WO2017215582A1 - 加密内容检测的方法和设备 - Google Patents

加密内容检测的方法和设备 Download PDF

Info

Publication number
WO2017215582A1
WO2017215582A1 PCT/CN2017/087989 CN2017087989W WO2017215582A1 WO 2017215582 A1 WO2017215582 A1 WO 2017215582A1 CN 2017087989 W CN2017087989 W CN 2017087989W WO 2017215582 A1 WO2017215582 A1 WO 2017215582A1
Authority
WO
WIPO (PCT)
Prior art keywords
key
secure channel
server
information
network device
Prior art date
Application number
PCT/CN2017/087989
Other languages
English (en)
French (fr)
Inventor
谢于明
张波
黄志钢
尤建洁
汪洋
Original Assignee
华为技术有限公司
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by 华为技术有限公司 filed Critical 华为技术有限公司
Priority to EP17812693.4A priority Critical patent/EP3461097B1/en
Publication of WO2017215582A1 publication Critical patent/WO2017215582A1/zh
Priority to US16/222,152 priority patent/US20190140823A1/en

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00Network arrangements or protocols for supporting network services or applications
    • H04L67/14Session management
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0819Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
    • H04L9/083Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s) involving central third party, e.g. key distribution center [KDC] or trusted third party [TTP]
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/04Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/04Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/0485Networking architectures for enhanced packet encryption processing, e.g. offloading of IPsec packet processing or efficient security association look-up
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/083Network architectures or network communication protocols for network security for authentication of entities using passwords
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/16Implementing security features at a particular protocol layer
    • H04L63/166Implementing security features at a particular protocol layer at the transport layer
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/18Network architectures or network communication protocols for network security using different networks or channels, e.g. using out of band channels
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L65/00Network arrangements, protocols or services for supporting real-time applications in data packet communication
    • H04L65/40Support for services or applications
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00Network arrangements or protocols for supporting network services or applications
    • H04L67/50Network services
    • H04L67/56Provisioning of proxy services
    • H04L67/562Brokering proxy services
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0861Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • H04L9/0869Generation of secret information including derivation or calculation of cryptographic keys or passwords involving random numbers or seeds
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/40Network security protocols
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/04Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/0464Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload using hop-by-hop encryption, i.e. wherein an intermediate entity decrypts the information and re-encrypts it before forwarding it
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/06Network architectures or network communication protocols for network security for supporting key management in a packet data network
    • H04L63/067Network architectures or network communication protocols for network security for supporting key management in a packet data network using one-time keys

Definitions

  • the present invention relates to the field of communications, and more particularly to a method of encrypted content detection, a key manager, an intermediate box network device, and a server.
  • DCN Data Center Network
  • TLS Secure Transport Layer Protocol
  • IPS Intrusion Prevention System
  • DDoS Distributed Denial of Service
  • TLS While TLS is used to provide confidentiality and data integrity between two communication applications, it also provides a hidden new threat carrier for hackers. If the encrypted content is hidden by viruses, Trojans, malware, etc., without using FW, Intrusion Detection Systems (IDS), IPS and other network security devices (commonly referred to as middle box network devices (middlebox)) Testing will bring losses to businesses and individuals. Therefore, how network security devices such as FW and IPS detect TLS encrypted content accessing DCN services has become a key issue.
  • IDS Intrusion Detection Systems
  • the prior art uses the method shown in FIG. 1 to detect TLS encrypted content.
  • a TLS secure channel 1 is established between the client and the TLS proxy server, and a TLS secure channel 2 is established between the TLS proxy server and the server.
  • the TLS proxy server decrypts the encrypted message received through the TLS secure channel 1, and then transmits it to the middle box network device (middlebox) for plaintext content detection; the intermediate box network device
  • the optimized processed message is transmitted back to the TLS proxy server, and the TLS proxy server encrypts the optimized processed message and sends it to the server through TLS connection 2.
  • it is necessary to rely on the TLS proxy server which causes problems of high detection complexity and high cost.
  • Embodiments of the present invention provide a method for detecting an encrypted content, a key manager, an intermediate box network device, a server, a client, and a Software Defined Network (SDN) controller, which can reduce detection complexity and can reduce Check the cost.
  • SDN Software Defined Network
  • a method for detecting encrypted content is provided, the method being applied to a communication network, the communication network comprising an intermediate box network device, a key manager and a server, the intermediate box network device being located between the client and the server
  • the secure transport layer protocol TLS secure channel includes: the key manager obtains key information of the TLS secure channel; the key manager sends the key information to the intermediate box network device through the first secure channel, so that the intermediate box network device adopts The number of encrypted applications transmitted by the session key pair corresponding to the key information over the TLS secure channel Decrypting, and detecting the decrypted application data, wherein the encrypted application data is generated by the client or the server encrypting the application data based on the session key, and the first secure channel is a key manager and a box network device.
  • the method for detecting encrypted content in the embodiment of the present invention decrypts the encrypted application data through the intermediate box network device, and detects the decrypted application data, so that the detection of the encrypted content does not depend on the TLS proxy server, thereby being able to reduce The complexity is detected and the cost of detection can be reduced.
  • the method before the key manager obtains the key information of the TLS secure channel, the method further includes: the key manager receiving the intermediate box network device a first key request message sent by a secure channel, the first key request message includes quintuple information of the TLS secure channel, the first key request message is used to request key information, and the quintuple information includes an internet protocol of the client The IP address, the port number of the client, the IP address of the server, the port number of the server, and the transport layer protocol.
  • the key manager obtains the key information of the TLS secure channel, including: the key manager obtains the secret according to the quintuple information. Key information.
  • the key manager obtains the key information according to the quintuple information, including: the key manager passes the second The secure channel sends a second key request message to the server, the second key request message includes quintuple information, and the second secure channel is a secure channel established between the key manager and the server; the key manager receives the server according to the The key information sent by the second key request message.
  • the key manager obtains the key information of the TLS secure channel, including: the key manager receiving the session information sent by the server by using the second secure channel,
  • the session information includes quintuple information and key information of the TLS secure channel, and the quintuple information includes an Internet Protocol (IP) address of the client, a port number of the client, an IP address of the server, a port number of the server, and a transport layer.
  • IP Internet Protocol
  • the second secure channel is a secure channel established between the key manager and the server; the key manager obtains key information in the session information; wherein, the key manager passes the first secure channel to the intermediate box network device Before transmitting the key information, the method further includes: the key manager determining the intermediate box network device of the TLS secure channel identified by the quintuple information; the method further comprising: the key manager sending the five-element to the intermediate box network device Group information.
  • the communications network further includes a software-defined network SDN controller, wherein the key manager and the SDN controller Inter-phase connection, the SDN controller is connected with the intermediate box network device; the key manager determines the intermediate box network device according to the quintuple information, including: the key manager sends a device request message to the SDN controller, and the device request message The quintuple information is included, and the device request message is used to request device information of the intermediate box network device of the TLS secure channel identified by the quintuple information; and the key manager receives the device information sent by the SDN controller according to the device request message.
  • the key manager determines the intermediate box network device according to the quintuple information, including: the key manager sends a device request message to the SDN controller, and the device request message The quintuple information is included, and the device request message is used to request device information of the intermediate box network device of the TLS secure channel identified by the quintuple information; and the key manager receives the device information sent by the SDN controller
  • the key information includes a first random number, a second random number, and a pre-master key And a pseudo-random function, the first random number and the pre-master key are random numbers generated by the client, the second random number is a random number generated by the server, and the pseudo-random function is used according to the first random number, the second random number, and the pre-
  • the master key generates a session key.
  • the key information includes the session Key.
  • the key information includes a session key
  • the key manager obtains key information of the TLS secure channel, including: the key manager receives according to the slave server First The random number, the second random number, the pre-master key, and the pseudo-random function generate a session key, the first random number and the pre-master key are random numbers generated by the client, and the second random number is a random number generated by the server, and the pseudo-number A random function is used to generate a session key based on the first random number, the second random number, and the pre-master key.
  • the key manager sends the key information to the intermediate box network device by using the first secure channel Previously, the method further comprises: establishing the first secure channel between the key manager and the intermediate box network device.
  • a method for detecting encrypted content is provided, the method being applied to a communication network, the communication network comprising an intermediate box network device, a key manager and a server, wherein the intermediate box network device is located between the client and the server
  • the secure transport layer protocol TLS secure channel includes: the intermediate box network device receives the key information of the TLS secure channel sent by the key manager through the first secure channel, wherein the first secure channel is an intermediate box network device and key management A secure channel established between the devices; the intermediate box network device obtains encrypted application data transmitted through the TLS secure channel according to the quintuple information of the TLS secure channel, and the quintuple information includes the IP address of the client's Internet Protocol, the port number of the client, The IP address of the server, the port number of the server, the transport layer protocol, and the encrypted application data are generated by the client or the server encrypting the application data based on the session key corresponding to the key information; the intermediate box network device is encrypted by the session key pair Application data for decryption and
  • the method for detecting encrypted content in the embodiment of the present invention decrypts the encrypted application data through the intermediate box network device, and detects the decrypted application data, so that the detection of the encrypted content does not depend on the TLS proxy server, thereby being able to reduce The complexity is detected and the cost of detection can be reduced.
  • the key information includes a first random number, a second random number, a pre-master key, and a pseudo-random function, the first random number and the pre-primary secret
  • the key is a random number generated by the client
  • the second random number is a random number generated by the server
  • the pseudo random function is used to generate a session key according to the first random number, the second random number and the pre-master key
  • the method further includes: the intermediate box network device generates the session key according to the first random number, the second random number, the pre-master key, and the pseudo-random function, eg, The first random number, the second random number, and the pre-master key are used as arguments of the pseudo-random function, and the session key is calculated by the pseudo-random function.
  • the key information includes a session key.
  • the intermediate box network device receives the TLS sent by the key manager through the first secure channel Before the key information of the secure channel, the method further includes: the intermediate box network device sends a key request message to the key manager through the first secure channel, the key request message includes quintuple information, and the key request message is used for requesting Key information; wherein the intermediate box network device receives the key information of the TLS secure channel sent by the key manager through the first secure channel, including: the intermediate box network device receives the key manager according to the key request through the first secure channel Key information sent by the message.
  • the intermediate box network device obtains the security through TLS according to the quintuple information of the TLS security channel. Before the channel transmits the encrypted application data, the method further includes: the intermediate box network device receives the quintuple information sent by the key manager through the first secure channel.
  • a method for detecting encrypted content is provided, the method being applied to a communication network, the communication network Including the intermediate box network device, the key manager and the server, the intermediate box network device is located on the secure transport layer protocol TLS secure channel established between the client and the server, and includes: the server determines the key information of the TLS secure channel; the server passes the The second secure channel sends the key information to the key manager, so that the key manager sends the key information to the intermediate box network device through the first secure channel, so that the intermediate box network device adopts the session key corresponding to the key information.
  • the method for detecting encrypted content in the embodiment of the present invention decrypts the encrypted application data through the intermediate box network device, and detects the decrypted application data, so that the detection of the encrypted content does not depend on the TLS proxy server, thereby being able to reduce The complexity is detected and the cost of detection can be reduced.
  • the method before the server sends the key information to the key manager through the second secure channel, the method further includes: the server is configured to the client through the TLS secure channel Sending a detection query message, the detection query message is used to determine whether the client agrees to the intermediate box network device to perform encrypted content detection on the encrypted application data; the server receives the consent detection message sent by the client for feedback detection message, and agrees to the detection message for Instruct the client to agree to the intermediate box network device to perform encrypted content detection on the encrypted application data.
  • the security risk can be reduced by performing encrypted content detection in the case of determining that the client agrees to detect encrypted content transmitted between the client and the server.
  • the method further includes: receiving the server The key request message sent by the key manager through the second secure channel, the key request message includes quintuple information of the TLS secure channel, the key request message is used to request the key information, and the quintuple information includes the internet protocol of the client The IP address, the port number of the client, the IP address of the server, the port number of the server, and the transport layer protocol.
  • the server determines the key information, including: the server determines, according to the quintuple information, the TLS secure channel identified by the quintuple information. Key information.
  • the method further includes: determining, by the server, the quintuple information of the TLS security channel, the quintuple The information includes the Internet Protocol IP address of the client, the port number of the client, the IP address of the server, the port number of the server, and the transport layer protocol; the server sends the quintuple information to the key manager.
  • a method for detecting encrypted content is provided, the method being applied to a communication network, the communication network comprising an intermediate box network device, a key manager and a server, wherein the intermediate box network device is located between the client and the server
  • the secure transport layer protocol TLS secure channel includes: a test query message sent by the client receiving server through the TLS secure channel, and the check query message is used to determine whether the client agrees to the intermediate box network device to perform encrypted content detection on the encrypted application data, and encrypts
  • the application data is generated by the client or the server encrypting the application data based on the session key of the TLS secure channel; when the client agrees that the intermediate box network device performs the encrypted content detection on the encrypted application data, the client sends a consent to the server through the TLS secure channel. Detect messages.
  • the security risk can be reduced by performing encrypted content detection in the case of determining that the client agrees to detect encrypted content transmitted between the client and the server.
  • a method for detecting encrypted content is provided, the method being applied to a communication network, the communication network Including the intermediate box network device, key manager, SDN controller and server, the intermediate box network device is located on the secure transport layer protocol TLS secure channel established between the client and the server, and the key manager and the SDN controller are
  • the connection between the SDN controller and the intermediate box network device includes: the SDN controller receives the device request message sent by the key manager, the device request message includes quintuple information of the TLS security channel, and the quintuple information includes the client.
  • SDN controller determines the intermediate box network of the TLS secure channel identified by the quintuple information according to the device request message The device information of the device; the SDN controller sends the device information to the key manager, so that the key manager sends the quintuple information to the intermediate box network device through the first secure channel according to the device information of the intermediate box network device.
  • TLS secure channel key information to enable the intermediate box network device to be based on quintuple information
  • the application data is generated by the client or the server encrypting the application data based on the session key
  • the first secure channel is a secure channel established between the intermediate box network device and the key manager.
  • the intermediate box network device determined by the SDN controller decrypts the encrypted application data, and detects the decrypted application data, so that the detection of the encrypted content is no longer dependent on the TLS proxy.
  • the server is able to reduce the detection complexity and reduce the detection cost.
  • a key manager for performing the method of the first aspect or any possible implementation of the first aspect.
  • the key manager comprises means for performing the method of the first aspect or any of the possible implementations of the first aspect.
  • an intermediate box network device for performing the method of any of the possible implementations of the second aspect or the second aspect.
  • the intermediate box network device comprises means for performing the method of any of the second aspect or any of the possible implementations of the second aspect.
  • a server for performing the method of any of the possible implementations of the third aspect or the third aspect.
  • the server comprises means for performing the method of any of the third or third aspects of the possible implementation.
  • a client for performing the method of any of the possible implementations of the fourth aspect or the fourth aspect.
  • the client comprises means for performing the method of any of the possible implementations of the fourth aspect or the fourth aspect.
  • an SDN controller for performing the method of any of the fifth or fifth possible implementations.
  • the SDN controller comprises means for performing the method of any of the fifth or fifth aspects of the possible implementation.
  • a key manager in an eleventh aspect, includes a receiver, a transmitter, a processor, a memory, and a bus system.
  • the receiver, the transmitter, the processor and the memory are connected by a bus system, the memory is used for storing instructions, and the processor is configured to execute instructions stored in the memory to control the receiver to receive signals and control the transmitter to send signals. And when the processor executes the instructions stored in the memory, causing the processor to perform the method of the first aspect or any possible implementation of the first aspect.
  • an intermediate box network device comprising a receiver, a transmitter, a processor, a memory, and a bus system.
  • the receiver, the transmitter, the processor and the memory are connected by a bus system, the memory is used for storing instructions, and the processor is configured to execute instructions stored in the memory to control the receiver to receive signals and control the transmitter to send signals. And when the processor executes the instructions stored in the memory, causing the processor to execute The method of the second aspect or any possible implementation of the second aspect.
  • a server comprising a receiver, a transmitter, a processor, a memory, and a bus system.
  • the receiver, the transmitter, the processor and the memory are connected by a bus system, the memory is used for storing instructions, and the processor is configured to execute instructions stored in the memory to control the receiver to receive signals and control the transmitter to send signals.
  • the processor executes the instructions stored in the memory, causing the processor to perform the method in any of the possible implementations of the third aspect or the third aspect.
  • a client in a fourteenth aspect, includes a receiver, a transmitter, a processor, a memory, and a bus system.
  • the receiver, the transmitter, the processor and the memory are connected by a bus system, the memory is used for storing instructions, and the processor is configured to execute instructions stored in the memory to control the receiver to receive signals and control the transmitter to send signals.
  • the processor executes the instructions stored in the memory, causing the processor to perform the method in any of the possible implementations of the fourth aspect or the fourth aspect.
  • an SDN controller comprising a receiver, a transmitter, a processor, a memory, and a bus system.
  • the receiver, the transmitter, the processor and the memory are connected by a bus system, the memory is used for storing instructions, and the processor is configured to execute instructions stored in the memory to control the receiver to receive signals and control the transmitter to send signals. And when the processor executes the instructions stored in the memory, causing the processor to perform the method in any of the possible implementations of the fifth aspect or the fifth aspect.
  • the present application provides a computer readable medium for storing a computer program, the computer program comprising instructions for performing the method of the first aspect or any of the possible implementations of the first aspect.
  • the present application provides a computer readable medium for storing a computer program, the computer program comprising instructions for performing the method of any of the second aspect or any of the possible implementations of the second aspect.
  • the application provides a computer readable medium for storing a computer program, the computer program comprising instructions for performing the method of any of the third aspect or any of the possible implementations of the third aspect.
  • the present application provides a computer readable medium for storing a computer program, the computer program comprising instructions for performing the method of any of the fourth aspect or any of the possible implementations of the fourth aspect.
  • the present application provides a computer readable medium for storing a computer program, the computer program comprising instructions for performing the method of any of the fifth or fifth aspects of the possible implementation.
  • FIG. 1 is a method of detecting encrypted content in the prior art.
  • FIG. 2 is a schematic flow chart of a TLS handshake phase flow.
  • FIG. 3 is a schematic block diagram of a system architecture in accordance with an embodiment of the present invention.
  • FIG. 4 is a schematic flowchart of a method for detecting encrypted content according to an embodiment of the present invention.
  • FIG. 5 is a schematic flowchart of a method for detecting encrypted content according to an embodiment of the present invention.
  • FIG. 6 is a schematic flowchart of a method for detecting encrypted content according to another embodiment of the present invention.
  • FIG. 7 is a schematic block diagram of a key manager in accordance with an embodiment of the present invention.
  • FIG. 8 is a schematic block diagram of an intermediate box network device in accordance with an embodiment of the present invention.
  • FIG. 9 is a schematic block diagram of a server in accordance with an embodiment of the present invention.
  • FIG. 10 is a schematic structural diagram of a key manager according to an embodiment of the present invention.
  • FIG. 11 is a schematic structural diagram of an intermediate box network device according to an embodiment of the present invention.
  • FIG. 12 is a schematic structural diagram of a server according to an embodiment of the present invention.
  • Secure Transport Layer Protocol TLS is used to provide confidentiality and data integrity between two communication applications.
  • the basic process of the TLS protocol is: (1) the client requests and verifies the public key from the server; (2) the two parties negotiate to generate a "session key” ("session key” is also called “master key”); (3) Both parties use the "session key” for encrypted communication.
  • the first two steps of the above process are also referred to as the "handshake phase.”
  • One communication application, the process of the handshake phase between the client and the server, is shown in Figure 2.
  • the client sends a client handshake (client_hello) message to the server to start a TLS session.
  • client_hello client handshake
  • the client (usually the browser) first sends a request for encrypted communication to the server, called client_hello.
  • client_hello the server
  • the client mainly provides the following information to the server:
  • Supported protocol versions such as TLS version 1.0.
  • a random number generated by a client which is later used to generate a "session key".
  • the random number generated by the client is referred to as a "first random number” in the following description.
  • the server sends a server handshake (server_hello) message to the client.
  • server_hello server handshake
  • the server handshake message mainly includes the following contents:
  • a server-generated random number which is later used to generate a "session key.”
  • the random number generated by the server is referred to as a "second random number" in the following description.
  • the server sends a digital certificate (certificate) to the client.
  • the server's digital certificate includes the server's public key. After receiving the digital certificate sent by the server, the client authenticates the digital certificate. If the authentication passes, the client will get the server's public key.
  • the server sends a server handshake offline (serve_hello_done) message to the client.
  • the server handshake offline message indicates that the server's Hello message has been sent.
  • the client sends a key exchange (client_key_exchange) message to the server.
  • the key exchange message is encrypted using the server's public key.
  • the key exchange message includes a random number generated by the client. This random number is the third random number in the handshake phase, also known as the "pre-master key.” With the pre-master key, the customer Both the server and the server have three random numbers. Then the two sides use three random numbers as the three independent variables of the pseudo-random function, and each can generate the same "session key" used in this session.
  • the client sends a client finished message to the server.
  • the client completion message includes hash hash values of all the content sent in steps 201-205 for use by the server for verification.
  • the server sends a server completed message to the client.
  • the server After the server receives the third random number of the client, that is, the pre-master key, it calculates the "session key" used to generate the session. Then, send a server completion message to the client.
  • the server completion message includes the hash hash value of all the content sent in steps 201-206, and is used for client verification. At this point, the entire handshake phase is over.
  • the TLS security channel is successfully established, and the client and the server can transmit application data through the TLS secure channel, that is, the client and the server enter the encrypted communication.
  • the client and the server can transmit application data through the TLS secure channel, that is, the client and the server enter the encrypted communication.
  • the other party can decrypt the received encrypted content using the session key.
  • the TLS encrypted content needs to be detected.
  • the solution shown in FIG. 1 adopted by the prior art needs to rely on a TLS proxy server, which causes a problem of high detection complexity and high cost.
  • an embodiment of the present invention provides a method for detecting encrypted content, which does not need to rely on a TLS proxy server, thereby reducing detection complexity and reducing detection cost.
  • the method for detecting encrypted content in the embodiment of the present invention can be applied to a communication network, for example, a data center network DCN, a Wide Area Network (WAN), or the like.
  • a communication network for example, a data center network DCN, a Wide Area Network (WAN), or the like.
  • the embodiment of the present invention takes the communication network as the data center network DCN as an example, and combines the system structure shown in FIG. 3 to specifically describe the method for detecting the encrypted content according to the embodiment of the present invention.
  • the system architecture includes a data center network DCN 300 and a client 310.
  • the DCN 300 includes a server 320, an SDN controller 330, a key manager 340, and an intermediate box network device 350.
  • the SDN controller 330 and the key manager 340 are two logically separate components, and the physical key manager 340 may be a part of the SDN controller 330 or may be a separate device.
  • the method for detecting encrypted content according to an embodiment of the present invention is mainly described by using the key manager 340 and the SDN controller 330 as two independent devices.
  • the key manager 340 and the SDN controller 330 are two independent devices, the key manager 340 and the SDN controller 330 are connected, for example, through a Transmission Control Protocol (Transmission Control Protocol, The TCP) connection, or through a User Datagram Protocol (UDP) connection, is connected between the SDN controller 330 and the intermediate box network device 350 (e.g., via a TCP connection or a UDP connection).
  • TCP Transmission Control Protocol
  • UDP User Datagram Protocol
  • the client 310 and the server 320 are two endpoints of a TLS session for accessing a service, and communicate by establishing a TLS secure channel.
  • Key manager 340 is responsible for centralized management of TLS session parameters (eg, quintuple information) and key parameters (eg, first random number, second random number, pre-master key, and pseudo-random function, or session key) .
  • DCN 300 can include a plurality of intermediate box network devices 350, such as FW, IDS, IPS, and the like.
  • the middle box network device 350 is on the TLS secure channel.
  • the middle box network device 350 can acquire the communication content between the client 310 and the server 320 (including the plaintext in the handshake phase and the encrypted content encrypted by the public key and the encrypted content after the handshake phase is completed), and is responsible for detecting the encrypted content.
  • SDN control The device 330 provides device information to the key manager 340, i.e., informs the key manager 340 which intermediate box network devices 350 traversed on the TLS secure channel need to detect the encrypted content.
  • the key manager 340 establishes a first secure channel between each of the intermediate box network devices 350 that needs to detect the encrypted content for transmitting the TLS session parameters and the secret between the key manager 340 and the intermediate box network device 350. Key parameters, etc.
  • the first secure channel may be a TLS secure channel, a Datagram Transport Layer Security (DTLS) secure channel, or the like.
  • a second secure channel is established between the key manager 340 and the server 320 for transmitting TLS session parameters and key parameters and the like between the key manager 340 and the server 320.
  • the second secure channel can be a TLS secure channel, a DTLS secure channel, or the like.
  • the process of establishing the first safety channel and the second safety channel may refer to the method shown in FIG. 2, which will not be described in detail herein for brevity.
  • the description of the encrypted content detection in the embodiment of the present invention indicates that the encrypted application data is decrypted and the decrypted application data is detected.
  • FIG. 4 A method of detecting encrypted content according to an embodiment of the present invention will be described in detail below with reference to FIGS. 3 and 4. It should be understood that each of the execution bodies in FIG. 4 may correspond to the respective devices shown in FIG.
  • IPS, IDS, DDoS, etc. all need to perform encrypted content detection
  • FIG. 4 only Take an intermediate box network device as an example for description.
  • Other intermediate box network devices that need to perform encrypted content detection on encrypted application data transmitted over the TLS secure channel may refer to the description of the intermediate box network device shown in FIG. 4, which will not be described in detail below.
  • the key manager obtains key information of the TLS secure channel.
  • the TLS secure channel may be the TLS secure channel shown in FIG.
  • the key information may include a first random number, a second random number, a pre-master key, and a pseudo-random function.
  • first random number a first random number
  • second random number a second random number
  • pre-master key a pre-master key
  • pseudo-random function a pseudo-random function
  • the key information may include a session key.
  • the session key may refer to the existing protocol or the description of FIG. 2 above, and for brevity, no further details are provided herein.
  • the key information may be sent by the server to the key manager, or may be stored before the key manager.
  • the key manager may acquire the TLS secure channel key information from the server, and obtain the obtained secret. The key information is sent to the intermediate box network device. At the same time, the key manager can also store the key information of the TLS secure channel locally. Then, when other intermediate box network devices also need to perform encrypted content detection on the encrypted application data transmitted through the TLS secure channel, the key manager can directly send the previously stored TLS secure channel key to the intermediate box network devices. Information, no need to request it from the server.
  • the method may further include: the server sending the detection query message to the client through the TLS secure channel, The detection query message is used to determine whether the client agrees to the intermediate box network device to add the encrypted application data.
  • the confidential content detection the server receives the consent detection message sent by the client for the feedback of the detection query message, and the consent detection message is used to instruct the client to agree to the intermediate box network device to perform the encrypted content detection on the encrypted application data.
  • the server first asks the client whether to agree to the intermediate box network device to perform encrypted content detection on the encrypted application data. If the client agrees that the intermediate box network device performs encrypted content detection on the encrypted application data, the server can only send the key manager to the key manager. Send key information. If the client does not agree that the intermediate box network device detects the encrypted application data, the server does not send the key information to the key manager, or informs the key manager that the server cannot provide the key information to the key manager.
  • the key manager sends the key information to the intermediate box network device through the first secure channel.
  • first safety channel may be the first safety channel shown in FIG.
  • the encrypted application data is transmitted between the client and the server through the TLS secure channel.
  • the sender When the application data is transmitted between the client and the server through the TLS secure channel, the sender encrypts the application data by using the session key, and generates encrypted application data for transmission.
  • the intermediate box network device obtains the encrypted application data according to the quintuple information of the TLS secure channel.
  • the intermediate box network device can obtain the quintuple information of the TLS secure channel.
  • the quintuple information uniquely identifies the TLS secure channel.
  • the quintuple information includes the client's Internet Protocol IP address, the client's port number, the server's IP address, the server's port number, and the transport layer protocol.
  • the intermediate box network device can obtain the encrypted application data transmitted through the TLS through the quintuple information.
  • the intermediate box network device decrypts the encrypted application data by using a session key corresponding to the key information, and detects the decrypted application data.
  • the key information sent by the key manager to the intermediate box network device includes a first random number, a second random number, a pre-master key, and a pseudo-random function, then before 403
  • the intermediate box network device may generate a session key according to the first random number, the second random number, the pre-master key, and the pseudo-random function sent by the key manager.
  • the intermediate box network device may calculate the session key by using the first random number, the second random number, and the pre-master key sent by the key manager as three independent variables of a pseudo-random function.
  • the intermediate box network device obtains the encrypted application data according to the quintuple information, and may use the session key previously obtained by the calculation to encrypt the data.
  • the application data is decrypted and the decrypted application data is detected.
  • the session key corresponding to the key information refers to a session key generated based on the first random number, the second random number, the pre-master key, and the pseudo-random function included in the key information.
  • the first random number, the second random number, the pre-master key, and the pseudo-random function transmitted by the key manager to the intermediate box network device may be received from the server.
  • the second case is that the key information sent by the key manager to the intermediate box network device includes a session key.
  • the session key corresponding to the key information refers to the session key included in the key information, and the intermediate box network device can directly adopt the session secret after acquiring the encrypted application data according to the quintuple information.
  • the key decrypts the encrypted application data and detects the decrypted application data.
  • the session key sent by the key manager to the middle box network device may be received from the server, or may be based on the first random number received from the server, Generated by two random numbers, pre-master keys, and pseudo-random functions.
  • the DCN can control to stop transmitting the encrypted application data.
  • the DCN can control that the subsequent application data to be transmitted is no longer transmitted.
  • the method for detecting encrypted content in the embodiment of the present invention decrypts the encrypted application data through the intermediate box network device, and detects the decrypted application data, so that the detection of the encrypted content does not depend on the TLS proxy server, thereby It can reduce the detection complexity and reduce the detection cost.
  • FIG. 5 is a schematic flowchart of a method for detecting encrypted content according to an embodiment of the present invention.
  • the intermediate box network device 1 to the intermediate box network device N shown in FIG. 5 are N intermediate box network devices that need to perform encrypted content detection on encrypted application data transmitted through the TLS secure channel.
  • the intermediate box network device that needs to perform encrypted content detection on the encrypted application data transmitted by a certain TLS secure channel may be one or more.
  • the server sends a detection inquiry message to the client.
  • the server sends a detection query message to the client through the TLS secure channel to determine whether the client agrees to the intermediate box network device to perform encrypted content detection on the encrypted application data.
  • the encrypted application data is generated by the client or server encrypting the application data based on the session key.
  • the second safety channel may be the second safety channel shown in FIG.
  • the client sends an consent detection message to the server.
  • the client After receiving the detection query message, the client, if it agrees to the intermediate box network device performing the encrypted content detection on the encrypted application data, responds to the consent detection message.
  • the server sends session information to the key manager.
  • the server may actively provide the session information to the key manager through the second secure channel.
  • the session information may be directly sent to the key manager without asking the client's opinion.
  • the session information may include key information and quintuple information.
  • the specific content of the key information and the quintuple information may refer to the key information in step 401 and the description of the quintuple information in step 404, respectively, and are not described herein again for brevity.
  • the key manager obtains key information.
  • the key manager may obtain key information in the session information.
  • the key manager determines the intermediate box network device according to the quintuple information.
  • the key manager determines an intermediate box network device that passes through the TLS secure channel identified by the quintuple information.
  • the key manager may be a module of the SDN controller, or may be a device independent of the SDN controller.
  • the SDN controller is configured to control a path for transmitting data between the client and the server.
  • the forwarding device receives the first packet in the handshake phase between the client and the server, and reports the packet to the SDN controller.
  • the SDN controller can determine the packet according to the information in the packet. It belongs to the server, and can further determine the intermediate network device that the subsequent application data needs to pass and the intermediate network device that needs to detect the encrypted content.
  • the SDN controller stores a mapping relationship between the quintuple information and the intermediate box network device, and the mapping relationship represents a correspondence between the quintuple information and the intermediate network device that detects the encrypted content.
  • the key manager is a module of the SDN controller, it is clear that the key manager can directly determine the intermediate box network device.
  • the key manager may specifically include the following steps when determining the intermediate box network device:
  • the key manager sends a device request message to the SDN controller, where the device request message includes quintuple information, and the device request message is used to request device information of the intermediate box network device of the TLS secure channel identified by the quintuple information.
  • the device information of the intermediate box network device may specifically include an IP address of the intermediate box network device.
  • the key manager receives device information sent by the SDN controller according to the device request message.
  • the key manager sends a device request message to the SDN controller to determine an intermediate box network device that needs to perform encrypted content detection on the encrypted application data.
  • the SDN controller may determine the device information requested by the key manager according to the stored mapping relationship between the quintuple information and the intermediate box network device.
  • the SDN controller sends information to the key manager.
  • the key manager can determine the N intermediate box network devices according to the device information.
  • the key manager sends session information to the intermediate box network device.
  • the key manager sends session information to the N intermediate box network devices through the N first secure channels, and informs the N intermediate box network device servers of the quintuple information and the key information.
  • the intermediate box network device acquires a session key according to the key information.
  • the key manager sets the first random number, the second random number, and the pre-master The key is used as the three independent variables of the pseudo-random function to calculate the session key.
  • the key manager extracts the session key directly from the session information.
  • the encrypted application data is transmitted between the client and the server through a TLS secure channel.
  • the intermediate box network device obtains the encrypted application data according to the quintuple information.
  • the intermediate box network device decrypts the encrypted application data by using the session key, and detects the decrypted application data.
  • steps 510-512 may refer to steps 403-405 in the method shown in FIG. 4, which will not be described in detail herein for brevity.
  • the method for detecting encrypted content in the embodiment of the present invention decrypts the encrypted application data through the intermediate box network device, and detects the decrypted application data, so that the detection of the encrypted content does not depend on the TLS proxy server, thereby being able to reduce The complexity is detected and the cost of detection can be reduced.
  • FIG. 6 is a schematic flowchart of a method for detecting encrypted content according to another embodiment of the present invention.
  • the intermediate box network device 1 to the intermediate box network device N shown in FIG. 6 are N intermediate box network devices that need to perform encrypted content detection on encrypted application data transmitted through the TLS secure channel.
  • the intermediate box network device that needs to perform encrypted content detection on the encrypted application data transmitted by a certain TLS secure channel may be one or more.
  • the intermediate box network device sends a first key request message to the key manager.
  • the key request message includes quintuple information for the TLS secure channel.
  • quintuple information for the TLS secure channel.
  • the middle box network device can detect that the TLS secure channel is established between the client and the server, and the quintuple information can be obtained.
  • the quintuple information can be carried by the first key request message.
  • the key information can be requested to obtain a session key by sending a first key request message to the key manager.
  • the key manager checks whether it stores the key information corresponding to the quintuple information. If the key manager has stored the key information, step 607 may be performed to transmit the key information to the intermediate box network device. If the key manager does not store the key information, step 602 may be performed.
  • the key manager sends a second key request message to the server.
  • the second key request message includes quintuple information.
  • the key manager sends a second key request message to the server through the second secure channel to request the key information.
  • the server sends a detection inquiry message to the client.
  • the server may send a detection inquiry message to the client to ask whether the client agrees to the intermediate box network device to perform encrypted content detection on the encrypted application data.
  • the encrypted application data is generated by the client or server encrypting the application data based on the session key.
  • the server may directly execute step 605 without inquiring the client's opinion.
  • the client sends an consent detection message to the server.
  • the client After receiving the detection query message, the client, if it agrees to the intermediate box network device performing the encrypted content detection on the encrypted application data, responds to the consent detection message.
  • the server determines key information.
  • the server may determine the key information required by the key manager according to the quintuple information in the second key request message. This key information is obtained by the server during the handshake phase of establishing a TLS secure channel.
  • the server sends the key information to the key manager through the second secure channel.
  • the server may further send the quintuple information to the key manager, where the key information and the quintuple may be carried in the same message (such as the second).
  • the key message is sent to the key manager, and the key manager receives the message to know that the key information carried in the message is the five-element The key information corresponding to the group information.
  • the server may not send the quintuple information to the key manager, and may send the response information corresponding to the second key request message by sending the key information, correspondingly,
  • the key manager may determine, according to the correspondence between the second key request message and the response message, that the key information is key information corresponding to the quintuple information included in the second key request message.
  • the key manager sends the key information to the intermediate box network device.
  • the key manager sends the received key information to the intermediate box network device through the first secure channel.
  • the key manager may further send the quintuple information to the intermediate box network device, where the key information and the quintuple may be carried in the same message.
  • the intermediate message network device is sent to the intermediate box network device, and the intermediate box network device receives the message to learn that the key information carried in the message is The key information corresponding to the quintuple information.
  • the key manager may also not send the quintuple information to the intermediate box network device, and may send the response information corresponding to the first key request message by sending the key information, correspondingly Ground
  • the intermediate box network device may determine, according to the correspondence between the first key request message and the response message, that the key information is key information corresponding to the quintuple information included in the first key request message.
  • the intermediate box network device acquires a session key according to the key information.
  • the key manager uses the first random number, the second random number, and the pre-master key as pseudo
  • the three independent variables of the random function are calculated by the session key.
  • the key manager extracts the session key directly from the session information.
  • the encrypted application data is transmitted between the client and the server through the TLS secure channel.
  • the middle box network device obtains the encrypted application data according to the quintuple information.
  • the intermediate box network device decrypts the encrypted application data by using a session key, and detects the decrypted application data.
  • steps 609-611 can refer to steps 403-405 in the method shown in FIG. 4, which will not be described in detail herein for brevity.
  • the method for detecting encrypted content in the embodiment of the present invention decrypts the encrypted application data through the intermediate box network device, and detects the decrypted application data, so that the detection of the encrypted content does not depend on the TLS proxy server, thereby being able to reduce The complexity is detected and the cost of detection can be reduced.
  • FIG. 7 is a schematic block diagram of a key manager 700 in accordance with an embodiment of the present invention. As shown in FIG. 7, the key manager 700 includes an obtaining unit 710 and a transmitting unit 720.
  • the obtaining unit 710 is configured to obtain key information of a secure transport layer protocol TLS secure channel, where the TLS secure channel is a secure channel established between the client and the server.
  • the sending unit 720 is configured to send, by using the first secure channel, the key information acquired by the acquiring unit 710 to the intermediate box network device, so that the intermediate box network device adopts a session key corresponding to the key information.
  • Decrypting encrypted application data transmitted over the TLS secure channel and detecting the decrypted application data, wherein the encrypted application data is based on the session key pair by the client or the server The intermediate box network device is located on the TLS secure channel, and the first secure channel is a secure channel established between the key manager and the box network device.
  • the units of the key manager 700 and the other operations or functions described above in accordance with an embodiment of the present invention are respectively implemented in order to implement the respective flows performed by the key manager in the methods illustrated in FIGS. 4-6. For the sake of brevity, it will not be repeated here.
  • the key manager of the embodiment of the present invention enables the intermediate box network device to decrypt the encrypted application data by using the session key corresponding to the key information by providing key information to the intermediate box network device, and decrypting The subsequent application data is detected, so that the detection of the encrypted content is no longer dependent on the TLS proxy server, thereby reducing the detection complexity and reducing the detection cost.
  • FIG. 8 is a schematic block diagram of an intermediate box network device 800 in accordance with an embodiment of the present invention. As shown in FIG. 8, the intermediate box network device 800 includes a receiving unit 810, an obtaining unit 820, and a decryption detecting unit 830.
  • the receiving unit 810 is configured to receive, by using the first secure channel, key information of the TLS secure channel sent by the key manager, where the first secure channel is the intermediate box network device and the key manager A secure channel established between.
  • the obtaining unit 820 is configured to acquire, according to the quintuple information of the TLS secure channel, encrypted application data transmitted by using the TLS secure channel, where the quintuple information includes an internet protocol IP address of the client, and the guest a port number of the client, an IP address of the server, a port number of the server, a transport layer protocol, and the encrypted application data is a session key corresponding to the key information by the client or the server Generated by applying data encryption.
  • the decryption detecting unit 830 is configured to decrypt the encrypted application data by using the session key, and detect the decrypted application data.
  • the units of the intermediate box network device 800 and the other operations or functions described above in accordance with embodiments of the present invention are respectively configured to implement the respective processes performed by the intermediate box network device in the methods illustrated in FIGS. 4-6. For the sake of brevity, it will not be repeated here.
  • the intermediate box network device in the embodiment of the present invention decrypts the encrypted application data and detects the decrypted application data, so that the detection of the encrypted content does not depend on the TLS proxy server, thereby reducing detection complexity. Degree, and can reduce the cost of testing.
  • FIG. 9 is a schematic block diagram of a server 900 in accordance with an embodiment of the present invention. As shown in FIG. 9, the server 900 includes a determining unit 910 and a transmitting unit 920.
  • the determining unit 910 is configured to determine key information of a secure transport layer protocol TLS secure channel established between the client and the server.
  • the sending unit 920 is configured to send, by using the second secure channel, the key information determined by the determining unit 910 to the key manager, so that the key manager is located in the TLS secure channel through the first secure channel.
  • the intermediate box network device transmits the key information to enable the intermediate box network device to decrypt the encrypted application data transmitted through the TLS secure channel by using a session key corresponding to the key information, and
  • the decrypted application data is detected, wherein the encrypted application data is generated by the client or the server encrypting application data based on the session key, and the first secure channel is the key A secure channel established between the manager and the intermediate box network device, the second secure channel being a secure channel established between the key manager and the server.
  • the units of the server 900 and the other operations or functions described above in accordance with an embodiment of the present invention respectively implement the respective flows performed by the server 900 in the methods illustrated in FIGS. 4-6. For the sake of brevity, it will not be repeated here.
  • the server of the embodiment of the present invention by providing key information to the intermediate box network device to the key manager, enables the intermediate box network device to decrypt the encrypted application data by using the session key corresponding to the key information.
  • the decrypted application data is detected, so that the detection of the encrypted content is no longer dependent on the TLS proxy server, thereby reducing the detection complexity and reducing the detection cost.
  • the embodiment of the invention further provides a client, which includes a receiving unit and a sending unit.
  • a receiving unit configured to detect, by using a secure transport layer protocol TLS secure channel established between the client and the server, the check query message is used to determine whether the client agrees to the intermediate box network device to perform encrypted content detection on the encrypted application,
  • the encrypted application data is generated by the client or server encrypting the application data based on the session key of the TLS secure channel.
  • the sending unit is configured to: when the client agrees that the intermediate box network device performs the encrypted content detection on the encrypted application data, sends the consent detection message to the server through the TLS secure channel.
  • the security risk can be reduced by performing the encrypted content detection in the case of determining that the client agrees to detect the encrypted content transmitted between the client and the server.
  • An embodiment of the present invention further provides an SDN controller, where the SDN controller includes a receiving unit, a determining unit, and a sending unit.
  • a receiving unit configured to receive a device request message sent by the key manager, where the device request message includes quintuple information of a secure transport layer protocol TLS secure channel established between the client and the server, where the quintuple information includes an internet protocol of the client IP address, client port number, server IP address, server port number, transport layer protocol.
  • a determining unit configured to determine, according to the device request message, device information of the intermediate box network device that passes through the TLS secure channel identified by the quintuple information.
  • a sending unit configured to send device information to the key manager, so that the key manager sends the quintuple information and the TLS secure channel to the intermediate box network device through the first secure channel according to the device information of the intermediate box network device.
  • Key information so that the intermediate box network device acquires encrypted application data transmitted between the client and the server through the TLS secure channel according to the quintuple information, and uses the session key corresponding to the key information to perform the encrypted application data.
  • Decrypting and detecting the decrypted application data wherein the encrypted application data is generated by the client or the server encrypting the application data based on the session key, and the first secure channel is between the intermediate box network device and the key manager. Established a secure channel.
  • the intermediate box network device determined by the SDN controller decrypts the encrypted application data, and detects the decrypted application data, so that the detection of the encrypted content does not depend on the TLS proxy server, thereby reducing detection complexity. Degree, and can reduce the cost of testing.
  • the method for detecting encrypted content according to an embodiment of the present invention is described in detail above with reference to FIG. 1 to FIG. 6.
  • the following describes a key manager, an intermediate box network device, and a server according to an embodiment of the present invention with reference to FIGS. 10 through 12. .
  • FIG. 10 is a schematic block diagram of a key manager 1000 in accordance with an embodiment of the present invention.
  • the key manager 1000 includes a receiver 1010, a transmitter 1020, a processor 1030, a memory 1040, and a bus system 1050.
  • the receiver 1010, the transmitter 1020, the processor 1030, and the memory 1040 are connected by a bus system 1050 for storing instructions for executing the instructions stored by the memory 1040 to control the receiver 1010 to receive.
  • Signaling and controlling the transmitter 1020 to send a signal wherein
  • the processor 1030 is configured to obtain key information of a secure transport layer protocol TLS secure channel, where the TLS secure channel is a secure channel established between the client and the server;
  • the transmitter 1020 is configured to send, by using the first secure channel, the key information acquired by the processor 1030 to the intermediate box network device, so that the intermediate box network device adopts a session key corresponding to the key information.
  • the intermediate box network device is located on the TLS secure channel, and the first secure channel is a secure channel established between the key manager and the box network device.
  • the processor 1030 may be a central processing unit (“CPU"), and the processor 1030 may also be other general-purpose processors, digital signal processors (DSPs). , an application specific integrated circuit (ASIC), an off-the-shelf programmable gate array (FPGA) or other programmable logic device, discrete gate or transistor logic device, discrete hardware component, and the like.
  • the general purpose processor may be a microprocessor or the processor or any conventional processor or the like.
  • the memory 1040 can include read only memory and random access memory and provides instructions and data to the processor 1030.
  • a portion of the memory 1040 may also include a non-volatile random access memory.
  • the memory 1040 may also store information of a mapping relationship between the quintuple information and the key information.
  • the bus system 1050 may include a power bus, a control bus, a status signal bus, and the like in addition to the data bus. However, for clarity of description, various buses are labeled as bus system 1050 in the figure.
  • each step of the above method may be completed by an integrated logic circuit of hardware in the processor 1030 or an instruction in a form of software.
  • the steps of the method for detecting the encrypted content disclosed in the embodiment of the present invention may be directly implemented by the hardware processor, or may be performed by a combination of hardware and software modules in the processor.
  • the software module can be located in a conventional storage medium such as random access memory, flash memory, read only memory, programmable read only memory or electrically erasable programmable memory, registers, and the like.
  • the storage medium is located in the memory 1040, and the processor 1030 reads the information in the memory 1040 and performs the steps of the above method in combination with its hardware. To avoid repetition, it will not be described in detail here.
  • the units of the key manager 1000 and the other operations or functions described above in accordance with an embodiment of the present invention respectively implement respective flows executed by the key manager in the methods illustrated in FIGS. 4 through 6. For the sake of brevity, it will not be repeated here.
  • the key manager of the embodiment of the present invention enables the intermediate box network device to decrypt the encrypted application data by using the session key corresponding to the key information by providing key information to the intermediate box network device, and decrypting The latter content is detected, so that the detection of the encrypted content is no longer dependent on the TLS proxy server, thereby reducing the detection complexity and reducing the detection cost.
  • the intermediate box network device 1100 includes a receiver 1110, a transmitter 1120, a processor 1130, a memory 1140, and a bus system 1150.
  • the receiver 1110, the transmitter 1120, the processor 1130, and the memory 1140 are connected by a bus system 1150.
  • the memory 1140 is configured to store instructions for executing the instructions stored by the memory 1140 to control the receiver 1110 to receive. Signaling and controlling the transmitter 1120 to send a signal, wherein
  • a receiver 1110 configured to receive, by using a first secure channel, key information of the TLS secure channel sent by a key manager, where the first secure channel is the intermediate box network device and the key manager A secure channel established between.
  • the processor 1130 is configured to acquire, according to the quintuple information of the TLS secure channel, encrypted application data transmitted by using the TLS secure channel, where the quintuple information includes an internet protocol IP address of the client, the client a port number of the port, an IP address of the server, a port number of the server, a transport layer protocol, the encrypted application data is a session key pair corresponding to the key information by the client or the server Application data encryption generated.
  • the processor 1130 is further configured to decrypt the encrypted application data by using the session key, and detect the decrypted application data.
  • the processor 1130 may be a central processing unit (“CPU"), and the processor 1130 may also be other general-purpose processors, digital signal processors (DSPs). , an application specific integrated circuit (ASIC), an off-the-shelf programmable gate array (FPGA) or other programmable logic device, discrete gate or transistor logic device, discrete hardware component, and the like.
  • the general purpose processor may be a microprocessor or the processor or any conventional processor or the like.
  • the memory 1140 can include read only memory and random access memory and provides instructions and data to the processor 1130. A portion of the memory 1140 can also include a non-volatile random access memory.
  • the bus system 1150 may include a power bus, a control bus, a status signal bus, and the like in addition to the data bus. However, for clarity of description, various buses are labeled as bus system 1150 in the figure.
  • each step of the above method may be through an integrated logic circuit of hardware in the processor 1130 or The instructions in the form of software are completed.
  • the steps of the method for detecting the encrypted content disclosed in the embodiment of the present invention may be directly implemented by the hardware processor, or may be performed by a combination of hardware and software modules in the processor.
  • the software module can be located in a conventional storage medium such as random access memory, flash memory, read only memory, programmable read only memory or electrically erasable programmable memory, registers, and the like.
  • the storage medium is located in the memory 1140, and the processor 1130 reads the information in the memory 1140 and completes the steps of the above method in combination with its hardware. To avoid repetition, it will not be described in detail here.
  • the units of the intermediate box network device 1100 and the other operations or functions described above in accordance with embodiments of the present invention are respectively configured to implement the respective processes performed by the intermediate box network device in the methods illustrated in FIGS. 4-6. For the sake of brevity, it will not be repeated here.
  • the intermediate box network device in the embodiment of the present invention decrypts the encrypted application data and detects the decrypted content, so that the detection of the encrypted content does not depend on the TLS proxy server, thereby reducing the detection complexity. And can reduce the cost of testing.
  • FIG. 12 is a schematic block diagram of a server 1200 in accordance with an embodiment of the present invention.
  • the server 1200 includes a receiver 1210, a transmitter 1220, a processor 1230, a memory 1240, and a bus system 1250.
  • the receiver 1210, the transmitter 1220, the processor 1230, and the memory 1240 are connected by a bus system 1250 for storing instructions for executing the instructions stored by the memory 1240 to control the receiver 1210 to receive.
  • Signaling and controlling the transmitter 1220 to send a signal wherein
  • the processor 1230 is configured to determine key information of a secure transport layer protocol TLS secure channel established between the client and the server.
  • the sender 1220 is configured to send, by using the second secure channel, the key information determined by the processor 1230 to the key manager, so that the key manager is located in the TLS secure channel through the first secure channel.
  • the intermediate box network device transmits the key information to enable the intermediate box network device to decrypt the encrypted application data transmitted through the TLS secure channel by using a session key corresponding to the key information, and
  • the decrypted application data is detected, wherein the encrypted application data is generated by the client or the server encrypting application data based on the session key, and the first secure channel is the key A secure channel established between the manager and the intermediate box network device, the second secure channel being a secure channel established between the key manager and the server.
  • the processor 1230 may be a central processing unit (“CPU"), and the processor 1230 may also be other general-purpose processors, digital signal processors (DSPs). , an application specific integrated circuit (ASIC), an off-the-shelf programmable gate array (FPGA) or other programmable logic device, discrete gate or transistor logic device, discrete hardware component, and the like.
  • the general purpose processor may be a microprocessor or the processor or any conventional processor or the like.
  • the memory 1240 can include read only memory and random access memory and provides instructions and data to the processor 1230. A portion of the memory 1240 may also include a non-volatile random access memory.
  • the bus system 1250 may include a power bus, a control bus, a status signal bus, and the like in addition to the data bus. However, for clarity of description, various buses are labeled as bus system 1250 in the figure.
  • each step of the above method may be completed by an integrated logic circuit of hardware in the processor 1230 or an instruction in a form of software.
  • the steps of the method for detecting the encrypted content disclosed in the embodiment of the present invention may be directly implemented by the hardware processor, or may be performed by a combination of hardware and software modules in the processor.
  • Software modules can be located in random access memory, flash memory, read-only memory, programmable read-only memory or electrically erasable programmable Memory, registers, etc. are well-known in the storage medium.
  • the storage medium is located in the memory 1240, and the processor 1230 reads the information in the memory 1240 and, in conjunction with its hardware, performs the steps of the above method. To avoid repetition, it will not be described in detail here.
  • the units of the server 1200 and the other operations or functions described above in accordance with an embodiment of the present invention are respectively configured to implement the respective processes executed by the server in the methods illustrated in FIGS. 4-6. For the sake of brevity, it will not be repeated here.
  • the server of the embodiment of the present invention by providing key information to the intermediate box network device to the key manager, enables the intermediate box network device to decrypt the encrypted application data by using the session key corresponding to the key information.
  • the decrypted content is detected, so that the detection of the encrypted content is no longer dependent on the TLS proxy server, thereby reducing the detection complexity and reducing the detection cost.
  • the embodiment of the invention further provides a client, which comprises a receiver, a transmitter, a processor, a memory and a bus system.
  • a client which comprises a receiver, a transmitter, a processor, a memory and a bus system.
  • the receiver, the transmitter, the processor and the memory are connected by a bus system for storing instructions for executing instructions stored in the memory to control the receiver to receive signals and controlling the transmitter to transmit signals, wherein ,
  • a receiver configured to detect a query message sent by a secure transport layer protocol TLS secure channel established between the client and the server, and the check query message is used to determine whether the client agrees to the intermediate box network device to perform encrypted content detection on the encrypted application data.
  • the encrypted application data is generated by the client or the server encrypting the application data based on the session key of the TLS secure channel.
  • the transmitter is configured to send an consent detection message to the server through the TLS secure channel when the client agrees that the intermediate box network device performs the encrypted content detection on the encrypted application data.
  • the processor may be a central processing unit (“CPU"), and the processor may also be other general-purpose processors, digital signal processors (DSPs), and dedicated processors. Integrated circuit (ASIC), off-the-shelf programmable gate array (FPGA) or other programmable logic device, discrete gate or transistor logic device, discrete hardware component, etc.
  • the general purpose processor may be a microprocessor or the processor or any conventional processor or the like.
  • the memory can include read only memory and random access memory and provides instructions and data to the processor.
  • a portion of the memory may also include a non-volatile random access memory.
  • the bus system may include a power bus, a control bus, and a status signal bus in addition to the data bus.
  • a power bus may include a power bus, a control bus, and a status signal bus in addition to the data bus.
  • the various buses are labeled as bus systems in the figure.
  • each step of the above method may be completed by an integrated logic circuit of hardware in a processor or an instruction in a form of software.
  • the steps of the method for detecting the encrypted content disclosed in the embodiment of the present invention may be directly implemented by the hardware processor, or may be performed by a combination of hardware and software modules in the processor.
  • the software module can be located in a conventional storage medium such as random access memory, flash memory, read only memory, programmable read only memory or electrically erasable programmable memory, registers, and the like.
  • the storage medium is located in the memory, and the processor reads the information in the memory and combines the hardware to complete the steps of the above method. To avoid repetition, it will not be described in detail here.
  • the security risk can be reduced by performing encrypted content detection in the case of determining that the client agrees to detect encrypted content transmitted between the client and the server.
  • Embodiments of the present invention also provide an SDN controller including a receiver, a transmitter, a processor, a memory, and a bus system. Wherein the receiver, the transmitter, the processor and the memory are connected by a bus system.
  • the memory is configured to store instructions for executing instructions stored in the memory to control a receiver to receive signals and to control a transmitter to transmit signals, wherein
  • the receiver is configured to receive a device request message sent by the key manager, where the device request message includes quintuple information of a secure transport layer protocol TLS secure channel established between the client and the server, and the quintuple information includes an internet protocol of the client.
  • the IP address, the port number of the client, the IP address of the server, the port number of the server, the transport layer protocol, and the device information request message are used to request device information of the intermediate box network device of the TLS secure channel identified by the quintuple information.
  • a processor configured to determine, according to the device request message, device information of the intermediate box network device that passes through the TLS secure channel identified by the quintuple information.
  • a transmitter configured to send device information to the key manager, so that the key manager sends the quintuple information and the TLS secure channel to the intermediate box network device through the first secure channel according to the device information of the intermediate box network device.
  • Key information so that the intermediate box network device acquires encrypted application data transmitted between the client and the server through the TLS secure channel according to the quintuple information, and uses the session key corresponding to the key information to perform the encrypted application data.
  • Decrypting and detecting the decrypted application data wherein the encrypted application data is generated by the client or the server encrypting the application data based on the session key, and the first secure channel is between the intermediate box network device and the key manager. Established a secure channel.
  • the processor may be a central processing unit (“CPU"), and the processor may also be other general-purpose processors, digital signal processors (DSPs), and dedicated processors. Integrated circuit (ASIC), off-the-shelf programmable gate array (FPGA) or other programmable logic device, discrete gate or transistor logic device, discrete hardware component, etc.
  • the general purpose processor may be a microprocessor or the processor or any conventional processor or the like.
  • the memory can include read only memory and random access memory and provides instructions and data to the processor.
  • a portion of the memory may also include a non-volatile random access memory.
  • the bus system may include a power bus, a control bus, and a status signal bus in addition to the data bus.
  • a power bus may include a power bus, a control bus, and a status signal bus in addition to the data bus.
  • the various buses are labeled as bus systems in the figure.
  • each step of the above method may be completed by an integrated logic circuit of hardware in a processor or an instruction in a form of software.
  • the steps of the method for detecting the encrypted content disclosed in the embodiment of the present invention may be directly implemented by the hardware processor, or may be performed by a combination of hardware and software modules in the processor.
  • the software module can be located in a conventional storage medium such as random access memory, flash memory, read only memory, programmable read only memory or electrically erasable programmable memory, registers, and the like.
  • the storage medium is located in the memory, and the processor reads the information in the memory and combines the hardware to complete the steps of the above method. To avoid repetition, it will not be described in detail here.
  • the units of the SDN controller and the other operations or functions described above in accordance with embodiments of the present invention are respectively implemented to implement the respective processes performed by the SDN controller in the methods illustrated in FIGS. 4-6. For the sake of brevity, it will not be repeated here.
  • the intermediate box network device determined by the SDN controller decrypts the encrypted application data, and detects the decrypted application data, so that the detection of the encrypted content does not depend on the TLS proxy server, thereby reducing detection complexity. Degree, and can reduce the cost of testing.
  • the disclosed systems, devices, and methods may be implemented in other manners.
  • the device embodiments described above are merely illustrative.
  • the division of the unit is only a logical function division.
  • there may be another division manner for example, multiple units or components may be combined or Can be integrated into another system, or some features can be ignored or not executed.
  • the mutual coupling or direct coupling or communication connection shown or discussed may be an indirect coupling or communication connection through some interface, device or unit, and may be in an electrical, mechanical or other form.
  • the units described as separate components may or may not be physically separated, and the components displayed as units may or may not be physical units, that is, may be located in one place, or may be distributed to multiple network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of the embodiment.
  • each functional unit in each embodiment of the present invention may be integrated into one processing unit, or each unit may exist physically separately, or two or more units may be integrated into one unit.
  • the functions may be stored in a computer readable storage medium if implemented in the form of a software functional unit and sold or used as a standalone product.
  • the technical solution of the present invention which is essential or contributes to the prior art, or a part of the technical solution, may be embodied in the form of a software product, which is stored in a storage medium, including
  • the instructions are used to cause a computer device (which may be a personal computer, server, or network device, etc.) to perform all or part of the steps of the methods described in various embodiments of the present invention.
  • the foregoing storage medium includes: a U disk, a mobile hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk, or an optical disk, and the like. .

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computing Systems (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Multimedia (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Computer And Data Communications (AREA)

Abstract

本发明实施例提供了一种加密内容检测的方法和设备,该方法包括:中间盒子网络设备通过第一安全通道接收密钥管理器发送的TLS安全通道的密钥信息;中间盒子网络设备根据TLS安全通道的五元组信息获取通过TLS安全通道传输的加密的应用数据;中间盒子网络设备采用会话密钥对加密的应用数据进行解密,并对解密后的内容进行检测。本发明实施例的加密内容检测的方法,通过中间盒子网络设备对加密的应用数据进行解密,并对解密后的应用数据进行检测,使得对加密内容的检测不再依赖TLS代理服务器,从而能够降低检测复杂度,并且能够降低检测成本。

Description

加密内容检测的方法和设备 技术领域
本发明涉及通信领域,并且更具体地,涉及一种加密内容检测的方法、密钥管理器、中间盒子网络设备和服务器。
背景技术
云技术的广泛应用使得越来越多的企业在数据中心网络(Data Center Network,DCN)内部署了云业务。为了保护用户信息隐私的安全性,DCN提供了安全传输层协议(Transport Layer Security,TLS)加密访问云服务。同时为了保护业务自身的安全性,DCN出口处部署了安全资源池,包括防火墙(FireWall,FW)、入侵防御系统(Intrusion Prevention System,IPS)、分布式拒绝服务(Distributed Denial of Service,DDoS)防御、病毒检测、网络行为监控等。
在TLS用于在两个通信应用程序之间提供保密性和数据完整性的同时,也为黑客提供了一个隐蔽的新威胁载体。如果加密内容隐藏有病毒、木马、恶意软件等,而不利用FW、入侵检测系统(Intrusion Detection Systems,IDS),IPS等网络安全设备(通常称为中间盒子网络设备(middlebox))对加密内容进行检测,就会给企业与个人带来损失。因此FW,IPS等网络安全设备如何对访问DCN业务的TLS加密内容进行检测成为了关键问题。
现有技术采用如图1所示的方法对TLS加密内容进行检测。如图1所示,客户端与TLS代理服务器之间建立TLS安全通道1,TLS代理服务器与服务器之间建立TLS安全通道2。以客户端向服务器发送加密报文为例,TLS代理服务器对通过TLS安全通道1接收到的加密报文进行解密,然后传送到中间盒子网络设备(middlebox)上做明文内容检测;中间盒子网络设备将优化处理过的报文再传送回TLS代理服务器,TLS代理服务器再对优化处理过的报文进行加密,并通过TLS连接2发送给服务器。在这种采用两段独立的TLS安全通道的方案中,需要依赖TLS代理服务器,这样会造成检测复杂度高以及成本较高的问题。
发明内容
本发明实施例提供一种加密内容检测的方法、密钥管理器、中间盒子网络设备、服务器、客户端和软件定义网络(Software Defined Network,SDN)控制器,能够降低检测复杂度,并且能够降低检测成本。
第一方面,提供了一种加密内容检测的方法,该方法应用于通信网络,该通信网络包括中间盒子网络设备、密钥管理器和服务器,中间盒子网络设备位于客户端和服务器之间建立的安全传输层协议TLS安全通道上,包括:密钥管理器获取TLS安全通道的密钥信息;密钥管理器通过第一安全通道向中间盒子网络设备发送密钥信息,以便于中间盒子网络设备采用与密钥信息对应的会话密钥对通过TLS安全通道传输的加密的应用数 据进行解密,和对解密后的应用数据进行检测,其中,加密的应用数据是客户端或服务器基于会话密钥对应用数据加密生成的,第一安全通道为密钥管理器与盒子网络设备之间建立的安全通道。
本发明实施例的加密内容检测的方法,通过中间盒子网络设备对加密的应用数据进行解密,并对解密后的应用数据进行检测,使得对加密内容进行检测不再依赖TLS代理服务器,从而能够降低检测复杂度,并且能够降低检测成本。
结合第一方面,在第一方面的第一种可能的实现方式中,在密钥管理器获取TLS安全通道的密钥信息之前,该方法还包括:密钥管理器接收中间盒子网络设备通过第一安全通道发送的第一密钥请求消息,第一密钥请求消息包括TLS安全通道的五元组信息,第一密钥请求消息用于请求密钥信息,五元组信息包括客户端的网际协议IP地址、客户端的端口号、服务器的IP地址,服务器的端口号、传输层协议;其中,密钥管理器获取TLS安全通道的密钥信息,包括:密钥管理器根据五元组信息获取密钥信息。
结合第一方面的第一种可能的实现方式,在第一方面的第二种可能的实现方式中,密钥管理器根据五元组信息获取密钥信息,包括:密钥管理器通过第二安全通道向服务器发送第二密钥请求消息,第二密钥请求消息包括五元组信息,第二安全通道为密钥管理器与服务器之间建立的安全通道;密钥管理器接收服务器根据第二密钥请求消息发送的密钥信息。
结合第一方面,在第一方面的第三种可能的实现方式中,密钥管理器获取TLS安全通道的密钥信息,包括:密钥管理器通过第二安全通道接收服务器发送的会话信息,会话信息包括TLS安全通道的五元组信息和密钥信息,五元组信息包括客户端的网际协议(Internet Protocol,IP)地址、客户端的端口号、服务器的IP地址,服务器的端口号、传输层协议,第二安全通道为密钥管理器和服务器之间建立的安全通道;密钥管理器获取会话信息中的密钥信息;其中,在密钥管理器通过第一安全通道向中间盒子网络设备发送密钥信息之前,该方法还包括:密钥管理器确定经过五元组信息所标识的TLS安全通道的中间盒子网络设备;该方法还包括:密钥管理器向中间盒子网络设备发送五元组信息。
结合第一方面的第三种可能的实现方式,在第一方面的第四种可能的实现方式中,该通信网络还包括软件定义网络SDN控制器,其中,密钥管理器和SDN控制器之间相连接,SDN控制器与中间盒子网络设备之间相连接;密钥管理器根据五元组信息确定中间盒子网络设备,包括:密钥管理器向SDN控制器发送设备请求消息,设备请求消息包括五元组信息,设备请求消息用于请求经过五元组信息所标识的TLS安全通道的中间盒子网络设备的设备信息;密钥管理器接收SDN控制器根据设备请求消息发送的设备信息。
结合第一方面或第一方面的上述任一种可能的实现方式,在第一方面的第五种可能的实现方式中,密钥信息包括第一随机数、第二随机数、预主密钥和伪随机函数,第一随机数和预主密钥为客户端生成的随机数,第二随机数为服务器生成的随机数,伪随机函数用于根据第一随机数、第二随机数和预主密钥生成会话密钥。
结合第一方面或第一方面的第二种至第四种的可能的实现方式中的任一种可能的实现方式,在第一方面的第六种可能的实现方式中,密钥信息包括会话密钥。
结合第一方面,在第一方面的第七种可能的实现方式中,密钥信息包括会话密钥,密钥管理器获取TLS安全通道的密钥信息,包括:密钥管理器根据从服务器接收的第一 随机数、第二随机数、预主密钥和伪随机函数生成会话密钥,第一随机数和预主密钥为客户端生成的随机数,第二随机数为服务器生成的随机数,伪随机函数用于根据第一随机数、第二随机数和预主密钥生成会话密钥。
结合第一方面或第一方面的上述任一种可能的实现方式,在第一方面的第八种可能的实现方式中,密钥管理器通过第一安全通道向中间盒子网络设备发送密钥信息之前,该方法还包括:密钥管理器与中间盒子网络设备之间建立该第一安全通道。
第二方面,提供了一种加密内容检测的方法,该方法应用于通信网络,该通信网络包括中间盒子网络设备、密钥管理器和服务器,中间盒子网络设备位于客户端和服务器之间建立的安全传输层协议TLS安全通道上,包括:中间盒子网络设备通过第一安全通道接收密钥管理器发送的TLS安全通道的密钥信息,其中,第一安全通道为中间盒子网络设备与密钥管理器之间建立的安全通道;中间盒子网络设备根据TLS安全通道的五元组信息获取通过TLS安全通道传输的加密的应用数据,五元组信息包括客户端的网际协议IP地址、客户端的端口号、服务器的IP地址,服务器的端口号、传输层协议,加密的应用数据是客户端或服务器基于与密钥信息对应的会话密钥对应用数据加密生成的;中间盒子网络设备采用会话密钥对加密的应用数据进行解密,并对解密后的应用数据进行检测。
本发明实施例的加密内容检测的方法,通过中间盒子网络设备对加密的应用数据进行解密,并对解密后的应用数据进行检测,使得对加密内容进行检测不再依赖TLS代理服务器,从而能够降低检测复杂度,并且能够降低检测成本。
结合第二方面,在第二方面的第一种可能的实现方式中,密钥信息包括第一随机数、第二随机数、预主密钥和伪随机函数,第一随机数和预主密钥为客户端生成的随机数,第二随机数为服务器生成的随机数,伪随机函数用于根据第一随机数、第二随机数和预主密钥生成会话密钥,其中,在中间盒子网络设备采用会话密钥对加密的应用数据进行解密之前,该方法还包括:中间盒子网络设备根据第一随机数、第二随机数、预主密钥和伪随机函数生成会话密钥,如,将所述第一随机数、所述第二随机数和所述预主密钥作为所述伪随机函数的自变量,通过所述伪随机函数计算所述会话密钥。
结合第二方面或第二方面的第一种可能的实现方式,在第二方面的第二种可能的实现方式中,密钥信息包括会话密钥。
结合第二方面或第二方面的上述任一种可能的实现方式,在第二方面的第三种可能的实现方式中,在中间盒子网络设备通过第一安全通道接收密钥管理器发送的TLS安全通道的密钥信息之前,该方法还包括:中间盒子网络设备通过第一安全通道向密钥管理器发送密钥请求消息,密钥请求消息包括五元组信息,密钥请求消息用于请求密钥信息;其中,中间盒子网络设备通过第一安全通道接收密钥管理器发送的TLS安全通道的密钥信息,包括:中间盒子网络设备通过第一安全通道接收密钥管理器根据密钥请求消息发送的密钥信息。
结合第二方面或第二方面的上述任一种可能的实现方式,在第二方面的第四种可能的实现方式中,在中间盒子网络设备根据TLS安全通道的五元组信息获取通过TLS安全通道传输的加密的应用数据之前,该方法还包括:中间盒子网络设备通过第一安全通道接收密钥管理器发送的五元组信息。
第三方面,提供了一种加密内容检测的方法,该方法应用于通信网络,该通信网络 包括中间盒子网络设备、密钥管理器和服务器,中间盒子网络设备位于客户端和服务器之间建立的安全传输层协议TLS安全通道上,包括:服务器确定TLS安全通道的密钥信息;服务器通过第二安全通道向密钥管理器发送密钥信息,以便于密钥管理器通过第一安全通道向中间盒子网络设备发送密钥信息,以使中间盒子网络设备采用与密钥信息对应的会话密钥对通过TLS安全通道传输的加密的应用数据进行解密,和对解密后的应用数据进行检测,其中,加密的应用数据是客户端或服务器基于会话密钥对应用数据加密生成的,第一安全通道为密钥管理器与中间盒子网络设备之间建立的安全通道,第二安全通道为密钥管理器和服务器之间建立的安全通道。
本发明实施例的加密内容检测的方法,通过中间盒子网络设备对加密的应用数据进行解密,并对解密后的应用数据进行检测,使得对加密内容进行检测不再依赖TLS代理服务器,从而能够降低检测复杂度,并且能够降低检测成本。
结合第三方面,在第三方面的第一种可能的实现方式中,在服务器通过第二安全通道向密钥管理器发送密钥信息之前,该方法还包括:服务器通过TLS安全通道向客户端发送检测询问消息,检测询问消息用于确定客户端是否同意中间盒子网络设备对加密的应用数据进行加密内容检测;服务器接收客户端发送的对检测询问消息反馈的同意检测消息,同意检测消息用于指示客户端同意中间盒子网络设备对加密的应用数据进行加密内容检测。
通过在确定所述客户端同意对所述客户端和所述服务器之间传输的加密内容进行检测的情况下进行加密内容检测,可以减少安全风险。
结合第三方面或第三方面的第一种可能的实现方式,在第三方面的第二种可能的实现方式中,在服务器确定TLS安全通道的密钥信息之前,该方法还包括:服务器接收密钥管理器通过第二安全通道发送的密钥请求消息,密钥请求消息包括TLS安全通道的五元组信息,密钥请求消息用于请求密钥信息,五元组信息包括客户端的网际协议IP地址、客户端的端口号、服务器的IP地址,服务器的端口号、传输层协议;其中,服务器确定密钥信息,包括:服务器根据五元组信息确定五元组信息所标识的TLS安全通道的密钥信息。
结合第三方面或第三方面的第一种可能的实现方式,在第三方面的第三种可能的实现方式中,该方法还包括:服务器确定TLS安全通道的五元组信息,五元组信息包括客户端的网际协议IP地址、客户端的端口号、服务器的IP地址,服务器的端口号、传输层协议;服务器向密钥管理器发送五元组信息。
第四方面,提供了一种加密内容检测的方法,该方法应用于通信网络,该通信网络包括中间盒子网络设备、密钥管理器和服务器,中间盒子网络设备位于客户端和服务器之间建立的安全传输层协议TLS安全通道上,包括:客户端接收服务器通过TLS安全通道发送的检测询问消息,检测询问消息用于确定客户端是否同意中间盒子网络设备对加密的应用数据进行加密内容检测,加密的应用数据是客户端或服务器基于TLS安全通道的会话密钥对应用数据加密生成的;在客户端同意中间盒子网络设备对加密的应用数据进行加密内容检测时,通过TLS安全通道向服务器发送同意检测消息。
通过在确定所述客户端同意对所述客户端和所述服务器之间传输的加密内容进行检测的情况下进行加密内容检测,可以减少安全风险。
第五方面,提供了一种加密内容检测的方法,该方法应用于通信网络,该通信网络 包括中间盒子网络设备、密钥管理器、SDN控制器和服务器,中间盒子网络设备位于客户端和服务器之间建立的安全传输层协议TLS安全通道上,密钥管理器和SDN控制器之间相连接,SDN控制器与中间盒子网络设备之间相连接,包括:SDN控制器接收密钥管理器发送的设备请求消息,设备请求消息包括TLS安全通道的五元组信息,五元组信息包括客户端的网际协议IP地址、客户端的端口号、服务器的IP地址,服务器的端口号、传输层协议;SDN控制器根据设备请求消息确定经过所述五元组信息所标识的TLS安全通道的中间盒子网络设备的设备信息;SDN控制器向密钥管理器发送设备信息,以便于密钥管理器根据所述中间盒子网络设备的设备信息通过第一安全通道向所述中间盒子网络设备发送五元组信息和TLS安全通道的密钥信息,以使中间盒子网络设备根据五元组信息获取客户端和服务器之间通过TLS安全通道传输的加密的应用数据,并采用与密钥信息对应的会话密钥对加密的应用数据进行解密,并对解密后的应用数据进行检测,其中,加密的应用数据是客户端或服务器基于会话密钥对应用数据加密生成的,第一安全通道为中间盒子网络设备与密钥管理器之间建立的安全通道。
本发明实施例的加密内容检测的方法,通过SDN控制器确定的中间盒子网络设备对加密的应用数据进行解密,并对解密后的应用数据进行检测,使得对加密内容进行检测不再依赖TLS代理服务器,从而能够降低检测复杂度,并且能够降低检测成本。
第六方面,提供了一种密钥管理器,用于执行第一方面或第一方面的任意可能的实现方式中的方法。具体地,该密钥管理器包括用于执行第一方面或第一方面的任意可能的实现方式中的方法的单元。
第七方面,提供了一种中间盒子网络设备,用于执行第二方面或第二方面的任意可能的实现方式中的方法。具体地,该中间盒子网络设备包括用于执行第二方面或第二方面的任意可能的实现方式中的方法的单元。
第八方面,提供了一种服务器,用于执行第三方面或第三方面的任意可能的实现方式中的方法。具体地,该服务器包括用于执行第三方面或第三方面的任意可能的实现方式中的方法的单元。
第九方面,提供了一种客户端,用于执行第四方面或第四方面的任意可能的实现方式中的方法。具体地,该客户端包括用于执行第四方面或第四方面的任意可能的实现方式中的方法的单元。
第十方面,提供了一种SDN控制器,用于执行第五方面或第五方面的任意可能的实现方式中的方法。具体地,该SDN控制器包括用于执行第五方面或第五方面的任意可能的实现方式中的方法的单元。
第十一方面,提供了一种密钥管理器,该密钥管理器包括接收器、发送器、处理器、存储器和总线系统。其中,接收器、发送器、处理器和存储器通过总线系统相连,存储器用于存储指令,处理器用于执行存储器存储的指令,以控制接收器接收信号和控制发送器发送信号。并且当处理器执行存储器存储的指令时,使得处理器执行第一方面或第一方面的任意可能的实现方式中的方法。
第十二方面,提供了一种中间盒子网络设备,该中间盒子网络设备包括接收器、发送器、处理器、存储器和总线系统。其中,接收器、发送器、处理器和存储器通过总线系统相连,存储器用于存储指令,处理器用于执行存储器存储的指令,以控制接收器接收信号和控制发送器发送信号。并且当处理器执行存储器存储的指令时,使得处理器执 行第二方面或第二方面的任意可能的实现方式中的方法。
第十三方面,提供了一种服务器,该服务器包括接收器、发送器、处理器、存储器和总线系统。其中,接收器、发送器、处理器和存储器通过总线系统相连,存储器用于存储指令,处理器用于执行存储器存储的指令,以控制接收器接收信号和控制发送器发送信号。并且当处理器执行存储器存储的指令时,使得处理器执行第三方面或第三方面的任意可能的实现方式中的方法。
第十四方面,提供了一种客户端,该客户端包括接收器、发送器、处理器、存储器和总线系统。其中,接收器、发送器、处理器和存储器通过总线系统相连,存储器用于存储指令,处理器用于执行存储器存储的指令,以控制接收器接收信号和控制发送器发送信号。并且当处理器执行存储器存储的指令时,使得处理器执行第四方面或第四方面的任意可能的实现方式中的方法。
第十五方面,提供了一种SDN控制器,该SDN控制器包括接收器、发送器、处理器、存储器和总线系统。其中,接收器、发送器、处理器和存储器通过总线系统相连,存储器用于存储指令,处理器用于执行存储器存储的指令,以控制接收器接收信号和控制发送器发送信号。并且当处理器执行存储器存储的指令时,使得处理器执行第五方面或第五方面的任意可能的实现方式中的方法。
第十六方面,本申请提供一种计算机可读介质,用于存储计算机程序,该计算机程序包括用于执行第一方面或第一方面的任意可能的实现方式中的方法的指令。
第十七方面,本申请提供一种计算机可读介质,用于存储计算机程序,该计算机程序包括用于执行第二方面或第二方面的任意可能的实现方式中的方法的指令。
第十八方面,本申请提供一种计算机可读介质,用于存储计算机程序,该计算机程序包括用于执行第三方面或第三方面的任意可能的实现方式中的方法的指令。
第十九方面,本申请提供一种计算机可读介质,用于存储计算机程序,该计算机程序包括用于执行第四方面或第四方面的任意可能的实现方式中的方法的指令。
第二十方面,本申请提供一种计算机可读介质,用于存储计算机程序,该计算机程序包括用于执行第五方面或第五方面的任意可能的实现方式中的方法的指令。
附图说明
为了更清楚地说明本发明实施例的技术方案,下面将对本发明实施例中所需要使用的附图作简单地介绍,显而易见地,下面所描述的附图仅仅是本发明的一些实施例,对于本领域普通技术人员来讲,在不付出创造性劳动的前提下,还可以根据这些附图获得其他的附图。
图1是现有技术中对加密内容进行检测的方法。
图2是一个TLS握手阶段流程的示意性流程图。
图3是根据本发明实施例的系统架构的示意性框图。
图4是根据本发明实施例的加密内容检测的方法的示意性流程图。
图5是根据本发明一个实施例的加密内容检测的方法的示意性流程图。
图6是根据本发明另一实施例的加密内容检测的方法的示意性流程图。
图7是根据本发明实施例的密钥管理器的示意性框图。
图8是根据本发明实施例的中间盒子网络设备的示意性框图。
图9是根据本发明实施例的服务器的示意性框图。
图10是根据本发明实施例的密钥管理器的示意性结构图。
图11是根据本发明实施例的中间盒子网络设备的示意性结构图。
图12是根据本发明实施例的服务器的示意性结构图。
具体实施方式
下面将结合本发明实施例中的附图,对本发明实施例中的技术方案进行清楚、完整地描述,显然,所描述的实施例是本发明一部分实施例,而不是全部的实施例。基于本发明中的实施例,本领域普通技术人员在没有作出创造性劳动前提下所获得的所有其他实施例,都属于本发明保护的范围。
安全传输层协议TLS用于在两个通信应用程序之间提供保密性和数据完整性。TLS协议的基本过程是:(1)客户端向服务器索要并验证公钥;(2)双方协商生成"会话密钥"(“会话密钥”也称为“主密钥”);(3)双方采用"会话密钥"进行加密通信。上述的过程的前两步又称为“握手阶段”。两个通信应用程序,即客户端和服务器之间握手阶段的一个流程如图2所示。
201,客户端向服务器发送客户端握手(client_hello)消息,启动TLS会话。
首先,客户端(通常是浏览器)先向服务器发出加密通信的请求,称为client_hello。在该步骤中,客户端主要向服务器提供以下信息:
(1)支持的协议版本,比如TLS 1.0版。
(2)一个客户端生成的随机数,稍后用于生成"会话密钥"。为了描述方便,在以下的描述中将客户端生成的随机数称为“第一随机数”。
(3)支持的加密方法,比如RSA公钥加密。
(4)支持的压缩方法。
202,服务器向客户端发送服务器握手(server_hello)消息。
服务器收到客户端握手消息后,向客户端发送服务器握手消息,称为server_hello。服务器握手消息主要包括以下内容:
(1)确认使用的加密通信协议版本,比如TLS 1.0版本。如果浏览器与服务器支持的版本不一致,服务器终止加密通信。
(2)一个服务器生成的随机数,稍后用于生成"会话密钥"。为了描述方便,在以下的描述中将服务器生成的随机数称为“第二随机数”。
(3)确认使用的加密方法,比如RSA公钥加密。
(4)确认的压缩方法。
203,服务器向客户端发送数字证书(certificate)。
服务器的数字证书中包括服务器的公钥。客户端收到服务器发送的数字证书后,对该数字证书进行认证。如果认证通过,客户端将获得服务器的公钥。
204、服务器向客户端发送服务器握手下线(serve_hello_done)消息。
服务器握手下线消息表示服务器的Hello消息已发送完毕。
205,客户端向服务器发送密钥交换(client_key_exchange)消息。
密钥交换消息采用服务器的公钥进行加密。密钥交换消息包括客户端生成的随机数,这个随机数是握手阶段的第三个随机数,也称为“预主密钥”。有了预主密钥以后,客户 端和服务器就同时有了三个随机数。接着双方将三个随机数作为伪随机函数的三个自变量,可以各自生成本次会话所用的同一把"会话密钥"。
206,客户端向服务器发送客户端完成(finished)消息。
该客户端完成消息包括步骤201~205发送的所有内容的哈希hash值,用来供服务器校验。
207,服务器向客户端发送服务器完成(finished)消息。
服务器收到客户端的第三个随机数,即预主密钥之后,计算生成本次会话所用的"会话密钥"。然后,向客户端发送服务器完成消息。服务器完成消息包括步骤201~206发送的所有内容的哈希hash值,用来供客户端校验。至此,整个握手阶段全部结束。
握手阶段完成后,TLS安全通道建立成功,客户端与服务器之间就可以通过所述TLS安全通道传输应用数据(application data),即客户端与服务器进入加密通信。客户端与服务器中一方采用"会话密钥"加密传输内容时,另一方可以采用会话密钥对接收到的加密内容进行解密。在客户端与服务器的加密通信过程中,由于病毒、木马、恶意软件等可能隐藏于加密内容中,因此需要对TLS加密内容进行检测。现有技术采用的如图1所示的解决方案,需要依赖TLS代理服务器,这样会造成检测复杂度高以及成本较高的问题。
为了解决上述问题,本发明实施例提供了一种加密内容检测的方法,该方法不需要依赖TLS代理服务器,从而能够降低检测复杂度,并且能够降低检测成本。
本发明实施例的加密内容检测的方法可以应用于通信网络,例如,数据中心网络DCN,广域网(Wide Area Network,WAN)等。本发明实施例以通信网络为数据中心网络DCN为例,结合图3所示的系统结构,具体阐述根据本发明实施例的加密内容检测的方法。
如图3所示,该系统架构包括数据中心网络DCN 300和客户端310。其中,DCN 300包括服务器320、SDN控制器330、密钥管理器340和中间盒子网络设备350。服务器320、SDN控制器330、密钥管理器340和中间盒子网络设备350之间存在信任关系。SDN控制器330和密钥管理器340是逻辑分离的两个组件,物理上密钥管理器340可以是SDN控制器330的一个部分,也可以是独立分开的设备。本发明实施例中主要以密钥管理器340和SDN控制器330作为两个独立的设备来描述根据本发明实施例的加密内容检测的方法。需要说明的是,当密钥管理器340和SDN控制器330为两个独立的设备时,密钥管理器340和SDN控制器330之间相连接,例如,通过传输控制协议(Transmission Control Protocol,TCP)连接、或通过用户数据报协议(User Datagram Protocol,UDP)连接,SDN控制器330和中间盒子网络设备350之间相连接(例如,通过TCP连接或UDP连接)。
具体来说,本发明实施例中,客户端310和服务器320是访问业务的TLS会话的两个端点,并通过建立TLS安全通道进行通信。密钥管理器340负责集中式管控TLS会话参数(例如五元组信息)和密钥参数(例如,第一随机数、第二随机数、预主密钥和伪随机函数,或会话密钥)。此外,DCN 300可以包括多个中间盒子网络设备350,例如FW、IDS、IPS等。中间盒子网络设备350在TLS安全通道上。中间盒子网络设备350可以获取客户端310和服务器320之间的通信内容(包括握手阶段的明文和采用公钥加密的加密内容和完成握手阶段后的加密内容),并负责对加密内容进行检测。SDN控制 器330向密钥管理器340提供设备信息,即告知密钥管理器340,TLS安全通道上经过的哪些中间盒子网络设备350需要对加密内容进行检测。密钥管理器340与每个需要对加密内容进行检测的中间盒子网络设备350之间各建立一条第一安全通道用于密钥管理器340与中间盒子网络设备350之间传输TLS会话参数和密钥参数等。第一安全通道可以是TLS安全通道、数据包传输层安全性协议(Datagram Transport Layer Security,DTLS)安全通道等。密钥管理器340与服务器320之间建立一条第二安全通道用于密钥管理器340与服务器320之间传输TLS会话参数和密钥参数等。第二安全通道可以是TLS安全通道、DTLS安全通道等。
应理解,第一安全通道和第二安全通道的建立过程可以参照图2所示的方法,为了简洁,此处不再详述。
还应理解,在本发明实施例中,编号“第一”和“第二”等仅仅为了区分不同的对象,例如,为了区分不同设备之间建立的安全通道,不应对本发明实施例的保护范围构成任何限定。
需要说明的是,本发明实施例中的所描述的对加密内容检测指示的是对加密的应用数据解密以及对解密后的应用数据进行检测。
下面将结合图3和图4,对根据本发明实施例的加密内容检测的方法进行详细描述。应理解,图4中的各执行主体可以分别对应于图3所示的各设备。
本发明实施例中,需要对通过TLS安全通道传输的加密的应用数据进行加密内容检测的中间盒子网络设备可能有多个,例如IPS、IDS、DDoS等都需要进行加密内容检测,图4中仅以一个中间盒子网络设备为例进行说明。需要对通过TLS安全通道传输的加密的应用数据进行加密内容检测的其他中间盒子网络设备可以参照对图4所示的中间盒子网络设备的描述,下述中将不再详述。
401,密钥管理器获取TLS安全通道的密钥信息。
应理解,所述TLS安全通道可以是图3所示的TLS安全通道。
可选地,密钥信息可以包括第一随机数、第二随机数、预主密钥和伪随机函数。对于第一随机数、预主密钥、第二随机数的具体介绍可以参照现有协议或上文中对图2的描述,为了简洁,此处不再赘述。
可选地,密钥信息可以包括会话密钥。
会话密钥可以参照现有协议或上文中对图2的描述,为了简洁,此处不再赘述。
在本发明实施例中,密钥信息可以是服务器向密钥管理器发送的,也可以是密钥管理器之前存储的。
例如,当其中一个中间盒子网络设备需要对通过该TLS安全通道传输的加密的应用数据进行加密内容检测时,密钥管理器可以从服务器获取该TLS安全通道密钥信息,并将获取到的密钥信息发送给中间盒子网络设备。同时,密钥管理器也可以在本地存储该TLS安全通道的密钥信息。那么,在其他中间盒子网络设备也需要对通过该TLS安全通道传输的加密的应用数据进行加密内容检测时,密钥管理器可以直接向这些中间盒子网络设备发送之前存储的该TLS安全通道密钥信息,而不需要再向服务器索取。
可选地,如果密钥信息是服务器向密钥管理器发送的,在服务器向密钥管理器发送密钥信息之前,该方法还可以包括:服务器通过TLS安全通道向客户端发送检测询问消息,检测询问消息用于确定客户端是否同意中间盒子网络设备对加密的应用数据进行加 密内容检测;服务器接收客户端发送的对检测询问消息反馈的同意检测消息,同意检测消息用于指示客户端同意中间盒子网络设备对加密的应用数据进行加密内容检测。
具体地,服务器先询问客户端是否同意中间盒子网络设备对加密的应用数据进行加密内容检测,如果客户端同意中间盒子网络设备对加密的应用数据进行加密内容检测,服务器才可以向密钥管理器发送密钥信息。如果客户端不同意中间盒子网络设备对加密的应用数据进行检测,服务器不向密钥管理器发送密钥信息,或者告知密钥管理器,服务器不能向密钥管理器提供密钥信息。
402,密钥管理器通过第一安全通道向中间盒子网络设备发送密钥信息。
应理解,所述第一安全通道可以是图3所示的第一安全通道。
403,客户端与服务器之间通过TLS安全通道传输加密的应用数据。
客户端与服务器之间通过TLS安全通道传输应用数据时,发送端采用会话密钥对应用数据进行加密,生成加密的应用数据进行传输。
404,中间盒子网络设备根据TLS安全通道的五元组信息获取加密的应用数据。
在TLS安全通道建立的过程中,中间盒子网络设备可以得到TLS安全通道的五元组信息。五元组信息唯一地确定了该TLS安全通道。五元组信息包括客户端的网际协议IP地址、客户端的端口号、服务器的IP地址,服务器的端口号、传输层协议。中间盒子网络设备通过该五元组信息可以获取通过该TLS传输的加密的应用数据。
405,中间盒子网络设备采用与密钥信息对应的会话密钥对加密的应用数据进行解密,并对解密后的应用数据进行检测。
在本发明实施例中,一种情况是,密钥管理器向中间盒子网络设备发送的密钥信息包括第一随机数、第二随机数、预主密钥和伪随机函数,那么在403之前,中间盒子网络设备可以根据密钥管理器发送的第一随机数、第二随机数、预主密钥和伪随机函数生成会话密钥。具体地,中间盒子网络设备可以将密钥管理器发送的第一随机数、第二随机数、预主密钥作为伪随机函数的三个自变量,来计算会话密钥。这样,当客户端与服务器之间通过TLS安全通道传输加密的应用数据时,中间盒子网络设备根据五元组信息获取加密的应用数据后,可以采用之前通过计算得到的会话密钥对该加密的应用数据进行解密,并对解密后的应用数据进行检测。在这种情况下,与密钥信息对应的会话密钥指的是根据密钥信息包括的第一随机数、第二随机数、预主密钥和伪随机函数生成的会话密钥。
对于第一种情况,所述密钥管理器向中间盒子网络设备发送的第一随机数、第二随机数、预主密钥和伪随机函数,可以是从所述服务器接收的。
在本发明实施例中,第二种情况是,密钥管理器向中间盒子网络设备发送的密钥信息包括会话密钥。那么在这种情况下,与密钥信息对应的会话密钥指的是密钥信息包括的会话密钥,中间盒子网络设备根据五元组信息获取加密的应用数据后,可以直接采用该会话密钥对该加密的应用数据进行解密,并对解密后的应用数据进行检测。
对于第二种情况,所述密钥管理器向中间盒子网络设备发送的所述会话密钥,可以是从所述服务器接收的,也可以是根据从所述服务器接收的第一随机数、第二随机数、预主密钥和伪随机函数生成的。
在上述两种情况下,如果检测到解密后的应用数据对DCN没有威胁,例如解密后的应用数据中没有病毒、木马等,则进行正常的接收和发送。如果解密后的应用数据对DCN 存在威胁,在加密的应用数据没有到达服务器时,DCN可以控制停止传输该加密的应用数据,在加密的应用数据已到达服务器时,DCN可以控制不再传输后续待传输的应用数据。
因此,本发明实施例的加密内容检测的方法,通过中间盒子网络设备对加密的应用数据进行解密,并对解密后的应用数据进行检测,使得对加密内容进行检测不再依赖TLS代理服务器,从而能够降低检测复杂度,并且能够降低检测成本。
下面将结合具体实施例,对根据本发明实施例的加密内容检测的方法进行详细描述。
图5是根据本发明一个实施例的加密内容检测的方法的示意性流程图。应理解,图5中所示的中间盒子网络设备1~中间盒子网络设备N为需要对通过TLS安全通道传输的加密的应用数据进行加密内容检测的N个中间盒子网络设备。在具体实现时,需要对某一TLS安全通道传输的加密的应用数据进行加密内容检测的中间盒子网络设备可以是一个或多个。
501,服务器向客户端发送检测询问消息。
服务器通过所述TLS安全通道向客户端发送检测询问消息,以确定客户端是否同意中间盒子网络设备对加密的应用数据进行加密内容检测。加密的应用数据是客户端或服务器基于会话密钥对应用数据加密生成的。
应理解,所述第二安全通道可以是图3所示的第二安全通道。
502,客户端向服务器发送同意检测消息。
客户端接收到检测询问消息后,如果同意中间盒子网络设备对加密的应用数据进行加密内容检测,则回应同意检测消息。
503,服务器向密钥管理器发送会话信息。
客户端如果同意中间盒子网络设备对加密的应用数据进行加密内容检测,服务器可以通过第二安全通道主动向密钥管理器提供会话信息。另外,在服务器向密钥管理器发送会话信息之前,也可以不询问客户端的意见而直接向密钥管理器发送会话信息。
会话信息可以包括密钥信息和五元组信息。具体地,密钥信息和五元组信息的具体内容可以分别参照步骤401中对密钥信息以及步骤404中对五元组信息的描述,为了简洁,此处不再赘述。
504,密钥管理器获取密钥信息。
具体地,密钥管理器接收到会话信息后,可以获取会话信息中的密钥信息。
505,密钥管理器根据五元组信息确定中间盒子网络设备。
具体地,密钥管理器确定经过所述五元组信息所标识的TLS安全通道的中间盒子网络设备。
在本发明实施例中,密钥管理器可以是SDN控制器的一个模块,也可以是独立于SDN控制器的一个设备。
所述SDN控制器用于控制所述客户端与所述服务器之间传输数据的路径。在SDN控制器控制的转发路径上,转发设备收到客户端和服务器握手阶段的第一个报文并向SDN控制器上报该报文SDN控制器根据该报文中的信息可以确定该报文是属于该服务器的,进而可以确定后续的应用数据需要经过的中间网络设备以及需要对加密内容做检测的中间网络设备。并且,SDN控制器会存储五元组信息和中间盒子网络设备的映射关系,该映射关系表示五元组信息和对加密内容做检测的中间网络设备的对应关系。
在密钥管理器是SDN控制器的一个模块时,显然,密钥管理器可以直接确定中间盒子网络设备。
可选地,在密钥管理器和SDN控制器是两个独立的设备时,密钥管理器在确定中间盒子网络设备时,具体可以包括以下步骤:
506,密钥管理器向SDN控制器发送设备请求消息,设备请求消息包括五元组信息,设备请求消息用于请求经过五元组信息所标识的TLS安全通道的中间盒子网络设备的设备信息。所述中间盒子网络设备的设备信息具体可以包括所述中间盒子网络设备的IP地址。
507,密钥管理器接收SDN控制器根据设备请求消息发送的设备信息。
具体地,在密钥管理器和SDN控制器是两个独立的设备时,密钥管理器向SDN控制器发送设备请求消息,以确定需要对加密的应用数据进行加密内容检测的中间盒子网络设备。SDN控制器接收到设备请求消息后,根据存储的五元组信息和中间盒子网络设备的映射关系,可以确定密钥管理器请求的设备信息。SDN控制器向密钥管理器发送信息,密钥管理器接收到信息后,根据设备信息,可以确定这N个中间盒子网络设备。
508,密钥管理器向中间盒子网络设备发送会话信息。
密钥管理器通过N个第一安全通道向这N个中间盒子网络设备发送会话信息,告知这N个中间盒子网络设备服务器提供的五元组信息和密钥信息。
509,中间盒子网络设备根据密钥信息获取会话密钥。
例如,在会话信息中的密钥信息包括第一随机数、第二随机数、预主密钥和伪随函数的情况下,密钥管理器将第一随机数、第二随机数、预主密钥作为伪随机函数的三个自变量,通过计算得到会话密钥。或者,密钥管理器直接从会话信息中提取会话密钥。
510,客户端与服务器之间通过TLS安全通道传输加密的应用数据。
511,中间盒子网络设备根据五元组信息获取加密的应用数据。
512,中间盒子网络设备采用会话密钥对加密的应用数据进行解密,并对解密后的应用数据进行检测。
在本发明实施例中,步骤510~512可以参照图4所示的方法中的步骤403~405,为了简洁,在此不再详述。
本发明实施例的加密内容检测的方法,通过中间盒子网络设备对加密的应用数据进行解密,并对解密后的应用数据进行检测,使得对加密内容进行检测不再依赖TLS代理服务器,从而能够降低检测复杂度,并且能够降低检测成本。
图6是根据本发明另一实施例的加密内容检测的方法的示意性流程图。
应理解,图6中所示的中间盒子网络设备1~中间盒子网络设备N为需要对通过TLS安全通道传输的加密的应用数据进行加密内容检测的N个中间盒子网络设备。在具体实现时,需要对某一TLS安全通道传输的加密的应用数据进行加密内容检测的中间盒子网络设备可以是一个或多个。
601,中间盒子网络设备向密钥管理器发送第一密钥请求消息。
密钥请求消息包括TLS安全通道的五元组信息。五元组信息的具体内容可以参照上述对图4所示的方法中的步骤404中对五元组信息的描述,为了简洁,此处不再赘述。
在客户端与服务器的握手阶段的明文阶段,中间盒子网络设备可以检测到客户端与服务器之间是在建立TLS安全通道,并且可以获取到五元组信息。中间盒子网络设备获 取到五元组信息后,可以通过第一密钥请求消息携带该五元组信息。通过向密钥管理器发送第一密钥请求消息,可以请求密钥信息,以获取会话密钥。密钥管理器接收到第一密钥请求消息后,查看自己是否存储了与该五元组信息对应的密钥信息。如果密钥管理器已存储了该密钥信息,可以执行步骤607,即向中间盒子网络设备发送密钥信息,如果密钥管理器没有存储该密钥信息,可以执行步骤602。
602,密钥管理器向服务器发送第二密钥请求消息。
第二密钥请求消息包括五元组信息。密钥管理器通过第二安全通道向服务器发送第二密钥请求消息索取密钥信息。
603,服务器向客户端发送检测询问消息。
服务器接收到密钥管理器发送的第二密钥请求消息后,可以通过向客户端发送检测询问消息,询问客户端是否同意中间盒子网络设备对加密的应用数据进行加密内容检测。加密的应用数据是客户端或服务器基于会话密钥对应用数据加密生成的。
另外,服务器接收到密钥管理器发送的密钥请求消息后,也可以不询问客户端的意见,直接执行步骤605。
604,客户端向服务器发送同意检测消息。
客户端接收到检测询问消息后,如果同意中间盒子网络设备对加密的应用数据进行加密内容检测,则回应同意检测消息。
605,服务器确定密钥信息。
具体地,服务器可以根据第二密钥请求消息中的五元组信息确定密钥管理器需要的密钥信息。这个密钥信息是服务器在建立TLS安全通道的握手阶段得到的。
密钥信息可以参照上述对图4所示的方法中的步骤401中的密钥信息的描述,为了简洁,此处不再赘述。
606,服务器通过第二安全通道向密钥管理器发送密钥信息。
需要说明的是,所述服务器还可以向所述密钥管理器发送所述五元组信息,具体可以将所述密钥信息和所述五元组携带在同一个消息(如所述第二密钥请求消息对应的响应消息)中发送给所述密钥管理器,相应地,所述密钥管理器接收到所述消息即可获知所述消息中携带的密钥信息为所述五元组信息对应的密钥信息。
所述服务器也可以不向所述密钥管理器发送所述五元组信息,在发送所述密钥信息时具体可以通过所述第二密钥请求消息对应的响应消息发送,相应地,所述密钥管理器可以根据所述第二密钥请求消息和所述响应消息的对应关系确定所述密钥信息是所述第二密钥请求消息包括的五元组信息对应的密钥信息。
607,密钥管理器向中间盒子网络设备发送密钥信息。
密钥管理器将接收到的密钥信息通过第一安全通道发送至中间盒子网络设备。
需要说明的是,所述密钥管理器还可以向所述中间盒子网络设备发送所述五元组信息,具体可以将所述密钥信息和所述五元组携带在同一个消息(如所述第一密钥请求消息对应的响应消息)中发送给所述中间盒子网络设备,相应地,所述中间盒子网络设备接收到所述消息即可获知所述消息中携带的密钥信息为所述五元组信息对应的密钥信息。
所述密钥管理器也可以不向所述中间盒子网络设备发送所述五元组信息,在发送所述密钥信息时具体可以通过所述第一密钥请求消息对应的响应消息发送,相应地,所述 中间盒子网络设备可以根据所述第一密钥请求消息和所述响应消息的对应关系确定所述密钥信息是所述第一密钥请求消息包括的五元组信息对应的密钥信息。
608,中间盒子网络设备根据密钥信息获取会话密钥。
例如,在密钥信息包括第一随机数、第二随机数、预主密钥和伪随函数的情况下,密钥管理器将第一随机数、第二随机数、预主密钥作为伪随机函数的三个自变量,通过计算得到会话密钥。或者,密钥管理器直接从会话信息中提取会话密钥。
609,客户端与服务器之间通过TLS安全通道传输加密的应用数据。
610,中间盒子网络设备根据五元组信息获取加密的应用数据。
611,中间盒子网络设备采用会话密钥对加密的应用数据进行解密,并对解密后的应用数据进行检测。
在本发明实施例中,步骤609~611可以参照图4所示的方法中的步骤403~405,为了简洁,在此不再详述。
本发明实施例的加密内容检测的方法,通过中间盒子网络设备对加密的应用数据进行解密,并对解密后的应用数据进行检测,使得对加密内容进行检测不再依赖TLS代理服务器,从而能够降低检测复杂度,并且能够降低检测成本。
上文中结合图1至图6详细描述了根据本发明实施例的加密内容检测的方法,下面将结合图7至9具体阐述根据本发明实施例的密钥管理器、中间盒子网络设备和服务器。
图7是根据本发明实施例的密钥管理器700的示意性框图。如图7所示,密钥管理器700包括:获取单元710和发送单元720。
获取单元710,用于获取安全传输层协议TLS安全通道的密钥信息,所述TLS安全通道为客户端与服务器之间建立的安全通道。
发送单元720,用于通过第一安全通道向中间盒子网络设备发送所述获取单元710获取的所述密钥信息,以便于所述中间盒子网络设备采用与所述密钥信息对应的会话密钥对通过所述TLS安全通道传输的加密的应用数据进行解密,和对解密后的应用数据进行检测,其中,所述加密的应用数据是所述客户端或所述服务器基于所述会话密钥对应用数据加密生成的,所述中间盒子网络设备位于所述TLS安全通道上,所述第一安全通道为所述密钥管理器与所述盒子网络设备之间建立的安全通道。
根据本发明实施例的密钥管理器700的各单元和上述其它操作或功能分别为了实现图4至图6所示的方法中的由密钥管理器执行的相应流程。为了简洁,此处不再赘述。
因此,本发明实施例的密钥管理器,通过向中间盒子网络设备提供密钥信息,使得中间盒子网络设备可以采用与密钥信息对应的会话密钥对加密的应用数据进行解密,并对解密后的应用数据进行检测,进而使得对加密内容进行检测不再依赖TLS代理服务器,从而能够降低检测复杂度,并且能够降低检测成本。
图8是根据本发明实施例的中间盒子网络设备800的示意性框图。如图8所示,中间盒子网络设备800包括:接收单元810、获取单元820和解密检测单元830。
接收单元810,用于通过第一安全通道接收密钥管理器发送的所述TLS安全通道的密钥信息,其中,所述第一安全通道为所述中间盒子网络设备与所述密钥管理器之间建立的安全通道。
获取单元820,用于根据所述TLS安全通道的五元组信息获取通过所述TLS安全通道传输的加密的应用数据,所述五元组信息包括所述客户端的网际协议IP地址、所述客 户端的端口号、所述服务器的IP地址,所述服务器的端口号、传输层协议,所述加密的应用数据是所述客户端或所述服务器基于与所述密钥信息对应的会话密钥对应用数据加密生成的。
解密检测单元830,用于采用所述会话密钥对所述加密的应用数据进行解密,并对解密后的应用数据进行检测。
根据本发明实施例的中间盒子网络设备800的各单元和上述其它操作或功能分别为了实现图4至图6所示的方法中的由中间盒子网络设备执行的相应流程。为了简洁,此处不再赘述。
因此,本发明实施例的中间盒子网络设备,通过对加密的应用数据进行解密,并对解密后的应用数据进行检测,进而使得对加密内容进行检测不再依赖TLS代理服务器,从而能够降低检测复杂度,并且能够降低检测成本。
图9是根据本发明实施例的服务器900的示意性框图。如图9所示,服务器900包括:确定单元910和发送单元920。
确定单元910,用于确定客户端和服务器之间建立的安全传输层协议TLS安全通道的密钥信息。
发送单元920,用于通过第二安全通道向密钥管理器发送所述确定单元910确定的所述密钥信息,以便于所述密钥管理器通过第一安全通道向位于所述TLS安全通道上的中间盒子网络设备发送所述密钥信息,以使所述中间盒子网络设备采用与所述密钥信息对应的会话密钥对通过所述TLS安全通道传输的加密的应用数据进行解密,和对解密后的应用数据进行检测,其中,所述加密的应用数据是所述客户端或所述服务器基于所述会话密钥对应用数据加密生成的,所述第一安全通道为所述密钥管理器与所述中间盒子网络设备之间建立的安全通道,所述第二安全通道为所述密钥管理器和所述服务器之间建立的安全通道。
根据本发明实施例的服务器900的各单元和上述其它操作或功能分别为了实现图4至图6所示的方法中的由服务器900执行的相应流程。为了简洁,此处不再赘述。
因此,本发明实施例的服务器,通过向密钥管理器进而向中间盒子网络设备提供密钥信息,使得中间盒子网络设备可以采用与密钥信息对应的会话密钥对加密的应用数据进行解密,并对解密后的应用数据进行检测,进而使得对加密内容进行检测不再依赖TLS代理服务器,从而能够降低检测复杂度,并且能够降低检测成本。
本发明实施例还提供了一种客户端,该客户端包括接收单元和发送单元。
接收单元,用于通过客户端和服务器之间建立的安全传输层协议TLS安全通道发送的检测询问消息,检测询问消息用于确定客户端是否同意中间盒子网络设备对加密的应用进行加密内容检测,加密的应用数据是客户端或服务器基于TLS安全通道的会话密钥对应用数据加密生成的。
发送单元,用于在客户端同意中间盒子网络设备对加密的应用数据进行加密内容检测时,通过TLS安全通道向服务器发送同意检测消息。
本发明实施例中,通过在确定所述客户端同意对所述客户端和所述服务器之间传输的加密内容进行检测的情况下进行加密内容检测,可以减少安全风险。
本发明实施例还提供了一种SDN控制器,该SDN控制器包括接收单元、确定单元和发送单元。
接收单元,用于接收密钥管理器发送的设备请求消息,设备请求消息包括客户端和服务器之间建立的安全传输层协议TLS安全通道的五元组信息,五元组信息包括客户端的网际协议IP地址、客户端的端口号、服务器的IP地址,服务器的端口号、传输层协议。
确定单元,用于根据设备请求消息确定经过所述五元组信息所标识的TLS安全通道的中间盒子网络设备的设备信息。
发送单元,用于向密钥管理器发送设备信息,以便于密钥管理器根据所述中间盒子网络设备的设备信息通过第一安全通道向中间盒子网络设备发送五元组信息和TLS安全通道的密钥信息,以使中间盒子网络设备根据五元组信息获取客户端和服务器之间通过TLS安全通道传输的加密的应用数据,并采用与密钥信息对应的会话密钥对加密的应用数据进行解密,并对解密后的应用数据进行检测,其中,加密的应用数据是客户端或服务器基于会话密钥对应用数据加密生成的,第一安全通道为中间盒子网络设备与密钥管理器之间建立的安全通道。
本发明实施例通过SDN控制器确定的中间盒子网络设备对加密的应用数据进行解密,并对解密后的应用数据进行检测,使得对加密内容进行检测不再依赖TLS代理服务器,从而能够降低检测复杂度,并且能够降低检测成本。
上文中结合图1至图6详细描述了根据本发明实施例的加密内容检测的方法,下面将结合图10至12对根据本发明实施例的密钥管理器、中间盒子网络设备和服务器进行说明。
图10是根据本发明实施例的密钥管理器1000的示意性框图。如图10所示,密钥管理器1000包括:接收器1010、发送器1020、处理器1030、存储器1040和总线系统1050。其中,接收器1010、发送器1020、处理器1030和存储器1040通过总线系统1050相连,该存储器1040用于存储指令,该处理器1030用于执行该存储器1040存储的指令,以控制接收器1010接收信号,并控制发送器1020发送信号,其中,
处理器1030,用于获取安全传输层协议TLS安全通道的密钥信息,所述TLS安全通道为客户端与服务器之间建立的安全通道;
发送器1020,用于通过第一安全通道向中间盒子网络设备发送所述处理器1030获取的所述密钥信息,以便于所述中间盒子网络设备采用与所述密钥信息对应的会话密钥对通过所述TLS安全通道传输的加密的应用数据进行解密,和对解密后的应用数据进行检测,其中,所述加密的应用数据是所述客户端或所述服务器基于所述会话密钥对应用数据加密生成的,所述中间盒子网络设备位于所述TLS安全通道上,所述第一安全通道为所述密钥管理器与所述盒子网络设备之间建立的安全通道。
应理解,在本发明实施例中,该处理器1030可以是中央处理单元(central processing unit,简称为“CPU”),该处理器1030还可以是其他通用处理器、数字信号处理器(DSP)、专用集成电路(ASIC)、现成可编程门阵列(FPGA)或者其他可编程逻辑器件、分立门或者晶体管逻辑器件、分立硬件组件等。通用处理器可以是微处理器或者该处理器也可以是任何常规的处理器等。
该存储器1040可以包括只读存储器和随机存取存储器,并向处理器1030提供指令和数据。存储器1040的一部分还可以包括非易失性随机存取存储器。例如,存储器1040还可以存储五元组信息与密钥信息的映射关系的信息。
该总线系统1050除包括数据总线之外,还可以包括电源总线、控制总线和状态信号总线等。但是为了清楚说明起见,在图中将各种总线都标为总线系统1050。
在实现过程中,上述方法的各步骤可以通过处理器1030中的硬件的集成逻辑电路或者软件形式的指令完成。结合本发明实施例所公开的加密内容检测的方法的步骤可以直接体现为硬件处理器执行完成,或者用处理器中的硬件及软件模块组合执行完成。软件模块可以位于随机存储器,闪存、只读存储器,可编程只读存储器或者电可擦写可编程存储器、寄存器等本领域成熟的存储介质中。该存储介质位于存储器1040,处理器1030读取存储器1040中的信息,结合其硬件完成上述方法的步骤。为避免重复,这里不再详细描述。
根据本发明实施例的密钥管理器1000的各单元和上述其它操作或功能分别为了实现图4至图6所示的方法中的由密钥管理器执行的相应流程。为了简洁,此处不再赘述。
因此,本发明实施例的密钥管理器,通过向中间盒子网络设备提供密钥信息,使得中间盒子网络设备可以采用与密钥信息对应的会话密钥对加密的应用数据进行解密,并对解密后的内容进行检测,进而使得对加密内容进行检测不再依赖TLS代理服务器,从而能够降低检测复杂度,并且能够降低检测成本。
图11是根据本发明实施例的中间盒子网络设备1100的示意性框图。如图11所示,中间盒子网络设备1100包括:接收器1110、发送器1120、处理器1130、存储器1140和总线系统1150。其中,接收器1110、发送器1120、处理器1130和存储器1140通过总线系统1150相连,该存储器1140用于存储指令,该处理器1130用于执行该存储器1140存储的指令,以控制接收器1110接收信号,并控制发送器1120发送信号,其中,
接收器1110,用于通过第一安全通道接收密钥管理器发送的所述TLS安全通道的密钥信息,其中,所述第一安全通道为所述中间盒子网络设备与所述密钥管理器之间建立的安全通道。
处理器1130,用于根据所述TLS安全通道的五元组信息获取通过所述TLS安全通道传输的加密的应用数据,所述五元组信息包括所述客户端的网际协议IP地址、所述客户端的端口号、所述服务器的IP地址,所述服务器的端口号、传输层协议,所述加密的应用数据是所述客户端或所述服务器基于与所述密钥信息对应的会话密钥对应用数据加密生成的。
处理器1130还用于,采用所述会话密钥对所述加密的应用数据进行解密,并对解密后的应用数据进行检测。
应理解,在本发明实施例中,该处理器1130可以是中央处理单元(central processing unit,简称为“CPU”),该处理器1130还可以是其他通用处理器、数字信号处理器(DSP)、专用集成电路(ASIC)、现成可编程门阵列(FPGA)或者其他可编程逻辑器件、分立门或者晶体管逻辑器件、分立硬件组件等。通用处理器可以是微处理器或者该处理器也可以是任何常规的处理器等。
该存储器1140可以包括只读存储器和随机存取存储器,并向处理器1130提供指令和数据。存储器1140的一部分还可以包括非易失性随机存取存储器。
该总线系统1150除包括数据总线之外,还可以包括电源总线、控制总线和状态信号总线等。但是为了清楚说明起见,在图中将各种总线都标为总线系统1150。
在实现过程中,上述方法的各步骤可以通过处理器1130中的硬件的集成逻辑电路或 者软件形式的指令完成。结合本发明实施例所公开的加密内容检测的方法的步骤可以直接体现为硬件处理器执行完成,或者用处理器中的硬件及软件模块组合执行完成。软件模块可以位于随机存储器,闪存、只读存储器,可编程只读存储器或者电可擦写可编程存储器、寄存器等本领域成熟的存储介质中。该存储介质位于存储器1140,处理器1130读取存储器1140中的信息,结合其硬件完成上述方法的步骤。为避免重复,这里不再详细描述。
根据本发明实施例的中间盒子网络设备1100的各单元和上述其它操作或功能分别为了实现图4至图6所示的方法中的由中间盒子网络设备执行的相应流程。为了简洁,此处不再赘述。
因此,本发明实施例的中间盒子网络设备,通过对加密的应用数据进行解密,并对解密后的内容进行检测,进而使得对加密内容进行检测不再依赖TLS代理服务器,从而能够降低检测复杂度,并且能够降低检测成本。
图12是根据本发明实施例的服务器1200的示意性框图。如图12所示,服务器1200包括:接收器1210、发送器1220、处理器1230、存储器1240和总线系统1250。其中,接收器1210、发送器1220、处理器1230和存储器1240通过总线系统1250相连,该存储器1240用于存储指令,该处理器1230用于执行该存储器1240存储的指令,以控制接收器1210接收信号,并控制发送器1220发送信号,其中,
处理器1230,用于确定客户端和服务器之间建立的安全传输层协议TLS安全通道的密钥信息。
发送器1220,用于通过第二安全通道向密钥管理器发送所述处理器1230确定的所述密钥信息,以便于所述密钥管理器通过第一安全通道向位于所述TLS安全通道上的中间盒子网络设备发送所述密钥信息,以使所述中间盒子网络设备采用与所述密钥信息对应的会话密钥对通过所述TLS安全通道传输的加密的应用数据进行解密,和对解密后的应用数据进行检测,其中,所述加密的应用数据是所述客户端或所述服务器基于所述会话密钥对应用数据加密生成的,所述第一安全通道为所述密钥管理器与所述中间盒子网络设备之间建立的安全通道,所述第二安全通道为所述密钥管理器和所述服务器之间建立的安全通道。
应理解,在本发明实施例中,该处理器1230可以是中央处理单元(central processing unit,简称为“CPU”),该处理器1230还可以是其他通用处理器、数字信号处理器(DSP)、专用集成电路(ASIC)、现成可编程门阵列(FPGA)或者其他可编程逻辑器件、分立门或者晶体管逻辑器件、分立硬件组件等。通用处理器可以是微处理器或者该处理器也可以是任何常规的处理器等。
该存储器1240可以包括只读存储器和随机存取存储器,并向处理器1230提供指令和数据。存储器1240的一部分还可以包括非易失性随机存取存储器。
该总线系统1250除包括数据总线之外,还可以包括电源总线、控制总线和状态信号总线等。但是为了清楚说明起见,在图中将各种总线都标为总线系统1250。
在实现过程中,上述方法的各步骤可以通过处理器1230中的硬件的集成逻辑电路或者软件形式的指令完成。结合本发明实施例所公开的加密内容检测的方法的步骤可以直接体现为硬件处理器执行完成,或者用处理器中的硬件及软件模块组合执行完成。软件模块可以位于随机存储器,闪存、只读存储器,可编程只读存储器或者电可擦写可编程 存储器、寄存器等本领域成熟的存储介质中。该存储介质位于存储器1240,处理器1230读取存储器1240中的信息,结合其硬件完成上述方法的步骤。为避免重复,这里不再详细描述。
根据本发明实施例的服务器1200的各单元和上述其它操作或功能分别为了实现图4至图6所示的方法中的由服务器执行的相应流程。为了简洁,此处不再赘述。
因此,本发明实施例的服务器,通过向密钥管理器进而向中间盒子网络设备提供密钥信息,使得中间盒子网络设备可以采用与密钥信息对应的会话密钥对加密的应用数据进行解密,并对解密后的内容进行检测,进而使得对加密内容进行检测不再依赖TLS代理服务器,从而能够降低检测复杂度,并且能够降低检测成本。
本发明实施例还提供了一种客户端,该客户端包括接收器、发送器、处理器、存储器和总线系统。其中,接收器、发送器、处理器和存储器通过总线系统相连,该存储器用于存储指令,该处理器用于执行该存储器存储的指令,以控制接收器接收信号,并控制发送器发送信号,其中,
接收器,用于通过客户端和服务器之间建立的安全传输层协议TLS安全通道发送的检测询问消息,检测询问消息用于确定客户端是否同意中间盒子网络设备对加密的应用数据进行加密内容检测,加密的应用数据是客户端或服务器基于TLS安全通道的会话密钥对应用数据加密生成的。
发送器,用于在客户端同意中间盒子网络设备对加密的应用数据进行加密内容检测时,通过TLS安全通道向服务器发送同意检测消息。
应理解,在本发明实施例中,该处理器可以是中央处理单元(central processing unit,简称为“CPU”),该处理器还可以是其他通用处理器、数字信号处理器(DSP)、专用集成电路(ASIC)、现成可编程门阵列(FPGA)或者其他可编程逻辑器件、分立门或者晶体管逻辑器件、分立硬件组件等。通用处理器可以是微处理器或者该处理器也可以是任何常规的处理器等。
该存储器可以包括只读存储器和随机存取存储器,并向处理器提供指令和数据。存储器的一部分还可以包括非易失性随机存取存储器。
该总线系统除包括数据总线之外,还可以包括电源总线、控制总线和状态信号总线等。但是为了清楚说明起见,在图中将各种总线都标为总线系统。
在实现过程中,上述方法的各步骤可以通过处理器中的硬件的集成逻辑电路或者软件形式的指令完成。结合本发明实施例所公开的加密内容检测的方法的步骤可以直接体现为硬件处理器执行完成,或者用处理器中的硬件及软件模块组合执行完成。软件模块可以位于随机存储器,闪存、只读存储器,可编程只读存储器或者电可擦写可编程存储器、寄存器等本领域成熟的存储介质中。该存储介质位于存储器,处理器读取存储器中的信息,结合其硬件完成上述方法的步骤。为避免重复,这里不再详细描述。
根据本发明实施例的客户端的各单元和上述其它操作或功能分别为了实现图4至图6所示的方法中的由客户端执行的相应流程。为了简洁,此处不再赘述。
通过在确定所述客户端同意对所述客户端和所述服务器之间传输的加密内容进行检测的情况下进行加密内容检测,可以减少安全风险。
本发明实施例还提供了一种SDN控制器,该SDN控制器包括接收器、发送器、处理器、存储器和总线系统。其中,接收器、发送器、处理器和存储器通过总线系统相连, 该存储器用于存储指令,该处理器用于执行该存储器存储的指令,以控制接收器接收信号,并控制发送器发送信号,其中,
接收器,用于接收密钥管理器发送的设备请求消息,设备请求消息包括客户端和服务器之间建立的安全传输层协议TLS安全通道的五元组信息,五元组信息包括客户端的网际协议IP地址、客户端的端口号、服务器的IP地址,服务器的端口号、传输层协议,设备信息请求消息用于请求与五元组信息所标识的TLS安全通道的中间盒子网络设备的设备信息。
处理器,用于根据设备请求消息确定经过所述五元组信息所标识的TLS安全通道的中间盒子网络设备的设备信息。
发送器,用于向密钥管理器发送设备信息,以便于密钥管理器根据所述中间盒子网络设备的设备信息通过第一安全通道向中间盒子网络设备发送五元组信息和TLS安全通道的密钥信息,以使中间盒子网络设备根据五元组信息获取客户端和服务器之间通过TLS安全通道传输的加密的应用数据,并采用与密钥信息对应的会话密钥对加密的应用数据进行解密,并对解密后的应用数据进行检测,其中,加密的应用数据是客户端或服务器基于会话密钥对应用数据加密生成的,第一安全通道为中间盒子网络设备与密钥管理器之间建立的安全通道。
应理解,在本发明实施例中,该处理器可以是中央处理单元(central processing unit,简称为“CPU”),该处理器还可以是其他通用处理器、数字信号处理器(DSP)、专用集成电路(ASIC)、现成可编程门阵列(FPGA)或者其他可编程逻辑器件、分立门或者晶体管逻辑器件、分立硬件组件等。通用处理器可以是微处理器或者该处理器也可以是任何常规的处理器等。
该存储器可以包括只读存储器和随机存取存储器,并向处理器提供指令和数据。存储器的一部分还可以包括非易失性随机存取存储器。
该总线系统除包括数据总线之外,还可以包括电源总线、控制总线和状态信号总线等。但是为了清楚说明起见,在图中将各种总线都标为总线系统。
在实现过程中,上述方法的各步骤可以通过处理器中的硬件的集成逻辑电路或者软件形式的指令完成。结合本发明实施例所公开的加密内容检测的方法的步骤可以直接体现为硬件处理器执行完成,或者用处理器中的硬件及软件模块组合执行完成。软件模块可以位于随机存储器,闪存、只读存储器,可编程只读存储器或者电可擦写可编程存储器、寄存器等本领域成熟的存储介质中。该存储介质位于存储器,处理器读取存储器中的信息,结合其硬件完成上述方法的步骤。为避免重复,这里不再详细描述。
根据本发明实施例的SDN控制器的各单元和上述其它操作或功能分别为了实现图4至图6所示的方法中的由SDN控制器执行的相应流程。为了简洁,此处不再赘述。
本发明实施例通过SDN控制器确定的中间盒子网络设备对加密的应用数据进行解密,并对解密后的应用数据进行检测,使得对加密内容进行检测不再依赖TLS代理服务器,从而能够降低检测复杂度,并且能够降低检测成本。
应理解,本文中术语“和/或”,仅仅是一种描述关联对象的关联关系,表示可以存在三种关系,例如,A和/或B,可以表示:单独存在A,同时存在A和B,单独存在B这三种情况。另外,本文中字符“/”,一般表示前后关联对象是一种“或”的关系。
应理解,在本发明的各种实施例中,上述各过程的序号的大小并不意味着执行顺序 的先后,各过程的执行顺序应以其功能和内在逻辑确定,而不应对本发明实施例的实施过程构成任何限定。
本领域普通技术人员可以意识到,结合本文中所公开的实施例描述的各示例的单元及算法步骤,能够以电子硬件、或者计算机软件和电子硬件的结合来实现。这些功能究竟以硬件还是软件方式来执行,取决于技术方案的特定应用和设计约束条件。专业技术人员可以对每个特定的应用来使用不同方法来实现所描述的功能,但是这种实现不应认为超出本发明的范围。
所属领域的技术人员可以清楚地了解到,为描述的方便和简洁,上述描述的系统、装置和单元的具体工作过程,可以参考前述方法实施例中的对应过程,在此不再赘述。
在本申请所提供的几个实施例中,应该理解到,所揭露的系统、装置和方法,可以通过其它的方式实现。例如,以上所描述的装置实施例仅仅是示意性的,例如,所述单元的划分,仅仅为一种逻辑功能划分,实际实现时可以有另外的划分方式,例如多个单元或组件可以结合或者可以集成到另一个系统,或一些特征可以忽略,或不执行。另一点,所显示或讨论的相互之间的耦合或直接耦合或通信连接可以是通过一些接口,装置或单元的间接耦合或通信连接,可以是电性,机械或其它的形式。
所述作为分离部件说明的单元可以是或者也可以不是物理上分开的,作为单元显示的部件可以是或者也可以不是物理单元,即可以位于一个地方,或者也可以分布到多个网络单元上。可以根据实际的需要选择其中的部分或者全部单元来实现本实施例方案的目的。
另外,在本发明各个实施例中的各功能单元可以集成在一个处理单元中,也可以是各个单元单独物理存在,也可以两个或两个以上单元集成在一个单元中。
所述功能如果以软件功能单元的形式实现并作为独立的产品销售或使用时,可以存储在一个计算机可读取存储介质中。基于这样的理解,本发明的技术方案本质上或者说对现有技术做出贡献的部分或者该技术方案的部分可以以软件产品的形式体现出来,该计算机软件产品存储在一个存储介质中,包括若干指令用以使得一台计算机设备(可以是个人计算机,服务器,或者网络设备等)执行本发明各个实施例所述方法的全部或部分步骤。而前述的存储介质包括:U盘、移动硬盘、只读存储器(ROM,Read-Only Memory)、随机存取存储器(RAM,Random Access Memory)、磁碟或者光盘等各种可以存储程序代码的介质。
以上所述,仅为本发明的具体实施方式,但本发明的保护范围并不局限于此,任何熟悉本技术领域的技术人员在本发明揭露的技术范围内,可轻易想到变化或替换,都应涵盖在本发明的保护范围之内。因此,本发明的保护范围应以所述权利要求的保护范围为准。

Claims (34)

  1. 一种加密内容检测的方法,其特征在于,所述方法应用于通信网络,所述通信网络包括中间盒子网络设备、密钥管理器和服务器,所述中间盒子网络设备位于客户端和所述服务器之间建立的安全传输层协议TLS安全通道上,包括:
    所述密钥管理器获取所述TLS安全通道的密钥信息;
    所述密钥管理器通过第一安全通道向所述中间盒子网络设备发送所述密钥信息,以便于所述中间盒子网络设备采用与所述密钥信息对应的会话密钥对通过所述TLS安全通道传输的加密的应用数据进行解密,和对解密后的应用数据进行检测,其中,所述加密的应用数据是所述客户端或所述服务器基于所述会话密钥对应用数据加密生成的,所述第一安全通道为所述密钥管理器与所述盒子网络设备之间建立的安全通道。
  2. 如权利要求1所述的方法,其特征在于,在所述密钥管理器获取所述TLS安全通道的密钥信息之前,所述方法还包括:
    所述密钥管理器接收所述中间盒子网络设备通过所述第一安全通道发送的第一密钥请求消息,所述第一密钥请求消息包括所述TLS安全通道的五元组信息,所述第一密钥请求消息用于请求所述密钥信息,所述五元组信息包括所述客户端的网际协议IP地址、所述客户端的端口号、所述服务器的IP地址,所述服务器的端口号、传输层协议;
    其中,所述密钥管理器获取所述TLS安全通道的密钥信息,包括:
    所述密钥管理器根据所述五元组信息获取所述密钥信息。
  3. 如权利要求2所述的方法,其特征在于,所述密钥管理器根据所述五元组信息获取所述密钥信息,包括:
    所述密钥管理器通过第二安全通道向所述服务器发送第二密钥请求消息,所述第二密钥请求消息包括所述五元组信息,所述第二安全通道为所述密钥管理器与所述服务器之间建立的安全通道;
    所述密钥管理器接收所述服务器根据所述第二密钥请求消息发送的所述密钥信息。
  4. 如权利要求1所述的方法,其特征在于,所述密钥管理器获取所述TLS安全通道的密钥信息,包括:
    所述密钥管理器通过第二安全通道接收所述服务器发送的会话信息,所述会话信息包括所述TLS安全通道的五元组信息和所述密钥信息,所述五元组信息包括所述客户端的网际协议IP地址、所述客户端的端口号、所述服务器的IP地址,所述服务器的端口号、传输层协议,所述第二安全通道为所述密钥管理器和所述服务器之间建立的安全通道;
    所述密钥管理器获取所述会话信息中的所述密钥信息;
    其中,在所述密钥管理器通过第一安全通道向所述中间盒子网络设备发送所述密钥信息之前,所述方法还包括:
    所述密钥管理器确定经过所述五元组信息所标识的所述TLS安全通道的所述中间盒子网络设备;
    所述方法还包括:
    所述密钥管理器向所述中间盒子网络设备发送所述五元组信息。
  5. 如权利要求4所述的方法,其特征在于,所述通信网络还包括软件定义网络SDN控制器,其中,所述密钥管理器和所述SDN控制器之间相连接,所述SDN控制器与所述中间盒子网络设备之间相连接;
    所述密钥管理器根据所述五元组信息确定所述中间盒子网络设备,包括:
    所述密钥管理器向所述SDN控制器发送设备请求消息,所述设备请求消息包括所述五元组信息,所述设备请求消息用于请求经过所述五元组信息所标识的所述TLS安全通道的所述中间盒子网络设备的设备信息;
    所述密钥管理器接收所述SDN控制器根据所述设备请求消息发送的所述设备信息。
  6. 如权利要求1至5中任一项所述的方法,其特征在于,所述密钥信息包括第一随机数、第二随机数、预主密钥和伪随机函数,所述第一随机数和所述预主密钥为所述客户端生成的随机数,所述第二随机数为所述服务器生成的随机数,所述伪随机函数用于根据所述第一随机数、所述第二随机数和所述预主密钥生成所述会话密钥。
  7. 如权利要求1至5中任一项所述的方法,其特征在于,所述密钥信息包括所述会话密钥。
  8. 如权利要求1所述的方法,其特征在于,所述密钥信息包括所述会话密钥,
    所述密钥管理器获取所述TLS安全通道的密钥信息,包括:
    所述密钥管理器根据从所述服务器接收的第一随机数、第二随机数、预主密钥和伪随机函数生成所述会话密钥,所述第一随机数和所述预主密钥为所述客户端生成的随机数,所述第二随机数为所述服务器生成的随机数,所述伪随机函数用于根据所述第一随机数、所述第二随机数和所述预主密钥生成所述会话密钥。
  9. 一种加密内容检测的方法,其特征在于,所述方法应用于通信网络,所述通信网络包括中间盒子网络设备、密钥管理器和服务器,所述中间盒子网络设备位于客户端和所述服务器之间建立的安全传输层协议TLS安全通道上,包括:
    所述中间盒子网络设备通过第一安全通道接收所述密钥管理器发送的所述TLS安全通道的密钥信息,其中,所述第一安全通道为所述中间盒子网络设备与所述密钥管理器之间建立的安全通道;
    所述中间盒子网络设备根据所述TLS安全通道的五元组信息获取通过所述TLS安全通道传输的加密的应用数据,所述五元组信息包括所述客户端的网际协议IP地址、所述客户端的端口号、所述服务器的IP地址,所述服务器的端口号、传输层协议,所述加密的应用数据是所述客户端或所述服务器基于与所述密钥信息对应的会话密钥对应用数据加密生成的;
    所述中间盒子网络设备采用所述会话密钥对所述加密的应用数据进行解密,并对解密后的应用数据进行检测。
  10. 如权利要求9所述的方法,其特征在于,所述密钥信息包括第一随机数、第二随机数、预主密钥和伪随机函数,所述第一随机数和所述预主密钥为所述客户端生成的随机数,所述第二随机数为所述服务器生成的随机数,所述伪随机函数用于根据所述第一随机数、所述第二随机数和所述预主密钥生成所述会话密钥,
    其中,在所述中间盒子网络设备采用所述会话密钥对所述加密的应用数据进行解密之前,所述方法还包括:
    所述中间盒子网络设备根据所述第一随机数、所述第二随机数、所述预主密钥和所 述伪随机函数生成所述会话密钥。
  11. 如权利要求9或10所述的方法,其特征在于,所述密钥信息包括所述会话密钥。
  12. 如权利要求9至11中任一项所述的方法,其特征在于,在所述中间盒子网络设备通过第一安全通道接收所述密钥管理器发送的所述TLS安全通道的密钥信息之前,所述方法还包括:
    所述中间盒子网络设备通过所述第一安全通道向所述密钥管理器发送密钥请求消息,所述密钥请求消息包括所述五元组信息,所述密钥请求消息用于请求所述密钥信息;
    其中,所述中间盒子网络设备通过第一安全通道接收所述密钥管理器发送的所述TLS安全通道的密钥信息,包括:
    所述中间盒子网络设备通过所述第一安全通道接收所述密钥管理器根据所述密钥请求消息发送的所述密钥信息。
  13. 如权利要求9至12中任一项所述的方法,其特征在于,在所述中间盒子网络设备根据所述TLS安全通道的五元组信息获取通过所述TLS安全通道传输的加密的应用数据之前,所述方法还包括:
    所述中间盒子网络设备通过所述第一安全通道接收所述密钥管理器发送的所述五元组信息。
  14. 一种加密内容检测的方法,其特征在于,所述方法应用于通信网络,所述通信网络包括中间盒子网络设备、密钥管理器和服务器,所述中间盒子网络设备位于客户端和所述服务器之间建立的安全传输层协议TLS安全通道上,包括:
    所述服务器确定所述TLS安全通道的密钥信息;
    所述服务器通过第二安全通道向所述密钥管理器发送所述密钥信息,以便于所述密钥管理器通过第一安全通道向所述中间盒子网络设备发送所述密钥信息,以使所述中间盒子网络设备采用与所述密钥信息对应的会话密钥对通过所述TLS安全通道传输的加密的应用数据进行解密,和对解密后的应用数据进行检测,其中,所述加密的应用数据是所述客户端或所述服务器基于所述会话密钥对应用数据加密生成的,所述第一安全通道为所述密钥管理器与所述中间盒子网络设备之间建立的安全通道,所述第二安全通道为所述密钥管理器和所述服务器之间建立的安全通道。
  15. 如权利要求14所述的方法,其特征在于,在所述服务器通过第二安全通道向所述密钥管理器发送所述密钥信息之前,所述方法还包括:
    所述服务器通过所述TLS安全通道向所述客户端发送检测询问消息,所述检测询问消息用于确定所述客户端是否同意所述中间盒子网络设备对所述加密的应用数据进行加密内容检测;
    所述服务器接收所述客户端发送的对所述检测询问消息反馈的同意检测消息,所述同意检测消息用于指示所述客户端同意所述中间盒子网络设备对所述加密的应用数据进行加密内容检测。
  16. 如权利要求14或15所述的方法,其特征在于,在所述服务器确定所述TLS安全通道的密钥信息之前,所述方法还包括:
    所述服务器接收所述密钥管理器通过所述第二安全通道发送的密钥请求消息,所述密钥请求消息包括所述TLS安全通道的五元组信息,所述密钥请求消息用于请求所述密钥信息,所述五元组信息包括所述客户端的网际协议IP地址、所述客户端的端口号、所 述服务器的IP地址,所述服务器的端口号、传输层协议;
    其中,所述服务器确定密钥信息,包括:
    所述服务器根据所述五元组信息确定所述五元组信息所标识的所述TLS安全通道的所述密钥信息。
  17. 如权利要求14或15所述的方法,其特征在于,所述方法还包括:
    所述服务器确定所述TLS安全通道的五元组信息,所述五元组信息包括所述客户端的网际协议IP地址、所述客户端的端口号、所述服务器的IP地址,所述服务器的端口号、传输层协议;
    所述服务器向所述密钥管理器发送所述五元组信息。
  18. 一种密钥管理器,其特征在于,包括:
    获取单元,用于获取安全传输层协议TLS安全通道的密钥信息,所述TLS安全通道为客户端与服务器之间建立的安全通道;
    发送单元,用于通过第一安全通道向中间盒子网络设备发送所述获取单元获取的所述密钥信息,以便于所述中间盒子网络设备采用与所述密钥信息对应的会话密钥对通过所述TLS安全通道传输的加密的应用数据进行解密,和对解密后的应用数据进行检测,其中,所述加密的应用数据是所述客户端或所述服务器基于所述会话密钥对应用数据加密生成的,所述中间盒子网络设备位于所述TLS安全通道上,所述第一安全通道为所述密钥管理器与所述盒子网络设备之间建立的安全通道。
  19. 如权利要求18所述的密钥管理器,其特征在于,所述密钥管理器还包括:
    接收单元,用于接收所述中间盒子网络设备通过所述第一安全通道发送的第一密钥请求消息,所述第一密钥请求消息包括所述TLS安全通道的五元组信息,所述第一密钥请求消息用于请求所述密钥信息,所述五元组信息包括所述客户端的网际协议IP地址、所述客户端的端口号、所述服务器的IP地址,所述服务器的端口号、传输层协议;
    其中,所述获取单元具体用于:
    根据所述接收单元接收的所述第一密钥请求消息中的所述五元组信息获取所述密钥信息。
  20. 如权利要求19所述的密钥管理器,其特征在于,所述获取单元具体用于:
    通过第二安全通道向所述服务器发送第二密钥请求消息,所述第二密钥请求消息包括所述五元组信息,所述第二安全通道为所述密钥管理器与所述服务器之间建立的安全通道;
    接收所述服务器根据所述第二密钥请求消息发送的所述密钥信息。
  21. 如权利要求18所述的密钥管理器,其特征在于,所述获取单元具体用于:
    通过第二安全通道接收所述服务器发送的会话信息,所述会话信息包括所述TLS安全通道的五元组信息和所述密钥信息,所述五元组信息包括所述客户端的网际协议IP地址、所述客户端的端口号、所述服务器的IP地址,所述服务器的端口号、传输层协议,所述第二安全通道为所述密钥管理器和所述服务器之间建立的安全通道;
    获取所述会话信息中的所述密钥信息;
    其中,所述密钥管理器还包括:
    确定单元,用于确定经过所述五元组信息所标识的所述TLS安全通道的所述中间盒子网络设备;
    所述发送单元还用于,向所述中间盒子网络设备发送所述五元组信息。
  22. 如权利要求21所述的密钥管理器,其特征在于,所述确定单元具体用于:
    向软件定义网络SDN控制器发送设备请求消息,所述设备请求消息包括所述五元组信息,所述设备请求消息用于请求经过所述五元组信息所标识的所述TLS安全通道的所述中间盒子网络设备的设备信息,其中,所述密钥管理器和所述SDN控制器之间相连接,所述SDN控制器与所述中间盒子网络设备之间相连接;
    接收所述SDN控制器根据所述设备请求消息发送的所述设备信息。
  23. 如权利要求17至22中任一项所述的密钥管理器,其特征在于,所述密钥信息包括第一随机数、第二随机数、预主密钥和伪随机函数,所述第一随机数和所述预主密钥为所述客户端生成的随机数,所述第二随机数为所述服务器生成的随机数,所述伪随机函数用于根据所述第一随机数、所述第二随机数和所述预主密钥生成所述会话密钥。
  24. 如权利要求17至22中任一项所述的密钥管理器,其特征在于,所述密钥信息包括所述会话密钥。
  25. 如权利要求17所述的密钥管理器,其特征在于,所述密钥信息包括所述会话密钥,
    所述获取单元具体用于:
    根据从所述服务器接收的第一随机数、第二随机数、预主密钥和伪随机函数生成所述会话密钥,所述第一随机数和所述预主密钥为所述客户端生成的随机数,所述第二随机数为所述服务器生成的随机数,所述伪随机函数用于根据所述第一随机数、所述第二随机数和所述预主密钥生成所述会话密钥。
  26. 一种中间盒子网络设备,其特征在于,所述中间盒子网络设备位于客户端和服务器之间建立的安全传输层协议TLS安全通道上,包括:
    接收单元,用于通过第一安全通道接收密钥管理器发送的所述TLS安全通道的密钥信息,其中,所述第一安全通道为所述中间盒子网络设备与所述密钥管理器之间建立的安全通道;
    获取单元,用于根据所述TLS安全通道的五元组信息获取通过所述TLS安全通道传输的加密的应用数据,所述五元组信息包括所述客户端的网际协议IP地址、所述客户端的端口号、所述服务器的IP地址,所述服务器的端口号、传输层协议,所述加密的应用数据是所述客户端或所述服务器基于与所述密钥信息对应的会话密钥对应用数据加密生成的;
    解密检测单元,用于采用所述会话密钥对所述加密的应用数据进行解密,并对解密后的应用数据进行检测。
  27. 如权利要求26所述的中间盒子网络设备,其特征在于,所述密钥信息包括第一随机数、第二随机数、预主密钥和伪随机函数,所述第一随机数和所述预主密钥为所述客户端生成的随机数,所述第二随机数为所述服务器生成的随机数,所述伪随机函数用于根据所述第一随机数、所述第二随机数和所述预主密钥生成所述会话密钥,
    其中,所述中间盒子网络设备还包括:
    生成单元,用于根据所述第一随机数、所述第二随机数、所述预主密钥和所述伪随机函数生成所述会话密钥。
  28. 如权利要求26或27所述的中间盒子网络设备,其特征在于,所述密钥信息包 括所述会话密钥。
  29. 如权利要求26至28中任一项所述的中间盒子网络设备,其特征在于,所述中间盒子网络设备还包括:
    发送单元,用于通过所述第一安全通道向所述密钥管理器发送密钥请求消息,所述密钥请求消息包括所述五元组信息,所述密钥请求消息用于请求所述密钥信息;
    其中,所述接收单元具体用于:
    通过所述第一安全通道接收所述密钥管理器根据所述发送单元发送的所述密钥请求消息发送的所述密钥信息。
  30. 如权利要求26至29中任一项所述的中间盒子网络设备,其特征在于,所述接收单元还用于:
    通过所述第一安全通道接收所述密钥管理器发送的所述五元组信息。
  31. 一种服务器,其特征在于,包括:
    确定单元,用于确定客户端和服务器之间建立的安全传输层协议TLS安全通道的密钥信息;
    发送单元,用于通过第二安全通道向密钥管理器发送所述确定单元确定的所述密钥信息,以便于所述密钥管理器通过第一安全通道向位于所述TLS安全通道上的中间盒子网络设备发送所述密钥信息,以使所述中间盒子网络设备采用与所述密钥信息对应的会话密钥对通过所述TLS安全通道传输的加密的应用数据进行解密,和对解密后的应用数据进行检测,其中,所述加密的应用数据是所述客户端或所述服务器基于所述会话密钥对应用数据加密生成的,所述第一安全通道为所述密钥管理器与所述中间盒子网络设备之间建立的安全通道,所述第二安全通道为所述密钥管理器和所述服务器之间建立的安全通道。
  32. 如权利要求31所述的服务器,其特征在于,所述发送单元还用于:
    通过所述TLS安全通道向所述客户端发送检测询问消息,所述检测询问消息用于确定所述客户端是否同意所述中间盒子网络设备对所述加密的应用数据进行加密内容检测;
    所述服务器还包括:
    第一接收单元,用于接收所述客户端发送的对所述发送单元发送的所述检测询问消息反馈的同意检测消息,所述同意检测消息用于指示所述客户端同意所述中间盒子网络设备对所述加密的应用数据进行加密内容检测。
  33. 如权利要求31或32所述的服务器,所述服务器还包括:
    第二接收单元,用于接收所述密钥管理器通过所述第二安全通道发送的密钥请求消息,所述密钥请求消息包括所述TLS安全通道的五元组信息,所述密钥请求消息用于请求所述密钥信息,所述五元组信息包括所述客户端的网际协议IP地址、所述客户端的端口号、所述服务器的IP地址,所述服务器的端口号、传输层协议;
    其中,所述确定单元具体用于:
    根据所述五元组信息确定所述五元组信息所标识的所述TLS安全通道的所述密钥信息。
  34. 如权利要求31或32所述的服务器,其特征在于,所述确定单元还用于:
    确定所述TLS安全通道的五元组信息,所述五元组信息包括所述客户端的网际协议IP地址、所述客户端的端口号、所述服务器的IP地址,所述服务器的端口号、传输层协议;
    所述发送单元还用于,向所述密钥管理器发送所述五元组信息。
PCT/CN2017/087989 2016-06-15 2017-06-13 加密内容检测的方法和设备 WO2017215582A1 (zh)

Priority Applications (2)

Application Number Priority Date Filing Date Title
EP17812693.4A EP3461097B1 (en) 2016-06-15 2017-06-13 Encrypted content detection method and apparatus
US16/222,152 US20190140823A1 (en) 2016-06-15 2018-12-17 Method for Detecting Encrypted Content, and Device

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201610428384.6 2016-06-15
CN201610428384.6A CN107517183B (zh) 2016-06-15 2016-06-15 加密内容检测的方法和设备

Related Child Applications (1)

Application Number Title Priority Date Filing Date
US16/222,152 Continuation US20190140823A1 (en) 2016-06-15 2018-12-17 Method for Detecting Encrypted Content, and Device

Publications (1)

Publication Number Publication Date
WO2017215582A1 true WO2017215582A1 (zh) 2017-12-21

Family

ID=60663147

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2017/087989 WO2017215582A1 (zh) 2016-06-15 2017-06-13 加密内容检测的方法和设备

Country Status (4)

Country Link
US (1) US20190140823A1 (zh)
EP (1) EP3461097B1 (zh)
CN (1) CN107517183B (zh)
WO (1) WO2017215582A1 (zh)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114679314A (zh) * 2022-03-23 2022-06-28 腾讯科技(深圳)有限公司 数据解密的方法、装置、设备及存储介质

Families Citing this family (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US10932129B2 (en) * 2017-07-24 2021-02-23 Cisco Technology, Inc. Network access control
CN110048850A (zh) * 2019-03-26 2019-07-23 重庆邮电大学 一种基于改进ssl/tls协议的车联网数据安全传输技术
CN110839036B (zh) * 2019-11-19 2021-09-03 武汉思普崚技术有限公司 一种sdn网络的攻击检测方法及系统
CN110933063B (zh) * 2019-11-25 2022-02-18 中国联合网络通信集团有限公司 数据加密方法、数据解密方法及设备
CN112995119A (zh) * 2019-12-18 2021-06-18 北京国双科技有限公司 一种数据监测方法及装置
US11658944B2 (en) * 2020-03-13 2023-05-23 Arm Ip Limited Methods and apparatus for encrypted communication
CN111431887B (zh) * 2020-03-19 2022-09-30 深信服科技股份有限公司 一种反向Shell的监测方法、装置、终端设备及介质
US11258774B1 (en) 2020-08-24 2022-02-22 Juniper Networks, Inc. Adaptive control of secure sockets layer proxy
CN112165494B (zh) * 2020-09-30 2023-04-28 厦门亿联网络技术股份有限公司 报文分析方法、装置、电子设备及存储介质
CN114629671B (zh) * 2020-12-10 2023-08-08 腾讯科技(深圳)有限公司 一种数据检测系统
CN114928503B (zh) * 2022-07-21 2022-11-15 北京安盟信息技术股份有限公司 一种安全通道的实现方法及数据传输方法

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101695038A (zh) * 2009-10-27 2010-04-14 联想网御科技(北京)有限公司 检测ssl加密数据安全性的方法及装置
CN104468560A (zh) * 2014-12-02 2015-03-25 中国科学院声学研究所 网络保密数据明文的采集方法及系统
CN105429962A (zh) * 2015-11-03 2016-03-23 清华大学 一种通用的面向加密数据的中间网络服务构建方法与体系

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7992200B2 (en) * 2007-07-16 2011-08-02 International Business Machines Corporation Secure sharing of transport layer security session keys with trusted enforcement points
US9197616B2 (en) * 2010-03-19 2015-11-24 Cisco Technology, Inc. Out-of-band session key information exchange

Patent Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101695038A (zh) * 2009-10-27 2010-04-14 联想网御科技(北京)有限公司 检测ssl加密数据安全性的方法及装置
CN104468560A (zh) * 2014-12-02 2015-03-25 中国科学院声学研究所 网络保密数据明文的采集方法及系统
CN105429962A (zh) * 2015-11-03 2016-03-23 清华大学 一种通用的面向加密数据的中间网络服务构建方法与体系

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
See also references of EP3461097A4 *

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114679314A (zh) * 2022-03-23 2022-06-28 腾讯科技(深圳)有限公司 数据解密的方法、装置、设备及存储介质
CN114679314B (zh) * 2022-03-23 2023-01-31 腾讯科技(深圳)有限公司 数据解密的方法、装置、设备及存储介质

Also Published As

Publication number Publication date
CN107517183A (zh) 2017-12-26
EP3461097B1 (en) 2022-08-24
EP3461097A4 (en) 2019-05-01
EP3461097A1 (en) 2019-03-27
US20190140823A1 (en) 2019-05-09
CN107517183B (zh) 2021-02-12

Similar Documents

Publication Publication Date Title
WO2017215582A1 (zh) 加密内容检测的方法和设备
JP6407926B2 (ja) ネットワーク環境における暗号化データ検査
US10003616B2 (en) Destination domain extraction for secure protocols
US11483292B2 (en) Engagement and disengagement of transport layer security proxy services with encrypted handshaking
US9961103B2 (en) Intercepting, decrypting and inspecting traffic over an encrypted channel
US11658949B2 (en) Secure publish-subscribe communication methods and apparatus
CN110190955B (zh) 基于安全套接层协议认证的信息处理方法及装置
CN104219041A (zh) 一种适用于移动互联网的数据传输加密方法
US10291600B2 (en) Synchronizing secure session keys
US10560433B2 (en) Vertical cloud service
CN105429962A (zh) 一种通用的面向加密数据的中间网络服务构建方法与体系
US11784980B2 (en) Secure low-latency trapdoor proxy
US10015208B2 (en) Single proxies in secure communication using service function chaining
Zhou et al. Enabling security analysis of IoT device-to-cloud traffic
US11539755B1 (en) Decryption of encrypted network traffic using an inline network traffic monitor
Keïta et al. S-WANE model designed to improve Security Association negotiation process in IPv6

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 17812693

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

ENP Entry into the national phase

Ref document number: 2017812693

Country of ref document: EP

Effective date: 20181221