WO2018018640A1 - Method, device and system for information interaction - Google Patents

Method, device and system for information interaction

Info

Publication number: WO2018018640A1
Authority: WO (WIPO, PCT)
Prior art keywords: proxy, server, proxy server, client, https
Application number: PCT/CN2016/092436
Other languages: English (en), Chinese (zh)
Inventor: 陈华东
Original Assignee: 华为技术有限公司

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/40 Network security protocols

Definitions

  • The present invention relates to the field of communications technologies, and in particular to an information interaction method, apparatus and system.
  • HTTPS: hypertext transfer protocol over secure socket layer
  • SSL: secure sockets layer
  • In the related art, a secure channel is established between the source server and the proxy server, and the source server trusts the proxy server.
  • The source server sends the session password (the patent's term for the session key agreed in the SSL handshake) to the proxy server over that secure channel.
  • The proxy server uses the session password to decrypt the HTTPS packet sent by the client, obtains the packet content, and determines the HTTPS service data corresponding to that content. The proxy server then encrypts the service data with the session password and sends it to the client, thereby providing the HTTPS service in place of the source server.
  • With this approach the source server must send the session password to the proxy server in advance, and where there are many proxy servers the session password is easily leaked.
  • The embodiment of the present invention provides an information interaction method, device and system. The technical solution is as follows.
  • According to a first aspect, an information interaction method applied to a source server is provided. The method comprises: receiving a session password acquisition request sent by a proxy server; determining whether the proxy server is allowed to proxy; and, when it is determined that the proxy server is allowed to proxy, sending a session password to the proxy server.
  • The session password is the session password agreed between the source server and the client while establishing an HTTPS connection, and it is used to trigger the proxy server to provide the HTTPS service for the client.
  • Because the source server decides whether to allow the proxy only when it receives a session password acquisition request, and sends the session password only when the proxy is allowed, the source server no longer needs to distribute the session password to proxy servers in advance. This removes the related-art problem that, with a large number of proxy servers, the session password is easily leaked, and so improves the security of the session password.
  • Determining whether to allow the proxy server to proxy comprises: obtaining reference information from the session password acquisition request, the reference information including at least one of information about the proxy server, information about the client carried in the request, and the local state of the source server; and determining, according to the reference information and the local policy of the source server, whether to allow the proxy, thereby obtaining a first determination result. The first determination result is one of: the proxy is allowed; whether to allow the proxy is to be decided on the basis of the HTTPS message content; or the proxy is prohibited.
  • Determining the first determination result according to the reference information and the local policy includes: obtaining the number of HTTPS connections established by the source server and, when that number is greater than a first predetermined threshold, setting the first determination result to "proxy allowed"; or obtaining the load rate of the source server and, when the load rate is greater than a second predetermined threshold, setting the first determination result to "proxy allowed".
  • Determining the first determination result according to the reference information and the local policy may also include: obtaining a blacklist and/or a whitelist defined by the source server; when the reference information contains information that is in the whitelist, setting the first determination result to "proxy allowed"; when the reference information contains information that is in the blacklist, setting it to "proxy prohibited"; and when the reference information contains information that is in neither the whitelist nor the blacklist, setting it to "decide on the basis of the HTTPS message content". Here the information contained in the reference information includes at least one of information about the proxy server and information about the client.
  • The method further comprises: when the first determination result is "proxy allowed", sending the session password agreed with the client to the proxy server; or, when the first determination result is "decide on the basis of the HTTPS message content", waiting to receive the client's HTTPS message transparently forwarded by the proxy server, determining on the basis of the received message whether to allow the proxy, and, when the proxy is allowed, sending the session password agreed with the client to the proxy server.
  • The proxy server can then use the session password to provide the HTTPS service to the client in place of the source server.
  • The method further includes: when it is determined that the proxy is prohibited, sending to the proxy server a second determination result indicating that the proxy is prohibited; the second determination result triggers the proxy server to delete the client's cached HTTPS message.
  • After receiving a second determination result indicating that the proxy is prohibited, the proxy server becomes a transparent proxy between the source server and the client: it forwards data between them unchanged, so that the source server itself provides the HTTPS service to the client.
  • According to a second aspect, an information interaction method applied to a proxy server is provided. The method includes: receiving a setup request sent by a client for establishing an HTTPS connection; sending a session password acquisition request to the source server, the request triggering the source server to determine whether to permit the proxy server to proxy; when the source server allows the proxy, obtaining from the source server the session password agreed between the source server and the client while establishing the HTTPS connection; and providing the HTTPS service to the client by using that session password.
  • Because the session password acquisition request triggers the source server to decide in real time whether to allow the proxy, the proxy server obtains the session password from the source server only on demand. This removes the related-art requirement that the source server send the session password to the proxy server in advance, with its risk that the session password is leaked, and so improves the security of the session password.
  • Obtaining the session password from the source server includes either: receiving the session password sent by the source server after it has determined that the proxy is allowed; or transparently forwarding the HTTPS packet sent by the client to the source server and then receiving the session password, which the source server sends after it has received the packet and determined, on the basis of the packet content, that the proxy is allowed.
  • After sending the session password acquisition request to the source server, the method further includes receiving a first determination result sent by the source server, the first determination result being the result the source server obtains when, after receiving the request, it determines whether to allow the proxy.
  • When the first determination result is that the proxy is allowed, or that whether to allow the proxy is to be decided on the basis of the HTTPS message content, the HTTPS packet received from the client is cached.
  • Caching the client's HTTPS message allows the proxy server, once it subsequently receives the session password from the source server, to decrypt the cached message with that session password and provide the HTTPS service for the client.
  • The method further includes receiving a second determination result sent by the source server, the second determination result being the result the source server obtains when it determines, on the basis of the content of the HTTPS message it has received, whether to allow the proxy.
  • When the second determination result is that the proxy is prohibited, the cached HTTPS packet sent by the client is deleted, which frees the storage space of the proxy server.
  • Obtaining the session password from the source server includes: determining, according to the local policy, whether the proxy negotiation process needs to be started, and, only when it does, obtaining from the source server the session password agreed between the source server and the client while establishing the HTTPS connection.
  • The method further comprises: when the first determination result is that the proxy is prohibited and reason information for the prohibition is provided, updating the local policy with that reason information.
  • According to a third aspect, an information interaction apparatus applied to a source server is provided. The apparatus includes: a receiving unit configured to receive a session password acquisition request sent by the proxy server; an execution unit configured to determine whether the proxy server is allowed to proxy; and a sending unit configured to send a session password to the proxy server when the proxy is allowed, the session password being the one agreed between the source server and the client while establishing an HTTPS connection and being used to trigger the proxy server to provide the HTTPS service for the client.
  • The execution unit is further configured to obtain reference information from the session password acquisition request, the reference information including at least one of information about the proxy server, information about the client carried in the request, and the local state of the source server, and to determine, according to the reference information and the local policy of the source server, whether to allow the proxy, obtaining a first determination result that is one of: proxy allowed; decide on the basis of the HTTPS message content; or proxy prohibited.
  • The execution unit is further configured to: obtain the number of HTTPS connections established by the source server and, when that number is greater than a first predetermined threshold, set the first determination result to "proxy allowed"; or obtain the load rate of the source server and, when the load rate is greater than a second predetermined threshold, set the first determination result to "proxy allowed".
  • The execution unit is further configured to: obtain a blacklist and/or whitelist defined by the source server; when the reference information contains information in the whitelist, set the first determination result to "proxy allowed"; when it contains information in the blacklist, set it to "proxy prohibited"; and when it contains information in neither list, set it to "decide on the basis of the HTTPS message content", the information in question including at least one of information about the proxy server and information about the client.
  • The sending unit is configured to: when the first determination result is "proxy allowed", send the session password agreed with the client to the proxy server; or, when the first determination result is "decide on the basis of the HTTPS message content", wait for the client's HTTPS packet transparently forwarded by the proxy server, determine on the basis of the received packet whether to allow the proxy, and, when the proxy is allowed, send the session password agreed with the client to the proxy server.
  • The sending unit is further configured to: when it is determined that the proxy is prohibited, send to the proxy server a second determination result indicating that the proxy is prohibited, the second determination result triggering the proxy server to delete the client's cached HTTPS message.
  • According to a fourth aspect, an information interaction apparatus applied to a proxy server is provided. The apparatus includes: a receiving unit configured to receive a setup request sent by a client for establishing an HTTPS connection; a sending unit configured to send a session password acquisition request to the source server, the request triggering the source server to determine whether to permit the proxy; and an execution unit configured to obtain from the source server, when the source server allows the proxy, the session password agreed between the source server and the client while establishing the HTTPS connection, and further configured to provide the HTTPS service to the client by using that session password.
  • The receiving unit is further configured either to receive the session password sent by the source server after it has determined that the proxy is allowed, or to transparently forward the client's HTTPS message to the source server and then receive the session password, which the source server sends after receiving the message and determining, on the basis of its content, that the proxy is allowed.
  • The receiving unit is further configured to receive a first determination result sent by the source server, being the result the source server obtains when, after receiving the session password acquisition request, it determines whether to allow the proxy; and the execution unit is further configured to cache the HTTPS packet received from the client when the first determination result is "proxy allowed" or "decide on the basis of the HTTPS message content".
  • The receiving unit is further configured to receive a second determination result sent by the source server, being the result the source server obtains when it determines, on the basis of the content of the received HTTPS message, whether to allow the proxy; and the execution unit is further configured to delete the cached HTTPS packet sent by the client when the second determination result is "proxy prohibited".
  • The execution unit is further configured to determine, according to the local policy, whether the proxy negotiation process needs to be started, and, only when it does, to obtain from the source server the session password agreed between the source server and the client during establishment of the HTTPS connection.
  • The execution unit is further configured to update the local policy with the reason information when the first determination result is "proxy prohibited" and reason information for the prohibition is provided.
  • A proxy server is provided, comprising a processor, a memory coupled to the processor, a transmitter and a receiver, the memory storing one or more instructions configured to be executed by the processor; by executing the instructions in the memory, the processor implements the information interaction method provided in the first aspect above.
  • A source server is provided, comprising a processor, a memory coupled to the processor, a transmitter and a receiver, the memory storing one or more instructions configured to be executed by the processor; by executing the instructions in the memory, the processor implements the information interaction method provided in the second aspect above.
  • An information interaction system is provided, comprising a proxy server and a source server, the source server comprising the information interaction apparatus applied to a source server as provided by the third aspect, and the proxy server comprising the information interaction apparatus applied to a proxy server as provided by the fourth aspect.
  • FIG. 1 is a schematic structural diagram of an information interaction system according to an exemplary embodiment of the present invention.
  • FIG. 2 is a schematic structural diagram of a proxy server according to an exemplary embodiment of the present invention.
  • FIG. 3 is a schematic structural diagram of a source server according to an exemplary embodiment of the present invention.
  • FIG. 4 is a flowchart of an information interaction method according to an exemplary embodiment of the present invention.
  • FIG. 5 is a flowchart of an information interaction method according to another exemplary embodiment of the present invention.
  • FIG. 6A is a flowchart of an information interaction method according to still another exemplary embodiment of the present invention.
  • FIG. 6B is a flowchart of a method by which a source server allows a proxy server to proxy an HTTPS service according to still another exemplary embodiment of the present invention.
  • FIG. 7A is a flowchart of an information interaction method according to still another exemplary embodiment of the present invention.
  • FIG. 7B is a flowchart of a method by which a source server determines, on the basis of HTTPS message content, to allow the proxy according to still another exemplary embodiment of the present invention.
  • FIG. 8A is a flowchart of an information interaction method according to still another exemplary embodiment of the present invention.
  • FIG. 8B is a flowchart of a method by which a source server determines, on the basis of HTTPS packet content, to prohibit the proxy according to another exemplary embodiment of the present invention.
  • FIG. 9A is a flowchart of an information interaction method according to still another exemplary embodiment of the present invention.
  • FIG. 9B is a flowchart of a method by which a source server prohibits a proxy server from proxying an HTTPS service according to still another exemplary embodiment of the present invention.
  • FIG. 9C is a flowchart of a source server determining whether to allow a proxy server to proxy according to still another exemplary embodiment of the present invention.
  • FIG. 10 is a schematic structural diagram of an information interaction apparatus according to an exemplary embodiment of the present invention.
  • FIG. 11 is a schematic structural diagram of an information interaction apparatus according to another exemplary embodiment of the present invention.
  • FIG. 1 is a schematic structural diagram of an information interaction system according to an exemplary embodiment of the present invention. The information interaction system includes a proxy server 120 and a source server 140.
  • The proxy server 120 is a device having a data caching function; it may be a cache server, a gateway with a data cache function, a router with a data cache function, or another device with a data cache function. The proxy server 120 establishes a communication connection with the source server 140.
  • The source server 140 is a server computer system that provides network data, typically a cluster of multiple servers, each of which implements one or more functional modules.
  • The information interaction system may further include a client 160 and a routing device 180. The client 160 establishes a communication connection with the routing device 180.
  • The routing device 180 can be a router or a gateway, for example a packet data network gateway (PGW) or a gateway GPRS support node (GGSN).
  • The routing device 180 configures policy routing between the client 160 and the proxy server 120 for the client 160, so that traffic from the client 160 is routed to the proxy server 120 according to that policy. The routing device 180 typically selects as proxy server 120 a proxy server that is close to it, and the proxy server 120 establishes a communication connection with the routing device 180.
  • The proxy server 120 includes a processor 21, a network interface 22 and a memory 23.
  • The processor 21 includes one or more processing cores and executes various functional applications and data processing by running software programs and modules.
  • The memory 23 is coupled to the processor 21, for example via a bus, and can be used to store software programs and modules.
  • The memory 23 can store an application module 24 required for at least one function; the application module 24 can include a sending module 241, an executing module 242, a receiving module 243, and the like.
  • The sending module 241, the executing module 242 and the receiving module 243 can perform the corresponding steps in FIG. 4, FIG. 6A, FIG. 6B, FIG. 7A, FIG. 7B, FIG. 8A, FIG. 8B, FIG. 9A and FIG. 9B.
  • The memory 23 can be implemented by any type of volatile or non-volatile storage device or a combination thereof, such as static random access memory (SRAM), electrically erasable programmable read-only memory (EEPROM), erasable programmable read-only memory (EPROM), programmable read-only memory (PROM), read-only memory (ROM), magnetic memory, flash memory, magnetic disk or optical disk.
  • The structure of the proxy server 120 shown in FIG. 1 does not constitute a limitation: the proxy server 120 may include more or fewer components than those illustrated, combine some components, or use a different arrangement of components.
  • FIG. 3 is a schematic structural diagram of a source server 140 according to an exemplary embodiment of the present invention. The source server 140 includes a processor 31, a network interface 32 and a memory 33.
  • The processor 31 includes one or more processing cores and executes various functional applications and data processing by running software programs and modules.
  • The memory 33 is coupled to the processor 31, for example via a bus, and can be used to store software programs and modules.
  • The memory 33 can store an application module 34 required for at least one function; the application module 34 can include a sending module 341, an executing module 342, a receiving module 343, and the like.
  • The sending module 341, the executing module 342 and the receiving module 343 can perform the corresponding steps in FIG. 5, FIG. 6A, FIG. 6B, FIG. 7A, FIG. 7B, FIG. 8A, FIG. 8B, FIG. 9A and FIG. 9B.
  • The memory 33 can be implemented by any type of volatile or non-volatile storage device or a combination thereof, such as SRAM, EEPROM, EPROM, PROM, ROM, magnetic memory, flash memory, magnetic disk or optical disk.
  • The structure of the source server 140 shown in FIG. 1 does not constitute a limitation: the source server 140 may include more or fewer components than those illustrated, combine some components, or use a different arrangement of components.
  • Embodiment 1. Please refer to FIG. 4, which shows a flowchart of an information interaction method provided by an exemplary embodiment of the present invention. This embodiment takes as an example the use of the information interaction method in the proxy server 120 shown in FIG. 1; the processor 21 of the proxy server 120 performs the following steps.
  • Step 401: Receive an establishment request sent by the client to request that an HTTPS connection be established.
  • Step 402: Send a session password acquisition request to the source server, the session password acquisition request being used to trigger the source server to determine whether to allow the proxy server to proxy.
  • Step 403: When the source server allows the proxy, obtain from the source server the session password agreed between the source server and the client during establishment of the HTTPS connection.
  • Step 404: Use the session password to provide the HTTPS service for the client.
  • In summary, in the information interaction method of this embodiment the proxy server sends a session password acquisition request to the source server, and that request triggers the source server to determine in real time whether to allow the proxy. Only when the source server allows the proxy does the proxy server obtain the session password from it. This solves the related-art problem that the source server must send the session password to proxy servers in advance, which with many proxy servers makes the session password easy to leak, and so improves the security of the session password.
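The proxy-side method of the second aspect above and of this embodiment (receive the establishment request, consult the local policy, send the acquisition request, then either hold a session password, cache and transparently forward the client's HTTPS message while the source server decides on its content, or drop the cache and fall back to transparent forwarding) can be followed as a small state machine. The Python below is an added example written for this page, not the patent's or Huawei's code. The `FakeSource` class standing in for the source server's end of the secure channel, the `Result`/`Mode` names, the `refused_sources` table used to record the source server's reason information in the local policy, and all message and key values are constructed for illustration; the patent does not say how reason information is stored.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Callable, Dict, List, Optional


class Result(Enum):
    ALLOW = "allow"                 # proxy may serve the client with the session key
    DECIDE_ON_CONTENT = "content"   # source server wants to see the client's HTTPS message first
    PROHIBIT = "prohibit"           # proxy must stay transparent


class Mode(Enum):
    NEGOTIATING = "negotiating"     # acquisition request sent, decision pending on content
    PROXYING = "proxying"           # session key held; proxy serves HTTPS itself
    TRANSPARENT = "transparent"     # no key; bytes forwarded between client and source unchanged


@dataclass
class Session:
    mode: Mode = Mode.NEGOTIATING
    session_key: Optional[bytes] = None
    cached_messages: List[dict] = field(default_factory=list)


class FakeSource:
    """Constructed stand-in for the source server end of the secure channel."""

    def __init__(self, first_results: Dict[str, tuple], content_rule: Callable[[dict], bool]):
        self.first_results = first_results   # client_id -> (Result, key or None, reason or None)
        self.content_rule = content_rule     # stands in for the content-based second determination
        self.forwarded: List[dict] = []      # messages the source server had to serve itself

    def acquisition_request(self, proxy_id: str, client_id: str) -> tuple:
        return self.first_results[client_id]

    def forward_for_decision(self, client_id: str, message: dict) -> tuple:
        self.forwarded.append(message)
        if self.content_rule(message):
            return Result.ALLOW, b"key-" + client_id.encode()   # constructed sample key
        return Result.PROHIBIT, None

    def forward(self, client_id: str, message: dict) -> None:
        self.forwarded.append(message)


class ProxyServer:
    def __init__(self, proxy_id: str, source: FakeSource):
        self.proxy_id = proxy_id
        self.source = source
        self.sessions: Dict[str, Session] = {}
        # Local policy updated from the source server's reason information (assumed
        # shape): a source that refused us with a reason is not asked again.
        self.refused_sources: Dict[str, str] = {}

    def should_negotiate(self, source_id: str) -> bool:
        return source_id not in self.refused_sources

    def on_client_hello(self, client_id: str, source_id: str) -> Mode:
        st = self.sessions[client_id] = Session()
        if not self.should_negotiate(source_id):
            st.mode = Mode.TRANSPARENT       # local policy: skip the negotiation entirely
            return st.mode
        result, key, reason = self.source.acquisition_request(self.proxy_id, client_id)
        if result is Result.ALLOW:
            st.session_key, st.mode = key, Mode.PROXYING
        elif result is Result.PROHIBIT:
            if reason:
                self.refused_sources[source_id] = reason
            st.mode = Mode.TRANSPARENT
        # DECIDE_ON_CONTENT: stay NEGOTIATING until the client's first HTTPS message
        return st.mode

    def on_client_https_message(self, client_id: str, message: dict) -> str:
        st = self.sessions[client_id]
        if st.mode is Mode.PROXYING:
            return "served-by-proxy"
        if st.mode is Mode.TRANSPARENT:
            self.source.forward(client_id, message)
            return "forwarded"
        # Negotiating: cache the message (it can only be decrypted once a key arrives)
        # and forward it transparently so the source server can inspect its content.
        st.cached_messages.append(message)
        result, key = self.source.forward_for_decision(client_id, message)
        if result is Result.ALLOW:
            st.session_key, st.mode = key, Mode.PROXYING
            served = len(st.cached_messages)
            st.cached_messages.clear()
            return f"served-cached:{served}"
        # Second result prohibits: the source server already served the forwarded
        # message, so drop the cache to free storage and stay transparent from now on.
        st.cached_messages.clear()
        st.mode = Mode.TRANSPARENT
        return "forwarded"
```

The point worth noticing is that a session key only ever enters `Session.session_key` on an explicit `ALLOW` from the source server, and that a `PROHIBIT` leaves no cached ciphertext behind on the proxy.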
  • Embodiment 2. Please refer to FIG. 5, which shows a flowchart of an information interaction method provided by another exemplary embodiment of the present invention. This embodiment takes as an example the use of the information interaction method in the source server 140 shown in FIG. 1; the processor 31 of the source server 140 performs the following steps.
  • Step 501: Receive a session password acquisition request sent by the proxy server.
  • Step 502: Determine whether the proxy server is allowed to proxy.
  • Step 503: When it is determined that the proxy is allowed, send a session password to the proxy server, the session password being the one agreed between the source server and the client while establishing an HTTPS connection, and being used to trigger the proxy server to provide the HTTPS service for the client.
  • In summary, in the information interaction method of this embodiment the source server, on receiving a session password acquisition request from the proxy server, dynamically determines whether the proxy is allowed, and sends the session password to the proxy server only when it is. This solves the related-art problem that the source server must send the session password to proxy servers in advance, which with many proxy servers makes the session password easy to leak, and so improves the security of the session password.
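The source-side decision of the first aspect (whitelist and blacklist on proxy or client identity, connection-count and load-rate thresholds, and the deferred decision on HTTPS message content) and its restatement in this embodiment can be expressed as two determination functions that gate the release of the session password. The Python below is an added example written for this page, not the patent's or Huawei's code. The order in which the rules are combined (blacklist checked first, so an overloaded server never releases a session password to a prohibited party) and the `proxyable_hosts` rule used for the content-based second determination are assumptions; the patent does not specify which part of the message content the source server examines. The identifiers, thresholds and session keys are constructed sample values.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional, Tuple


class Decision(Enum):
    ALLOW = "allow"                 # first or second result: proxy may serve the client
    DECIDE_ON_CONTENT = "content"   # first result: wait for the client's HTTPS message
    PROHIBIT = "prohibit"           # first or second result: proxy must stay transparent


@dataclass
class ReferenceInfo:
    """Reference information carried by a session password acquisition request."""
    proxy_id: str            # information about the proxy server
    client_id: str           # information about the client, as carried in the request
    https_connections: int   # local state: HTTPS connections the source server currently holds
    load_rate: float         # local state: load rate of the source server, 0.0 .. 1.0


@dataclass
class LocalPolicy:
    connection_threshold: int      # first predetermined threshold
    load_threshold: float          # second predetermined threshold
    whitelist: set = field(default_factory=set)
    blacklist: set = field(default_factory=set)
    # Assumed content rule (not in the patent text): hostnames whose content the
    # source server is willing to let a proxy serve on its behalf.
    proxyable_hosts: set = field(default_factory=set)


def first_determination(ref: ReferenceInfo, policy: LocalPolicy) -> Decision:
    """Decide on the acquisition request alone; no client HTTPS message seen yet."""
    identities = {ref.proxy_id, ref.client_id}
    if identities & policy.blacklist:          # assumed ordering: the blacklist always wins
        return Decision.PROHIBIT
    if identities & policy.whitelist:
        return Decision.ALLOW
    if ref.https_connections > policy.connection_threshold:
        return Decision.ALLOW                  # offload: too many open connections
    if ref.load_rate > policy.load_threshold:
        return Decision.ALLOW                  # offload: server overloaded
    return Decision.DECIDE_ON_CONTENT          # in neither list and not overloaded


def second_determination(https_message: dict, policy: LocalPolicy) -> Decision:
    """Decide on the client's HTTPS message that the proxy forwarded transparently."""
    host = https_message.get("host", "")
    return Decision.ALLOW if host in policy.proxyable_hosts else Decision.PROHIBIT


class SourceServer:
    def __init__(self, policy: LocalPolicy, session_keys: dict):
        self.policy = policy
        # client_id -> session key agreed with that client in the SSL handshake
        # (constructed sample values; a real server holds these per TLS session)
        self._session_keys = session_keys

    def _release(self, decision: Decision, client_id: str) -> Tuple[Decision, Optional[bytes]]:
        # The session key leaves the source server only on an ALLOW decision.
        key = self._session_keys.get(client_id) if decision is Decision.ALLOW else None
        return decision, key

    def handle_acquisition_request(self, ref: ReferenceInfo) -> Tuple[Decision, Optional[bytes]]:
        """First determination result and, only if allowed, the session key."""
        return self._release(first_determination(ref, self.policy), ref.client_id)

    def handle_forwarded_message(self, ref: ReferenceInfo,
                                 https_message: dict) -> Tuple[Decision, Optional[bytes]]:
        """Second determination result and, only if allowed, the session key."""
        return self._release(second_determination(https_message, self.policy), ref.client_id)


if __name__ == "__main__":
    policy = LocalPolicy(connection_threshold=1000, load_threshold=0.8,
                         whitelist={"proxy-a"}, blacklist={"proxy-z"},
                         proxyable_hosts={"static.example.test"})
    server = SourceServer(policy, {"client-1": b"k1"})
    for ref in (ReferenceInfo("proxy-a", "client-1", 10, 0.1),
                ReferenceInfo("proxy-z", "client-1", 5000, 0.9),
                ReferenceInfo("proxy-b", "client-1", 10, 0.1)):
        print(ref.proxy_id, server.handle_acquisition_request(ref))
```

Keeping key release inside `_release` means every code path that hands a session key to a proxy goes through the same check, which is the property a reviewer would want to verify on a real implementation of this scheme.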
  • When the source server allows the proxy server to proxy the HTTPS service, the source server sends the session password to the proxy server through the secure channel; after receiving the session password, the proxy server uses it to provide the HTTPS service to the client.
  • The information interaction method provided by the present invention is described below with reference to FIG. 6A, which shows a flowchart of an information interaction method provided by still another exemplary embodiment of the present invention. This embodiment takes as an example the use of the information interaction method in the information interaction system shown in FIG. 1; the method includes the following steps.
  • Step 601 The proxy server receives a setup request sent by the client for requesting to establish an HTTPS connection, and determines, according to the local policy, whether the proxy negotiation process needs to be started.
  • When the client needs to access network data over HTTPS, it needs to establish an HTTPS connection with the source server. To do so, the client sends a client hello message (Client Hello) to the proxy server; the Client Hello serves as the establishment request for the HTTPS connection. After receiving the Client Hello, the proxy server determines according to its local policy whether the proxy negotiation process needs to be started.
  • The client and the source server agree on the session password using the SSL handshake protocol. The routing device that has a communication connection with the client is configured with a routing policy for the client, so that the SSL handshake messages sent by the client are policy-routed to the proxy server of the source server. The proxy server transparently transmits the SSL handshake messages between the client and the source server, so that the client completes the session password agreement with the source server and establishes the HTTPS connection.
  • Optionally, the routing device configures the policy route according to the web browsing port number 443 and a whitelist or blacklist of destination addresses: the destination address whitelist lists the destination addresses to which the policy route applies, and the destination address blacklist lists the destination addresses that are excluded from it.
  • The way the client agrees on the session password with the source server using the SSL handshake protocol can be implemented by a person skilled in the art, so the SSL handshake process between the client and the source server is not described in detail here.
  • The proxy negotiation process is a process initiated by the proxy server in which the proxy server asks the source server whether it is allowed to proxy (that is, whether the proxy server may provide the HTTPS service to the client in place of the source server). The proxy server determines whether it is necessary to start the proxy negotiation process according to its local policy.
  • The local policy includes at least one of a negotiation whitelist, a negotiation blacklist, and the local state of the proxy server. The negotiation whitelist is a list of source servers that allow the proxy server to proxy the HTTPS service; the negotiation blacklist is a list of source servers that prohibit the proxy server from proxying the HTTPS service.
  • When the source server is in the negotiation whitelist, the proxy server can initiate the proxy negotiation process to ask the source server whether proxying is allowed. When the source server is in the negotiation blacklist, the proxy server does not initiate the proxy negotiation process and directly becomes a transparent proxy between the client and the source server, transparently transmitting data between them; the HTTPS service is then provided by the source server to the client. Specifically, the proxy server obtains the HTTPS service data from the source server and transparently transmits it to the client.
  • The local state can be the running state of the proxy server. When the running state does not permit the proxy server to provide the proxy service, the negotiation process is not started, and the proxy server likewise directly becomes a transparent proxy between the client and the source server, with the HTTPS service provided by the source server as described above.
  • Different proxy servers may have different local policies, and the policies included in a local policy may differ between implementation scenarios, so the way of deciding whether to start the proxy negotiation process according to the local policy may also differ. It depends on the actual situation and is not repeated here.
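The step 601 decision described above needs two things the text only names: the identity of the source server the client is contacting, which the proxy server can only learn from the Client Hello (normally from its Server Name Indication extension), and the local policy to match it against. The following is an added example written for this page, not code from the patent or from Huawei: it builds a sample TLS 1.2 Client Hello, extracts the SNI host name from it, and applies an assumed negotiation whitelist, negotiation blacklist and running-state check. The host names, the policy lists and the function names are assumptions for illustration.

```python
"""Added example (not part of the patent): the proxy server's step-601 decision.
Record and handshake framing follow TLS 1.2 (RFC 5246) and the server_name
extension (RFC 6066).  Policy lists and host names are made-up assumptions."""
import struct
from typing import Optional

SNI_EXT = 0   # server_name extension type

# Assumed local policy of one proxy server (negotiation whitelist / blacklist).
NEGOTIATION_WHITELIST = {"static.example.com", "download.example.com"}
NEGOTIATION_BLACKLIST = {"bank.example.com"}


def build_client_hello(server_name: str) -> bytes:
    """Construct a minimal TLS 1.2 Client Hello record carrying one SNI entry.
    Only used to produce sample input; in practice the client sends this."""
    host = server_name.encode("ascii")
    entry = b"\x00" + struct.pack("!H", len(host)) + host            # name_type=host_name
    ext_data = struct.pack("!H", len(entry)) + entry                  # ServerNameList
    ext = struct.pack("!HH", SNI_EXT, len(ext_data)) + ext_data
    body = (b"\x03\x03"                       # client_version TLS 1.2
            + b"\x11" * 32                    # random (constant, sample only)
            + b"\x00"                         # session_id length 0
            + b"\x00\x02\xc0\x2f"             # cipher_suites: one suite
            + b"\x01\x00"                     # compression_methods: null
            + struct.pack("!H", len(ext)) + ext)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body               # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs          # ContentType handshake


def parse_sni(rec: bytes) -> Optional[str]:
    """Walk one handshake record and return the SNI host name, or None if absent.
    Raises ValueError when the bytes are not a well-formed Client Hello."""
    if len(rec) < 5 or rec[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    hs = rec[5:5 + struct.unpack("!H", rec[3:5])[0]]
    if len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("not a Client Hello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 2 + 32                                          # skip version and random
    pos += 1 + body[pos]                                  # session_id
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]  # cipher_suites
    pos += 1 + body[pos]                                  # compression_methods
    if pos >= len(body):
        return None                                       # no extensions at all
    end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
        data = body[pos + 4:pos + 4 + ext_len]
        pos += 4 + ext_len
        if ext_type != SNI_EXT:
            continue
        list_len = struct.unpack("!H", data[:2])[0]
        q = 2
        while q + 3 <= 2 + list_len:
            name_type = data[q]
            name_len = struct.unpack("!H", data[q + 1:q + 3])[0]
            name = data[q + 3:q + 3 + name_len]
            q += 3 + name_len
            if name_type == 0:
                return name.decode("ascii")
    return None


def should_start_negotiation(client_hello: bytes, proxy_running_normally: bool) -> bool:
    """Step 601.  True: start the proxy negotiation with the source server.
    False: stay a transparent proxy and relay everything unchanged.
    Blacklist wins over whitelist; an unknown or missing SNI never triggers
    negotiation, so the proxy never asks for a key it has no policy for."""
    if not proxy_running_normally:            # local state forbids proxying
        return False
    sni = parse_sni(client_hello)
    if sni is None or sni in NEGOTIATION_BLACKLIST:
        return False
    return sni in NEGOTIATION_WHITELIST


if __name__ == "__main__":
    for host in ("static.example.com", "bank.example.com", "other.example.net"):
        print(host, "->", should_start_negotiation(build_client_hello(host), True))
```

The default for a source server that is on neither list is the transparent path: the proxy only ever requests a session password for a source server its operator has explicitly listed. Note that the SNI is client-supplied and unauthenticated at this point; it is a policy key for the proxy, not a proof of which server the client will end up talking to, which is one more reason the source server makes its own decision in step 603.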
  • Step 602: When the proxy negotiation process needs to be started, the proxy server sends a session password acquisition request to the source server.
  • When the proxy server determines according to the local policy that the proxy negotiation process needs to be started, it detects whether a secure channel has already been established between the proxy server and the source server. If a secure channel has been established, the proxy server sends the session password acquisition request to the source server through it. If not, a secure channel is first established between the proxy server and the source server, and the proxy server then sends the session password acquisition request through the secure channel. It should be noted that the method for establishing the secure channel can be implemented by a person skilled in the art and is not described in detail here.
  • Step 603: The source server receives the session password acquisition request sent by the proxy server and determines whether the proxy server is allowed to proxy.
  • Specifically, the source server obtains reference information from the session password acquisition request and determines, according to the reference information and the local policy of the source server, whether to allow the proxy server to proxy, obtaining a first determination result. The first determination result is one of: the proxy server is allowed to proxy; whether to allow the proxy server to proxy is to be determined based on the HTTPS message content; or the proxy server is prohibited from proxying. The HTTPS message here is an HTTPS service request sent by the client.
  • The reference information includes at least one of the information of the proxy server, the information of the client, the local state of the source server, and the local policy of the source server; the source server may also use other reference information to determine whether to allow the proxy server to proxy.
  • For example, the source server may directly allow the proxy server to proxy without considering other reference information, in which case the first determination result is that the proxy server is allowed to proxy. Alternatively, the source server may need to further determine whether to allow proxying according to the content the proxy server requests to proxy (the content of the HTTPS packet sent by the client), in which case the first determination result is that the decision is to be made based on the HTTPS message content. Or the source server may prohibit the proxy server from proxying, in which case the first determination result is that the proxy server proxy is disabled.
  • The source server may determine the first determination result according to several items of reference information; the reference information used, and the method of determining the first determination result from it, may differ between implementation scenarios.
  • After determining the first determination result, the source server sends it to the proxy server through the secure channel, and the proxy server receives it. When the first determination result is that the proxy server is allowed to proxy, the proxy server caches the HTTPS packet received from the client and waits for the session password sent by the source server. When the first determination result is that the proxy server proxy is disabled, the HTTPS packet sent by the client is transparently transmitted to the source server.
  • Here, after the HTTPS connection is established, the client encrypts its HTTPS message with the session password and sends it to the proxy server, and the proxy server receives the HTTPS message from the client.
  • Step 604 The source server sends a session password to the proxy server when determining that the proxy server proxy is allowed.
  • the source server sends the session password to the proxy server through a secure channel.
  • Step 605 The proxy server receives the session password sent by the source server, and provides the HTTPS service to the client by using the session password.
  • Specifically, the proxy server uses the session password to parse (decrypt) the HTTPS packet and obtain the HTTPS packet content. It then queries its local cache for the HTTPS service data corresponding to the HTTPS packet content, that is, whether the HTTPS service data requested by the client is already stored locally.
  • If the requested HTTPS service data is present in the local cache, the proxy server encrypts it with the session password and sends the encrypted HTTPS service data to the client; in this way the proxy server provides the HTTPS service to the client. If it is not present, the HTTPS packet obtained from the client is transparently transmitted to the source server. The source server uses the session password to parse the HTTPS packet and provides the HTTPS service data to the client: it encrypts the HTTPS service data with the session password and sends it to the proxy server, which transparently transmits the encrypted HTTPS service data to the client. At the same time, the proxy server determines, according to its caching policy, whether to store the HTTPS service data in the local cache.
  • The HTTPS service data may be stored according to any of several caching policies. For example, when the number of times the HTTPS service data has been requested by clients reaches a third predetermined threshold, the proxy server stores it in the local cache. The policies included in the caching policy may differ between implementation scenarios, and so may the method of deciding whether to store HTTPS service data in the local cache; this depends on the actual situation.
  • In summary, in the information interaction method provided by this embodiment, in each process of establishing an HTTPS connection between a client and the source server, the source server dynamically determines whether the proxy server is allowed to proxy, and the proxy server obtains the session password from the source server. This solves the problem in the related art that the source server has to send the session password to the proxy server in advance, which makes the session password easy to leak, and thereby improves the security of the session password.
  • Moreover, by sending the session password to the proxy server only when the first determination result is that the proxy server is allowed to proxy, the source server enables the proxy server to provide the HTTPS service to the client in its place using the session password. And by caching the HTTPS message received from the client when the first determination result is that proxying is allowed, the proxy server can, once it subsequently receives the session password from the source server, use it to parse the cached HTTPS message and provide the HTTPS service to the client.
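What the proxy server actually does with the session password in step 605, and what the caching policy of step 605 looks like, is easier to see in code than in prose. The following is an added example written for this page, not code from the patent or from Huawei. Record protection here is a stand-in built from HMAC-SHA256 (a keystream plus an encrypt-then-MAC tag) so that the example runs with the Python standard library only; it is not TLS, and a real proxy would use the negotiated cipher suite with the real session keys. One key is used in both directions for brevity. The key value, the request path, the response body and the threshold value are constructed assumptions.

```python
"""Added example, not from the patent: the data path of step 605 once the session
password has been delivered in step 604, with the threshold-based caching policy.
Record protection is an HMAC-SHA256 stand-in, NOT TLS.  Key, paths, bodies and the
threshold are constructed for the example."""
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

TAG_LEN = 32


def _keystream(key: bytes, seq_b: bytes, n: int) -> bytes:
    out, block = b"", 0
    while len(out) < n:
        out += hmac.new(key, seq_b + block.to_bytes(4, "big"), hashlib.sha256).digest()
        block += 1
    return out[:n]


def protect(key: bytes, seq: int, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC one record; the 8-byte sequence number acts as the nonce."""
    seq_b = seq.to_bytes(8, "big")
    body = bytes(p ^ s for p, s in zip(plaintext, _keystream(key, seq_b, len(plaintext))))
    tag = hmac.new(key, seq_b + body, hashlib.sha256).digest()
    return seq_b + body + tag


def unprotect(key: bytes, rec: bytes) -> bytes:
    """Verify the tag, then decrypt.  Anyone holding the key can do this: that is
    exactly what the proxy gains when the source server releases the password."""
    seq_b, body, tag = rec[:8], rec[8:-TAG_LEN], rec[-TAG_LEN:]
    if not hmac.compare_digest(hmac.new(key, seq_b + body, hashlib.sha256).digest(), tag):
        raise ValueError("record authentication failed: wrong key or tampered record")
    return bytes(c ^ s for c, s in zip(body, _keystream(key, seq_b, len(body))))


def client_request(key: bytes, seq: int, path: str) -> bytes:
    """The client's HTTPS message: an HTTP request protected under the session key."""
    return protect(key, seq, f"GET {path} HTTP/1.1\r\nHost: static.example.com\r\n\r\n".encode())


@dataclass
class SourceServer:
    session_key: bytes
    content: Dict[str, bytes]
    seq: int = 0

    def handle(self, rec: bytes) -> bytes:
        path = unprotect(self.session_key, rec).split()[1].decode()
        self.seq += 1
        return protect(self.session_key, self.seq, self.content.get(path, b"404 Not Found"))


@dataclass
class ProxyServer:
    cache_threshold: int                                   # the "third predetermined threshold"
    session_key: Optional[bytes] = None                    # None until step 604 delivers it
    cache: Dict[str, bytes] = field(default_factory=dict)
    requests_seen: Dict[str, int] = field(default_factory=dict)
    seq: int = 0                                           # server-to-client record sequence

    def receive_session_key(self, key: bytes) -> None:     # arrives over the secure channel
        self.session_key = key

    def handle(self, rec: bytes, source: SourceServer) -> Tuple[str, bytes]:
        """Return (who produced the response, protected response for the client)."""
        if self.session_key is None:                       # still transparent: cannot parse
            return "source", source.handle(rec)
        path = unprotect(self.session_key, rec).split()[1].decode()   # parse the HTTPS message
        if path in self.cache:                             # hit: the proxy answers itself
            self.seq += 1
            return "proxy", protect(self.session_key, self.seq, self.cache[path])
        enc = source.handle(rec)                           # miss: transparently to the source
        self.seq = int.from_bytes(enc[:8], "big")          # keep in step with the source's sequence
        self.requests_seen[path] = self.requests_seen.get(path, 0) + 1
        if self.requests_seen[path] >= self.cache_threshold:          # caching policy
            self.cache[path] = unprotect(self.session_key, enc)
        return "source", enc


def run_scenario(threshold: int = 2) -> List[str]:
    """Four identical client requests; the password arrives before the second one.
    Returns who served each request."""
    key = hashlib.sha256(b"constructed session password").digest()
    source = SourceServer(key, {"/novel/ch1.txt": b"Chapter 1 ..."})
    proxy = ProxyServer(cache_threshold=threshold)
    served = []
    for seq in range(1, 5):
        if seq == 2:
            proxy.receive_session_key(key)                 # step 604
        who, enc = proxy.handle(client_request(key, seq, "/novel/ch1.txt"), source)
        if unprotect(key, enc) != b"Chapter 1 ...":        # the client decrypts either answer
            raise RuntimeError("client could not decrypt the response")
        served.append(who)
    return served


if __name__ == "__main__":
    print(run_scenario(2))
```

Two practitioner caveats follow from the code. First, once the proxy holds the session password it can read and forge every record of that connection, so the step 603 decision and the confidentiality of the secure channel are the entire trust boundary: a compromised proxy with the password is equivalent to a compromised source server for that session. Second, TLS record sequence numbers are implicit and per-connection; a proxy that injects cached responses into a connection it does not terminate must keep its server-to-client counter consistent with what the client and the source server expect (the example mirrors the source's counter on every relayed miss), otherwise records fail authentication or, with a stand-in like this one, nonces repeat.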
  • Embodiment 4: In a possible implementation, the process of establishing the HTTPS connection between the client and the source server is combined with the process in which the proxy server obtains the session password from the source server when the source server allows the proxy server to proxy. FIG. 6B illustrates a flowchart of a method in which the source server allows the proxy server to proxy the HTTPS service according to still another exemplary embodiment of the present invention. This embodiment is exemplified by the method being used in the information interaction system shown in FIG. 1, and the method includes the following steps:
  • Step 606: The client establishes an HTTPS connection with the source server, which can be implemented through the following sub-steps.
  • Step 606a1: The client sends a client hello message (Client Hello) to the proxy server.
  • Step 606a2: The proxy server transparently transmits the Client Hello to the source server.
  • Step 606b1: The source server sends a server hello message (Server Hello) to the proxy server.
  • Step 606b2: The proxy server transparently transmits the Server Hello to the client.
  • Step 606c1: The source server sends its certificate (Certificate) to the proxy server.
  • Step 606c2: The proxy server transparently transmits the Certificate to the client.
  • Step 606d1: The source server sends a server hello done message (Server Hello Done) to the proxy server.
  • Step 606d2: The proxy server transparently transmits the Server Hello Done to the client.
  • Step 606e1: The client sends a client key exchange message (Client Key Exchange) to the proxy server.
  • Step 606e2: The proxy server transparently transmits the Client Key Exchange to the source server.
  • Step 606f1: The client sends a change cipher spec message (Change Cipher Spec) to the proxy server.
  • Step 606f2: The proxy server transparently transmits the Change Cipher Spec to the source server.
  • Step 606g1: The client sends a finished message (Finished) to the proxy server.
  • Step 606g2: The proxy server transparently transmits the Finished to the source server.
  • Step 606h1: The source server sends a change cipher spec message (Change Cipher Spec) to the proxy server.
  • Step 606h2: The proxy server transparently transmits the Change Cipher Spec to the client.
  • Step 606i1: The source server sends a finished message (Finished) to the proxy server.
  • Step 606i2: The proxy server transparently transmits the Finished to the client.
  • The foregoing sub-steps are the process required for the client to establish an HTTPS connection with the source server. Since the proxy server only transmits these messages unchanged, it does not obtain the session password from the handshake itself; it obtains it from the source server in the steps below. The process of establishing the HTTPS connection can be implemented by a person skilled in the art, and the sub-steps involved are not described again here.
  • Step 607: The proxy server determines, according to the local policy, whether the proxy negotiation process needs to be started. For the description of step 607, refer to the explanation of step 601; details are not described again.
  • Step 608: When the proxy negotiation process needs to be started, the proxy server sends a session password acquisition request to the source server through the secure channel. For the description of step 608, refer to the explanation of step 602.
  • Step 609: The source server receives the session password acquisition request sent by the proxy server, determines whether the proxy server is allowed to proxy, and obtains the first determination result. For the description of step 609, refer to the explanation of step 603.
  • Step 610: The source server sends the first determination result to the proxy server through the secure channel.
  • Step 611: When the first determination result received by the proxy server is that the proxy server is allowed to proxy, the proxy server waits to receive the session password sent by the source server. Optionally, the proxy server sends a message to the source server through the secure channel confirming that the first determination result has been received.
  • Steps 607 to 611 and the sub-steps of step 606 are in no particular order relative to each other; steps 607 to 611 must be performed in sequence, and the sub-steps of step 606 are generally performed in the order given above.
  • Step 612: The client sends an HTTPS message to the proxy server.
  • After the client has established the HTTPS connection with the source server, that is, after it receives the Finished message forwarded by the proxy server, the client sends an HTTPS packet to the proxy server. If the proxy server receives the HTTPS packet before it has received the session password from the source server, it forwards the HTTPS packet to the source server.
  • Step 613: The source server sends the session password to the proxy server through the secure channel. Steps 612 and 613 are in no particular order; the actual order depends on the specific conditions.
  • Step 614: The proxy server receives the session password sent by the source server and provides the HTTPS service to the client by using the session password.
  • Specifically, the proxy server parses the HTTPS packet by using the session password and determines whether the corresponding HTTPS service data exists in the local cache. If it does not, the proxy server transparently transmits the HTTPS message sent by the client to the source server, and the source server parses the HTTPS message with the session password to provide the HTTPS service to the client. If it does, the proxy server itself parses the HTTPS message with the session password and provides the HTTPS service to the client. For details, refer to the description of step 605.
  • It should be noted that when the proxy server does not need to initiate the negotiation process, it becomes a transparent proxy between the client and the source server, data is transparently transmitted between the client and the source server, and the source server provides the HTTPS service to the client through this transparent transmission.
  • In summary, in the method provided by this embodiment, the proxy server obtains the session password from the source server through dynamic negotiation. This solves the problem in the related art that the source server has to send the session password to the proxy server in advance, which, when there are many proxy servers, makes the session password easy to leak; the security of the session password is thereby improved.
  • Embodiment 5: When the source server needs to determine whether to allow the proxy server to proxy based on the content of the HTTPS packet, the source server obtains the HTTPS packet from the proxy server. If the source server determines, based on the HTTPS message content, that the proxy server is allowed to proxy the HTTPS service, it sends the session password to the proxy server, so that the proxy server provides the HTTPS service to the client by using the session password.
  • the information interaction method provided by the present invention will be described below with reference to FIG. 7A.
  • FIG. 7A shows a flowchart of an information interaction method provided by still another exemplary embodiment of the present invention.
  • This embodiment is exemplified by the information interaction method used in the information interaction system shown in FIG. 1, and the method includes the following steps:
  • Step 701 The proxy server receives a setup request sent by the client for requesting to establish an HTTPS connection, and determines, according to the local policy, whether the proxy negotiation process needs to be started.
  • Step 702: When the proxy negotiation process needs to be started, the proxy server sends a session password acquisition request to the source server.
  • Step 703 The source server receives the session password acquisition request sent by the proxy server, determines whether the proxy server proxy is allowed according to the reference information, and obtains a first determination result.
  • Step 704: When the first determination result is that whether the proxy server is allowed to proxy is to be determined based on the content of the HTTPS packet, the source server sends the first determination result to the proxy server and waits for the client's HTTPS packet transparently transmitted by the proxy server. Specifically, the source server sends the first determination result to the proxy server through the secure channel.
  • Step 705: When the first determination result received by the proxy server is that the decision is to be made based on the HTTPS packet content, the proxy server caches the HTTPS packet received from the client and transparently transmits it to the source server.
  • After the client has established the HTTPS connection with the source server, it sends an HTTPS packet to the proxy server; that is, once the connection is established, the proxy server can receive HTTPS packets from the client. The proxy server caches the received HTTPS packet so that, if the source server determines based on the HTTPS message content that proxying is allowed, the proxy server can, after receiving the session password from the source server, use the session password to provide the HTTPS service to the client. At the same time, the proxy server transparently transmits the HTTPS packet to the source server, so that the source server can parse the HTTPS packet, determine its content, and decide based on that content whether to allow the proxy server to proxy.
  • Step 706: After receiving the client's HTTPS packet transparently transmitted by the proxy server, the source server determines whether the proxy server is allowed to proxy according to the received HTTPS packet.
  • Specifically, the source server receives the HTTPS packet transparently transmitted by the proxy server (through the secure channel), parses it using the session password to determine the content of the HTTPS packet, and then determines according to that content whether the proxy server is allowed to proxy, obtaining a second determination result.
  • For some content, the source server determines based on the content of the HTTPS message that the proxy server is prohibited from proxying. For other content, for example when the source server learns that the content of the HTTPS message is a novel (fiction) resource download and the novel service may be proxied by the proxy server, the source server determines based on the content of the HTTPS message that the proxy server is allowed to proxy. The method for determining whether to allow the proxy server to proxy according to the content of the HTTPS packet is not described in detail in this embodiment; the specific method may be determined according to actual conditions.
  • Step 707: When determining that the proxy server is allowed to proxy, the source server sends the session password agreed with the client to the proxy server. Specifically, it does so through the secure channel.
  • Step 708: The proxy server receives the session password sent by the source server and provides the HTTPS service to the client by using the session password. For the description of step 708, refer to the description of step 605; details are not described again.
  • It should be noted that when the proxy server does not need to initiate the negotiation process, it becomes a transparent proxy between the client and the source server, data is transparently transmitted between the client and the source server, and the source server provides the HTTPS service to the client through this transparent transmission.
  • In summary, in the information interaction method provided by this embodiment, in each process of establishing an HTTPS connection between the client and the source server, the source server dynamically determines whether the proxy server is allowed to proxy, and when the source server allows it, the proxy server obtains the session password from the source server. This solves the problem in the related art that the source server has to send the session password to the proxy server in advance, which, when there are many proxy servers, makes the session password easy to leak; the security of the session password is thereby improved.
  • Moreover, when the first determination result is that the decision is to be made based on the HTTPS message content, the source server sends the session password to the proxy server only after deciding on that basis, so that the proxy server can use the session password to provide the HTTPS service to the client in place of the source server. The proxy server, on receiving such a first determination result, caches the HTTPS message received from the client so that, once it subsequently receives the session password from the source server, it can use the session password to parse the HTTPS message and provide the HTTPS service to the client; it also transparently transmits the HTTPS packet to the source server, so that the source server can determine whether to allow the proxy server to proxy according to the content of the HTTPS packet.
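The negotiation control path of steps 601 to 605 and of steps 701 to 708 is the same state machine with one extra round, so one example covers both. The following is an added example written for this page, not code from the patent or from Huawei: the proxy server's states, the three possible first determination results, the cached client message while a content-based second determination is pending, and the rule that the session password leaves the source server only on an allow result. The HTTPS message is represented by its plaintext for the simulation (on the wire it is encrypted and the source server decrypts it with the session password before deciding, as in step 706). The trust lists, the proxyable path prefix (taken from the page's own "novel download" example), the proxy identifiers and the key value are assumptions.

```python
"""Added example, not from the patent: the negotiation of steps 601-605 / 701-708 as a
state machine.  Policies, identifiers and the session password value are made up."""
from dataclasses import dataclass, field
from enum import Enum
from typing import List, Optional, Tuple


class First(Enum):                   # the three possible first determination results (step 603)
    ALLOW = "allow proxy"
    CONTENT_BASED = "decide on HTTPS message content"
    DENY = "disable proxy"


class State(Enum):
    WAIT_FIRST = "waiting for first determination result"
    WAIT_KEY = "waiting for session password"
    WAIT_SECOND = "caching client message, waiting for second determination result"
    PROXYING = "providing HTTPS service with the session password"
    TRANSPARENT = "transparent proxy"


@dataclass
class SourceServer:
    session_password: str                    # agreed with the client in the handshake
    trusted_proxies: set                     # reference information: proxy server identity
    fully_trusted: set                       # proxies allowed without looking at content
    proxyable_prefixes: Tuple[str, ...] = ("/novel/",)   # content the page says may be proxied

    def first_decision(self, proxy_id: str) -> First:      # step 603 / 703
        if proxy_id not in self.trusted_proxies:
            return First.DENY
        if proxy_id in self.fully_trusted:
            return First.ALLOW
        return First.CONTENT_BASED

    def second_decision(self, request: str) -> bool:       # step 706: content-based
        path = request.split()[1]
        return path.startswith(self.proxyable_prefixes)


@dataclass
class ProxyServer:
    proxy_id: str
    state: State = State.WAIT_FIRST
    session_password: Optional[str] = None
    pending: List[str] = field(default_factory=list)       # cached client HTTPS messages
    channel: List[Tuple[str, str, str]] = field(default_factory=list)   # secure-channel log

    def send(self, msg: str) -> None:
        self.channel.append((self.proxy_id, "source", msg))

    def recv(self, msg: str) -> None:
        self.channel.append(("source", self.proxy_id, msg))


def negotiate(proxy: ProxyServer, source: SourceServer, client_request: str) -> State:
    """Run one negotiation; client_request is the client's first HTTPS message."""
    proxy.send("session password acquisition request")      # step 602 / 702
    first = source.first_decision(proxy.proxy_id)           # step 603 / 703
    proxy.recv(f"first result: {first.value}")              # step 610 / 704
    if first is First.ALLOW:
        proxy.state = State.WAIT_KEY
        proxy.pending.append(client_request)                # cache while waiting
        proxy.recv("session password")                      # step 604: only now is it released
        proxy.session_password = source.session_password
        proxy.state = State.PROXYING
    elif first is First.DENY:
        proxy.state = State.TRANSPARENT                     # the source answers the client
    else:
        proxy.state = State.WAIT_SECOND
        proxy.pending.append(client_request)                # step 705: cache it ...
        proxy.send("relayed client HTTPS message")          # ... and relay it to the source
        if source.second_decision(client_request):          # step 706
            proxy.recv("second result: allow proxy")
            proxy.recv("session password")                  # step 707
            proxy.session_password = source.session_password
            proxy.state = State.PROXYING                    # step 708: serve the cached message
        else:
            proxy.recv("second result: disable proxy")
            proxy.pending.clear()                           # the source already has it
            proxy.state = State.TRANSPARENT
    return proxy.state


def password_was_sent(proxy: ProxyServer) -> bool:
    return any(msg == "session password" for _, _, msg in proxy.channel)


if __name__ == "__main__":
    src = SourceServer("k-constructed", trusted_proxies={"p1", "p2"}, fully_trusted={"p2"})
    for pid, req in (("p1", "GET /novel/ch1.txt HTTP/1.1"), ("p1", "GET /account HTTP/1.1"),
                     ("p3", "GET /novel/ch1.txt HTTP/1.1")):
        p = ProxyServer(pid)
        print(pid, req, "->", negotiate(p, src, req).value, "| password sent:", password_was_sent(p))
```

The invariant worth checking in any implementation of this scheme is the one the tests below assert: a proxy that is not trusted, or whose request content is refused, never sees a "session password" message on the channel at all, and its cached copy of the client's message is discarded rather than served.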
  • Embodiment 6: In a possible implementation, the process of establishing the HTTPS connection between the client and the source server is combined with the process in which the proxy server obtains the session password from the source server when the source server allows the proxy server to proxy based on the content of the HTTPS message. FIG. 7B is a flowchart of a method in which the source server determines whether the proxy server is allowed to proxy based on the HTTPS message content, according to still another exemplary embodiment of the present invention. This embodiment is exemplified by the method being used in the information interaction system shown in FIG. 1, and the method includes the following steps:
  • Step 709: The client establishes an HTTPS connection with the source server, which can be implemented through the following sub-steps.
  • Step 709a1: The client sends a client hello message (Client Hello) to the proxy server.
  • Step 709a2: The proxy server transparently transmits the Client Hello to the source server.
  • Step 709b1: The source server sends a server hello message (Server Hello) to the proxy server.
  • Step 709b2: The proxy server transparently transmits the Server Hello to the client.
  • Step 709c1: The source server sends its certificate (Certificate) to the proxy server.
  • Step 709c2: The proxy server transparently transmits the Certificate to the client.
  • Step 709d1: The source server sends a server hello done message (Server Hello Done) to the proxy server.
  • Step 709d2: The proxy server transparently transmits the Server Hello Done to the client.
  • Step 709e1: The client sends a client key exchange message (Client Key Exchange) to the proxy server.
  • Step 709e2: The proxy server transparently transmits the Client Key Exchange to the source server.
  • Step 709f1: The client sends a change cipher spec message (Change Cipher Spec) to the proxy server.
  • Step 709f2: The proxy server transparently transmits the Change Cipher Spec to the source server.
  • Step 709g1: The client sends a finished message (Finished) to the proxy server.
  • Step 709g2: The proxy server transparently transmits the Finished to the source server.
  • Step 709h1: The source server sends a change cipher spec message (Change Cipher Spec) to the proxy server.
  • Step 709h2: The proxy server transparently transmits the Change Cipher Spec to the client.
  • Step 709i1: The source server sends a finished message (Finished) to the proxy server.
  • Step 709i2: The proxy server transparently transmits the Finished to the client.
  • Step 710: The proxy server determines, according to the local policy, whether the proxy negotiation process needs to be started. For the description of step 710, refer to the explanation of step 601; details are not described again.
  • Step 711: When the proxy negotiation process needs to be started, the proxy server sends a session password acquisition request to the source server through the secure channel. For the description of step 711, refer to the explanation of step 602.
  • Step 712 The source server receives the session password acquisition request sent by the proxy server, determines whether the proxy server proxy is allowed according to the reference information, and obtains the first determination result.
  • step 712 For the description of step 712, refer to the explanation of step 603, and details are not described herein again.
  • Step 713: The source server sends the first determination result to the proxy server through the secure channel.
  • Step 714: When the first determination result received by the proxy server is that whether the proxy server is allowed to proxy is to be determined based on the HTTPS message content, the proxy server caches the received HTTPS packet sent by the client.
  • Step 715: The proxy server transparently transmits the HTTPS packet sent by the client to the source server. For the description of steps 714 and 715, refer to the explanation of step 705; details are not described again.
  • Step 716: After receiving the client's HTTPS packet transparently transmitted by the proxy server, the source server determines whether the proxy server is allowed to proxy according to the received HTTPS packet, obtains a second determination result, and sends the second determination result to the proxy server. The second determination result is either that the proxy server is allowed to proxy or that the proxy server proxy is disabled. For the description of step 716, refer to the explanation of step 706; details are not described again.
  • Step 717: When the second determination result is that the proxy server is allowed to proxy, the source server sends the session password agreed with the client to the proxy server. Specifically, the source server sends the second determination result, and the session password, to the proxy server through the secure channel. Optionally, when the second determination result received by the proxy server is that the proxy server is allowed to proxy, the proxy server sends a message to the source server confirming that the second determination result has been received.
  • Step 718 The proxy server receives the session password sent by the source server, and provides the HTTPS service to the client by using the session password.
  • It should be noted that when the proxy server does not need to initiate the negotiation process, it becomes a transparent proxy between the client and the source server, data is transparently transmitted between the client and the source server, and the source server provides the HTTPS service to the client through this transparent transmission.
  • In summary, in the method provided by this embodiment, the proxy server obtains the session password from the source server through dynamic negotiation, with the source server determining whether to allow the proxy server to proxy based on the content of the HTTPS message. This solves the problem in the related art that the source server has to send the session password to the proxy server in advance, which, when there are many proxy servers, makes the session password easy to leak; the security of the session password is thereby improved.
  • Embodiment 7: When the source server needs to determine whether to allow the proxy server to proxy based on the content of the HTTPS packet, it obtains the HTTPS packet from the proxy server, determines based on the HTTPS message content whether to allow the proxy server to proxy, and, when proxying is allowed, sends the session password to the proxy server so that the proxy server provides the HTTPS service to the client by using the session password. The information interaction method provided by the present invention will be described below with reference to FIG. 8A.
  • FIG. 8A shows a flowchart of an information interaction method provided by still another exemplary embodiment of the present invention.
  • This embodiment is exemplified by the information interaction method used in the information interaction system shown in FIG. 1, and the method includes the following steps:
  • Step 801 The proxy server receives a setup request sent by the client for requesting to establish an HTTPS connection, and determines, according to the local policy, whether the proxy negotiation process needs to be started.
  • Step 802 When the proxy negotiation process needs to be started, the proxy server sends a session password acquisition request to the source server.
  • Step 803 The source server receives the session password acquisition request sent by the proxy server, determines according to the reference information whether the proxy server is allowed to act as proxy, and obtains the first determination result.
  • Step 804 When the first determination result is that whether to allow the proxy server to act as proxy is to be determined based on the content of the HTTPS packet, the source server sends the first determination result to the proxy server and waits for the HTTPS packet sent by the client and transparently transmitted by the proxy server.
  • The source server sends the first determination result to the proxy server by using a secure channel.
  • Step 805 When the first determination result received by the proxy server is that whether to allow the proxy server to act as proxy is to be determined based on the HTTPS packet content, the proxy server caches the received HTTPS packet sent by the client and transparently transmits the HTTPS packet sent by the client to the source server.
  • For the description of step 805, refer to the explanation of step 705; details are not described herein again.
  • Step 806 After receiving the HTTPS message sent by the client and transparently transmitted by the proxy server, the source server determines, according to the received HTTPS packet, whether to allow the proxy server to act as proxy.
  • For the description of step 806, refer to the explanation of step 706; details are not described herein again.
  • Step 807 When the source server determines that the proxy server is prohibited from acting as proxy, the source server sends a second determination result indicating that the proxy is prohibited to the proxy server, and provides the HTTPS service to the client.
  • The second determination result is either that the proxy server is allowed to act as proxy or that it is prohibited from doing so.
  • The source server determines according to the received HTTPS packet whether the proxy is allowed.
  • Step 808 When the proxy server receives the second determination result indicating that the proxy server is prohibited from acting as proxy, the proxy server sends the HTTPS packet of the client to the source server, and deletes the cached HTTPS packet of the client.
  • When the proxy server receives the second determination result indicating that the proxy server is prohibited from acting as proxy, it sends a message to the source server confirming that the second determination result has been received.
  • After the source server receives the message from the proxy server confirming that the second determination result has been received, the source server learns that the proxy negotiation process has ended.
  • The source server uses the session password to provide the HTTPS service to the client.
  • The proxy server becomes a transparent proxy between the client and the source server, and data is transparently transmitted between the client and the source server.
  • When the proxy server does not need to initiate the negotiation process, the proxy server becomes a transparent proxy between the client and the source server, data is transparently transmitted between the client and the source server, and the source server provides the HTTPS service to the client through this transparent transmission.
  • This information interaction method obtains a session password from the source server through dynamic negotiation, and the source server determines whether to allow the proxy server to act as proxy based on the content of the HTTPS packet. This solves the problem in the related art that the source server has to send the session password to the proxy server in advance, which easily leads to session password leakage when there are many proxy servers, and thereby improves the security of the session password.
  • When the second determination result is that the proxy server is prohibited from acting as proxy, the second determination result indicating that the proxy is prohibited is sent to the proxy server; after receiving the second determination result, the proxy server becomes a transparent proxy between the source server and the client that transparently passes data between them, so that the source server can provide the HTTPS service to the client.
  • The proxy server deletes the cached HTTPS packet, which saves storage space on the proxy server.
  • The following describes, by way of example, the process of establishing an HTTPS connection between the client and the source server, combined with the process by which the source server provides the HTTPS service to the client when the source server prohibits the proxy server from acting as proxy based on the HTTPS packet content.
  • FIG. 8B is a flowchart of a method by which a source server determines, based on HTTPS message content, whether to allow a proxy server to act as proxy, according to still another exemplary embodiment of the present invention.
  • This embodiment is exemplified by the method, in which the source server determines based on the HTTPS packet content whether to allow the proxy server to act as proxy, being used in the information interaction system shown in FIG. 1.
  • The method includes the following steps:
  • The client establishes an HTTPS connection with the source server, which can be implemented through the following sub-steps.
  • step 809a1 the client sends a client hello message (Client Hello) to the proxy server.
  • step 809a2 the proxy server transparently transmits the client hello message (Client Hello) to the source server.
  • step 809b1 the source server sends a server hello message (Server Hello) to the proxy server.
  • step 809b2 the proxy server transparently transmits the server hello message (Server Hello) to the client.
  • step 809c1 the source server sends a certificate message (Certificate) to the proxy server.
  • step 809c2 the proxy server transparently transmits the certificate message (Certificate) to the client.
  • step 809d1 the source server sends a server hello done message (Server Hello Done) to the proxy server.
  • step 809d2 the proxy server transparently transmits the server hello done message (Server Hello Done) to the client.
  • step 809e1 the client sends a client key exchange message (Client Key Exchange) to the proxy server.
  • step 809e2 the proxy server transparently transmits the client key exchange message (Client Key Exchange) to the source server.
  • step 809f1 the client sends a change cipher spec message (Change Cipher Spec) to the proxy server.
  • step 809f2 the proxy server transparently transmits the change cipher spec message (Change Cipher Spec) to the source server.
  • step 809g1 the client sends a finished message (Finished) to the proxy server.
  • step 809g2 the proxy server transparently transmits the finished message (Finished) to the source server.
  • step 809h1 the source server sends a change cipher spec message (Change Cipher Spec) to the proxy server.
  • step 809h2 the proxy server transparently transmits the change cipher spec message (Change Cipher Spec) to the client.
  • step 809i1 the source server sends a finished message (Finished) to the proxy server.
  • step 809i2 the proxy server transparently transmits the finished message (Finished) to the client.
  • Step 810 The proxy server determines, according to the local policy, whether the proxy negotiation process needs to be started.
  • For the description of step 810, refer to the explanations of step 601 and step 602; details are not described herein again.
  • Step 811 When the proxy negotiation process needs to be started, the proxy server sends a session password acquisition request to the source server through the secure channel.
  • Step 812 The source server receives the session password acquisition request sent by the proxy server, determines whether the proxy server is allowed to act as proxy, and obtains the first determination result.
  • For the description of step 812, refer to the explanation of step 603; details are not described herein again.
  • Step 813 The source server sends the first determination result to the proxy server through the secure channel.
  • Step 814 When the first determination result received by the proxy server is that whether to allow the proxy server to act as proxy is to be determined based on the content of the HTTPS packet, the proxy server caches the received HTTPS packet sent by the client.
  • Step 815 The proxy server transparently transmits the HTTPS packet sent by the client to the source server.
  • For the description of step 814 and step 815, refer to the explanation of step 705; details are not described herein again.
  • Step 816 After receiving the HTTPS packet sent by the client and transparently transmitted by the proxy server, the source server determines, according to the received HTTPS packet, whether the proxy server is allowed to act as proxy, and obtains a second determination result.
  • The second determination result is either that the proxy server is allowed to act as proxy or that it is prohibited from doing so.
  • For the description of step 816, refer to the explanation of step 706; details are not described herein again.
  • Step 817 When the proxy server receives the second determination result indicating that the proxy server is prohibited from acting as proxy, the proxy server transparently transmits the cached HTTPS packet of the client to the source server, and deletes the cached HTTPS packet of the client.
  • The source server sends the second determination result to the proxy server by using the secure channel.
  • When the second determination result received by the proxy server is that the proxy server is prohibited from acting as proxy, the proxy server sends a message to the source server confirming that the second determination result has been received.
  • The source server receives the HTTPS packet sent by the proxy server, and uses the session password to parse the HTTPS packet in order to provide the HTTPS service for the client.
  • When the proxy server does not need to initiate the negotiation process, the proxy server becomes a transparent proxy between the client and the source server, data is transparently transmitted between the client and the source server, and the source server provides the HTTPS service to the client through this transparent transmission.
  • This information interaction method obtains a session password from the source server through dynamic negotiation. When the source server determines, based on the content of the HTTPS packet, to prohibit the proxy server from acting as proxy, the source server still provides the HTTPS service for the client, and the proxy server becomes a transparent proxy between the client and the source server.
  • The above describes the case in which the proxy server provides the HTTPS service to the client by using the session password; the case in which the source server prohibits the proxy server from proxying the HTTPS service is described below with reference to FIG. 9A.
  • FIG. 9A shows a flowchart of an information interaction method provided by still another exemplary embodiment of the present invention.
  • This embodiment is exemplified by the information interaction method used in the information interaction system shown in FIG. 1, and the method includes the following steps:
  • Step 901 The proxy server receives a setup request sent by the client for requesting to establish an HTTPS connection, and determines, according to the local policy, whether the proxy negotiation process needs to be started.
  • Step 902 When the proxy negotiation process needs to be started, the proxy server sends a session password acquisition request to the source server.
  • Step 903 The source server receives the session password acquisition request sent by the proxy server, determines whether the proxy server is allowed to act as proxy, and obtains the first determination result.
  • Step 904 The source server sends the first determination result to the proxy server.
  • When determining that the proxy server is prohibited from acting as proxy, the source server sends to the proxy server the first determination result together with reason information for prohibiting the proxy server from acting as proxy.
  • The proxy server updates its local policy by using the reason information.
  • For example, the proxy server adds the source server that prohibited the proxy to a blacklist.
  • Step 905 When the first determination result received by the proxy server is that the proxy server is prohibited from acting as proxy, the proxy server becomes a transparent proxy between the client and the source server, and data is transparently transmitted between the client and the source server.
  • After receiving the first determination result prohibiting the proxy server from acting as proxy, the proxy server becomes a transparent proxy between the client and the source server. Specifically, the proxy server sends the HTTPS packet sent by the client to the source server, the source server sends the HTTPS service data to the proxy server, and the proxy server transparently transmits the HTTPS service data to the client.
  • The source server sends the first determination result prohibiting the proxy server from acting as proxy together with the reason for prohibiting it.
  • When the first determination result received by the proxy server is that the proxy server is prohibited from acting as proxy and includes the reason information for the prohibition, the proxy server updates its local policy with the reason information.
  • For example, the proxy server can save the source server as a negotiation blacklist entry in the proxy server's local policy.
  • When the proxy server does not need to initiate the negotiation process, the proxy server becomes a transparent proxy between the client and the source server, data is transparently transmitted between the client and the source server, and the source server provides the HTTPS service to the client through this transparent transmission.
  • This information interaction method obtains a session password from the source server through dynamic negotiation, and the source server determines whether to allow the proxy server to act as proxy based on the content of the HTTPS packet. This solves the problem in the related art that the source server has to send the session password to the proxy server in advance, which easily leads to session password leakage when there are many proxy servers, and thereby improves the security of the session password.
  • The following example combines the process of establishing an HTTPS connection between the client and the source server with the process by which the source server provides the HTTPS service to the client when the source server prohibits the proxy server from acting as proxy.
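The proxy-side behaviour described for FIG. 7, FIG. 8A and FIG. 9A (negotiate only when the local policy says so, cache and pass through the client's packet while the source server decides on its content, obtain the session password only on an "allow" result, and record a prohibited source server in the local policy), as an added simulation that is not the patent's own code. The message shapes, the `SourceServerStub` whose decisions are scripted rather than derived from FIG. 9C, the mode names and the sample origin and packets are all assumptions made here.

```python
# Added example: proxy-side negotiation of FIG. 7 / 8A / 9A, simulated in-process.
from dataclasses import dataclass, field
from enum import Enum
from typing import List, Optional, Set, Tuple


class Result(Enum):
    ALLOW = "allow_proxy"                      # proxy server proxy allowed
    PROHIBIT = "prohibit_proxy"                # proxy server proxy prohibited
    CONTENT_BASED = "decide_on_https_content"  # possible as a first result only


@dataclass
class SourceServerStub:
    """Source server with scripted decisions (assumption); the decision
    logic of FIG. 9C is out of scope here, so the results are injected."""
    session_key: bytes
    first: Result
    second: Result = Result.PROHIBIT
    reason: Optional[str] = None               # reason information, FIG. 9A
    received: List[bytes] = field(default_factory=list)

    def on_key_request(self) -> Tuple[Result, Optional[bytes], Optional[str]]:
        """Steps 803/903: the key leaves the server only with an ALLOW result."""
        key = self.session_key if self.first is Result.ALLOW else None
        return self.first, key, self.reason

    def on_passthrough(self, packet: bytes) -> None:
        """Steps 805/905: a client packet transparently forwarded by the proxy."""
        self.received.append(packet)

    def on_content_decision(self) -> Tuple[Result, Optional[bytes]]:
        """Steps 716/806: second result, based on the passed-through packet."""
        key = self.session_key if self.second is Result.ALLOW else None
        return self.second, key


@dataclass
class ProxyServer:
    negotiation_blacklist: Set[str] = field(default_factory=set)  # local policy
    session_key: Optional[bytes] = None
    cached: List[bytes] = field(default_factory=list)           # steps 805/814
    mode: str = "idle"

    def on_setup_request(self, origin: str, source: SourceServerStub) -> str:
        """Steps 801-804 / 901-905: consult the local policy, then act on the
        first determination result.  Returns the proxy's new mode."""
        if origin in self.negotiation_blacklist:  # local policy: do not negotiate
            self.mode = "transparent"
            return self.mode
        result, key, reason = source.on_key_request()
        if result is Result.ALLOW:
            self.session_key, self.mode = key, "proxying"
        elif result is Result.PROHIBIT:
            self.mode = "transparent"
            if reason is not None:                # step 904: update local policy
                self.negotiation_blacklist.add(origin)
        else:
            self.mode = "awaiting_content_decision"
        return self.mode

    def on_client_packet(self, packet: bytes, source: SourceServerStub) -> str:
        """Handle one HTTPS packet from the client according to the mode."""
        if self.mode == "transparent":
            source.on_passthrough(packet)
            return "passthrough"
        if self.mode == "proxying":
            return "served_by_proxy"              # decrypted locally with session_key
        if self.mode == "awaiting_content_decision":
            self.cached.append(packet)            # step 805/814: cache ...
            source.on_passthrough(packet)         # ... and pass through
            result, key = source.on_content_decision()
            self.cached.clear()                   # step 808/817: cache released
            if result is Result.ALLOW:            # step 718: proxy now serves
                self.session_key, self.mode = key, "proxying"
                return "served_by_proxy"
            self.mode = "transparent"             # step 807: source keeps serving
            return "passthrough"
        raise RuntimeError("no HTTPS connection has been set up")


def run_scenario(first: Result, second: Result = Result.PROHIBIT,
                 reason: Optional[str] = None, packets: int = 2) -> dict:
    """Drive one client connection through the proxy and report the outcome
    (constructed origin name, key and packets)."""
    source = SourceServerStub(b"constructed-session-key", first, second, reason)
    proxy = ProxyServer()
    proxy.on_setup_request("origin.example", source)
    outcomes = [proxy.on_client_packet(b"GET /%d" % i, source)
                for i in range(packets)]
    return {"mode": proxy.mode,
            "proxy_has_key": proxy.session_key is not None,
            "blacklisted": "origin.example" in proxy.negotiation_blacklist,
            "cached": len(proxy.cached),
            "source_received": len(source.received),
            "outcomes": outcomes}
```

Running `run_scenario` with the four combinations of first and second results shows that the proxy ends up holding the session password only in the two "allow" paths, and that a prohibition carrying reason information makes the next connection to the same origin skip negotiation entirely.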
  • FIG. 9B is a flowchart of a method by which a source server prohibits a proxy server from proxying an HTTPS service, according to still another exemplary embodiment of the present invention.
  • This embodiment is exemplified by the information interaction method used in the information interaction system shown in FIG. 1, and the method includes the following steps:
  • The client establishes an HTTPS connection with the source server, which can be implemented through the following sub-steps.
  • step 909a1 the client sends a client hello message (Client Hello) to the proxy server.
  • step 909a2 the proxy server transparently transmits the client hello message (Client Hello) to the source server.
  • step 909b1 the source server sends a server hello message (Server Hello) to the proxy server.
  • step 909b2 the proxy server transparently transmits the server hello message (Server Hello) to the client.
  • step 909c1 the source server sends a certificate message (Certificate) to the proxy server.
  • step 909c2 the proxy server transparently transmits the certificate message (Certificate) to the client.
  • step 909d1 the source server sends a server hello done message (Server Hello Done) to the proxy server.
  • step 909d2 the proxy server transparently transmits the server hello done message (Server Hello Done) to the client.
  • step 909e1 the client sends a client key exchange message (Client Key Exchange) to the proxy server.
  • step 909e2 the proxy server transparently transmits the client key exchange message (Client Key Exchange) to the source server.
  • step 909f1 the client sends a change cipher spec message (Change Cipher Spec) to the proxy server.
  • step 909f2 the proxy server transparently transmits the change cipher spec message (Change Cipher Spec) to the source server.
  • step 909g1 the client sends a finished message (Finished) to the proxy server.
  • step 909g2 the proxy server transparently transmits the finished message (Finished) to the source server.
  • step 909h1 the source server sends a change cipher spec message (Change Cipher Spec) to the proxy server.
  • step 909h2 the proxy server transparently transmits the change cipher spec message (Change Cipher Spec) to the client.
  • step 909i1 the source server sends a finished message (Finished) to the proxy server.
  • step 909i2 the proxy server transparently transmits the finished message (Finished) to the client.
  • Step 910 The proxy server determines, according to the local policy, whether the proxy negotiation process needs to be started.
  • For the description of step 910, refer to the explanation of step 601; details are not described herein again.
  • Step 911 When the proxy negotiation process needs to be started, the proxy server sends a session password acquisition request to the source server through the secure channel.
  • Step 912 The source server receives the session password acquisition request sent by the proxy server, determines whether the proxy server is allowed to act as proxy, and obtains the first determination result.
  • For the description of step 912, refer to the explanation of step 603; details are not described herein again.
  • Step 913 The source server sends the first determination result to the proxy server through the secure channel.
  • Step 914 When the first determination result received by the proxy server is that the proxy server is prohibited from acting as proxy, the proxy server becomes a transparent proxy between the client and the source server.
  • For the description of step 914, refer to the explanation of step 905; details are not described herein again.
  • The proxy server sends a message to the source server confirming that the first determination result has been received.
  • When the proxy server does not need to initiate the negotiation process, the proxy server becomes a transparent proxy between the client and the source server, data is transparently transmitted between the client and the source server, and the source server provides the HTTPS service to the client through this transparent transmission.
  • This information interaction method updates the local policy of the proxy server by using the reason information for prohibiting the proxy server from acting as proxy, so that the proxy negotiation process is not started again directly in subsequent processing, which improves the efficiency of proxy negotiation.
  • The source server determining whether to allow the proxy server to act as proxy can be implemented by the steps shown in FIG. 9C.
  • Step 915 Obtain reference information from the session password acquisition request, where the reference information includes at least one of: information of the proxy server, information of the client included in the session password acquisition request, and the local state of the source server.
  • The proxy server information mentioned here is information that uniquely identifies the proxy server.
  • The information of the proxy server may be the identifier of the proxy server; for example, the information of the proxy server may be the internet protocol (English: internet protocol, IP) address of the proxy server.
  • The client information mentioned here is information that uniquely identifies the client.
  • The information of the client may be the identifier of the client; for example, the information of the client may be the IP address of the client.
  • Step 916 Determine, according to the reference information and the local policy of the source server, whether to allow the proxy server to act as proxy, to obtain a first determination result.
  • This step can be implemented by the following possible implementations.
  • In one possible implementation, the number of HTTPS connections established by the source server is obtained, and when the number is greater than a first predetermined threshold, the first determination result is determined to be allowing the proxy server to act as proxy.
  • The first predetermined threshold is set by the system developer and is used to determine the local state of the source server.
  • In that case, the proxy server may provide the HTTPS service for the client instead of the source server to reduce the load of the source server, and the first determination result is determined to be allowing the proxy server to act as proxy.
  • In another possible implementation, a load rate of the source server is obtained, and when the load rate is greater than a second predetermined threshold, the first determination result is determined to be allowing the proxy server to act as proxy.
  • The second predetermined threshold is set by the system developer and is used to determine the local state of the source server.
  • When the load rate of the source server is greater than the second predetermined threshold, the source server is considered to be heavily loaded, and the proxy server may provide the HTTPS service to the client instead of the source server to reduce the load of the source server; the first determination result is therefore determined to be allowing the proxy server to act as proxy.
  • In another possible implementation, the blacklist and/or whitelist defined by the source server is obtained, and when the information included in the reference information is in the whitelist, the first determination result is determined to be allowing the proxy server to act as proxy.
  • The blacklist includes at least one of a proxy server blacklist and a client blacklist.
  • The whitelist includes at least one of a proxy server whitelist and a client whitelist.
  • The source server defines the blacklist and/or the whitelist.
  • When the information included in the reference information is in the blacklist, the first determination result is determined to be prohibiting the proxy server from acting as proxy.
  • Alternatively, the first determination result is determined to be that whether to allow the proxy server to act as proxy is to be determined based on the HTTPS message content.
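Steps 915 and 916 (FIG. 9C) as an added example on the source-server side, not the patent's own code: the reference information is extracted from the session password acquisition request and the local state, and the local policy (connection threshold, load-rate threshold, black/whitelists) yields the first determination result plus, on a prohibition, the reason information of FIG. 9A. The `ReferenceInfo` and `SourcePolicy` field names, the threshold values, the reason strings, the request layout and the precedence of blacklist over whitelist and load rules are assumptions made here.

```python
# Added example: source-server decision of FIG. 9C (steps 915 and 916).
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional, Set, Tuple


class FirstResult(Enum):
    ALLOW = "allow_proxy"                      # proxy server proxy allowed
    PROHIBIT = "prohibit_proxy"                # proxy server proxy prohibited
    CONTENT_BASED = "decide_on_https_content"  # defer to the HTTPS packet content


@dataclass(frozen=True)
class ReferenceInfo:
    """Step 915: reference information (field names are assumptions)."""
    proxy_ip: str             # information uniquely identifying the proxy server
    client_ip: str            # information uniquely identifying the client
    https_connections: int    # local state of the source server
    load_rate: float          # local state of the source server, 0.0 .. 1.0


@dataclass
class SourcePolicy:
    """Local policy of the source server; threshold values are constructed."""
    max_connections: int = 1000        # first predetermined threshold
    max_load_rate: float = 0.8         # second predetermined threshold
    proxy_blacklist: Set[str] = field(default_factory=set)
    client_blacklist: Set[str] = field(default_factory=set)
    proxy_whitelist: Set[str] = field(default_factory=set)
    client_whitelist: Set[str] = field(default_factory=set)


def extract_reference_info(request: dict, local_state: dict) -> ReferenceInfo:
    """Step 915: combine the identifiers carried in the session password
    acquisition request with the local state (request layout assumed)."""
    return ReferenceInfo(proxy_ip=request["proxy_ip"],
                         client_ip=request["client_ip"],
                         https_connections=local_state["https_connections"],
                         load_rate=local_state["load_rate"])


def first_determination(ref: ReferenceInfo, policy: SourcePolicy
                        ) -> Tuple[FirstResult, Optional[str]]:
    """Step 916: derive the first determination result and, on PROHIBIT,
    the reason information the proxy can feed into its local policy.

    Ordering (an assumption): blacklists are checked before anything else,
    so a listed proxy never receives the session password however heavily
    the source server is loaded; whitelists and overload then grant access;
    otherwise the decision is deferred to the HTTPS packet content."""
    if ref.proxy_ip in policy.proxy_blacklist:
        return FirstResult.PROHIBIT, "proxy server in source blacklist"
    if ref.client_ip in policy.client_blacklist:
        return FirstResult.PROHIBIT, "client in source blacklist"
    if ref.proxy_ip in policy.proxy_whitelist or ref.client_ip in policy.client_whitelist:
        return FirstResult.ALLOW, None
    if ref.https_connections > policy.max_connections:   # first threshold
        return FirstResult.ALLOW, None
    if ref.load_rate > policy.max_load_rate:             # second threshold
        return FirstResult.ALLOW, None
    return FirstResult.CONTENT_BASED, None


if __name__ == "__main__":
    # Constructed sample: one whitelisted and one blacklisted proxy (RFC 5737 addresses).
    policy = SourcePolicy(proxy_whitelist={"203.0.113.5"},
                          proxy_blacklist={"198.51.100.9"})
    for proxy_ip, state in [("203.0.113.5", {"https_connections": 10, "load_rate": 0.1}),
                            ("198.51.100.9", {"https_connections": 5000, "load_rate": 0.99}),
                            ("203.0.113.77", {"https_connections": 1500, "load_rate": 0.1}),
                            ("203.0.113.77", {"https_connections": 10, "load_rate": 0.1})]:
        ref = extract_reference_info({"proxy_ip": proxy_ip, "client_ip": "192.0.2.1"}, state)
        print(proxy_ip, state, first_determination(ref, policy))
```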
  • The steps performed by the proxy server in the third, fourth, fifth and sixth embodiments may be implemented in a programming language, the implementation is packaged into a software development kit, and the proxy server directly invokes the software development kit.
  • The steps performed by the source server in the third, fourth, fifth and sixth embodiments may be implemented in a programming language, the implementation is packaged into a software development kit, and the source server directly invokes the software development kit to implement the above information interaction method.
  • FIG. 10 is a block diagram of an information interaction apparatus according to an embodiment of the present invention.
  • the information interaction device can be implemented as all or part of the proxy server by software, hardware or a combination of both. This embodiment is exemplified by the apparatus used in the proxy server 120 shown in FIG. 1.
  • the information interaction apparatus may include: a sending unit 1010 and an executing unit 1020.
  • the sending unit 1010 is configured to implement the foregoing step 401 function.
  • the executing unit 1020 is configured to implement the foregoing step 402 function.
  • the information interaction device further includes: a receiving unit 1030.
  • the sending unit 1010 is configured to perform step 602
  • the executing unit 1020 is configured to perform step 601
  • the receiving unit 1030 is configured to perform steps 604 and 605.
  • the sending unit 1010 is configured to perform step 608, the executing unit 1020 is configured to perform step 607, step 611, and step 614, and the receiving unit 1030 is configured to perform step 612 and step 614.
  • the sending unit 1010 is configured to perform step 702 and step 705
  • the executing unit 1020 is configured to perform step 701 and step 708, and the receiving unit 1030 is configured to perform step 705.
  • the sending unit 1010 is configured to perform step 711 and step 715
  • the executing unit 1020 is configured to perform step 710, step 714 and step 718
  • the receiving unit 1030 is configured to perform step 714.
  • the sending unit 1010 is configured to perform step 802 and step 805
  • the executing unit 1020 is configured to perform step 801 and step 808, and the receiving unit 1030 is configured to perform step 808.
  • the sending unit 1010 is configured to perform step 811 and step 815
  • the executing unit 1020 is configured to perform step 810 and step 814
  • the receiving unit 1030 is configured to perform step 814.
  • the sending unit 1010 is configured to perform step 902
  • the executing unit 1020 is configured to perform step 901 and step 904
  • the receiving unit 1030 is configured to perform step 904.
  • the sending unit 1010 is configured to perform step 910
  • the executing unit 1020 is configured to perform step 911
  • the receiving unit 1030 is configured to perform step 914.
  • the sending unit 1010 is executed by the sending module of the proxy server 120 shown in FIG. 2
  • the executing unit 1020 is executed by the executing module of the proxy server 120 shown in FIG. 2
  • the receiving unit 1030 is executed by the receiving module of the proxy server 120 shown in FIG. 2.
  • FIG. 11 is a block diagram of an information interaction apparatus according to an embodiment of the present invention.
  • the information interaction device can be implemented as all or part of the user equipment by software, hardware or a combination of both. This embodiment is illustrated by using the apparatus in the source server 140 shown in FIG. 1.
  • the information interaction apparatus may include: a receiving unit 1110, an executing unit 1120, and a sending unit 1130.
  • the receiving unit 1110 is configured to implement the foregoing step 501 function.
  • the executing unit 1120 is configured to implement the foregoing step 502 function.
  • the sending unit 1130 is configured to implement the foregoing step 503 function.
  • the receiving unit 1110 is configured to perform step 603
  • the executing unit 1120 is configured to perform step 603
  • the sending unit 1130 is configured to perform step 604.
  • the receiving unit 1110 is configured to perform step 609
  • the executing unit 1120 is configured to perform step 609
  • the sending unit 1130 is configured to perform step 613 and step 610.
  • the receiving unit 1110 is configured to perform step 706, the executing unit 1120 is configured to perform step 706, and the sending unit 1130 is configured to perform step 704 and step 707.
  • the receiving unit 1110 is configured to perform step 712
  • the executing unit 1120 is configured to perform step 712 and step 716
  • the sending unit 1130 is configured to perform step 713 and step 717.
  • the receiving unit 1110 is configured to perform step 806, the executing unit 1120 is configured to perform step 806, and the sending unit 1130 is configured to perform step 804 and step 807.
  • the receiving unit 1110 is configured to perform step 815 and step 817
  • the executing unit 1120 is configured to perform step 812, step 816, and step 818
  • the sending unit 1130 is configured to perform step 813.
  • the receiving unit 1110 is configured to perform step 903
  • the executing unit 1120 is configured to perform step 903
  • the sending unit 1130 is configured to perform step 904.
  • the receiving unit 1110 is configured to perform step 912
  • the executing unit 1120 is configured to perform step 912
  • the sending unit 1130 is configured to perform step 913.
  • the receiving unit 1110 is executed by the receiving module of the source server 140 shown in FIG. 3, the executing unit 1120 is executed by the executing module of the source server 140 shown in FIG. 3, and the sending unit 1130 is executed by the sending module of the source server 140 shown in FIG.
  • a person skilled in the art may understand that all or part of the steps of implementing the above embodiments may be completed by hardware, or may be instructed by a program to execute related hardware, and the program may be stored in a computer readable storage medium.
  • the storage medium mentioned may be a read only memory, a magnetic disk or an optical disk or the like.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Information Transfer Between Computers (AREA)

Abstract

The invention belongs to the technical field of communications, and relates to an information interaction method, apparatus and system. The method comprises the following steps: a source server receives a session password acquisition request sent by a proxy server; the source server determines whether to allow the proxy of the proxy server; and when it is determined that the proxy of the proxy server is allowed, the source server sends a session password to the proxy server, the session password being a session password agreed upon by the source server and a client during the process of establishing an HTTPS (Hyper Text Transfer Protocol over Secure socket layer) connection, and the session password being used to instruct the proxy server to provide an HTTPS service to the client. The invention solves the problem in the prior art that, when a source server must first send a session password to a proxy server, a session password leak is easily caused when there are more proxy servers. The invention thereby improves the security of a session password.
PCT/CN2016/092436 2016-07-29 2016-07-29 Information interaction method, device and system WO2018018640A1 (fr)
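The exchange the abstract describes, as an added example in Python that is not part of the patent or of any Huawei implementation: the origin (source) server keeps the session key it negotiated with each client and releases it to a proxy only after the proxy's acquisition request authenticates under a credential provisioned for that proxy. The proxy identifiers, the shared-secret credentials, the HMAC request format, the nonce-based replay check and the audit log are all assumptions standing in for the secure channel and the authorization decision the abstract leaves unspecified; the sample credentials are constructed.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed sample data (assumption): credentials an operator provisions out of band
# for each proxy it trusts. Names and values are illustrative, not from the patent.
PROXY_CREDENTIALS = {
    "proxy-1": b"proxy-1-shared-secret",
    "proxy-2": b"proxy-2-shared-secret",
}


def _request_tag(credential: bytes, proxy_id: str, session_id: str, nonce: str) -> bytes:
    """HMAC-SHA256 over the request fields: binds one request to one proxy, one session, one nonce."""
    msg = f"{proxy_id}|{session_id}|{nonce}".encode()
    return hmac.new(credential, msg, hashlib.sha256).digest()


def build_key_request(proxy_id: str, credential: bytes, session_id: str) -> tuple:
    """Proxy side: the session-key acquisition request sent to the origin server."""
    nonce = secrets.token_hex(16)
    return proxy_id, session_id, nonce, _request_tag(credential, proxy_id, session_id, nonce)


@dataclass
class OriginServer:
    authorized_proxies: dict                        # proxy_id -> credential
    sessions: dict = field(default_factory=dict)    # session_id -> (client_id, session_key)
    seen_nonces: set = field(default_factory=set)   # replay protection for key requests
    audit_log: list = field(default_factory=list)   # every release and every refusal

    def establish_https_session(self, client_id: str) -> tuple:
        """Stand-in for the handshake with the client: records the key agreed for this session."""
        session_id = secrets.token_hex(8)
        session_key = secrets.token_bytes(32)
        self.sessions[session_id] = (client_id, session_key)
        return session_id, session_key

    def handle_key_request(self, proxy_id: str, session_id: str, nonce: str, tag: bytes):
        """Origin side: release the session key only to an authenticated, authorized proxy."""
        credential = self.authorized_proxies.get(proxy_id)
        if credential is None:
            return self._deny(proxy_id, session_id, "unknown proxy")
        expected = _request_tag(credential, proxy_id, session_id, nonce)
        if not hmac.compare_digest(expected, tag):
            return self._deny(proxy_id, session_id, "bad request tag")
        if nonce in self.seen_nonces:
            return self._deny(proxy_id, session_id, "replayed request")
        self.seen_nonces.add(nonce)
        entry = self.sessions.get(session_id)
        if entry is None:
            return self._deny(proxy_id, session_id, "no such session")
        client_id, session_key = entry
        self.audit_log.append(("released", proxy_id, session_id, client_id))
        return session_key

    def _deny(self, proxy_id: str, session_id: str, reason: str):
        self.audit_log.append(("denied", proxy_id, session_id, reason))
        return None


def demo() -> dict:
    """Runs the legitimate request plus four refusals and reports what the origin decided."""
    origin = OriginServer(authorized_proxies=dict(PROXY_CREDENTIALS))
    session_id, session_key = origin.establish_https_session("client-A")

    good = build_key_request("proxy-1", PROXY_CREDENTIALS["proxy-1"], session_id)
    released = origin.handle_key_request(*good)             # authorized proxy, fresh request
    replayed = origin.handle_key_request(*good)             # same request again
    unknown = origin.handle_key_request(*build_key_request("proxy-9", b"guess", session_id))
    forged = origin.handle_key_request(*build_key_request("proxy-2", b"wrong-secret", session_id))
    missing = origin.handle_key_request(
        *build_key_request("proxy-2", PROXY_CREDENTIALS["proxy-2"], "deadbeef"))
    return {
        "released_matches": released == session_key,
        "replay_denied": replayed is None,
        "unknown_denied": unknown is None,
        "forged_denied": forged is None,
        "missing_denied": missing is None,
        "audit": origin.audit_log,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

Handing a session key to a proxy makes that proxy a sanctioned man-in-the-middle for the client, so the value of the origin-side check is that the key leaves the origin only for one named proxy, for one session, once, with an audit entry written whether the request is granted or refused. The refusals in `demo()` cover the cases the abstract's concern implies: an unknown proxy, a known proxy presenting a forged tag, a replayed request, and a request for a session the origin never established.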

Priority Applications (1)

Application Number Priority Date Filing Date Title
PCT/CN2016/092436 WO2018018640A1 (fr) 2016-07-29 2016-07-29 Information interaction method, device and system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/CN2016/092436 WO2018018640A1 (fr) 2016-07-29 2016-07-29 Information interaction method, device and system

Publications (1)

Publication Number Publication Date
WO2018018640A1 true WO2018018640A1 (fr) 2018-02-01

Family

ID=61015702

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2016/092436 WO2018018640A1 (fr) 2016-07-29 2016-07-29 Information interaction method, device and system

Country Status (1)

Country Link
WO (1) WO2018018640A1 (fr)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110995798A (zh) * 2019-11-21 2020-04-10 上海龙旗科技股份有限公司 Data communication method and system for feature phone network applications

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101141244A (zh) * 2006-09-08 2008-03-12 飞塔信息科技(北京)有限公司 Network encrypted data virus detection and removal system, proxy server and method
CN101345741A (zh) * 2007-07-13 2009-01-14 盛大计算机(上海)有限公司 Internet-based proxy system and proxy connection method
CN102075537A (zh) * 2011-01-19 2011-05-25 华为技术有限公司 Method and system for implementing data transmission between virtual machines
US20130312054A1 (en) * 2012-05-17 2013-11-21 Cisco Technology, Inc. Transport Layer Security Traffic Control Using Service Name Identification
CN104283841A (zh) * 2013-07-02 2015-01-14 阿里巴巴集团控股有限公司 Method, apparatus and system for service access control of third-party applications
CN104980419A (zh) * 2014-09-11 2015-10-14 腾讯科技(深圳)有限公司 Proxy communication method and apparatus

Similar Documents

Publication Publication Date Title
US11652792B2 (en) Endpoint security domain name server agent
US11190489B2 (en) Methods and systems for establishing a connection between a first device and a second device across a software-defined perimeter
WO2020057163A1 (fr) Method and device for deploying an MEC platform
US9674173B2 (en) Automatic certificate enrollment in a special-purpose appliance
US8997208B2 (en) Gateway device for terminating a large volume of VPN connections
CA2912608C (fr) Selectively performing man in the middle decryption
US8887296B2 (en) Method and system for object-based multi-level security in a service oriented architecture
US11792202B2 (en) TLS policy enforcement at a tunnel gateway
US11539695B2 (en) Secure controlled access to protected resources
US20150188779A1 (en) Split-application infrastructure
US9473298B2 (en) Simplifying IKE process in a gateway to enable datapath scaling using a two tier cache configuration
US10587579B2 (en) Varying encryption level of traffic through network tunnels
US20140020062A1 (en) Techniques for protecting mobile applications
WO2018010146A1 (fr) Method, apparatus and system for responding in virtual network computing authentication, and proxy server
WO2019062666A1 (fr) Method and apparatus for securely accessing an internal network
US11411731B2 (en) Secure API flow
CN113727341A (zh) Secure communication method, related apparatus and system
US11736516B2 (en) SSL/TLS spoofing using tags
WO2018018640A1 (fr) Information interaction method, device and system
CN114301967B (zh) Narrowband Internet of Things control method, apparatus and device
WO2018001042A1 (fr) Packet transmission method, device and system
US11277379B2 (en) Modification of application-provided turn servers
CN115865384A (zh) Middle-platform microservice authorization method, apparatus, electronic device and storage medium
US20150089058A1 (en) System and method for software defined adaptation of broadband network gateway services
KR101068359B1 (ko) Internet key exchange protocol management system and method, and apparatus applied thereto

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 16910220

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 16910220

Country of ref document: EP

Kind code of ref document: A1