WO2020019478A1 - Communication data encryption method and apparatus - Google Patents

Communication data encryption method and apparatus Download PDF

Info

Publication number
WO2020019478A1
WO2020019478A1 PCT/CN2018/107638 CN2018107638W WO2020019478A1 WO 2020019478 A1 WO2020019478 A1 WO 2020019478A1 CN 2018107638 W CN2018107638 W CN 2018107638W WO 2020019478 A1 WO2020019478 A1 WO 2020019478A1
Authority
WO
WIPO (PCT)
Prior art keywords
terminal device
page data
parameter
page
encryption
Prior art date
Application number
PCT/CN2018/107638
Other languages
French (fr)
Chinese (zh)
Inventor
张驰
Original Assignee
平安科技(深圳)有限公司
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by 平安科技(深圳)有限公司 filed Critical 平安科技(深圳)有限公司
Publication of WO2020019478A1 publication Critical patent/WO2020019478A1/en

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/04Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/16Implementing security features at a particular protocol layer
    • H04L63/168Implementing security features at a particular protocol layer above the transport layer
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00Network arrangements or protocols for supporting network services or applications
    • H04L67/01Protocols
    • H04L67/02Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]

Definitions

  • the present application relates to the field of communication technologies, and in particular, to a method and an apparatus for encrypting communication data.
  • a website is an application that relies on web technology. Every information exchange in a website application involves a web client and a web server. Among them, the main task of the web client is to display information content to users. It uses html language and script programs. , CSS, plug-in technology, etc. to achieve the corresponding web page display; the web server provides business support for the web client, which specifically uses PHP, ASP, JSP and other technologies to achieve the corresponding functions.
  • the interaction process between the web server and the web client is generally: the web client sends a request to the web server, and the web server returns the data (such as html code) corresponding to the request to the web client based on the request sent by the web client.
  • This application provides a communication data encryption method and device, which solves the problem of insufficient security of a website.
  • a communication data encryption method including:
  • the first page data corresponding to the target page is obtained from a background server corresponding to the target page according to the access request, and the security plug-in uses For encrypting or decrypting data;
  • a communication data encryption device including:
  • An access request obtaining module configured to obtain an access request to a target page initiated by a terminal device
  • a page data acquisition module configured to obtain a first page corresponding to the target page from a background server corresponding to the target page according to the access request when it is determined that a security plug-in exists in the terminal device according to the access request Data, the security plug-in is used to encrypt or decrypt the data;
  • An encryption module configured to encrypt the first page data by using a first encryption method agreed with the security plug-in to obtain second page data
  • a page data sending module is configured to send the second page data to the terminal device, so that the terminal device decrypts the second page data through the security plug-in to obtain the first page data.
  • another communication data encryption device including a processor, a memory, and a communication interface.
  • the processor, the memory, and the communication interface are connected to each other.
  • the communication interface is used to receive or send data.
  • the memory The application program code for storing the communication data encryption device performing the above method, and the processor is configured to execute the method of the first aspect.
  • a computer storage medium stores a computer program, where the computer program includes program instructions, and the program instructions, when executed by a processor, cause the processor to execute the foregoing first aspect. method.
  • This technical solution can avoid that page scanning tools, such as scanners and crawling tools, directly obtain page data, and avoid page data being acquired and tampered in situations such as traffic hijacking.
  • page scanning tools such as scanners and crawling tools
  • FIG. 1 is a schematic structural diagram of a website system according to an embodiment of the present application.
  • FIG. 2 is a schematic flowchart of a communication data encryption method according to an embodiment of the present application.
  • FIG. 3 is a schematic flowchart of another communication data encryption method according to an embodiment of the present application.
  • FIG. 4 is a schematic structural diagram of a communication data encryption device according to an embodiment of the present application.
  • FIG. 5 is a schematic structural diagram of another communication data encryption device according to an embodiment of the present application.
  • the technical solution of this application is applicable to a traditional website system that transmits data in plain text.
  • the website system may include a website client and a website server.
  • the website client is a user-facing client that provides services to users.
  • the website client may be a general-purpose client, and the general-purpose client may provide services for multiple website servers, such as a browser; the website client may also be a specific client, and the specific client only uses To provide services for a specific website, such as a "Tencent Video" client.
  • the website client runs on a user's terminal device.
  • the terminal device includes, but is not limited to, a mobile phone, a computer, a tablet computer, an e-reader and other electronic devices with a website browsing function.
  • the website server is used to manage and provide resources of the website system to the website client.
  • the website server is used to provide various data to the website client so that the website client can display various pages to the user.
  • the web server can consist of one or more servers.
  • an encryption server is added to a traditional website system that transmits data in plain text, and a security plug-in corresponding to the encryption server is developed.
  • the security plug-in can be downloaded and installed in a terminal device, and the terminal device can use the security plug-in.
  • the data is encrypted or decrypted, and the data sent by the website server to the website client and the data sent by the website client to the website server are encrypted by using an encryption server and a security plug-in to achieve the purpose of ensuring the security of the website.
  • the architecture of the website system in the embodiment of the present application may be as shown in FIG. 1.
  • the website system includes a website client running on the terminal device 101, an encryption server 102, and a website server 103.
  • the encryption server 102 is used for The data sent by the website server to the terminal device is encrypted and the data sent by the terminal device to the website server is encrypted.
  • the terminal device also has a security plug-in installed, which is used to decrypt the data sent by the website server to the terminal device and decrypt the data The data sent by the terminal device to the website server is encrypted.
  • the method in the embodiment of the present application can be implemented on the system architecture shown in FIG. 1. The method in the embodiment of the present application is described below.
  • FIG. 2 is a schematic flowchart of a communication data encryption method according to an embodiment of the present application. As shown in the figure, the method includes:
  • S201 The terminal device initiates an access request to the target page, and the encryption server obtains an access request to the target page.
  • the terminal device initiates an access request to a target page through a website client running in the terminal device, and the target page is one of the pages of the website system.
  • the target page can be one page of any website system that the user wants to access; in the case where the website client is a specific client, the target page is One page of the website system corresponding to the website client.
  • the target page corresponds to a uniform resource location (URL), the access request carries the URL, the URL points to an Internet protocol (IP) address, and the IP address is the address accessed by the access request.
  • URL uniform resource location
  • IP Internet protocol
  • the IP address pointed to by the URL may have the following two designs:
  • the IP address pointed to by the URL is the IP address of the encryption server.
  • the IP address obtained by the terminal device performing domain name resolution system (DNS) analysis on the URL is the IP address of the encryption server.
  • DNS domain name resolution system
  • the terminal device initiates an access request for the target page to the encryption server according to the IP address of the encryption server, and the encryption server obtains the access request for the target page in a received manner.
  • the IP address pointed to by the URL is the IP address of the background server.
  • the IP address obtained by the terminal device parsing the URLDNS is the IP address of the background server.
  • the terminal device initiates an access request to the target page to the background server according to the IP address of the background server, and the encryption server intercepts the access request to the target page by means of traffic hijacking to obtain the access request to the target page.
  • S202 The encryption server determines whether a security plug-in exists in the terminal device.
  • the security plug-in may be a software program developed in conjunction with the encryption server, the security plug-in may communicate with the encryption server, and the security plug-in communicates with the encryption server to complete the encryption algorithm and encryption key used to encrypt the data, and Negotiation of the decryption algorithm and decryption key used to decrypt the data.
  • the security plug-in may include a software program corresponding to an operation corresponding to one or more encryption algorithms. When the security plug-in negotiates with the encryption server the encryption algorithm and encryption key used to encrypt the data, the security plug-in can perform the corresponding operation of the encryption algorithm on the encryption key and the data that needs to be encrypted to the data that needs to be encrypted. Encrypt.
  • the security plug-in When the security plug-in negotiates with the encryption server the decryption algorithm and decryption key used to decrypt the data, the security plug-in can perform the operation corresponding to the decryption algorithm on the decryption key and the data to be decrypted to the data that needs to be decrypted. Decrypt.
  • the encryption server may determine whether a security plug-in exists in the terminal device according to the access request to the target page, and the specific determination method may be as follows: the encryption server determines whether the access request to the target page is an encryption request ; If the access request is not an encryption request, it is determined that a security plug-in does not exist in the terminal device; if the access request is an encryption request, it is determined that a security plug-in exists in the terminal device.
  • the encryption server may determine whether the data in the access request to the target page is plain text data to determine whether the access request to the target page is an encryption request. If at least part of the access request to the target page is If the data is not plain text data, the access request is determined to be an encryption request. If all data in the access request to the target page is clear text data, it is determined that the access request is not an encryption request.
  • the encryption server may determine the identity of the terminal device according to the access request, determine the second decryption method agreed with the security plug-in in the terminal device according to the identity of the terminal device, and then adopt the second decryption method Decrypt the encryption request to obtain the original access request, and execute step S203.
  • the encryption server can negotiate the encryption and decryption method of the access request with the security plug-in in the terminal device before the terminal device sends the access request to the target page, that is, the security plug-in is agreed to encrypt the access request.
  • the encryption method used and the encryption server used to decrypt the access request are agreed to encrypt the access request.
  • the encryption method may specifically include an encryption algorithm and an encryption key
  • the decryption method may specifically include a decryption algorithm and a decryption key.
  • the once-encrypted encryption algorithm and decryption algorithm are corresponding algorithms
  • the once-encrypted encryption key is a key corresponding to each other.
  • the operation corresponding to the encryption algorithm and the operation corresponding to the decryption algorithm are operations that perform the same logic.
  • the operation corresponding to the encryption algorithm and the operation corresponding to the decryption algorithm are hash operations;
  • the operation corresponding to the encryption algorithm and the operation corresponding to the decryption algorithm are mutually inverse operations.
  • the encryption key is the same as the decryption key. If the encryption algorithm agreed by the encryption server and the security plug-in to decrypt the access request and the decryption algorithm to decrypt the access request are symmetric algorithms, the encryption key and the decryption key are a pair of public and private keys, where if the If the encryption key is a public key, the decryption key is a private key. If the encryption key is a private key, the decryption key is a public key.
  • the identification of the terminal device may be the identification of the terminal device itself, such as the device identification of the terminal device, the IP address of the terminal device, or the identification information assigned to the terminal device by the encryption server, such as session information and cookie information. It is the identification information agreed upon when the encryption server and the security plug-in agree on the second decryption mode. Wherein, when the identification of the terminal device is the identification information agreed upon when the encryption server and the security plug-in agree on the second decryption method, when the security plug-in encrypts the access request and encrypts the access request using the agreed encryption method, the security plug-in Add the agreed identification information to the access request.
  • the encryption server obtains the identity of the terminal device from the access request, and then, after determining the second decryption mode agreed with the security plug-in according to the identity of the terminal device, the decryption key corresponding to the second decryption mode An operation corresponding to the decryption algorithm corresponding to the second decryption method with the encrypted data in the access request is used to obtain the original access request.
  • the encryption server executes step S209.
  • the encryption server sends a resource acquisition request corresponding to the target page to the background server, and the background server receives a resource access request for the target page.
  • the background server is the background server corresponding to the target page, that is, the background server of the website system containing the target page.
  • the resource acquisition request corresponding to the target page is used to request the background server to return the first page data corresponding to the target page.
  • the website client can display the target page.
  • the encryption server sends the resource acquisition request corresponding to the target page to the background server in the following two cases:
  • the IP address of the background server can be preset in the encryption server, and the IP of the background server can be set.
  • the address is associated with the target access request.
  • the encryption server obtains the target access request
  • the resource of the page data corresponding to the target access request is determined on the background server according to the IP address associated with the target access request, so that the encryption server can
  • the IP address corresponding to the target access request initiates a resource acquisition request corresponding to the target page to the background server.
  • the target access request refers to an access request associated with the background server, that is, a related request of the website system.
  • the domain name "pingan.com” corresponds to the IP address of the backend server in advance, and the IP address of the backend server is 192.168.11.32.
  • the request carries the domain name "pingan.com” , For example, www.pingan.com/login, because this request carries "pingan.com", you can determine that the IP address of the back-end server corresponding to this request is 192.168.11.32, and the encryption server sends an IP address to 192.168.
  • the background server of .11.32 initiates the resource request corresponding to the access request.
  • the encryption server may The carried URL performs DNS resolution to obtain the IP address of the background server, and the encryption server may initiate a resource acquisition request corresponding to the target page to the background server according to the IP address of the background server obtained through analysis.
  • the resource acquisition request corresponding to the target page may be the access request to the target page.
  • the URL carried in the access request intercepted by the encryption server is www.pingan.com/login
  • the encryption server parses the URL through DNS to obtain the IP address corresponding to the URL is 202.132.11.32. .11.32
  • the server initiates a resource request corresponding to the target page.
  • the background server sends the first page data corresponding to the target page, and the encryption server obtains the first page data corresponding to the target page.
  • the background server finds the website file corresponding to the target page from the website directory according to the resource acquisition request corresponding to the target page, obtains the first page data from the website file, and then sends the first page data.
  • the background server when the URL carried in the access request is the first design described above, the background server sends the first page data corresponding to the target page to the encryption server, and the encryption server obtains the target page corresponding by receiving The first page of data; in the case that the URL carried in the access request is the second design described above, the background server sends the first page of data corresponding to the target sending page to the terminal device, and the encryption server intercepts the data by means of traffic hijacking The first page data corresponding to the pair of target pages.
  • the encryption server and the background server may communicate based on the HTTPS protocol.
  • the encryption server may send a resource acquisition request corresponding to the target page to the background server based on the HTTPS protocol, and the encryption server may send the first page data corresponding to the target page to the encryption server based on the HTTPS protocol.
  • the encryption server can be accessed only by the encryption server, that is, the access server's access whitelist includes only the encryption server's IP address or MAC address, etc. to prove the encryption server. Identity information.
  • the communication security between the encryption server and the background server is ensured, which further enhances the security of the website system.
  • the encryption server uses the first encryption method to encrypt the first page data to obtain the second page data.
  • the first encryption method is an encryption method agreed by the server and the security plug-in in the terminal device before the first page data is encrypted.
  • the encryption server and the security plug-in in the terminal device may periodically agree on an encryption and decryption manner.
  • the first encryption method may specifically be an encryption method among the encryption and decryption methods that the security server and the terminal device ’s security plug-in agreed upon before encrypting the first page data.
  • the specific content of the encryption method can be referred to the foregoing description, and is not repeated here.
  • the first encryption method may have the following situations:
  • the first encryption method is an encryption method agreed upon by the encryption server with the security plug-in in the terminal device after obtaining the first page data.
  • the encryption server can negotiate the encryption and decryption method of the first page data with the security plug-in in the terminal device, that is, the encryption method used by the encryption server to encrypt the first page data and the security plug-in decryption are agreed.
  • the first encryption method is the decryption method used for the first page data, and the encryption method adopted by the agreed encryption server to encrypt the first page data is the first encryption method.
  • the first encryption method is an encryption method agreed by the encryption server with the security plug-in in the terminal device before the terminal device sends the access request to the target page. If the encryption server does not negotiate the encryption and decryption method of the first page data with the security plug-in in the terminal device after obtaining the first page data, the encryption server will communicate with the terminal device before the terminal device sends the access request for the target page. The encryption method in the encryption and decryption method agreed upon by the security plug-in in the server serves as the first encryption method.
  • the encryption server performs an operation corresponding to the first encryption method on the encryption key corresponding to the first encryption method and the first page data to obtain the second page data.
  • the encryption server sends the second page data to the terminal device, and the terminal device receives the second page data.
  • the terminal device decrypts the second page data by using the security plug-in to obtain the first page data.
  • the security plug-in in the terminal device obtains the first page data by decrypting the second page data according to the decryption method agreed with the encryption server, and the decryption method corresponds to the first encryption method.
  • the decryption method may be a decryption method among the encryption and decryption methods agreed upon by the security plug-in of the terminal device and the encryption server for the last time before the first page data is encrypted. For details of the decryption method, refer to the foregoing description, and details are not described herein again.
  • the decryption method is the decryption method agreed with the plug-in by the security plug-in of the terminal device after the encryption server obtains the first page data; if the first encryption method is the first description above In two cases, the decryption method is the decryption method agreed with the encryption server by the security plug-in of the terminal device before the terminal device sends the access request to the target page.
  • the security plug-in in the terminal device performs the operation corresponding to the decryption method on the second page data and the decryption key corresponding to the decryption method to obtain the first page data.
  • the terminal device displays the target page according to the first page data.
  • the security plug-in of the terminal device sends the first page data to a website client in the terminal device, and the website client displays the target page according to the first page data.
  • the encryption server sends the third page data to the terminal device, and the terminal device receives the third page data.
  • the third page data is the page data corresponding to the download page corresponding to the security plug-in.
  • the encryption server may obtain the third page data from the server that provides the security plug-in download service, and then sends the third page data to the terminal device.
  • the server may be the encryption server, the background server, or another server.
  • the encryption server may also directly obtain the security plug-in from a server providing a security plug-in download service, and then send the security plug-in to the terminal device, and the terminal device performs step S211 according to the security plug-in.
  • the terminal device downloads the security plug-in from a download page corresponding to the security plug-in.
  • the terminal device installs a security plug-in in the terminal device.
  • the terminal device may execute step S201 to initiate an access request to the target page.
  • the page data is encrypted and decrypted by using an encryption server and a security plug-in respectively, the page data is transmitted in the form of ciphertext during the transmission process, which can avoid direct scanning by tools such as scanners and crawlers To page data, to avoid page data being fetched and tampered in situations such as traffic hijacking.
  • FIG. 3 is a schematic flowchart of another communication data encryption method provided by an embodiment of the present application. This method is executed when a security plug-in is installed in a terminal device. The method includes:
  • the terminal device acquires the second parameter input by the user through a parameter acquisition page.
  • the parameter acquisition page refers to a page where a user can input data and submit
  • the parameter acquisition page may specifically be a login page, a user information filling page, a user opinion submission page, and the like.
  • the second parameter is the information entered by the user.
  • the second parameter may be the user name, password, and verification code entered by the user through the login page.
  • the second parameter may also be the name, gender, age, etc. that the user fills in through the user information page.
  • the second parameter may also be a message or suggestion submitted by the user, and is not limited to the description here.
  • the terminal device encrypts the second parameter by using the security plug-in to obtain the first parameter.
  • the security plug-in of the terminal device encrypts the second parameter according to the encryption mode agreed with the encryption server to obtain the first parameter.
  • the encryption method may be an encryption method among the encryption and decryption methods that the security plug-in of the terminal device and the encryption server agree on for the last time before the terminal device encrypts the first parameter.
  • the specific content of the encryption method can be referred to the foregoing description, and is not repeated here.
  • the security plug-in in the terminal device may perform a calculation corresponding to the encryption method on the second parameter and an encryption key corresponding to the agreed encryption method to obtain the first parameter.
  • the terminal device initiates a parameter submission request, and the encryption server obtains the parameter submission request.
  • the parameter submission request includes a first parameter.
  • the parameter submission request carries a URL, the URL pointing to an IP address, and the IP address is the address of the parameter submission request submission parameter.
  • the IP address pointed to by the URL is the same as the IP address pointed to by the URL carried in the access request.
  • the encryption server uses a first decryption method to decrypt the first parameter to obtain a second parameter.
  • the first decryption method is the decryption method among the encryption and decryption methods that the security plug-in of the terminal device and the encryption server agree on for the last time before the terminal device encrypts the first parameter.
  • the decryption method refers to the foregoing description, and details are not described herein again.
  • the encryption server performs the operation corresponding to the first decryption method on the first parameter and the decryption key corresponding to the first decryption method to obtain the second parameter.
  • the encryption server sends the second parameter to the background server, and the background server receives the second parameter.
  • the sending of the second parameter by the encryption server to the background server is similar to the resource acquisition request corresponding to the target page sent by the encryption server to the background server.
  • the encryption server may submit the request to determine the parameter according to the parameter.
  • the IP address corresponding to the parameter submission request and sends the second parameter to the background server according to the IP address corresponding to the parameter submission request;
  • the encryption server parses the URL in the parameter submission request to obtain the background The IP address of the server, and then send the second parameter to the background service according to the parsed IP address.
  • the background server sends the fourth page data according to the second parameter, and the encryption service obtains the fourth page data.
  • the background server sends the fourth page data according to the second parameter and the encryption server obtains the third page data
  • the background server sends the first page data corresponding to the target page and the encryption server obtains the first page corresponding to the target page.
  • the description of the data is not repeated here.
  • the encryption server and the background server may communicate based on the HTTPS protocol.
  • the encryption server sends a second parameter to the background server based on the HTTPS protocol, and the encryption server sends the fourth page data to the encryption server based on the HTTPS protocol.
  • the access mode of the encryption server may be that only the encryption server is allowed to access. The security of the communication process between the encryption server and the background server is ensured by security means, which further enhances the security of the website system.
  • the encryption server uses the second encryption method to encrypt the fourth page data to obtain the fifth page data.
  • the encryption server sends the fifth page data to the terminal device, and the terminal device receives the fifth page data.
  • the terminal device uses the security plug-in to decrypt the fifth page data to obtain the fourth page data.
  • S310 The terminal device displays a page corresponding to the fourth page data.
  • steps S307 to S310 is similar to the specific implementation of steps S204 to S207 described above, and reference may be made to the description of steps S204 to S207 described above, which will not be repeated here.
  • the security plug-in and the encryption server in the terminal device respectively encrypt and decrypt the parameters obtained by the terminal device through the parameter acquisition page, so that these parameters are transmitted in the form of ciphertext during the transmission process, thereby avoiding these The parameters are acquired during the transmission process, ensuring the security and privacy of the parameters without changing the original website architecture.
  • FIG. 4 is a schematic structural diagram of a communication data encryption device according to an embodiment of the present application.
  • the device 40 may be the encryption server or the encryption server in the embodiment shown in FIG. 1 or FIG. 2 to FIG. 3 described above.
  • the device 40 includes:
  • An access request obtaining module 401 configured to obtain an access request for a target page initiated by a terminal device
  • the page data acquisition module 402 is configured to, when it is determined that a security plug-in exists in the terminal device according to the access request, acquire a first corresponding to the target page from a background server corresponding to the target page according to the access request. Page data, the security plug-in is used to encrypt or decrypt the data;
  • An encryption module 403, configured to encrypt the first page data by using a first encryption method agreed with the security plug-in to obtain second page data;
  • a page data sending module 404 is configured to send the second page data to the terminal device, so that the terminal device decrypts the second page data through the security plug-in to obtain the first page data.
  • the device 40 further includes:
  • a download page push module 405 is configured to send third page data to the terminal device when it is determined that a security plug-in does not exist in the terminal device according to the access request, so that the terminal device is protected from the security
  • the download page corresponding to the plug-in downloads the security plug-in and installs it into the terminal device, and the third page data is page data corresponding to the download page.
  • the device 40 further includes:
  • the submission request obtaining module 406 is configured to obtain a parameter submission request initiated by the terminal device, where the parameter submission request includes a first parameter, and the first parameter is a second parameter encrypted by the terminal device through the security plug-in.
  • the obtained parameter, the second parameter is a parameter obtained by the terminal device through a parameter acquisition page;
  • a decryption module 407 configured to decrypt the first parameter by using a first decryption method agreed with the security plug-in to obtain the second parameter;
  • the parameter sending module 408 is further configured to send the second parameter to the background server.
  • the page data obtaining module 402 is further configured to obtain fourth page data returned by the background server according to the second parameter;
  • the encryption module 403 is further configured to encrypt the fourth page data by using a second encryption method agreed with the security plug-in to obtain the fifth page data;
  • the page data sending module 404 is further configured to send the fifth page data to the terminal device, so that the terminal device decrypts the fifth page data through the security plug-in to obtain the fourth page data. .
  • the parameter sending module 408 is specifically configured to: send the second parameter to the background server based on a Secure Sockets Layer Hypertext Transfer HTTPS protocol;
  • the page data obtaining module 402 is configured to obtain the fourth page data returned by the background server based on the HTTPS protocol according to the second parameter.
  • the device further includes:
  • a judging module 409 configured to judge whether the access request is an encryption request
  • the determining module 409 determines that a security plug-in does not exist in the terminal device
  • the determining module 409 determines that a security plug-in exists in the terminal device.
  • the page data acquisition module 402 is specifically configured to:
  • the encryption server uses the second decryption method to decrypt the encryption request to obtain the original access request
  • a page scanning tool such as a scanner and a crawler tool
  • a crawler tool it is possible to prevent page data from being acquired and tampered in situations such as traffic hijacking.
  • FIG. 5 is a schematic diagram of a composition structure of another communication data encryption device according to an embodiment of the present application.
  • the device may be the encryption server or the encryption server in the embodiment shown in FIG. 1 or FIG. 2 to FIG. 3.
  • the device 50 includes a processor 501, a memory 502, and a communication interface 503.
  • the processor 501 is connected to the memory 502 and the communication interface 503.
  • the processor 501 may be connected to the memory 502 and the communication interface 503 through a bus.
  • the processor 501 is configured to support the communication data encryption device to perform a corresponding function of an encryption server in the communication data encryption method described in FIG. 2 to FIG. 3.
  • the processor 501 may be a Central Processing Unit (CPU), a Network Processor (NP), a hardware chip, or any combination thereof.
  • the above-mentioned hardware chip may be an Application-Specific Integrated Circuit (ASIC), a Programmable Logic Device (PLD), or a combination thereof.
  • the PLD may be a complex programmable logic device (Complex Programmable Logic Device, CPLD), a field programmable logic gate array (Field-Programmable Gate Array, FPGA), a universal array logic (Generic Array logic, GAL), or any combination thereof.
  • the memory 502 is used to store program code and the like.
  • the memory 502 may include volatile memory (Volatile Memory, VM), such as Random Access Memory (RAM); the memory 502 may also include non-volatile memory (Non-Volatile Memory, NVM), such as read-only Read-only memory (ROM), flash memory, hard disk drive (HDD), or solid-state drive (SSD); memory 502 may also include a combination of the above types of memories.
  • the memory 502 is configured to store a communication data encryption program, a key, and the like.
  • the communication interface 503 is configured to send or receive data.
  • the processor 501 may call the program code to perform the following operations:
  • the first page data corresponding to the target page is obtained from the background server corresponding to the target page through the communication interface 503 according to the access request.
  • the security plug-in is used to encrypt or decrypt data
  • An embodiment of the present application further provides a computer-readable storage medium.
  • the computer-readable storage medium stores a computer program, where the computer program includes program instructions, and the program instructions, when executed by the computer, cause the computer to execute as described above.
  • the computer may be a part of the communication data encryption device mentioned above. For example, it is the processor 501 described above.
  • the program can be stored in a computer-readable storage medium.
  • the program When executed, the processes of the embodiments of the methods described above may be included.
  • the storage medium may be a magnetic disk, an optical disk, a read-only memory (Read-Only Memory, ROM), or a random access memory (Random, Access Memory, RAM).

Abstract

Disclosed in the present application is a communication data encryption method and apparatus. The method comprises: obtaining an access request to a target page initiated by a terminal device; in the case that a security plug-in is determined to exist in the terminal device according to the access request, obtaining first page data corresponding to the target page from a background server corresponding to the target page according to the access request, the security plug-in being used for encrypting or decrypting the data; encrypting the first page data in a first encryption mode agreed with the security plug-in to obtain second page data; and sending the second page data to the terminal device so that the terminal device decrypts the second page data by means of the security plug-in to obtain the first page data. The solution can prevent a tool for scanning a page such as a scanner and a crawler tool from directly obtaining page data, and avoid that the page data is obtained and tampered in a situation such as traffic hijacking.

Description

通信数据加密方法和装置Communication data encryption method and device
本申请要求于2018年07月27日提交中国专利局、申请号为2018108525932、申请名称为“通信数据加密方法和装置”的中国专利申请的优先权,其全部内容通过引用结合在本申请中。This application claims priority from a Chinese patent application filed on July 27, 2018 with the Chinese Patent Office, application number 2018108525932, and application name "communication data encryption method and device", the entire contents of which are incorporated herein by reference.
技术领域Technical field
本申请涉及通信技术领域,尤其涉及通信数据加密方法和装置。The present application relates to the field of communication technologies, and in particular, to a method and an apparatus for encrypting communication data.
背景技术Background technique
网站是依赖于web技术建立的应用,网站应用中的每一次信息交换都涉及web客户端和web服务端,其中,web客户端的主要任务是向用户展现信息内容,其具体利用html语言、脚本程序、CSS、插件技术等实现对应的web页面展示;web服务端为web客户端提供业务支持,其具体利用PHP、ASP、JSP等技术实现相应的功能。web服务端和web客户端的交互流程一般为:web客户端向web服务端发送请求,web服务端基于web客户端发出的请求向web客户端返回该请求对应的数据(如html代码等)。A website is an application that relies on web technology. Every information exchange in a website application involves a web client and a web server. Among them, the main task of the web client is to display information content to users. It uses html language and script programs. , CSS, plug-in technology, etc. to achieve the corresponding web page display; the web server provides business support for the web client, which specifically uses PHP, ASP, JSP and other technologies to achieve the corresponding functions. The interaction process between the web server and the web client is generally: the web client sends a request to the web server, and the web server returns the data (such as html code) corresponding to the request to the web client based on the request sent by the web client.
为了提高网站的安全性,一般会采用一定的加密技术对网站的某些数据进行加密,在目前的一些加密设计中,主要是通过对网站的html代码进行加密以避免网站的内容结构被轻易读取。但是,目前还有一些网站的各个功能之间的交互参数(如通过post表单提交的用户名、密码等)是以明文的形式进行传输,面临被监听的风险,网站的安全性不够高。In order to improve the security of the website, certain encryption technology is generally used to encrypt some of the website's data. In some current encryption designs, the html code of the website is mainly encrypted to prevent the content structure of the website from being easily read. take. However, at present, there are still some interaction parameters between various functions of the website (such as user name and password submitted through the post form), which are transmitted in the form of clear text, facing the risk of being monitored, and the security of the website is not high enough.
发明内容Summary of the Invention
本申请提供通信数据加密方法和装置,解决网站安全性不够高的问题。This application provides a communication data encryption method and device, which solves the problem of insufficient security of a website.
第一方面,提供一种通信数据加密方法,包括:In a first aspect, a communication data encryption method is provided, including:
获取终端设备发起的对目标页面的访问请求;Obtaining an access request to a target page initiated by a terminal device;
在根据所述访问请求确定所述终端设备中存在安全插件的情况下,根据所述访问请求从所述目标页面对应的后台服务器获取所述目标页面对应的第一页面数据,所述安全插件用于加密或解密数据;When it is determined that a security plug-in exists in the terminal device according to the access request, the first page data corresponding to the target page is obtained from a background server corresponding to the target page according to the access request, and the security plug-in uses For encrypting or decrypting data;
采用与所述安全插件约定的第一加密方式对所述第一页面数据进行加密得到第二页面数据;Encrypting the first page data by using a first encryption method agreed with the security plug-in to obtain second page data;
向所述终端设备发送所述第二页面数据,以使所述终端设备通过所述安全插件对所述第二页面数据进行解密得到所述第一页面数据。Sending the second page data to the terminal device, so that the terminal device decrypts the second page data through the security plug-in to obtain the first page data.
第二方面,提供一种通信数据加密装置,包括:In a second aspect, a communication data encryption device is provided, including:
访问请求获取模块,用于获取终端设备发起的对目标页面的访问请求;An access request obtaining module, configured to obtain an access request to a target page initiated by a terminal device;
页面数据获取模块,用于在根据所述访问请求确定所述终端设备中存在安全插件的情况下,根据所述访问请求从所述目标页面对应的后台服务器获取所述目标页面对应的第一页面数据,所述安全插件用于加密或解密数据;A page data acquisition module, configured to obtain a first page corresponding to the target page from a background server corresponding to the target page according to the access request when it is determined that a security plug-in exists in the terminal device according to the access request Data, the security plug-in is used to encrypt or decrypt the data;
加密模块,用于采用与所述安全插件约定的第一加密方式对所述第一页面数据进行加密得到第二页面数据;An encryption module, configured to encrypt the first page data by using a first encryption method agreed with the security plug-in to obtain second page data;
页面数据发送模块,用于向所述终端设备发送所述第二页面数据,以使所述终端设备通过所述安全插件对所述第二页面数据进行解密得到所述第一页面数据。A page data sending module is configured to send the second page data to the terminal device, so that the terminal device decrypts the second page data through the security plug-in to obtain the first page data.
第三方面,提供另一种通信数据加密装置,包括处理器、存储器以及通信接口,所述处理器、存储器和通信接口相互连接,其中,所述通信接口用于接收或发送数据,所述存储器用于存储通信数据加密装置执行上述方法的应用程序代码,所述处理器被配置用于执行上述第一方面的方法。According to a third aspect, another communication data encryption device is provided, including a processor, a memory, and a communication interface. The processor, the memory, and the communication interface are connected to each other. The communication interface is used to receive or send data. The memory The application program code for storing the communication data encryption device performing the above method, and the processor is configured to execute the method of the first aspect.
第四方面,提供一种计算机存储介质,所述计算机存储介质存储有计算机程序,所述计算机程序包括程序指令,所述程序指令当被处理器执行时使所述处理器执行上述第一方面的方法。According to a fourth aspect, a computer storage medium is provided. The computer storage medium stores a computer program, where the computer program includes program instructions, and the program instructions, when executed by a processor, cause the processor to execute the foregoing first aspect. method.
本技术方案可以避免扫描器、爬虫工具等扫描页面的工具直接获取到页面数据,避免在流量劫持等情况下页面的数据被获取以及篡改。This technical solution can avoid that page scanning tools, such as scanners and crawling tools, directly obtain page data, and avoid page data being acquired and tampered in situations such as traffic hijacking.
附图说明BRIEF DESCRIPTION OF THE DRAWINGS
图1是本申请实施例提供的一种网站系统的架构示意图;FIG. 1 is a schematic structural diagram of a website system according to an embodiment of the present application; FIG.
图2是本申请实施例提供的一种通信数据加密方法的流程示意图;2 is a schematic flowchart of a communication data encryption method according to an embodiment of the present application;
图3是本申请实施例提供的另一种通信数据加密方法的流程示意图;3 is a schematic flowchart of another communication data encryption method according to an embodiment of the present application;
图4是本申请实施例提供的一种通信数据加密装置的组成结构示意图;4 is a schematic structural diagram of a communication data encryption device according to an embodiment of the present application;
图5是本申请实施例提供的另一种通信数据加密装置的组成结构示意图。FIG. 5 is a schematic structural diagram of another communication data encryption device according to an embodiment of the present application.
具体实施方式detailed description
下面将结合本申请实施例中的附图,对本申请实施例中的技术方案进行清楚、完整地描述,显然,所描述的实施例仅是本申请一部分实施例,而不是全部的实施例。基于本申请中的实施例,本领域普通技术人员在没有做出创造性劳动前提下所获得的所有其他实施例,都属于本申请保护的范围。In the following, the technical solutions in the embodiments of the present application will be clearly and completely described with reference to the drawings in the embodiments of the present application. Obviously, the described embodiments are only a part of the embodiments of the present application, not all of the embodiments. Based on the embodiments in the present application, all other embodiments obtained by a person of ordinary skill in the art without creative efforts shall fall within the protection scope of the present application.
本申请的技术方案适用于传统的以明文形式传输数据的网站系统,网站系统可包括网站客户端和网站服务端。网站客户端为面向用户的客户端,用于为用户提供服务。该网站客户端可以是通用型的客户端,通用型的客户端可以为多个网站服务器提供服务,例如可以为浏览器;该网站客户端也可以特定的客户端,该特定的客户端只用于为某个特定网站提供服务,例如为“腾讯视频”客户端。一般情况下,该网站客户端运行在用户的终端设备上,其中,终端设备包括但不限于手机、电脑、平板电脑、电子阅读器等具备网站浏览功能的电子设备。网站服务端用于管理并向网站客户端提供该网站系统的资源,网站服务端用于向网站客户端提供各种数据使得该网站客户端可以向用显示各种页面。该网站服务端可以由一台或多台服务器组成。本申请实施例通过在传统的以明文形式传输数据的网站系统中增加加密服务器,并配套开发该加密服务器对应的安全插件,该安全插件可以被下载安装到终端设备中,终端设备可以该安全插件对数据进行加密或解密,利用加密服务器和 安全插件分别网站服务端向网站客户端发送的数据和网站客户端向网站服务器端发送的数据进行加密,以实现保障网站安全的目的。示例性地,本申请实施例的网站系统的架构可以如图1所示,网站系统包括运行在终端设备101上的网站客户端,加密服务器102以及网站服务器103,其中,加密服务器102用于对网站服务器发送给终端设备的数据进行加密并且对终端设备发送给网站服务器的数据进行解密,终端设备上还安装有安全插件,该安全插件用于对网站服务器发送给终端设备的数据进行解密并且对终端设备发送给网站服务器的数据进行加密。The technical solution of this application is applicable to a traditional website system that transmits data in plain text. The website system may include a website client and a website server. The website client is a user-facing client that provides services to users. The website client may be a general-purpose client, and the general-purpose client may provide services for multiple website servers, such as a browser; the website client may also be a specific client, and the specific client only uses To provide services for a specific website, such as a "Tencent Video" client. Generally, the website client runs on a user's terminal device. Among them, the terminal device includes, but is not limited to, a mobile phone, a computer, a tablet computer, an e-reader and other electronic devices with a website browsing function. The website server is used to manage and provide resources of the website system to the website client. The website server is used to provide various data to the website client so that the website client can display various pages to the user. The web server can consist of one or more servers. In the embodiment of the present application, an encryption server is added to a traditional website system that transmits data in plain text, and a security plug-in corresponding to the encryption server is developed. The security plug-in can be downloaded and installed in a terminal device, and the terminal device can use the security plug-in. The data is encrypted or decrypted, and the data sent by the website server to the website client and the data sent by the website client to the website server are encrypted by using an encryption server and a security plug-in to achieve the purpose of ensuring the security of the website. For example, the architecture of the website system in the embodiment of the present application may be as shown in FIG. 1. The website system includes a website client running on the terminal device 101, an encryption server 102, and a website server 103. The encryption server 102 is used for The data sent by the website server to the terminal device is encrypted and the data sent by the terminal device to the website server is encrypted. The terminal device also has a security plug-in installed, which is used to decrypt the data sent by the website server to the terminal device and decrypt the data The data sent by the terminal device to the website server is encrypted.
本申请实施例的方法可以实现在图1所示的系统架构上,下面介绍本申请实施例的方法。The method in the embodiment of the present application can be implemented on the system architecture shown in FIG. 1. The method in the embodiment of the present application is described below.
参见图2,图2是本申请实施例提供的一种通信数据加密方法的流程示意图;如图所示,该方法包括:Referring to FIG. 2, FIG. 2 is a schematic flowchart of a communication data encryption method according to an embodiment of the present application. As shown in the figure, the method includes:
S201,终端设备发起对目标页面的访问请求,加密服务器获取对目标页面的访问请求。S201: The terminal device initiates an access request to the target page, and the encryption server obtains an access request to the target page.
这里,终端设备通过运行在终端设备中的网站客户端发起对目标页面的访问请求,该目标页面为网站系统的其中一个页面。在该网站客户端为通用型的客户端的情况下,该目标页面可以为用户想要访问的任意一个网站系统的其中一个页面;在该网站客户端为特定的客户端的情况下,该目标页面为该网站客户端对应的网站系统的其中一个页面。Here, the terminal device initiates an access request to a target page through a website client running in the terminal device, and the target page is one of the pages of the website system. In the case where the website client is a general-purpose client, the target page can be one page of any website system that the user wants to access; in the case where the website client is a specific client, the target page is One page of the website system corresponding to the website client.
该目标页面对应一个统一资源定位符(uniform resource location,URL),该访问请求携带该URL,该URL指向一个互联网协议(Internet protocol,IP)地址,该IP地址为该访问请求访问的地址。The target page corresponds to a uniform resource location (URL), the access request carries the URL, the URL points to an Internet protocol (IP) address, and the IP address is the address accessed by the access request.
本申请实施例中,该URL指向的IP地址可以有以下两种设计:In the embodiment of the present application, the IP address pointed to by the URL may have the following two designs:
第一种设计,该URL指向的IP地址为加密服务器的IP地址。当终端设备发起对该目标页面的访问请求时,终端设备对该URL进行域名解析系统(domain name system,DNS)解析得到的IP地址为该加密服务器的IP地址。终端设备根据该加密服务器的IP地址向加密服务器发起对目标页面的访问请求,加密服务器通过接收的方式获取该对目标页面的访问请求。In the first design, the IP address pointed to by the URL is the IP address of the encryption server. When the terminal device initiates an access request to the target page, the IP address obtained by the terminal device performing domain name resolution system (DNS) analysis on the URL is the IP address of the encryption server. The terminal device initiates an access request for the target page to the encryption server according to the IP address of the encryption server, and the encryption server obtains the access request for the target page in a received manner.
第二种设计,该URL指向的IP地址为后台服务器的IP地址。当终端设备发起对该目标页面的访问请求时,终端设备对该URLDNS解析得到的IP地址为该后台服务器的IP地址。终端设备根据该后台服务器的IP地址向后台服务器发起对目标页面的访问请求,加密服务器通过流量劫持的方式截取该对目标页面的访问请求从而获取该对目标页面的访问请求。In the second design, the IP address pointed to by the URL is the IP address of the background server. When the terminal device initiates an access request to the target page, the IP address obtained by the terminal device parsing the URLDNS is the IP address of the background server. The terminal device initiates an access request to the target page to the background server according to the IP address of the background server, and the encryption server intercepts the access request to the target page by means of traffic hijacking to obtain the access request to the target page.
S202,加密服务器判断终端设备中是否存在安全插件。S202: The encryption server determines whether a security plug-in exists in the terminal device.
本申请实施例中,安全插件可以为与加密服务器配套开发的软件程序,安全插件可以与加密服务器通信,安全插件与加密服务器进行通信以完成对加密数据时所使用的加密算法和加密密钥以及解密数据时所使用的解密算法和解密密钥的协商。安全插件中可包括进行一种或多种加密算法对应的运算所对应的软件程序。当安全插件与加密服务器协商好加密数据时所使用的加密算法和加密密钥时,该安全插件可以对该加密密钥和需要加密的数据进行该加密算法对应的运算以对该需要加密的数据进行加密。当安全插件与加密服务器 协商好解密数据时所使用的解密算法和解密密钥时,该安全插件可以对该解密密钥和需要解密的数据进行该解密算法对应的运算以对该需要解密的数据进行解密。In the embodiment of the present application, the security plug-in may be a software program developed in conjunction with the encryption server, the security plug-in may communicate with the encryption server, and the security plug-in communicates with the encryption server to complete the encryption algorithm and encryption key used to encrypt the data, and Negotiation of the decryption algorithm and decryption key used to decrypt the data. The security plug-in may include a software program corresponding to an operation corresponding to one or more encryption algorithms. When the security plug-in negotiates with the encryption server the encryption algorithm and encryption key used to encrypt the data, the security plug-in can perform the corresponding operation of the encryption algorithm on the encryption key and the data that needs to be encrypted to the data that needs to be encrypted. Encrypt. When the security plug-in negotiates with the encryption server the decryption algorithm and decryption key used to decrypt the data, the security plug-in can perform the operation corresponding to the decryption algorithm on the decryption key and the data to be decrypted to the data that needs to be decrypted. Decrypt.
在一种可能的实现方式中,加密服务器可以根据该对目标页面的访问请求判断终端设备设备中是否存在安全插件,具体判断方式可以如下:加密服务器判断该对目标页面的访问请求是否为加密请求;如果该访问请求不为加密请求,则确定终端设备中不存在安全插件;如果该访问请求为加密请求,则确定终端设备中存在安全插件。In a possible implementation manner, the encryption server may determine whether a security plug-in exists in the terminal device according to the access request to the target page, and the specific determination method may be as follows: the encryption server determines whether the access request to the target page is an encryption request ; If the access request is not an encryption request, it is determined that a security plug-in does not exist in the terminal device; if the access request is an encryption request, it is determined that a security plug-in exists in the terminal device.
具体实现中,加密服务器可以通过判断该对目标页面的访问请求中的数据是否为明文数据来判断该对目标页面的访问请求是否为加密请求,如果该对目标页面的访问请求中的至少有部分数据不为明文数据,则确定该访问请求为加密请求,如果该对目标页面的访问请求中的所有数据均为明文数据,则确定该访问请求不为加密请求。In specific implementation, the encryption server may determine whether the data in the access request to the target page is plain text data to determine whether the access request to the target page is an encryption request. If at least part of the access request to the target page is If the data is not plain text data, the access request is determined to be an encryption request. If all data in the access request to the target page is clear text data, it is determined that the access request is not an encryption request.
在确定终端设备中存在安全插件的情况下,加密服务器可根据访问请求确定终端设备的标识,根据终端设备的标识确定与终端设备中的安全插件约定的第二解密方式,然后采用第二解密方式对该加密请求进行解密得到原始的访问请求,执行步骤S203。When it is determined that a security plug-in exists in the terminal device, the encryption server may determine the identity of the terminal device according to the access request, determine the second decryption method agreed with the security plug-in in the terminal device according to the identity of the terminal device, and then adopt the second decryption method Decrypt the encryption request to obtain the original access request, and execute step S203.
这里,由于终端设备中存在安全插件,加密服务器可以在终端设备发送该对目标页面的访问请求之前与终端设备中的安全插件协商该访问请求的加密解密方式,即约定该安全插件加密该访问请求采用的加密方式以及该加密服务器解密该访问请求采用的解密方式。Here, because the security plug-in exists in the terminal device, the encryption server can negotiate the encryption and decryption method of the access request with the security plug-in in the terminal device before the terminal device sends the access request to the target page, that is, the security plug-in is agreed to encrypt the access request. The encryption method used and the encryption server used to decrypt the access request.
本申请实施例中,加密方式具体可包括加密算法以及加密密钥,解密方式具体可包括解密算法以及解密密钥,一次约定的加密算法与解密算法为相互对应的算法,一次约定的加密密钥与该解密密钥为相互对应的密钥。在一些可能的实现方式中,该加密算法对应的运算与该解密算法对应的运算为一个执行逻辑相同的运算,例如,该加密算法对应的运算与该解密算法对应的运算均为hash值运算;在另一些可能的实现方式中,该加密算法对应的运算与该解密算法对应的运算互为逆运算。如果加密服务器与安全插件约定的加密该访问请求的加密算法以及解密该访问请求的解密算法为对称算法,则加密密钥与解密密钥相同。如果加密服务器与安全插件约定的解密该访问请求的加密算法以及解密该访问请求的解密算法为非对称算法,则加密密钥与解密密钥为成对的公钥和私钥,其中,如果该加密密钥为公钥,则该解密密钥为私钥,如果该加密密钥为私钥,则该解密密钥为公钥。In the embodiment of the present application, the encryption method may specifically include an encryption algorithm and an encryption key, and the decryption method may specifically include a decryption algorithm and a decryption key. The once-encrypted encryption algorithm and decryption algorithm are corresponding algorithms, and the once-encrypted encryption key. The decryption key is a key corresponding to each other. In some possible implementation manners, the operation corresponding to the encryption algorithm and the operation corresponding to the decryption algorithm are operations that perform the same logic. For example, the operation corresponding to the encryption algorithm and the operation corresponding to the decryption algorithm are hash operations; In other possible implementation manners, the operation corresponding to the encryption algorithm and the operation corresponding to the decryption algorithm are mutually inverse operations. If the encryption algorithm agreed by the encryption server and the security plug-in to encrypt the access request and the decryption algorithm to decrypt the access request are symmetric, the encryption key is the same as the decryption key. If the encryption algorithm agreed by the encryption server and the security plug-in to decrypt the access request and the decryption algorithm to decrypt the access request are asymmetric algorithms, the encryption key and the decryption key are a pair of public and private keys, where if the If the encryption key is a public key, the decryption key is a private key. If the encryption key is a private key, the decryption key is a public key.
这里,终端设备的标识可以是终端设备自身的标识,例如为终端设备的设备标识、终端设备的IP地址,也可以是加密服务器分配给终端设备的标识信息,如session信息、cookie信息,还可以是加密服务器与安全插件约定第二解密方式时约定的标识信息。其中,在终端设备的标识为加密服务器与安全插件约定第二解密方式时约定的标识信息的情况下,当该安全插件加密该访问请求采用约定的加密方式对该访问请求加密时,该安全插件在该访问请求中添加该约定的标识信息。Here, the identification of the terminal device may be the identification of the terminal device itself, such as the device identification of the terminal device, the IP address of the terminal device, or the identification information assigned to the terminal device by the encryption server, such as session information and cookie information. It is the identification information agreed upon when the encryption server and the security plug-in agree on the second decryption mode. Wherein, when the identification of the terminal device is the identification information agreed upon when the encryption server and the security plug-in agree on the second decryption method, when the security plug-in encrypts the access request and encrypts the access request using the agreed encryption method, the security plug-in Add the agreed identification information to the access request.
具体实现中,加密服务器从该访问请求中获取该终端设备的标识,然后在在根据终端设备的标识确定与该安全插件约定的第二解密方式之后,对该第二解密方式对应的解密密钥与该访问请求中被加密的数据进行该第二解密方式对应的解密算法所对应的运算得到原始的访问请求。In specific implementation, the encryption server obtains the identity of the terminal device from the access request, and then, after determining the second decryption mode agreed with the security plug-in according to the identity of the terminal device, the decryption key corresponding to the second decryption mode An operation corresponding to the decryption algorithm corresponding to the second decryption method with the encrypted data in the access request is used to obtain the original access request.
在确定终端设备不存在安全插件的情况下,加密服务器执行步骤S209。When it is determined that the terminal device does not have a security plug-in, the encryption server executes step S209.
S203,加密服务器向后台服务器发送目标页面对应的资源获取请求,后台服务器接 收对目标页面的资源访问请求。S203: The encryption server sends a resource acquisition request corresponding to the target page to the background server, and the background server receives a resource access request for the target page.
这里,后台服务器为该目标页面对应的后台服务器,也即包含该目标页面的网站系统的后台服务器。目标页面对应的资源获取请求用于请求该后台服务器返回该目标页面对应的第一页面数据,该第一页面数据被终端设备中的网站客户端运行时可以使得该网站客户端显示该目标页面。Here, the background server is the background server corresponding to the target page, that is, the background server of the website system containing the target page. The resource acquisition request corresponding to the target page is used to request the background server to return the first page data corresponding to the target page. When the first page data is run by the website client in the terminal device, the website client can display the target page.
本申请实施例中,加密服务器向后台服务器发送目标页面对应的资源获取请求有以下两种情况:In the embodiment of the present application, the encryption server sends the resource acquisition request corresponding to the target page to the background server in the following two cases:
第一种情况,在对目标页面的访问请求中携带的URL指向的IP地址为上述第一种设计的情况下,可以在加密服务器中预置该后台服务器的IP地址,并将后台服务器的IP地址与目标访问请求关联,当加密服务器获取到目标访问请求时,根据与该目标访问请求关联的IP地址确定该目标访问请求对应的页面数据的资源在该后台服务器上,从而加密服务器可以根据与该目标访问请求对应的IP地址向该后台服务器发起目标页面对应的资源获取请求,其中,目标访问请求是指与该后台服务器关联的访问请求,即该网站系统的相关请求。In the first case, when the IP address pointed to by the URL carried in the access request for the target page is the first design described above, the IP address of the background server can be preset in the encryption server, and the IP of the background server can be set. The address is associated with the target access request. When the encryption server obtains the target access request, the resource of the page data corresponding to the target access request is determined on the background server according to the IP address associated with the target access request, so that the encryption server can The IP address corresponding to the target access request initiates a resource acquisition request corresponding to the target page to the background server. The target access request refers to an access request associated with the background server, that is, a related request of the website system.
例如,预先将“pingan.com”这一域名与后台服务器的IP地址相对应,后台服务器的IP地址为192.168.11.32,当加密服务器接收到访问请求中携带“pingan.com”这一域名的请求时,例如为www.pingan.com/login,由于这个请求中携带有“pingan.com”,则可以确定与这个请求对应的后台服务器的IP地址为192.168.11.32,则加密服务器向IP地址为192.168.11.32的后台服务器发起该访问请求对应的资源请求。For example, the domain name "pingan.com" corresponds to the IP address of the backend server in advance, and the IP address of the backend server is 192.168.11.32. When the encryption server receives the access request, the request carries the domain name "pingan.com" , For example, www.pingan.com/login, because this request carries "pingan.com", you can determine that the IP address of the back-end server corresponding to this request is 192.168.11.32, and the encryption server sends an IP address to 192.168. The background server of .11.32 initiates the resource request corresponding to the access request.
第二种情况,在目标页面的访问请求中携带的URL指向的IP地址为上述第二种设计的情况下,加密服务器在截取到该对目标页面的访问请求后,可以对该访问请求中的携带的URL进行DNS解析得到该后台服务器的IP地址,加密服务器可以根据解析得到的后台服务器的IP地址向后台服务器发起目标页面对应的资源获取请求。具体地,该目标页面对应的资源获取请求可以为该对目标页面的访问请求。In the second case, when the IP address pointed to by the URL carried in the access request of the target page is the second design described above, after intercepting the access request to the target page, the encryption server may The carried URL performs DNS resolution to obtain the IP address of the background server, and the encryption server may initiate a resource acquisition request corresponding to the target page to the background server according to the IP address of the background server obtained through analysis. Specifically, the resource acquisition request corresponding to the target page may be the access request to the target page.
例如,加密服务器截取到的访问请求中携带的URL为www.pingan.com/login,加密服务器通过DNS方式解析该URL得到该URL对应的IP地址为202.132.11.32,则加密服务器向IP地址为202.132.11.32的服务器发起目标页面对应的资源请求。For example, the URL carried in the access request intercepted by the encryption server is www.pingan.com/login, and the encryption server parses the URL through DNS to obtain the IP address corresponding to the URL is 202.132.11.32. .11.32 The server initiates a resource request corresponding to the target page.
S204,后台服务器发送目标页面对应的第一页面数据,加密服务器获取目标页面对应的第一页面数据。S204. The background server sends the first page data corresponding to the target page, and the encryption server obtains the first page data corresponding to the target page.
这里,后台服务器根据该目标页面对应的资源获取请求从网站目录中找到该目标页面对应的网站文件,从该网站文件中获取第一页面数据,然后发送该第一页面数据。Here, the background server finds the website file corresponding to the target page from the website directory according to the resource acquisition request corresponding to the target page, obtains the first page data from the website file, and then sends the first page data.
本申请实施例中,在该访问请求中携带的URL为上述第一种设计的情况下,后台服务器向该加密服务器发送目标页面对应的第一页面数据,加密服务器通过接收的方式获取目标页面对应的第一页面数据;在该访问请求中携带的URL为上述第二种设计的情况下,后台服务器向该终端设备发送目标发送页面对应的第一页面数据,该加密服务器通过流量劫持的方式截取该对目标页面对应的第一页面数据。In the embodiment of the present application, when the URL carried in the access request is the first design described above, the background server sends the first page data corresponding to the target page to the encryption server, and the encryption server obtains the target page corresponding by receiving The first page of data; in the case that the URL carried in the access request is the second design described above, the background server sends the first page of data corresponding to the target sending page to the terminal device, and the encryption server intercepts the data by means of traffic hijacking The first page data corresponding to the pair of target pages.
可选地,如果该访问请求中携带的URL为上述第一种设计,在第一种可能的实现方式中,加密服务器与后台服务器可以基于HTTPS协议进行通信。其中,加密服务器可以 基于HTTPS协议向后台服务器发送目标页面对应的资源获取请求,加密服务器可以基于HTTPS协议向加密服务器发送该目标页面对应的第一页面数据。在第二种可能的实现方式中,该加密服务器的访问方式可以为只允许加密服务器访问,即该后台服务器的访问白名单中有且只有该加密服务器的IP地址或MAC地址等证明该加密服务器的身份信息。以一种安全的方式保证加密服务器与后台服务器之间的交互过程的通信安全,进一步增强了网站系统的安全性。Optionally, if the URL carried in the access request is the first design described above, in a first possible implementation manner, the encryption server and the background server may communicate based on the HTTPS protocol. The encryption server may send a resource acquisition request corresponding to the target page to the background server based on the HTTPS protocol, and the encryption server may send the first page data corresponding to the target page to the encryption server based on the HTTPS protocol. In a second possible implementation manner, the encryption server can be accessed only by the encryption server, that is, the access server's access whitelist includes only the encryption server's IP address or MAC address, etc. to prove the encryption server. Identity information. In a secure manner, the communication security between the encryption server and the background server is ensured, which further enhances the security of the website system.
S205,加密服务器采用第一加密方式对应第一页面数据进行加密得到第二页面数据。S205. The encryption server uses the first encryption method to encrypt the first page data to obtain the second page data.
这里,第一加密方式为在加密该第一页面数据之前加密服务器与终端设备中的安全插件约定的加密方式。在一些可能的实现方式中,加密服务器与终端设备中的安全插件可以周期性地约定加密解密方式。第一加密方式具体可以为加密服务器与终端设备的安全插件在加密该第一页面数据之前最后一次约定的加密解密方式中的加密方式。加密方式的具体内容可参见前述描述,此处不再赘述。Here, the first encryption method is an encryption method agreed by the server and the security plug-in in the terminal device before the first page data is encrypted. In some possible implementation manners, the encryption server and the security plug-in in the terminal device may periodically agree on an encryption and decryption manner. The first encryption method may specifically be an encryption method among the encryption and decryption methods that the security server and the terminal device ’s security plug-in agreed upon before encrypting the first page data. The specific content of the encryption method can be referred to the foregoing description, and is not repeated here.
可选地,第一加密方式可以有以下情况:Optionally, the first encryption method may have the following situations:
第一种情况,第一加密方式为加密服务器在获取到该第一页面数据之后与终端设备中的安全插件约定的加密方式。加密服务器可以在获取到该第一页面数据之后,与终端设备中的安全插件协商该第一页面数据的加密解密方式,即约定加密服务器加密该第一页面数据采用的加密方式以及该安全插件解密该第一页面数据的采用的解密方式,该约定的加密服务器加密该第一页面数据采用的加密方式即为第一加密方式。In the first case, the first encryption method is an encryption method agreed upon by the encryption server with the security plug-in in the terminal device after obtaining the first page data. After obtaining the first page data, the encryption server can negotiate the encryption and decryption method of the first page data with the security plug-in in the terminal device, that is, the encryption method used by the encryption server to encrypt the first page data and the security plug-in decryption are agreed. The first encryption method is the decryption method used for the first page data, and the encryption method adopted by the agreed encryption server to encrypt the first page data is the first encryption method.
第二种情况,第一加密方式为加密服务器在终端设备发送该对目标页面的访问请求之前与终端设备中的安全插件约定的加密方式。如果加密服务器未在获取到该第一页面数据之后与终端设备中的安全插件协商该第一页面数据的加密解密方式,则加密服务器将在终端设备发送该对目标页面的访问请求之前与终端设备中的安全插件约定的加密解密方式中的加密方式作为第一加密方式。In the second case, the first encryption method is an encryption method agreed by the encryption server with the security plug-in in the terminal device before the terminal device sends the access request to the target page. If the encryption server does not negotiate the encryption and decryption method of the first page data with the security plug-in in the terminal device after obtaining the first page data, the encryption server will communicate with the terminal device before the terminal device sends the access request for the target page. The encryption method in the encryption and decryption method agreed upon by the security plug-in in the server serves as the first encryption method.
具体实现中,加密服务器对第一加密方式对应的加密密钥与第一页面数据进行该第一加密方式对应的运算得到第二页面数据。In specific implementation, the encryption server performs an operation corresponding to the first encryption method on the encryption key corresponding to the first encryption method and the first page data to obtain the second page data.
S206,加密服务器向终端设备发送第二页面数据,终端设备接收第二页面数据。S206. The encryption server sends the second page data to the terminal device, and the terminal device receives the second page data.
S207,终端设备通过安全插件对第二页面数据进行解密得到第一页面数据。S207. The terminal device decrypts the second page data by using the security plug-in to obtain the first page data.
终端设备中的安全插件根据与加密服务器约定的解密方式对第二页面数据进行解密的得到第一页面数据,该解密方式与上述第一加密方式对应。该解密方式可以为在在加密该第一页面数据之前终端设备的安全插件与加密服务器最后一次约定的加密解密方式中的解密方式。解密方式的具体内容可参见前述描述,此处不再赘述。The security plug-in in the terminal device obtains the first page data by decrypting the second page data according to the decryption method agreed with the encryption server, and the decryption method corresponds to the first encryption method. The decryption method may be a decryption method among the encryption and decryption methods agreed upon by the security plug-in of the terminal device and the encryption server for the last time before the first page data is encrypted. For details of the decryption method, refer to the foregoing description, and details are not described herein again.
如果第一加密方式为上述第一种情况,则该解密方式为该终端设备的安全插件在该加密服务器获取到第一页面数据之后与该插件约定的解密方式;如果第一加密方式为上述第二种情况,则该解密方式为该终端设备的安全插件在终端设备发送该对目标页面的访问请求之前与加密服务器约定的解密方式。If the first encryption method is the first case described above, the decryption method is the decryption method agreed with the plug-in by the security plug-in of the terminal device after the encryption server obtains the first page data; if the first encryption method is the first description above In two cases, the decryption method is the decryption method agreed with the encryption server by the security plug-in of the terminal device before the terminal device sends the access request to the target page.
具体实现中,终端设备中的安全插件对第二页面数据以及该解密方式对应的解密密钥进行该解密方式对应的运算得到第一页面数据。In specific implementation, the security plug-in in the terminal device performs the operation corresponding to the decryption method on the second page data and the decryption key corresponding to the decryption method to obtain the first page data.
S208,终端设备根据第一页面数据显示目标页面。S208. The terminal device displays the target page according to the first page data.
具体地,终端设备的安全插件将第一页面数据发送给终端设备中的网站客户端,网站客户端根据该第一页面数据显示该目标页面。Specifically, the security plug-in of the terminal device sends the first page data to a website client in the terminal device, and the website client displays the target page according to the first page data.
S209,加密服务器将第三页面数据发送给终端设备,终端设备接收第三页面数据。S209: The encryption server sends the third page data to the terminal device, and the terminal device receives the third page data.
这里,第三页面数据为安全插件对应的下载页面所对应的页面数据,加密服务器可以从提供安全插件下载服务的服务器中获取第三页面数据,然后发送给终端设备,该提供安全插件下载服务的服务器可以为该加密服务器,也可以为该后台服务器,还可以为其他的服务器。Here, the third page data is the page data corresponding to the download page corresponding to the security plug-in. The encryption server may obtain the third page data from the server that provides the security plug-in download service, and then sends the third page data to the terminal device. The server may be the encryption server, the background server, or another server.
可选地,加密服务器也可以直接从提供安全插件下载服务的服务器中获取该安全插件,然后将该安全插件发送给终端设备,终端设备根据该安全插件执行步骤S211。Optionally, the encryption server may also directly obtain the security plug-in from a server providing a security plug-in download service, and then send the security plug-in to the terminal device, and the terminal device performs step S211 according to the security plug-in.
S210,终端设备从安全插件对应的下载页面下载安全插件。S210. The terminal device downloads the security plug-in from a download page corresponding to the security plug-in.
S211,终端设备在终端设备中安装安全插件。S211. The terminal device installs a security plug-in in the terminal device.
在安装好安全插件后,终端设备可以执行步骤S201,发起对目标页面的访问请求。After the security plug-in is installed, the terminal device may execute step S201 to initiate an access request to the target page.
本申请实施例中,由于利用加密服务器和安全插件分别对页面数据进行加密和解密,页面数据在传输过程中是以密文的形式传输,可以避免扫描器、爬虫工具等扫描页面的工具直接获取到页面数据,避免在流量劫持等情况下页面的数据被获取以及篡改。In the embodiment of the present application, since the page data is encrypted and decrypted by using an encryption server and a security plug-in respectively, the page data is transmitted in the form of ciphertext during the transmission process, which can avoid direct scanning by tools such as scanners and crawlers To page data, to avoid page data being fetched and tampered in situations such as traffic hijacking.
在上述图2对应的实施例中,在终端设备中安装有安全插件的情况下,终端设备可以获取到网站系统原始的数据,该安全插件用于对终端设备接收到的页面数据进行解密得到原始的页面数据,在一些可能的实现方式中,该安全插件还可以用于对终端设备向后台服务器提交的参数信息进行加密。参加图3,图3是本申请实施例提供的另一种通信数据加密方法的流程示意图,该方法在终端设备中安装有安全插件的情况下被执行,该方法包括:In the embodiment corresponding to FIG. 2 above, when a security plug-in is installed in the terminal device, the terminal device can obtain the original data of the website system, and the security plug-in is used to decrypt the page data received by the terminal device to obtain the original data. In some possible implementation manners, the security plug-in can also be used to encrypt the parameter information submitted by the terminal device to the background server. Participating in FIG. 3, FIG. 3 is a schematic flowchart of another communication data encryption method provided by an embodiment of the present application. This method is executed when a security plug-in is installed in a terminal device. The method includes:
S301,终端设备通过参数获取页面获取用户输入的第二参数。S301. The terminal device acquires the second parameter input by the user through a parameter acquisition page.
本申请实施例中,参数获取页面是指用户可以输入数据并进行提交的页面,参数获取页面具体可以为登录页面、用户信息填写页面、用户意见提交页面,等等。第二参数为用户输入的信息,第二参数可以为用户通过登录页面输入的用户名、密码、验证码等,第二参数也可以为用户通过用户信息填写页面填写的姓名、性别、年龄等,第二参数还可以为用户提交的留言、建议等,不限于这里的描述。In the embodiment of the present application, the parameter acquisition page refers to a page where a user can input data and submit, and the parameter acquisition page may specifically be a login page, a user information filling page, a user opinion submission page, and the like. The second parameter is the information entered by the user. The second parameter may be the user name, password, and verification code entered by the user through the login page. The second parameter may also be the name, gender, age, etc. that the user fills in through the user information page. The second parameter may also be a message or suggestion submitted by the user, and is not limited to the description here.
S302,终端设备通过安全插件对第二参数进行加密得到第一参数。S302. The terminal device encrypts the second parameter by using the security plug-in to obtain the first parameter.
这里,终端设备的安全插件根据与加密服务器约定的加密方式对第二参数进行加密得到第一参数。该加密方式可以为终端设备加密该第一参数之前终端设备的安全插件与加密服务器最后一次约定的加密解密方式中的加密方式。加密方式的具体内容可参见前述描述,此处不再赘述。Here, the security plug-in of the terminal device encrypts the second parameter according to the encryption mode agreed with the encryption server to obtain the first parameter. The encryption method may be an encryption method among the encryption and decryption methods that the security plug-in of the terminal device and the encryption server agree on for the last time before the terminal device encrypts the first parameter. The specific content of the encryption method can be referred to the foregoing description, and is not repeated here.
具体实现中,终端设备中的安全插件可以对第二参数以及该约定的加密方式对应的加密密钥进行该加密方式对应的运算得到第一参数。In specific implementation, the security plug-in in the terminal device may perform a calculation corresponding to the encryption method on the second parameter and an encryption key corresponding to the agreed encryption method to obtain the first parameter.
S303,终端设备发起参数提交请求,加密服务器获取参数提交请求,参数提交请求包括第一参数。S303. The terminal device initiates a parameter submission request, and the encryption server obtains the parameter submission request. The parameter submission request includes a first parameter.
这里,参数提交请求中携带一个URL,该URL指向一个IP地址,该IP地址为该参数提交请求提交参数的地址。该URL指向的IP地址与访问请求中携带的URL指向的IP地址相同。终端设备发起参数提交请求以及加密服务器获取参数提交请求的具体实现方式 可以参考前述终端设备发起访问请求以及加密服务器获取访问请求的描述,此处不再赘述。Here, the parameter submission request carries a URL, the URL pointing to an IP address, and the IP address is the address of the parameter submission request submission parameter. The IP address pointed to by the URL is the same as the IP address pointed to by the URL carried in the access request. For specific implementations of the terminal device initiating the parameter submission request and the encryption server obtaining parameter submission request, reference may be made to the foregoing descriptions of the terminal device initiating the access request and the encryption server obtaining the access request, which will not be repeated here.
S304,加密服务器采用第一解密方式对第一参数进行解密得到第二参数。S304. The encryption server uses a first decryption method to decrypt the first parameter to obtain a second parameter.
这里,第一解密方式为终端设备加密该第一参数之前终端设备的安全插件与加密服务器最后一次约定的加密解密方式中的解密方式。解密方式的具体内容可参见前述描述,此处不再赘述。Here, the first decryption method is the decryption method among the encryption and decryption methods that the security plug-in of the terminal device and the encryption server agree on for the last time before the terminal device encrypts the first parameter. For details of the decryption method, refer to the foregoing description, and details are not described herein again.
具体实现中,加密服务器对该第一参数以及该第一解密方式对应的解密密钥进行第一解密方式对应的运算得到第二参数。In specific implementation, the encryption server performs the operation corresponding to the first decryption method on the first parameter and the decryption key corresponding to the first decryption method to obtain the second parameter.
S305,加密服务器将第二参数发送给后台服务器,后台服务器接收第二参数。S305. The encryption server sends the second parameter to the background server, and the background server receives the second parameter.
本申请实施例中,加密服务器将第二参数发送给后台服务器与加密服务器向后台服务器发送目标页面对应的资源获取请求类似,在一种可能的情况中,加密服务器可以根据该参数提交请求确定该参数提交请求对应的IP地址,根据该参数提交请求对应的IP地址向后台服务器发送该第二参数;在另一种可能的情况中,加密服务器对该参数提交请求中的URL进行解析得到该后台服务器的IP地址,然后根据该解析得到的IP地址向后台服务发送该第二参数。In the embodiment of the present application, the sending of the second parameter by the encryption server to the background server is similar to the resource acquisition request corresponding to the target page sent by the encryption server to the background server. In one possible case, the encryption server may submit the request to determine the parameter according to the parameter. The IP address corresponding to the parameter submission request, and sends the second parameter to the background server according to the IP address corresponding to the parameter submission request; in another possible case, the encryption server parses the URL in the parameter submission request to obtain the background The IP address of the server, and then send the second parameter to the background service according to the parsed IP address.
S306,后台服务器根据第二参数发送第四页面数据,加密服务获取第四页面数据。S306. The background server sends the fourth page data according to the second parameter, and the encryption service obtains the fourth page data.
这里,后台服务器根据第二参数发送第四页面数据以及加密服务器获取第三页面数据的方式可参考前述步骤S204后台服务器发送目标页面对应的第一页面数据以及加密服务器获取目标页面对应的第一页面数据的描述,此处不再赘述。Here, for the manner in which the background server sends the fourth page data according to the second parameter and the encryption server obtains the third page data, refer to the foregoing step S204. The background server sends the first page data corresponding to the target page and the encryption server obtains the first page corresponding to the target page. The description of the data is not repeated here.
可选地,在该参数提交请求携带的URL为上述第一种设计的情况下,在第一种可能的实现方式中,加密服务器与后台服务器可以基于HTTPS协议进行通信。加密服务器基于HTTPS协议向后台服务器发送第二参数,加密服务器基于HTTPS协议向加密服务器发送该第四页面数据。在第二种可能的实现方式中,该加密服务器的访问方式可以为只允许加密服务器访问。通过安全手段保证加密服务器与后台服务器之间的交互过程的通信安全,进一步增强了网站系统的安全性。Optionally, in a case where the URL carried in the parameter submission request is the first design described above, in a first possible implementation manner, the encryption server and the background server may communicate based on the HTTPS protocol. The encryption server sends a second parameter to the background server based on the HTTPS protocol, and the encryption server sends the fourth page data to the encryption server based on the HTTPS protocol. In a second possible implementation manner, the access mode of the encryption server may be that only the encryption server is allowed to access. The security of the communication process between the encryption server and the background server is ensured by security means, which further enhances the security of the website system.
S307,加密服务器采用第二加密方式对应第四页面数据进行加密得到第五页面数据。S307. The encryption server uses the second encryption method to encrypt the fourth page data to obtain the fifth page data.
S308,加密服务器将第五页面数据发送给终端设备,终端设备接收第五页面数据。S308. The encryption server sends the fifth page data to the terminal device, and the terminal device receives the fifth page data.
S309,终端设备采用安全插件对第五页面数据进行解密得到第四页面数据。S309. The terminal device uses the security plug-in to decrypt the fifth page data to obtain the fourth page data.
S310,终端设备显示第四页面数据对应的页面。S310: The terminal device displays a page corresponding to the fourth page data.
这里,步骤S307~S310的具体实现方式与上述步骤S204~S207的具体实现方式类似,可参考前述步骤S204~S207的描述,此处不再赘述。Here, the specific implementation of steps S307 to S310 is similar to the specific implementation of steps S204 to S207 described above, and reference may be made to the description of steps S204 to S207 described above, which will not be repeated here.
本申请实施例中,终端设备中的安全插件和加密服务器分别完成对终端设备通过参数获取页面获取到的参数进行加密和解密,使得这些参数在传输的过程以密文的形式传输,从而避免这些参数在传输的过程中被获取到,在不需要改变原有网站架构的情况下保证了参数的安全性和隐私性。In the embodiment of the present application, the security plug-in and the encryption server in the terminal device respectively encrypt and decrypt the parameters obtained by the terminal device through the parameter acquisition page, so that these parameters are transmitted in the form of ciphertext during the transmission process, thereby avoiding these The parameters are acquired during the transmission process, ensuring the security and privacy of the parameters without changing the original website architecture.
上述介绍了本申请实施例的方法,下面介绍本申请实施例的装置。The method of the embodiment of the present application is described above, and the apparatus of the embodiment of the present application is described below.
参见图4,图4是本申请实施例提供的一种通信数据加密装置的组成结构示意图,该装置40可以为上述图1或图2-图3所示的实施例中的加密服务器或加密服务器的一部分,该装置40包括:Referring to FIG. 4, FIG. 4 is a schematic structural diagram of a communication data encryption device according to an embodiment of the present application. The device 40 may be the encryption server or the encryption server in the embodiment shown in FIG. 1 or FIG. 2 to FIG. 3 described above. The device 40 includes:
访问请求获取模块401,用于获取终端设备发起的对目标页面的访问请求;An access request obtaining module 401, configured to obtain an access request for a target page initiated by a terminal device;
页面数据获取模块402,用于在根据所述访问请求确定所述终端设备中存在安全插件的情况下,根据所述访问请求从所述目标页面对应的后台服务器获取所述目标页面对应的第一页面数据,所述安全插件用于加密或解密数据;The page data acquisition module 402 is configured to, when it is determined that a security plug-in exists in the terminal device according to the access request, acquire a first corresponding to the target page from a background server corresponding to the target page according to the access request. Page data, the security plug-in is used to encrypt or decrypt the data;
加密模块403,用于采用与所述安全插件约定的第一加密方式对所述第一页面数据进行加密得到第二页面数据;An encryption module 403, configured to encrypt the first page data by using a first encryption method agreed with the security plug-in to obtain second page data;
页面数据发送模块404,用于向所述终端设备发送所述第二页面数据,以使所述终端设备通过所述安全插件对所述第二页面数据进行解密得到所述第一页面数据。A page data sending module 404 is configured to send the second page data to the terminal device, so that the terminal device decrypts the second page data through the security plug-in to obtain the first page data.
在一种可能的设计中,该装置40还包括:In a possible design, the device 40 further includes:
下载页面推送模块405,用于在根据所述访问请求确定所述终端设备中不存在安全插件的情况下,将第三页面数据发送给所述终端设备,以使所述终端设备从所述安全插件对应的下载页面下载所述安全插件并安装到所述终端设备中,所述第三页面数据为所述下载页面对应的页面数据。A download page push module 405 is configured to send third page data to the terminal device when it is determined that a security plug-in does not exist in the terminal device according to the access request, so that the terminal device is protected from the security The download page corresponding to the plug-in downloads the security plug-in and installs it into the terminal device, and the third page data is page data corresponding to the download page.
在一种可能的设计中,该装置40还包括:In a possible design, the device 40 further includes:
提交请求获取模块406,用于获取所述终端设备发起的参数提交请求,所述参数提交请求包括第一参数,所述第一参数为所述终端设备通过所述安全插件对第二参数进行加密得到的参数,所述第二参数为所述终端设备通过参数获取页面获取到的参数;The submission request obtaining module 406 is configured to obtain a parameter submission request initiated by the terminal device, where the parameter submission request includes a first parameter, and the first parameter is a second parameter encrypted by the terminal device through the security plug-in. The obtained parameter, the second parameter is a parameter obtained by the terminal device through a parameter acquisition page;
解密模块407,用于采用与所述安全插件约定的第一解密方式对所述第一参数进行解密得到所述第二参数;A decryption module 407, configured to decrypt the first parameter by using a first decryption method agreed with the security plug-in to obtain the second parameter;
参数发送模块408,还用于将所述第二参数发送给所述后台服务器。The parameter sending module 408 is further configured to send the second parameter to the background server.
在一种可能的设计中,所述页面数据获取模块402还用于获取所述后台服务器根据所述第二参数返回的第四页面数据;In a possible design, the page data obtaining module 402 is further configured to obtain fourth page data returned by the background server according to the second parameter;
所述加密模块403还用于采用与所述安全插件约定的第二加密方式对所述第四页面数据进行加密得到第五页面数据;The encryption module 403 is further configured to encrypt the fourth page data by using a second encryption method agreed with the security plug-in to obtain the fifth page data;
所述页面数据发送模块404还用于向所述终端设备发送所述第五页面数据,以使所述终端设备通过所述安全插件对所述第五页面数据进行解密得到所述第四页面数据。The page data sending module 404 is further configured to send the fifth page data to the terminal device, so that the terminal device decrypts the fifth page data through the security plug-in to obtain the fourth page data. .
在一种可能的设计中,所述参数发送模块408具体用于:基于安全套接字层的超文本传输HTTPS协议将所述第二参数发送给所述后台服务器;In a possible design, the parameter sending module 408 is specifically configured to: send the second parameter to the background server based on a Secure Sockets Layer Hypertext Transfer HTTPS protocol;
所述页面数据获取模块402今日用于:获取所述后台服务器根据所述第二参数基于所述HTTPS协议返回的第四页面数据。The page data obtaining module 402 is configured to obtain the fourth page data returned by the background server based on the HTTPS protocol according to the second parameter.
在一种可能的设计中,所述装置还包括:In a possible design, the device further includes:
判断模块409,用于判断所述访问请求是否为加密请求;A judging module 409, configured to judge whether the access request is an encryption request;
如果所述访问请求不为加密请求,则所述判断模块409确定所述终端设备中不存在安全插件;If the access request is not an encryption request, the determining module 409 determines that a security plug-in does not exist in the terminal device;
如果所述访问请求为加密请求,则所述判断模块409确定所述终端设备中存在安全插件。If the access request is an encryption request, the determining module 409 determines that a security plug-in exists in the terminal device.
在一种可能的设计中,所述页面数据获取模块402具体用于:In a possible design, the page data acquisition module 402 is specifically configured to:
根据所述访问请求确定所述终端设备的标识;Determining the identity of the terminal device according to the access request;
根据所述终端设备的标识确定与所述安全插件约定的第二解密方式;Determining a second decryption mode agreed with the security plug-in according to the identifier of the terminal device;
所述加密服务器采用所述第二解密方式对所述加密请求进行解密得到原始的访问请求;The encryption server uses the second decryption method to decrypt the encryption request to obtain the original access request;
根据所述原始的访问请求从所述目标页面对应的后台服务器获取所述目标页面对应的第一页面数据。Obtaining the first page data corresponding to the target page from the background server corresponding to the target page according to the original access request.
需要说明的是,图4对应的实施例中未提及的内容可参见方法实施例的描述,这里不再赘述。It should be noted that, for the content not mentioned in the embodiment corresponding to FIG. 4, reference may be made to the description of the method embodiment, and details are not described herein again.
本申请实施例中,可以避免扫描器、爬虫工具等扫描页面的工具直接获取到页面数据,避免在流量劫持等情况下页面的数据被获取以及篡改。In the embodiment of the present application, it is possible to prevent a page scanning tool, such as a scanner and a crawler tool, from directly acquiring page data, and to prevent page data from being acquired and tampered in situations such as traffic hijacking.
参见图5,图5是本申请实施例提供的另一种通信数据加密装置的组成结构示意图,该装置可以为上述图1或图2-图3所示的实施例中的加密服务器或加密服务器的一部分,如图所示,该装置50包括处理器501、存储器502以及通信接口503。处理器501连接到存储器502和通信接口503,例如处理器501可以通过总线连接到存储器502和通信接口503。Referring to FIG. 5, FIG. 5 is a schematic diagram of a composition structure of another communication data encryption device according to an embodiment of the present application. The device may be the encryption server or the encryption server in the embodiment shown in FIG. 1 or FIG. 2 to FIG. 3. As shown in the figure, the device 50 includes a processor 501, a memory 502, and a communication interface 503. The processor 501 is connected to the memory 502 and the communication interface 503. For example, the processor 501 may be connected to the memory 502 and the communication interface 503 through a bus.
处理器501被配置为支持所述通信数据加密装置执行图2-图3所述的通信数据加密方法中加密服务器相应的功能。该处理器501可以是中央处理器(Central Processing Unit,CPU),网络处理器(Network Processor,NP),硬件芯片或者其任意组合。上述硬件芯片可以是专用集成电路(Application-Specific Integrated Circuit,ASIC),可编程逻辑器件(Programmable Logic Device,PLD)或其组合。上述PLD可以是复杂可编程逻辑器件(Complex Programmable Logic Device,CPLD),现场可编程逻辑门阵列(Field-Programmable Gate Array,FPGA),通用阵列逻辑(Generic Array Logic,GAL)或其任意组合。The processor 501 is configured to support the communication data encryption device to perform a corresponding function of an encryption server in the communication data encryption method described in FIG. 2 to FIG. 3. The processor 501 may be a Central Processing Unit (CPU), a Network Processor (NP), a hardware chip, or any combination thereof. The above-mentioned hardware chip may be an Application-Specific Integrated Circuit (ASIC), a Programmable Logic Device (PLD), or a combination thereof. The PLD may be a complex programmable logic device (Complex Programmable Logic Device, CPLD), a field programmable logic gate array (Field-Programmable Gate Array, FPGA), a universal array logic (Generic Array logic, GAL), or any combination thereof.
存储器502存储器用于存储程序代码等。存储器502可以包括易失性存储器(Volatile Memory,VM),例如随机存取存储器(Random Access Memory,RAM);存储器502也可以包括非易失性存储器(Non-Volatile Memory,NVM),例如只读存储器(Read-Only Memory,ROM),快闪存储器(flash memory),硬盘(Hard Disk Drive,HDD)或固态硬盘(Solid-State Drive,SSD);存储器502还可以包括上述种类的存储器的组合。本申请实施例中,存储器502用于存储通信数据加密的程序、密钥等。The memory 502 is used to store program code and the like. The memory 502 may include volatile memory (Volatile Memory, VM), such as Random Access Memory (RAM); the memory 502 may also include non-volatile memory (Non-Volatile Memory, NVM), such as read-only Read-only memory (ROM), flash memory, hard disk drive (HDD), or solid-state drive (SSD); memory 502 may also include a combination of the above types of memories. In the embodiment of the present application, the memory 502 is configured to store a communication data encryption program, a key, and the like.
所述通信接口503用于发送或接收数据。The communication interface 503 is configured to send or receive data.
处理器501可以调用所述程序代码以执行以下操作:The processor 501 may call the program code to perform the following operations:
通过通信接口503获取终端设备发起的对目标页面的访问请求;Obtaining, through the communication interface 503, an access request to the target page initiated by the terminal device;
在根据所述访问请求确定所述终端设备中存在安全插件的情况下,通过通信接口503根据所述访问请求从所述目标页面对应的后台服务器获取所述目标页面对应的第一页面数据,所述安全插件用于加密或解密数据;When it is determined that a security plug-in exists in the terminal device according to the access request, the first page data corresponding to the target page is obtained from the background server corresponding to the target page through the communication interface 503 according to the access request. The security plug-in is used to encrypt or decrypt data;
采用与所述安全插件约定的第一加密方式对所述第一页面数据进行加密得到第二页面数据;Encrypting the first page data by using a first encryption method agreed with the security plug-in to obtain second page data;
通过通信接口503向所述终端设备发送所述第二页面数据,以使所述终端设备通过所述安全插件对所述第二页面数据进行解密得到所述第一页面数据。Sending the second page data to the terminal device through the communication interface 503, so that the terminal device decrypts the second page data through the security plug-in to obtain the first page data.
本申请实施例还提供一种计算机可读存储介质,所述计算机可读存储介质存储有计算机程序,所述计算机程序包括程序指令,所述程序指令当被计算机执行时使所述计算机执行如前述实施例所述的方法,所述计算机可以为上述提到的通信数据加密装置的一部分。例如为上述的处理器501。An embodiment of the present application further provides a computer-readable storage medium. The computer-readable storage medium stores a computer program, where the computer program includes program instructions, and the program instructions, when executed by the computer, cause the computer to execute as described above. In the method according to the embodiment, the computer may be a part of the communication data encryption device mentioned above. For example, it is the processor 501 described above.
本领域普通技术人员可以理解实现上述实施例方法中的全部或部分流程,是可以通过计算机程序来指令相关的硬件来完成,所述的程序可存储于一计算机可读取存储介质中,该程序在执行时,可包括如上述各方法的实施例的流程。其中,所述的存储介质可为磁碟、光盘、只读存储记忆体(Read-Only Memory,ROM)或随机存储记忆体(Random Access Memory,RAM)等。A person of ordinary skill in the art can understand that all or part of the processes in the methods of the foregoing embodiments can be implemented by using a computer program to instruct related hardware. The program can be stored in a computer-readable storage medium. The program When executed, the processes of the embodiments of the methods described above may be included. The storage medium may be a magnetic disk, an optical disk, a read-only memory (Read-Only Memory, ROM), or a random access memory (Random, Access Memory, RAM).
以上所揭露的仅为本申请较佳实施例而已,当然不能以此来限定本申请之权利范围,因此依本申请权利要求所作的等同变化,仍属本申请所涵盖的范围。The above disclosure is only the preferred embodiments of this application, and of course, the scope of rights of this application cannot be limited by this. Therefore, equivalent changes made according to the claims of this application still fall within the scope of this application.

Claims (20)

  1. 一种通信数据加密方法,其特征在于,包括:A communication data encryption method, comprising:
    获取终端设备发起的对目标页面的访问请求;Obtaining an access request to a target page initiated by a terminal device;
    在根据所述访问请求确定所述终端设备中存在安全插件的情况下,根据所述访问请求从所述目标页面对应的后台服务器获取所述目标页面对应的第一页面数据,所述安全插件用于加密或解密数据;When it is determined that a security plug-in exists in the terminal device according to the access request, the first page data corresponding to the target page is obtained from a background server corresponding to the target page according to the access request, and the security plug-in uses For encrypting or decrypting data;
    采用与所述安全插件约定的第一加密方式对所述第一页面数据进行加密得到第二页面数据;Encrypting the first page data by using a first encryption method agreed with the security plug-in to obtain second page data;
    向所述终端设备发送所述第二页面数据,以使所述终端设备通过所述安全插件对所述第二页面数据进行解密得到所述第一页面数据。Sending the second page data to the terminal device, so that the terminal device decrypts the second page data through the security plug-in to obtain the first page data.
  2. 根据权利要求1所述的方法,其特征在于,所述方法还包括:The method according to claim 1, further comprising:
    在根据所述访问请求确定所述终端设备中不存在安全插件的情况下,将第三页面数据发送给所述终端设备,以使所述终端设备从所述安全插件对应的下载页面下载所述安全插件并安装到所述终端设备中,所述第三页面数据为所述下载页面对应的页面数据。If it is determined that a security plug-in does not exist in the terminal device according to the access request, sending third page data to the terminal device, so that the terminal device downloads the download page A security plug-in is installed in the terminal device, and the third page data is page data corresponding to the download page.
  3. 根据权利要求1或2所述的方法,其特征在于,所述向所述终端设备发送所述第二页面数据之后还包括:The method according to claim 1 or 2, wherein after sending the second page data to the terminal device, the method further comprises:
    获取所述终端设备发起的参数提交请求,所述参数提交请求包括第一参数,所述第一参数为所述终端设备通过所述安全插件对第二参数进行加密得到的参数,所述第二参数为所述终端设备通过参数获取页面获取到的参数;Obtaining a parameter submission request initiated by the terminal device, where the parameter submission request includes a first parameter, where the first parameter is a parameter obtained by the terminal device encrypting a second parameter through the security plugin, and the second The parameter is a parameter obtained by the terminal device through a parameter acquisition page;
    采用与所述安全插件约定的第一解密方式对所述第一参数进行解密得到所述第二参数;Decrypting the first parameter by using a first decryption method agreed with the security plug-in to obtain the second parameter;
    将所述第二参数发送给所述后台服务器。Sending the second parameter to the background server.
  4. 根据权利要求3所述的方法,所述将所述第二参数发送给所述后台服务器之后还包括:The method according to claim 3, after sending the second parameter to the background server, further comprising:
    获取所述后台服务器根据所述第二参数返回的第四页面数据;Acquiring fourth page data returned by the background server according to the second parameter;
    采用与所述安全插件约定的第二加密方式对所述第四页面数据进行加密得到第五页面数据;Encrypting the fourth page data by using a second encryption method agreed with the security plug-in to obtain fifth page data;
    向所述终端设备发送所述第五页面数据,以使所述终端设备通过所述安全插件对所述第五页面数据进行解密得到所述第四页面数据。Sending the fifth page data to the terminal device, so that the terminal device decrypts the fifth page data through the security plug-in to obtain the fourth page data.
  5. 根据权利要求4所述的方法,其特征在于,所述将所述加密服务器将所述第二参数发送给所述后台服务器包括:The method according to claim 4, wherein the sending the second parameter to the background server by the encryption server comprises:
    基于安全套接字层的超文本传输HTTPS协议将所述第二参数发送给所述后台服务器;Sending the second parameter to the background server based on the Secure Sockets Layer Hypertext Transfer HTTPS protocol;
    所述获取所述后台服务器根据所述第二参数返回的第四页面数据包括:The obtaining the fourth page data returned by the background server according to the second parameter includes:
    获取所述后台服务器根据所述第二参数基于所述HTTPS协议返回的第四页面数据。Acquiring fourth page data returned by the background server based on the HTTPS protocol according to the second parameter.
  6. 根据权利要求1或2所述的方法,其特征在于,所述获取终端设备发起的对目标页面的访问请求之后还包括:The method according to claim 1 or 2, wherein after obtaining the access request for the target page initiated by the terminal device, further comprising:
    判断所述访问请求是否为加密请求;Determining whether the access request is an encryption request;
    如果所述访问请求不为加密请求,则确定所述终端设备中不存在安全插件;If the access request is not an encryption request, determining that a security plug-in does not exist in the terminal device;
    如果所述访问请求为加密请求,则确定所述终端设备中存在安全插件。If the access request is an encryption request, it is determined that a security plug-in exists in the terminal device.
  7. 根据权利要求6所述的方法,其特征在于,所述根据所述访问请求从所述目标页面对应的后台服务器获取所述目标页面对应的第一页面数据包括:The method according to claim 6, wherein the acquiring the first page data corresponding to the target page from the background server corresponding to the target page according to the access request comprises:
    根据所述访问请求确定所述终端设备的标识;Determining the identity of the terminal device according to the access request;
    根据所述终端设备的标识确定与所述安全插件约定的第二解密方式;Determining a second decryption mode agreed with the security plug-in according to the identifier of the terminal device;
    所述加密服务器采用所述第二解密方式对所述加密请求进行解密得到原始的访问请求;The encryption server uses the second decryption method to decrypt the encryption request to obtain the original access request;
    根据所述原始的访问请求从所述目标页面对应的后台服务器获取所述目标页面对应的第一页面数据。Obtaining the first page data corresponding to the target page from the background server corresponding to the target page according to the original access request.
  8. 一种通信数据加密装置,其特征在于,包括:A communication data encryption device, comprising:
    访问请求获取模块,用于获取终端设备发起的对目标页面的访问请求;An access request obtaining module, configured to obtain an access request to a target page initiated by a terminal device;
    页面数据获取模块,用于在根据所述访问请求确定所述终端设备中存在安全插件的情况下,根据所述访问请求从所述目标页面对应的后台服务器获取所述目标页面对应的第一页面数据,所述安全插件用于加密或解密数据;A page data acquisition module, configured to obtain a first page corresponding to the target page from a background server corresponding to the target page according to the access request when it is determined that a security plug-in exists in the terminal device according to the access request Data, the security plug-in is used to encrypt or decrypt the data;
    加密模块,用于采用与所述安全插件约定的第一加密方式对所述第一页面数据进行加密得到第二页面数据;An encryption module, configured to encrypt the first page data by using a first encryption method agreed with the security plug-in to obtain second page data;
    页面数据发送模块,用于向所述终端设备发送所述第二页面数据,以使所述终端设备通过所述安全插件对所述第二页面数据进行解密得到所述第一页面数据。A page data sending module is configured to send the second page data to the terminal device, so that the terminal device decrypts the second page data through the security plug-in to obtain the first page data.
  9. 根据权利要求8所述的装置,其特征在于,所述装置还包括:The apparatus according to claim 8, further comprising:
    下载页面推送模块,用于在根据所述访问请求确定所述终端设备中不存在安全插件的情况下,将第三页面数据发送给所述终端设备,以使所述终端设备从所述安全插件对应的下载页面下载所述安全插件并安装到所述终端设备中,所述第三页面数据为所述下载页面对应的页面数据。Download a page push module, configured to send third page data to the terminal device if it is determined that a security plug-in does not exist in the terminal device according to the access request, so that the terminal device removes the security plug-in from the security plug-in The corresponding download page downloads the security plug-in and installs it into the terminal device, and the third page data is page data corresponding to the download page.
  10. 根据权利要求8或9所述的装置,其特征在于,所述装置还包括:The device according to claim 8 or 9, wherein the device further comprises:
    提交请求获取模块,用于获取所述终端设备发起的参数提交请求,所述参数提交请求包括第一参数,所述第一参数为所述终端设备通过所述安全插件对第二参数进行加密得到的参数,所述第二参数为所述终端设备通过参数获取页面获取到的参数;The submission request obtaining module is configured to obtain a parameter submission request initiated by the terminal device, where the parameter submission request includes a first parameter, where the first parameter is obtained by the terminal device encrypting a second parameter through the security plug-in. The second parameter is a parameter obtained by the terminal device through a parameter acquisition page;
    解密模块,用于采用与所述安全插件约定的第一解密方式对所述第一参数进行解密得到所述第二参数;A decryption module, configured to decrypt the first parameter by using a first decryption method agreed with the security plug-in to obtain the second parameter;
    参数发送模块,还用于将所述第二参数发送给所述后台服务器。The parameter sending module is further configured to send the second parameter to the background server.
  11. 根据权利要求10所述的装置,其特征在于,所述页面数据获取模块还用于获取所述后台服务器根据所述第二参数返回的第四页面数据;The device according to claim 10, wherein the page data obtaining module is further configured to obtain fourth page data returned by the background server according to the second parameter;
    所述加密模块还用于采用与所述安全插件约定的第二加密方式对所述第四页面数据进行加密得到第五页面数据;The encryption module is further configured to encrypt the fourth page data by using a second encryption method agreed with the security plug-in to obtain the fifth page data;
    所述页面数据发送模块还用于向所述终端设备发送所述第五页面数据,以使所述终端设备通过所述安全插件对所述第五页面数据进行解密得到所述第四页面数据。The page data sending module is further configured to send the fifth page data to the terminal device, so that the terminal device decrypts the fifth page data through the security plug-in to obtain the fourth page data.
  12. 根据权利要求11所述的装置,其特征在于,所述参数发送模块具体用于:基于安全套接字层的超文本传输HTTPS协议将所述第二参数发送给所述后台服务器;The device according to claim 11, wherein the parameter sending module is specifically configured to send the second parameter to the background server based on a secure socket layer Hypertext Transfer HTTPS protocol;
    所述页面数据获取模块具体用于:获取所述后台服务器根据所述第二参数基于所述HTTPS协议返回的第四页面数据。The page data obtaining module is specifically configured to obtain fourth page data returned by the background server based on the HTTPS protocol according to the second parameter.
  13. 根据权利要求8或9所述的装置,其特征在于,所述装置还包括:The device according to claim 8 or 9, wherein the device further comprises:
    判断模块,用于判断所述访问请求是否为加密请求;A judging module, configured to judge whether the access request is an encryption request;
    如果所述访问请求不为加密请求,则所述判断模块确定所述终端设备中不存在安全插件;If the access request is not an encryption request, the determining module determines that a security plug-in does not exist in the terminal device;
    如果所述访问请求为加密请求,则所述判断模块确定所述终端设备中存在安全插件。If the access request is an encryption request, the determining module determines that a security plug-in exists in the terminal device.
  14. 根据权利要求13所述的装置,其特征在于,所述页面数据获取模块具体用于:The apparatus according to claim 13, wherein the page data acquisition module is specifically configured to:
    根据所述访问请求确定所述终端设备的标识;Determining the identity of the terminal device according to the access request;
    根据所述终端设备的标识确定与所述安全插件约定的第二解密方式;Determining a second decryption mode agreed with the security plug-in according to the identifier of the terminal device;
    所述加密服务器采用所述第二解密方式对所述加密请求进行解密得到原始的访问请求;The encryption server uses the second decryption method to decrypt the encryption request to obtain the original access request;
    根据所述原始的访问请求从所述目标页面对应的后台服务器获取所述目标页面对应的第一页面数据。Obtaining the first page data corresponding to the target page from the background server corresponding to the target page according to the original access request.
  15. 一种通信数据加密装置,包括处理器、存储器以及通信接口,所述处理器、存储器和通信接口相互连接,其中,所述通信接口用于发送或接收数据,所述存储器用于存储程序代码,所述处理器用于调用所述程序代码,执行以下操作:A communication data encryption device includes a processor, a memory, and a communication interface. The processor, the memory, and the communication interface are connected to each other. The communication interface is used to send or receive data, and the memory is used to store program code. The processor is configured to call the program code and perform the following operations:
    获取终端设备发起的对目标页面的访问请求;Obtaining an access request to a target page initiated by a terminal device;
    在根据所述访问请求确定所述终端设备中存在安全插件的情况下,根据所述访问请求从所述目标页面对应的后台服务器获取所述目标页面对应的第一页面数据,所述安全插件用于加密或解密数据;When it is determined that a security plug-in exists in the terminal device according to the access request, the first page data corresponding to the target page is obtained from a background server corresponding to the target page according to the access request, and the security plug-in uses For encrypting or decrypting data;
    采用与所述安全插件约定的第一加密方式对所述第一页面数据进行加密得到第二页面数据;Encrypting the first page data by using a first encryption method agreed with the security plug-in to obtain second page data;
    向所述终端设备发送所述第二页面数据,以使所述终端设备通过所述安全插件对所述第二页面数据进行解密得到所述第一页面数据。Sending the second page data to the terminal device, so that the terminal device decrypts the second page data through the security plug-in to obtain the first page data.
  16. 根据权利要求15所述的装置,其特征在于,所述处理器还用于执行以下操作:The apparatus according to claim 15, wherein the processor is further configured to perform the following operations:
    在根据所述访问请求确定所述终端设备中不存在安全插件的情况下,将第三页面数据发送给所述终端设备,以使所述终端设备从所述安全插件对应的下载页面下载所述安全插件并安装到所述终端设备中,所述第三页面数据为所述下载页面对应的页面数据。If it is determined that a security plug-in does not exist in the terminal device according to the access request, sending third page data to the terminal device, so that the terminal device downloads the download page corresponding to the security plug-in A security plug-in is installed in the terminal device, and the third page data is page data corresponding to the download page.
  17. 根据权利要求15或16所述的装置,其特征在于,所述处理器还用于执行以下操作:The apparatus according to claim 15 or 16, wherein the processor is further configured to perform the following operations:
    获取所述终端设备发起的参数提交请求,所述参数提交请求包括第一参数,所述第一参数为所述终端设备通过所述安全插件对第二参数进行加密得到的参数,所述第二参数为所述终端设备通过参数获取页面获取到的参数;Obtaining a parameter submission request initiated by the terminal device, where the parameter submission request includes a first parameter, where the first parameter is a parameter obtained by the terminal device encrypting a second parameter through the security plugin, and the second The parameter is a parameter obtained by the terminal device through a parameter acquisition page;
    采用与所述安全插件约定的第一解密方式对所述第一参数进行解密得到所述第二参数;Decrypting the first parameter by using a first decryption method agreed with the security plug-in to obtain the second parameter;
    将所述第二参数发送给所述后台服务器。Sending the second parameter to the background server.
  18. 根据权利要求17所述的装置,其特征在于,所述处理器还用于执行以下操作:The apparatus according to claim 17, wherein the processor is further configured to perform the following operations:
    获取所述后台服务器根据所述第二参数返回的第四页面数据;Acquiring fourth page data returned by the background server according to the second parameter;
    采用与所述安全插件约定的第二加密方式对所述第四页面数据进行加密得到第五页面数据;Encrypting the fourth page data by using a second encryption method agreed with the security plug-in to obtain fifth page data;
    向所述终端设备发送所述第五页面数据,以使所述终端设备通过所述安全插件对所述第五页面数据进行解密得到所述第四页面数据。Sending the fifth page data to the terminal device, so that the terminal device decrypts the fifth page data through the security plug-in to obtain the fourth page data.
  19. 根据权利要求18所述的装置,其特征在于,所述处理器执行所述将所述加密服务器将所述第二参数发送给所述后台服务器的操作,包括:The device according to claim 18, wherein the processor performing the operation of sending the second parameter to the background server by the encryption server comprises:
    基于安全套接字层的超文本传输HTTPS协议将所述第二参数发送给所述后台服务器;Sending the second parameter to the background server based on the Secure Sockets Layer Hypertext Transfer HTTPS protocol;
    所述获取所述后台服务器根据所述第二参数返回的第四页面数据包括:The obtaining the fourth page data returned by the background server according to the second parameter includes:
    获取所述后台服务器根据所述第二参数基于所述HTTPS协议返回的第四页面数据。Acquiring fourth page data returned by the background server based on the HTTPS protocol according to the second parameter.
  20. 一种计算机可读存储介质,其特征在于,所述计算机可读存储介质存储有计算机程序,所述计算机程序包括程序指令,所述程序指令当被处理器执行时使所述处理器执行如权利要求1-7任一项所述的方法。A computer-readable storage medium, characterized in that the computer-readable storage medium stores a computer program, the computer program includes program instructions, and when the program instructions are executed by a processor, the processor executes The method according to any one of 1-7 is required.
PCT/CN2018/107638 2018-07-27 2018-09-26 Communication data encryption method and apparatus WO2020019478A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201810852593.2 2018-07-27
CN201810852593.2A CN109067739B (en) 2018-07-27 2018-07-27 Communication data encryption method and device

Publications (1)

Publication Number Publication Date
WO2020019478A1 true WO2020019478A1 (en) 2020-01-30

Family

ID=64831706

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2018/107638 WO2020019478A1 (en) 2018-07-27 2018-09-26 Communication data encryption method and apparatus

Country Status (2)

Country Link
CN (1) CN109067739B (en)
WO (1) WO2020019478A1 (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111541758A (en) * 2020-04-17 2020-08-14 支付宝(杭州)信息技术有限公司 Page updating method and device
CN111866124A (en) * 2020-07-17 2020-10-30 北京金山云网络技术有限公司 Method, device, server and machine-readable storage medium for accessing webpage
CN114760143A (en) * 2022-04-26 2022-07-15 中国邮政储蓄银行股份有限公司 Decryption method, decryption device and decryption system for communication data

Families Citing this family (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110995683A (en) * 2019-11-26 2020-04-10 深圳市思迪信息技术股份有限公司 Hardware information acquisition method and device based on Web page and computer equipment
CN113079492B (en) * 2021-03-22 2022-04-05 广东湾区智能终端工业设计研究院有限公司 Information sharing method and device
CN112948824B (en) * 2021-03-31 2022-04-26 支付宝(杭州)信息技术有限公司 Program communication method, device and equipment based on privacy protection
CN113326519A (en) * 2021-06-09 2021-08-31 支付宝(杭州)信息技术有限公司 Data acquisition method and device

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20040059945A1 (en) * 2002-09-25 2004-03-25 Henson Kevin M. Method and system for internet data encryption and decryption
CN101299753A (en) * 2008-06-17 2008-11-05 浙江大学 Web service security control mechanism based on proxy server
CN101416171A (en) * 2004-06-30 2009-04-22 塞特里克斯网络应用有限责任公司 System and method for establishing a virtual private network
CN104217173A (en) * 2014-08-27 2014-12-17 武汉理工大学 Method of encrypting data and files for browser
CN105450662A (en) * 2015-12-25 2016-03-30 小米科技有限责任公司 Encryption method and device

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104580086A (en) * 2013-10-17 2015-04-29 腾讯科技(深圳)有限公司 Information transmission method, client side, server and system
CN106412024B (en) * 2016-09-07 2019-10-15 网易无尾熊(杭州)科技有限公司 A kind of page acquisition methods and device
CN107070812A (en) * 2017-05-02 2017-08-18 武汉绿色网络信息服务有限责任公司 A kind of HTTPS protocal analysises method and its system

Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20040059945A1 (en) * 2002-09-25 2004-03-25 Henson Kevin M. Method and system for internet data encryption and decryption
CN101416171A (en) * 2004-06-30 2009-04-22 塞特里克斯网络应用有限责任公司 System and method for establishing a virtual private network
CN101299753A (en) * 2008-06-17 2008-11-05 浙江大学 Web service security control mechanism based on proxy server
CN104217173A (en) * 2014-08-27 2014-12-17 武汉理工大学 Method of encrypting data and files for browser
CN105450662A (en) * 2015-12-25 2016-03-30 小米科技有限责任公司 Encryption method and device

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111541758A (en) * 2020-04-17 2020-08-14 支付宝(杭州)信息技术有限公司 Page updating method and device
CN111541758B (en) * 2020-04-17 2023-06-16 支付宝(杭州)信息技术有限公司 Page updating method and device
CN111866124A (en) * 2020-07-17 2020-10-30 北京金山云网络技术有限公司 Method, device, server and machine-readable storage medium for accessing webpage
CN111866124B (en) * 2020-07-17 2022-06-24 北京金山云网络技术有限公司 Method, device, server and machine-readable storage medium for accessing webpage
CN114760143A (en) * 2022-04-26 2022-07-15 中国邮政储蓄银行股份有限公司 Decryption method, decryption device and decryption system for communication data

Also Published As

Publication number Publication date
CN109067739B (en) 2021-10-08
CN109067739A (en) 2018-12-21

Similar Documents

Publication Publication Date Title
WO2020019478A1 (en) Communication data encryption method and apparatus
US11647005B2 (en) Systems and methods for application pre-launch
US20220292180A1 (en) Systems and methods for offline usage of saas applications
WO2020019477A1 (en) Communication data encryption method and apparatus
US8837734B2 (en) Managing encrypted data and encryption keys
US10904227B2 (en) Web form protection
CA3112194C (en) Systems and methods for integrated service discovery for network applications
US20110302410A1 (en) Secure document delivery
EP3299990A1 (en) Electronic device server and method for communicating with server
US20120023158A1 (en) Method for secure transfer of multiple small messages
US11070533B2 (en) Encrypted server name indication inspection
US11716374B2 (en) Forced identification with automated post resubmission
CN111049832B (en) Reverse proxy method and related device
CN113364781A (en) Request processing method and system
JP2007142504A (en) Information processing system
EP3447992B1 (en) Message pushing method and terminal
JP2023532976A (en) Method and system for verification of user identity
CN116566653A (en) Verification method, verification device, electronic equipment and storage medium

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 18927770

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 18927770

Country of ref document: EP

Kind code of ref document: A1