further configured to receive a second HTTP request response message sent by the second network-side server, where the second request response message includes the resource obtained from the first network-side server identified by the URL; and
the first sending module is further configured to send a first HTTP request response message to the terminal, where the first HTTP request response message includes the resource obtained from the first network-side server identified by the URL.
Optionally, the first HTTP request response message includes a source address and a source port, where the source address is the IP address of the first network-side server and the source port is the IP port of the first network-side server; the sequence number of the first HTTP request response message is the value obtained by adding the sequence number of the second HTTP request response message to the first sequence number and then subtracting the second sequence number, where the first sequence number is the sequence number used by the first network-side server in the TCP connection handshake between the terminal and the first network-side server, and the second sequence number is the sequence number used by the second network-side server in the TCP connection handshake between the gateway and the second network-side server.
Optionally, the second HTTP request message includes a destination IP address and a destination port, where the destination IP address is the IP address of the second network-side server and the destination port is the port of the second network-side server; the sequence number of the second HTTP request message is the value obtained by adding the sequence number of the first HTTP request message to the second sequence number and then subtracting the first sequence number.
Optionally, the first sending module is further configured to send a reset signaling message to the first network-side server, to tear down the TCP communication link between the gateway and the first network-side server.
An embodiment of the present invention further provides a network-side server, including:
a second obtaining module, configured to obtain a second HTTP request message sent by a gateway, where the second HTTP request message includes the URL of a first network-side server accessed by the terminal; and
a second sending module, configured to send an HTTPS request message to the first network-side server, where the HTTPS request message is the second request message encrypted by the second network-side server using the HTTPS protocol.
Optionally, the second obtaining module is further configured to receive an HTTPS request response message sent by the first network-side server, where the HTTPS request response message includes the resource obtained from the first network-side server identified by the URL; and
the second sending module is further configured to send a second HTTP request response message to the gateway, where the second request response message includes the resource obtained from the first network-side server identified by the URL.
An embodiment of the present invention further provides a secure communication system, including the gateway described above and the network-side server described above.
An embodiment of the present invention further provides a computer-readable storage medium storing program instructions which, when executed, implement the method described above.
Compared with the related art, the embodiment of the present invention includes: a gateway obtains a first HTTP request message sent by a terminal, where the first HTTP request message includes the URL of a first network-side server that the terminal requests to access through the gateway; the gateway sends a second HTTP request message to a second network-side server, so that the second network-side server sends the encrypted second HTTP request message to the first network-side server, where the second HTTP request message includes the URL of the first network-side server accessed by the terminal. This provides encrypted communication between the second network-side server and the first network-side server, and hence secure communication between the terminal and the server.
Other aspects will become apparent upon reading and understanding the drawings and the detailed description.
Brief description of the drawings
FIG. 1 is a flowchart of a secure communication method according to Embodiment 1 of the present invention;
FIG. 2 is a flowchart of a secure communication method according to Embodiment 2 of the present invention;
FIG. 3 is a flowchart of a secure communication method according to an application example of the present invention;
FIG. 4 is a schematic structural diagram of a gateway according to Embodiment 3 of the present invention;
FIG. 5 is a schematic structural diagram of a network-side server according to Embodiment 4 of the present invention.
Detailed description
Embodiments of the present invention are described in detail below with reference to the drawings. Note that, provided they do not conflict, the embodiments of the present invention and the features within them may be combined with one another arbitrarily.
The steps shown in the flowcharts of the drawings may be executed in a computer system such as a set of computer-executable instructions. Moreover, although a logical order is shown in the flowcharts, in some cases the steps shown or described may be executed in an order different from the one given here.
The secure communication method provided by the embodiments of the present invention may be applied when a terminal communicates with a network-side server, where the network-side server may be a server that holds text, audio, images and other multimedia files. The secure communication method provided by this embodiment may be executed by a secure communication apparatus, which may be integrated in a gateway or in a network-side server and may be implemented in software and/or hardware. The secure communication method, apparatus and system provided by this embodiment are described in detail below.
Embodiment 1
FIG. 1 is a flowchart of a secure communication method according to an embodiment of the present invention. As shown in FIG. 1, the executing body of the method of this embodiment may be a gateway. The method includes the following steps:
Step 101: the gateway obtains a first Hypertext Transfer Protocol (HTTP) request message sent by a terminal.
In this embodiment, the first HTTP request message includes the Uniform Resource Locator (URL) of a first network-side server that the terminal requests to access through the gateway.
Step 103: the gateway sends a second HTTP request message to a second network-side server, so that the second network-side server encrypts the second HTTP request message and sends it to the first network-side server.
In this embodiment, the second HTTP request message includes the URL of the first network-side server accessed by the terminal. The second HTTP request message may consist of part of the content extracted from the first HTTP request message, may contain the first HTTP request message in full, or may be the first HTTP request message with content added; this can be adapted and controlled flexibly.
Optionally, a step 102 may be included between steps 101 and 103: the gateway determines, according to the first HTTP request message, that the first request message is to be encrypted.
Here the gateway matches the URL included in the first HTTP request message against its own configured information to determine whether the first HTTP request message is to be encrypted. Note that the gateway's own configuration information includes the URLs that need to be encrypted using the HTTPS protocol (Hyper Text Transfer Protocol over Secure Socket Layer, an HTTP channel whose goal is security, referred to as HTTP Secure). For example, if the URL included in the first HTTP request message matches a URL in the gateway's own configuration information, the gateway determines that the first HTTP request message is to be encrypted, that is, it determines that the terminal and the first network-side server communicate using the HTTPS protocol; in other words, it determines that the first request message can be encrypted between the terminal and the first network-side server using the HTTPS protocol.
Optionally, the address information of the second network-side server may be pre-configured in the gateway.
In this embodiment, the second HTTP request message includes a destination IP address and a destination port, where the destination IP address is the IP address of the second network-side server and the destination port is the port of the second network-side server; the sequence number of the second HTTP request message is the value obtained by adding the sequence number of the first HTTP request message to the second sequence number and then subtracting the first sequence number, where the first sequence number is the sequence number used by the first network-side server in the Transmission Control Protocol (TCP) connection handshake between the terminal and the first network-side server, and the second sequence number is the sequence number used by the second network-side server in the TCP connection handshake between the gateway and the second network-side server.
In this embodiment, the gateway obtains the first HTTP request message sent by the terminal, where the first HTTP request message includes the URL of the first network-side server that the terminal requests to access through the gateway; the gateway determines, according to the first HTTP request message, that the first HTTP request message is to be encrypted; the gateway sends the second HTTP request message to the second network-side server, so that the second network-side server sends the encrypted second HTTP request message to the first network-side server, where the second HTTP request message includes the URL of the first network-side server accessed by the terminal and is obtained from the first HTTP request message. This provides encrypted communication between the second network-side server and the first network-side server, and hence secure communication between the terminal and the server.
Embodiment 2
FIG. 2 is a flowchart of a secure communication method according to another embodiment of the present invention. As shown in FIG. 2, the executing body of the method of this embodiment may be the second network-side server. The method includes the following steps:
Step 201: the second network-side server obtains a second HTTP request message sent by the gateway.
In this embodiment, the second HTTP request message includes the URL of the first network-side server accessed by the terminal.
Step 202: the second network-side server sends an HTTPS request message to the first network-side server.
In this embodiment, the HTTPS request message is the second request message encrypted by the second network-side server using the HTTPS protocol.
In this embodiment, the second network-side server obtains the second HTTP request message sent by the gateway, where the second HTTP request message includes the URL of the first network-side server accessed by the terminal; the second network-side server sends an HTTPS request message to the first network-side server, where the HTTPS request message is the second request message encrypted by the second network-side server using the HTTPS protocol. Communication between the second network-side server and the first network-side server is thus carried over HTTPS, which provides secure communication between the terminal and the server.
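The second network-side server of Embodiment 2 (steps 309 to 312 of the application example below describe the same leg) has to turn the gateway's plaintext request into an HTTPS request toward the first network-side server. The following is an added example of that step, not code from the patent or from ZTE: it parses the relayed HTTP GET, recovers the URL of the first network-side server, rewrites it to https://, and builds the TLS context for the upstream hop with certificate and hostname verification on, because that verification is what makes the relay-to-origin hop secure rather than merely encrypted. The wire format assumed for the gateway's request (absolute-form or origin-form GET), the function names and the sample request are this example's own assumptions.

```python
"""Second network-side server: from the gateway's plain HTTP request to the HTTPS
request sent to the first network-side server. Added example (not the patent's code);
request format, function names and sample input are assumptions of this example."""
import socket
import ssl
from urllib.parse import urlsplit, urlunsplit

# Headers that belong to the gateway<->relay hop and must not be forwarded to the origin.
HOP_BY_HOP = {"connection", "keep-alive", "proxy-connection", "proxy-authorization",
              "te", "trailer", "transfer-encoding", "upgrade"}


class BadRequest(ValueError):
    """The relayed request cannot be turned into an upstream request."""


def parse_gateway_request(raw):
    """Parse the second HTTP request message (a GET in step 308) into
    (method, url, headers, body). Accepts an absolute-form request line
    (GET http://host/path HTTP/1.1) or origin-form (GET /path) plus a Host header."""
    head, _, body = raw.partition(b"\r\n\r\n")
    try:
        lines = head.decode("ascii").split("\r\n")
        method, target, version = lines[0].split(" ")
    except (UnicodeDecodeError, ValueError):
        raise BadRequest("malformed request line") from None
    if version not in ("HTTP/1.0", "HTTP/1.1"):
        raise BadRequest("unsupported HTTP version")
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if not colon or not name.strip():
            raise BadRequest("malformed header line")
        headers[name.strip().lower()] = value.strip()
    if target.startswith("/"):  # origin-form: the host comes from the Host header
        if "host" not in headers:
            raise BadRequest("origin-form request without Host header")
        target = "http://" + headers["host"] + target
    return method, target, headers, body


def https_target(url):
    """Map the terminal's http:// URL to the https:// URL fetched in step 202.
    Port 80 (or no port) becomes 443; an explicit non-default port is kept
    (assumption of this example: the origin serves TLS on that same port)."""
    parts = urlsplit(url)
    if parts.scheme != "http" or not parts.hostname:
        raise BadRequest("only http://host/... URLs are relayed")
    try:
        port = parts.port
    except ValueError:
        raise BadRequest("invalid port") from None
    host = parts.hostname
    if port in (None, 80):
        port, netloc = 443, host
    else:
        netloc = f"{host}:{port}"
    return urlunsplit(("https", netloc, parts.path or "/", parts.query, "")), host, port


def tls_context():
    """TLS context for the relay -> first-server hop. The hop is only as secure as
    this check: the origin's certificate must chain to a trusted root and match
    the requested host name, otherwise anyone on the path can impersonate it."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if ctx.verify_mode != ssl.CERT_REQUIRED or not ctx.check_hostname:
        raise RuntimeError("TLS context would accept an unauthenticated origin")
    return ctx


def build_upstream_request(raw):
    """Returns (host, port, request_bytes) for the HTTPS leg of step 202."""
    method, url, headers, body = parse_gateway_request(raw)
    https_url, host, port = https_target(url)
    parts = urlsplit(https_url)
    request_target = parts.path + (f"?{parts.query}" if parts.query else "")
    fwd = {k: v for k, v in headers.items() if k not in HOP_BY_HOP}
    fwd["host"] = parts.netloc  # re-point Host at the origin, including any explicit port
    fwd["connection"] = "close"
    head = f"{method} {request_target} HTTP/1.1\r\n" + "".join(
        f"{k}: {v}\r\n" for k, v in fwd.items()) + "\r\n"
    return host, port, head.encode("ascii") + body


def relay(raw, timeout=10.0):
    """Steps 309 to 311 end to end: resolve the host through the OS resolver,
    connect, wrap the socket in verified TLS, send the request and return the
    raw HTTPS response. Needs network access."""
    host, port, upstream = build_upstream_request(raw)
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with tls_context().wrap_socket(sock, server_hostname=host) as tls:
            tls.sendall(upstream)
            chunks = []
            chunk = tls.recv(65536)
            while chunk:
                chunks.append(chunk)
                chunk = tls.recv(65536)
    return b"".join(chunks)
```

The relay deliberately drops hop-by-hop headers such as Proxy-Connection and rewrites Host, so the origin sees a normal HTTPS client; the response bytes returned by relay() are what the second network-side server hands back to the gateway as the second HTTP request response message in step 312.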
Application example
FIG. 3 is a flowchart of an application example of the present invention. As shown in FIG. 3, the method of this example involves the terminal, the gateway, the first network-side server and the second network-side server. The method includes the following steps:
Step 301: the terminal sends a first HTTP request message to the gateway.
In this example, the first Hypertext Transfer Protocol (HTTP) request message includes the Uniform Resource Locator (URL) of the first network-side server that the terminal requests to access through the gateway.
Step 302: the gateway determines, according to the first HTTP request message, that the first request message is to be encrypted using the HTTPS protocol.
Here the gateway matches the URL included in the first HTTP request message against its own configured information to determine whether the terminal and the first network-side server need to communicate using the HTTPS protocol. Note that the gateway's own configuration information includes the URLs that need to be encrypted using the HTTPS protocol. For example, if the URL included in the first HTTP request message matches a URL in the gateway's own configuration information, the gateway determines that the first request message can be encrypted between the terminal and the first network-side server using the HTTPS protocol.
Step 303: the gateway sends a reset signaling message to the first network-side server, to tear down the Transmission Control Protocol (TCP) communication link between the gateway and the first network-side server.
Step 304: the gateway sends a second HTTP request message to the second network-side server, so that the second network-side server sends the second HTTP request message, encrypted using the HTTPS protocol, to the first network-side server.
In this example, the second request message includes the URL of the first network-side server accessed by the terminal.
Optionally, the IP address and port of the second network-side server may be pre-configured in the gateway, so that the gateway obtains the second network-side server's information from that configuration.
Step 305: the gateway sends a TCP Synchronize Sequence Numbers (SYN) handshake request message to the second network-side server, to establish a communication link with the second network-side server.
Step 306: the second network-side server sends a TCP SYN handshake response message to the gateway.
In this example, the TCP SYN handshake response message carries the initial sequence number chosen by the second network-side server (the second sequence number in the terminology used above). The gateway stores this sequence number.
Step 307: the gateway sends an acknowledgment message to the second network-side server.
In this example, this message tells the second network-side server that the three-way handshake has succeeded.
Step 308: the gateway sends the second HTTP request message to the second network-side server, so that the second network-side server sends the second HTTP request message, encrypted using the HTTPS protocol, to the first network-side server.
In this example, the second request message includes the URL of the first network-side server accessed by the terminal.
Note that the second HTTP request message includes a destination IP address and a destination port, where the destination IP address is the IP address of the second network-side server and the destination port is the port of the second network-side server; the sequence number of the second HTTP request message is the value obtained by adding the sequence number of the first HTTP request message to the second sequence number and then subtracting the first sequence number.
Optionally, the second HTTP request message in this example may be a GET request message.
Step 309: the second network-side server obtains the IP address of the first network-side server identified by the URL through a Domain Name System (DNS) server.
This establishes the precondition for encrypted HTTPS communication between the second network-side server and the first network-side server.
Step 310: the second network-side server establishes a TCP connection with the first network-side server.
Step 311: the second network-side server receives an HTTPS request response message sent by the first network-side server.
In this example, the HTTPS request response message may include the resource obtained from the first network-side server identified by the URL.
In this example, steps 310 and 311 may also carry out authentication and key negotiation between the second network-side server and the first network-side server, which are not described here one by one.
Step 312: the second network-side server sends a second HTTP request response message to the gateway.
In this example, the second request response message includes the resource obtained from the first network-side server identified by the URL.
Step 313: the gateway sends a first HTTP request response message to the terminal.
In this example, the first HTTP request response message includes the resource obtained from the first network-side server identified by the URL.
The first HTTP request response message in this example may include a source address and a source port, where the source address is the IP address of the first network-side server and the source port is the IP port of the first network-side server; the sequence number of the first HTTP request response message is the value obtained by adding the sequence number of the second HTTP request response message to the first sequence number and then subtracting the second sequence number, where the first sequence number is the sequence number used by the first network-side server in the TCP connection handshake between the terminal and the first network-side server, and the second sequence number is the sequence number used by the second network-side server in the TCP connection handshake between the gateway and the second network-side server.
In this example, communication between the second network-side server and the first network-side server is carried over HTTPS, which in turn provides secure communication between the terminal and the server.
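Steps 302 to 313 above, together with the sequence-number relations of Embodiment 1, describe a gateway that splices the terminal's existing TCP connection (reset toward the first network-side server in step 303) onto a fresh connection to the second network-side server, and that makes the responses look as if they came from the first network-side server. The following is an added example of that gateway logic, not code from the patent or from ZTE. It implements the URL match against the gateway's configuration, records the two initial sequence numbers (the first and second sequence numbers of the description), applies the two stated relations modulo 2^32 so that wrap-around is handled, and rewrites the addresses of segments in both directions. The configuration format, the class and field names, and the sample addresses are this example's own assumptions. One reading choice is also the example's: the patent states the request-direction relation on the "sequence number", while in a TCP header the field of a client-to-server segment that is counted in the server's sequence space is the acknowledgment number, so the rewriter applies the first-to-second relation to ack and leaves seq untouched, on the assumption that the gateway reused the terminal's own initial sequence number in its SYN of step 305.

```python
"""Gateway-side splice of the terminal<->first-server TCP connection onto the
gateway<->second-server connection, following the sequence-number relations of
Embodiment 1 and steps 302 to 313 of the application example. Added example (not
the patent's code); config format, class and field names are assumptions."""
from dataclasses import dataclass, replace
from urllib.parse import urlsplit

SEQ_MOD = 1 << 32  # TCP sequence numbers are 32-bit; every result is reduced mod 2^32


@dataclass(frozen=True)
class Endpoint:
    ip: str
    port: int


@dataclass(frozen=True)
class Segment:
    """Only the TCP/IP header fields the gateway rewrites; the payload passes through."""
    src: Endpoint
    dst: Endpoint
    seq: int            # counted in the sender's sequence space
    ack: int            # counted in the peer's sequence space
    payload: bytes = b""


class SpliceGateway:
    def __init__(self, https_url_prefixes, first_server, second_server):
        # Gateway configuration (step 302): URL prefixes that must be carried over HTTPS.
        self._policies = [urlsplit(u) for u in https_url_prefixes]
        self.first_server = first_server    # server the terminal believes it talks to
        self.second_server = second_server  # pre-configured HTTPS relay (note after step 304)
        self.first_isn = None   # "first sequence number": first server's ISN toward the terminal
        self.second_isn = None  # "second sequence number": second server's ISN toward the gateway

    def needs_https(self, url):
        """Steps 102 / 302: does the requested URL match a configured URL?
        Scheme and host compare exactly (host case-insensitively), path by prefix."""
        req = urlsplit(url)
        return any(
            req.scheme == pol.scheme
            and req.netloc.lower() == pol.netloc.lower()
            and (req.path or "/").startswith(pol.path or "/")
            for pol in self._policies
        )

    def record_isns(self, first_isn, second_isn):
        """first_isn was seen in the first server's SYN-ACK to the terminal (the connection
        reset in step 303); second_isn comes from the second server's SYN-ACK in step 306."""
        self.first_isn = first_isn % SEQ_MOD
        self.second_isn = second_isn % SEQ_MOD

    def _delta(self):
        if self.first_isn is None or self.second_isn is None:
            raise RuntimeError("both handshakes must be recorded before splicing")
        return (self.second_isn - self.first_isn) % SEQ_MOD

    # The two relations exactly as the patent states them, reduced mod 2^32.
    def seq_first_to_second(self, n):
        """seq2 = seq1 + second_isn - first_isn"""
        return (n + self._delta()) % SEQ_MOD

    def seq_second_to_first(self, n):
        """seq1 = seq2 + first_isn - second_isn"""
        return (n - self._delta()) % SEQ_MOD

    def to_second_server(self, seg):
        """Step 308: retarget a terminal segment to the second server. The first-to-second
        relation is applied to ack, the field counted in the server's sequence space; seq is
        left alone on this example's assumption that the gateway reused the terminal's own
        ISN in its SYN of step 305, so the client-side space needs no translation."""
        return replace(seg, dst=self.second_server, ack=self.seq_first_to_second(seg.ack))

    def to_terminal(self, seg):
        """Step 313: make a second-server segment look like it came from the first server:
        source address and port rewritten, seq moved back into the first server's space."""
        return replace(seg, src=self.first_server, seq=self.seq_second_to_first(seg.seq))
```

Only the hop from the second network-side server to the first network-side server is encrypted; the terminal-to-gateway and gateway-to-second-server legs carry the request as plaintext HTTP, exactly as the description says, so in a deployment those two legs have to sit inside a network the operator trusts.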
Embodiment 3
FIG. 4 is a schematic structural diagram of a gateway according to an embodiment of the present invention. As shown in FIG. 4, the gateway of this embodiment includes an obtaining module 41 and a sending module 43, where
the obtaining module 41 is configured to obtain a first Hypertext Transfer Protocol (HTTP) request message sent by a terminal, where the first HTTP request message includes the Uniform Resource Locator (URL) of a first network-side server that the terminal requests to access through the gateway; and
the sending module 43 is configured to send a second HTTP request message to a second network-side server, so that the second network-side server encrypts the second HTTP request message and sends it to the first network-side server, where the second HTTP request message includes the URL of the first network-side server accessed by the terminal.
Optionally, the gateway may further include a determining module 42, configured to determine, according to the first HTTP request message, that the first HTTP request message is to be encrypted;
where the determining module 42 is configured to determine whether the first HTTP request message is to be encrypted according to whether the URL included in the first HTTP request message matches a URL in the gateway's own configuration information, and, if it matches, to encrypt the first HTTP request message using the HTTP Secure (HTTPS) protocol.
Optionally, the sending module 43 may instead encrypt the first HTTP request message using the HTTPS protocol.
In this embodiment, the gateway obtains the first HTTP request message sent by the terminal, where the first HTTP request message includes the URL of the first network-side server that the terminal requests to access through the gateway; the gateway determines, according to the first HTTP request message, that the first HTTP request message is to be encrypted; the gateway sends the second HTTP request message to the second network-side server, so that the second network-side server encrypts the second HTTP request message and sends it to the first network-side server, where the second HTTP request message includes the URL of the first network-side server accessed by the terminal. This provides encrypted communication between the second network-side server and the first network-side server, and hence secure communication between the terminal and the server.
On the basis of the above embodiment,
the obtaining module 41 is further configured to receive a second HTTP request response message sent by the second network-side server, where the second request response message includes the resource obtained from the first network-side server identified by the URL; and
the sending module 43 is further configured to send a first HTTP request response message to the terminal, where the first HTTP request response message includes the resource obtained from the first network-side server identified by the URL.
Note that the first HTTP request response message includes a source address and a source port, where the source address is the IP address of the first network-side server and the source port is the IP port of the first network-side server; the sequence number of the first HTTP request response message is the value obtained by adding the sequence number of the second HTTP request response message to the first sequence number and then subtracting the second sequence number, where the first sequence number is the sequence number used by the first network-side server in the Transmission Control Protocol (TCP) connection handshake between the terminal and the first network-side server, and the second sequence number is the sequence number used by the second network-side server in the TCP connection handshake between the gateway and the second network-side server.
Optionally, the second HTTP request message includes a destination IP address and a destination port, where the destination IP address is the IP address of the second network-side server and the destination port is the port of the second network-side server; the sequence number of the second HTTP request message is the value obtained by adding the sequence number of the first HTTP request message to the second sequence number and then subtracting the first sequence number.
On the basis of the above embodiment, the sending module 43 is further configured to send a reset signaling message to the first network-side server, to tear down the TCP communication link between the gateway and the first network-side server.
Embodiment 4
FIG. 5 is a schematic structural diagram of a network-side server according to an embodiment of the present invention. As shown in FIG. 5, the network-side server of this embodiment includes an obtaining module 51 and a sending module 52, where
the obtaining module 51 is configured to obtain a second HTTP request message sent by the gateway, where the second HTTP request message includes the Uniform Resource Locator (URL) of the first network-side server accessed by the terminal; and
the sending module 52 is configured to send an HTTPS request message to the first network-side server, where the HTTPS request message is the second request message encrypted by the second network-side server using the HTTPS protocol.
In this embodiment, the second network-side server obtains the second HTTP request message sent by the gateway, where the second HTTP request message includes the URL of the first network-side server accessed by the terminal; the second network-side server sends an HTTPS request message to the first network-side server, where the HTTPS request message is the second request message encrypted by the second network-side server using the HTTPS protocol. Communication between the second network-side server and the first network-side server is thus carried over HTTPS, which provides secure communication between the terminal and the server.
On the basis of the above embodiment, the obtaining module 51 is further configured to receive an HTTPS request response message sent by the first network-side server, where the HTTPS request response message includes the resource obtained from the first network-side server identified by the URL; and
the sending module 52 is further configured to send a second HTTP request response message to the gateway, where the second request response message includes the resource obtained from the first network-side server identified by the URL.
An embodiment of the present invention further provides a secure communication system, including the gateway shown in FIG. 4 and the network-side server shown in FIG. 5.
A person of ordinary skill in the art will understand that all or some of the steps of the above methods may be performed by a program instructing the relevant hardware, and that the program may be stored in a computer-readable storage medium such as a read-only memory, a magnetic disk or an optical disc. Optionally, all or some of the steps of the above embodiments may also be implemented using one or more integrated circuits. Accordingly, each module/unit in the above embodiments may be implemented in hardware or as a software functional module. The embodiments of the present invention are not limited to any particular combination of hardware and software.
Industrial applicability
The embodiment of the present invention includes: a gateway obtains a first Hypertext Transfer Protocol (HTTP) request message sent by a terminal, where the first HTTP request message includes the Uniform Resource Locator (URL) of a first network-side server that the terminal requests to access through the gateway; the gateway sends a second HTTP request message to a second network-side server, so that the second network-side server sends the encrypted second HTTP request message to the first network-side server, where the second HTTP request message includes the URL of the first network-side server accessed by the terminal. The embodiment of the present invention thereby provides encrypted communication between the second network-side server and the first network-side server, and hence secure communication between the terminal and the server.

Claims (21)

  1. A secure communication method, comprising:
    a gateway obtaining a first Hypertext Transfer Protocol (HTTP) request message sent by a terminal, wherein the first HTTP request message comprises the Uniform Resource Locator (URL) of a first network-side server that the terminal requests to access through the gateway; and
    the gateway sending a second HTTP request message to a second network-side server, so that the second network-side server encrypts the second HTTP request message and sends it to the first network-side server, wherein the second HTTP request message comprises the URL of the first network-side server accessed by the terminal.
  2. The method according to claim 1, wherein before the gateway sends the second HTTP request message to the second network-side server, the method further comprises: the gateway determining, according to the first HTTP request message, whether the first HTTP request message is to be encrypted.
  3. The method according to claim 2, wherein the gateway determining, according to the first HTTP request message, whether the first HTTP request message is to be encrypted comprises:
    the gateway determining whether the first HTTP request message is to be encrypted according to whether the URL comprised in the first HTTP request message matches a URL in its own configuration information, and, if it matches, encrypting the first HTTP request message using the HTTP Secure (HTTPS) protocol.
  4. The method according to claim 1, 2 or 3, wherein after the gateway sends the second HTTP request message to the second network-side server so that the second network-side server encrypts the second HTTP request message and sends it to the first network-side server, the method further comprises:
    the gateway receiving a second HTTP request response message sent by the second network-side server, wherein the second request response message comprises the resource obtained from the first network-side server identified by the URL; and
    the gateway sending a first HTTP request response message to the terminal, wherein the first HTTP request response message comprises the resource obtained from the first network-side server identified by the URL.
  5. The method according to claim 4, wherein the first HTTP request response message comprises a source address and a source port, the source address comprising the Internet Protocol (IP) address of the first network-side server and the source port comprising the IP port of the first network-side server; the sequence number of the first HTTP request response message is the value obtained by adding the sequence number of the second HTTP request response message to a first sequence number and then subtracting a second sequence number, wherein the first sequence number is the sequence number used by the first network-side server in the Transmission Control Protocol (TCP) connection handshake between the terminal and the first network-side server, and the second sequence number is the sequence number used by the second network-side server in the TCP connection handshake between the gateway and the second network-side server.
  6. The method according to any one of claims 1 to 5, wherein the second HTTP request message comprises a destination IP address and a destination port, the destination IP address comprising the IP address of the second network-side server and the destination port comprising the port of the second network-side server; the sequence number of the second HTTP request message is the value obtained by adding the sequence number of the first HTTP request message to the second sequence number and then subtracting the first sequence number.
  7. The method according to claim 6, wherein before the gateway sends the second HTTP request message to the second network-side server so that the second network-side server encrypts the second HTTP request message and sends it to the first network-side server, the method further comprises:
    the gateway sending a reset signaling message to the first network-side server, to tear down the TCP communication link between the gateway and the first network-side server.
  8. A secure communication method, comprising:
    a second network-side server obtaining a second HTTP request message sent by a gateway, wherein the second HTTP request message comprises the Uniform Resource Locator (URL) of a first network-side server accessed by a terminal; and
    the second network-side server sending an HTTPS request message to the first network-side server, wherein the HTTPS request message comprises the second request message encrypted by the second network-side server using the HTTPS protocol.
  9. The method according to claim 8, wherein after the second network-side server sends the HTTPS request message to the first network-side server, the method further comprises:
    the second network-side server receiving an HTTPS request response message sent by the first network-side server, wherein the HTTPS request response message comprises the resource obtained from the first network-side server identified by the URL; and
    the second network-side server sending a second HTTP request response message to the gateway, wherein the second request response message comprises the resource obtained from the first network-side server identified by the URL.
  10. A gateway, comprising:
    a first obtaining module, configured to obtain a first Hypertext Transfer Protocol (HTTP) request message sent by a terminal, wherein the first HTTP request message comprises the Uniform Resource Locator (URL) of a first network-side server that the terminal requests to access through the gateway; and
    a first sending module, configured to send a second HTTP request message to a second network-side server, so that the second network-side server encrypts the second HTTP request message and sends it to the first network-side server, wherein the second HTTP request message comprises the URL of the first network-side server accessed by the terminal.
  11. The gateway according to claim 10, further comprising:
    a determining module, configured to determine, according to the first HTTP request message, whether the first HTTP request message is to be encrypted.
  12. The gateway according to claim 11, wherein:
    the determining module is configured to determine whether the first HTTP request message is to be encrypted according to whether the URL comprised in the first HTTP request message matches a URL in the gateway's own configuration information, and, if it matches, to encrypt the first HTTP request message using the HTTP Secure (HTTPS) protocol.
  13. The gateway according to claim 10, 11 or 12, wherein:
    the first obtaining module is further configured to receive a second HTTP request response message sent by the second network-side server, wherein the second request response message comprises the resource obtained from the first network-side server identified by the URL; and
    the first sending module is further configured to send a first HTTP request response message to the terminal, wherein the first HTTP request response message comprises the resource obtained from the first network-side server identified by the URL.
  14. The gateway according to claim 13, wherein the first HTTP request response message comprises a source address and a source port, the source address comprising the Internet Protocol (IP) address of the first network-side server and the source port comprising the IP port of the first network-side server; the sequence number of the first HTTP request response message is the value obtained by adding the sequence number of the second HTTP request response message to a first sequence number and then subtracting a second sequence number, wherein the first sequence number is the sequence number used by the first network-side server in the Transmission Control Protocol (TCP) connection handshake between the terminal and the first network-side server, and the second sequence number is the sequence number used by the second network-side server in the TCP connection handshake between the gateway and the second network-side server.
  15. The gateway according to any one of claims 10 to 14, wherein the second HTTP request message comprises a destination IP address and a destination port, the destination IP address comprising the IP address of the second network-side server and the destination port comprising the port of the second network-side server; the sequence number of the second HTTP request message is the value obtained by adding the sequence number of the first HTTP request message to the second sequence number and then subtracting the first sequence number.
  16. The gateway according to claim 15, wherein the first sending module is further configured to send a reset signaling message to the first network-side server, to tear down the TCP communication link between the gateway and the first network-side server.
  17. A network-side server, comprising:
    a second obtaining module, configured to obtain a second HTTP request message sent by a gateway, wherein the second HTTP request message comprises the Uniform Resource Locator (URL) of a first network-side server accessed by a terminal; and
    a second sending module, configured to send an HTTPS request message to the first network-side server, wherein the HTTPS request message comprises the second request message encrypted by the second network-side server using the HTTPS protocol.
  18. The network-side server according to claim 17, wherein
    the second obtaining module is further configured to receive an HTTPS request response message sent by the first network-side server, wherein the HTTPS request response message comprises the resource obtained from the first network-side server identified by the URL; and
    the second sending module is further configured to send a second HTTP request response message to the gateway, wherein the second request response message comprises the resource obtained from the first network-side server identified by the URL.
  19. A secure communication system, comprising the gateway according to any one of claims 10 to 16 and the network-side server according to claim 17 or 18.
  20. A computer-readable storage medium storing program instructions which, when executed, implement the method according to any one of claims 1 to 7.
  21. A computer-readable storage medium storing program instructions which, when executed, implement the method according to claim 8 or 9.
PCT/CN2015/094341 2015-03-25 2015-11-11 Secure communication method, gateway, network-side server and system WO2016150169A1 (zh)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201510133710.6A CN104767742A (zh) 2015-03-25 2015-03-25 Secure communication method, gateway, network-side server and system
CN201510133710.6 2015-03-25

Publications (1)

Publication Number Publication Date
WO2016150169A1 true WO2016150169A1 (zh) 2016-09-29

Family

ID=53649349

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2015/094341 WO2016150169A1 (zh) 2015-03-25 2015-11-11 Secure communication method, gateway, network-side server and system

Country Status (2)

Country Link
CN (1) CN104767742A (zh)
WO (1) WO2016150169A1 (zh)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112104523A (zh) * 2020-09-11 2020-12-18 中国联合网络通信集团有限公司 Method, apparatus, device and storage medium for detecting traffic pass-through
CN114697380A (zh) * 2022-03-11 2022-07-01 杭州盈高科技有限公司 Method, system, apparatus and storage medium for redirecting access requests
CN115022059A (zh) * 2022-06-13 2022-09-06 中国银行股份有限公司 Quantum communication method and apparatus

Families Citing this family (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104767742A (zh) * 2015-03-25 2015-07-08 中兴通讯股份有限公司 Secure communication method, gateway, network-side server and system
CN106375390B (zh) * 2016-08-29 2019-11-12 北京爱接力科技发展有限公司 Data transmission method, system and apparatus in the Internet of Things
CN106506552B (zh) * 2016-12-28 2020-04-03 北京奇艺世纪科技有限公司 HTTP request transmission method and apparatus
CN106850663A (zh) * 2017-02-28 2017-06-13 成都瑞小博科技有限公司 Method for preventing web page hijacking on a router
CN107896228B (zh) * 2017-12-22 2019-02-05 北京明朝万达科技股份有限公司 Data leakage prevention method and system
CN112152915A (zh) * 2019-06-28 2020-12-29 北京沃东天骏信息技术有限公司 Message forwarding gateway system and message forwarding method
CN111193704B (zh) * 2019-10-28 2021-07-23 腾讯科技(深圳)有限公司 HTTP communication method, apparatus and readable storage medium
CN112187801A (zh) * 2020-09-29 2021-01-05 杭州迪普科技股份有限公司 Website access method, apparatus and system
CN113364781A (zh) * 2021-06-09 2021-09-07 北京华耀科技有限公司 Request processing method and system

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101227277A (zh) * 2007-01-15 2008-07-23 中兴通讯股份有限公司 System and method for implementing end-to-end security based on a WAP 1.2 gateway
CN102075502A (zh) * 2009-11-24 2011-05-25 北京网御星云信息技术有限公司 Cloud-computing-based virus protection system
CN102238086A (zh) * 2010-04-28 2011-11-09 微软公司 Transparent migration of endpoints
CN103139185A (zh) * 2011-12-02 2013-06-05 中科信息安全共性技术国家工程研究中心有限公司 Method for implementing a secure reverse proxy service
CN104767742A (zh) * 2015-03-25 2015-07-08 中兴通讯股份有限公司 Secure communication method, gateway, network-side server and system

Family Cites Families (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR20060057179A (ko) * 2004-11-23 2006-05-26 에스케이 텔레콤주식회사 Method for handling HTTP 301/302 errors in a WAP gateway
CN101873332B (zh) * 2010-07-15 2013-04-17 杭州华三通信技术有限公司 Proxy-server-based web authentication method and device
CN102143187A (zh) * 2011-04-07 2011-08-03 北京星网锐捷网络技术有限公司 Method and system for terminal device network access, and network access proxy apparatus
CN103763308A (zh) * 2013-12-31 2014-04-30 北京明朝万达科技有限公司 Method and apparatus for a smart terminal to securely access web pages and download data
CN104135430B (zh) * 2014-08-04 2019-07-05 上海巨浪信息科技有限公司 Method for implementing a smart gateway for mobile supply chains

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112104523A (zh) * 2020-09-11 2020-12-18 中国联合网络通信集团有限公司 Method, apparatus, device and storage medium for detecting traffic pass-through
CN112104523B (zh) * 2020-09-11 2022-04-12 中国联合网络通信集团有限公司 Method, apparatus, device and storage medium for detecting traffic pass-through
CN114697380A (zh) * 2022-03-11 2022-07-01 杭州盈高科技有限公司 Method, system, apparatus and storage medium for redirecting access requests
CN114697380B (zh) * 2022-03-11 2023-07-14 杭州盈高科技有限公司 Method, system, apparatus and storage medium for redirecting access requests
CN115022059A (zh) * 2022-06-13 2022-09-06 中国银行股份有限公司 Quantum communication method and apparatus

Also Published As

Publication number Publication date
CN104767742A (zh) 2015-07-08

Similar Documents

Publication Publication Date Title
WO2016150169A1 (zh) Secure communication method, gateway, network-side server and system
CN109561066B (zh) Data processing method, apparatus, terminal and access point computer
US9130935B2 (en) System and method for providing access credentials
EP2850770B1 (en) Transport layer security traffic control using service name identification
US11303431B2 (en) Method and system for performing SSL handshake
US20170149571A1 (en) Method, Apparatus and System for Handshaking Between Client and Server
US10230695B2 (en) Distribution of secure data with entitlement enforcement
WO2019062666A1 (zh) System, method and apparatus for implementing secure access to an internal network
US20150172064A1 (en) Method and relay device for cryptographic communication
WO2017031691A1 (zh) Service processing method and apparatus
US10257171B2 (en) Server public key pinning by URL
US20160315915A1 (en) Method for accessing a data memory of a cloud computer system using a modified domain name system (dns)
US20170317836A1 (en) Service Processing Method and Apparatus
US20170127280A1 (en) Secure handling of secure socket layer ("ssl") traffic
US20210258306A1 (en) System and Method for Providing a Configuration File to Client Devices
CN111049789A (zh) Domain name access method and apparatus
US9825942B2 (en) System and method of authenticating a live video stream
US10992741B2 (en) System and method for providing a configuration file to client devices
WO2016176858A1 (zh) Method for transmitting a request, and client
GB2498566A (en) Authenticating a user at a proxy using cookies
CN115152258A (zh) Transmitting security information in a content delivery network
KR101429687B1 (ko) Apparatus and method for detecting a proxy
WO2017024588A1 (zh) Service processing method and apparatus
KR20190014958A (ko) Access control apparatus and method
Khandkar et al. Extended TLS: Masking Server Host Identity on the Internet Using Encrypted TLS Handshake

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 15886091

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 15886091

Country of ref document: EP

Kind code of ref document: A1