WO2020019478A1 - Method and apparatus for encrypting communication data (Procédé et appareil de chiffrement de données de communication)


Info

Publication number: WO2020019478A1
Authority: WO, WIPO (PCT)
Prior art keywords: terminal device, page data, parameter, page, encryption
Application number: PCT/CN2018/107638
Other languages: English (en), Chinese (zh)
Inventor: 张驰
Original Assignee: 平安科技(深圳)有限公司
Application filed by 平安科技(深圳)有限公司
Publication of WO2020019478A1

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00: Network architectures or network communication protocols for network security
    • H04L 63/04: Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L 63/0428: Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L 63/16: Implementing security features at a particular protocol layer
    • H04L 63/168: Implementing security features at a particular protocol layer above the transport layer
    • H04L 67/00: Network arrangements or protocols for supporting network services or applications
    • H04L 67/01: Protocols
    • H04L 67/02: Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]

Definitions

  • The present application relates to the field of communication technologies, and in particular to a method and an apparatus for encrypting communication data.
  • A website is an application that relies on web technology. Every information exchange in a website application involves a web client and a web server. The main task of the web client is to display information content to users; it uses HTML, script programs, CSS, plug-in technology and the like to render the corresponding web page. The web server provides business support for the web client, using PHP, ASP, JSP and other technologies to implement the corresponding functions.
  • The interaction between the web server and the web client is generally as follows: the web client sends a request to the web server, and the web server returns the data corresponding to the request (such as HTML code) to the web client.
  • This application provides a communication data encryption method and device, which address the problem of insufficient security of a website.
  • In a first aspect, a communication data encryption method includes:
  • obtaining, according to the access request, the first page data corresponding to the target page from a background server corresponding to the target page, where the security plug-in is used for encrypting or decrypting data;
  • A communication data encryption device includes:
  • an access request obtaining module, configured to obtain an access request for a target page initiated by a terminal device;
  • a page data acquisition module, configured to obtain, when it is determined according to the access request that a security plug-in exists in the terminal device, first page data corresponding to the target page from a background server corresponding to the target page according to the access request, where the security plug-in is used to encrypt or decrypt data;
  • an encryption module, configured to encrypt the first page data using a first encryption method agreed with the security plug-in, to obtain second page data;
  • a page data sending module, configured to send the second page data to the terminal device, so that the terminal device decrypts the second page data through the security plug-in to obtain the first page data.
  • Another communication data encryption device includes a processor, a memory, and a communication interface.
  • The processor, the memory, and the communication interface are connected to each other.
  • The communication interface is used to receive or send data.
  • The memory is used to store the application program code with which the communication data encryption device performs the above method, and the processor is configured to execute the method of the first aspect.
  • A computer storage medium stores a computer program; the computer program includes program instructions which, when executed by a processor, cause the processor to execute the method of the first aspect.
  • This technical solution can prevent page scanning tools, such as scanners and crawling tools, from directly obtaining page data, and prevents page data from being acquired and tampered with in situations such as traffic hijacking.
  • FIG. 1 is a schematic structural diagram of a website system according to an embodiment of the present application.
  • FIG. 2 is a schematic flowchart of a communication data encryption method according to an embodiment of the present application.
  • FIG. 3 is a schematic flowchart of another communication data encryption method according to an embodiment of the present application.
  • FIG. 4 is a schematic structural diagram of a communication data encryption device according to an embodiment of the present application.
  • FIG. 5 is a schematic structural diagram of another communication data encryption device according to an embodiment of the present application.
  • The technical solution of this application is applicable to a traditional website system that transmits data in plain text.
  • The website system may include a website client and a website server.
  • The website client is a user-facing client that provides services to users.
  • The website client may be a general-purpose client that provides services for multiple website servers, such as a browser; it may also be a specific client that only provides services for a specific website, such as a "Tencent Video" client.
  • The website client runs on a user's terminal device.
  • The terminal device includes, but is not limited to, a mobile phone, a computer, a tablet computer, an e-reader and other electronic devices with a website browsing function.
  • The website server is used to manage the resources of the website system and provide them to the website client.
  • The website server is used to provide various data to the website client so that the website client can display various pages to the user.
  • The website server can consist of one or more servers.
  • In the embodiments of the present application, an encryption server is added to a traditional website system that transmits data in plain text, and a security plug-in corresponding to the encryption server is developed.
  • The security plug-in can be downloaded and installed in a terminal device, and the terminal device can use the security plug-in to encrypt or decrypt data.
  • The data sent by the website server to the website client and the data sent by the website client to the website server are encrypted by means of the encryption server and the security plug-in, so as to ensure the security of the website.
  • The architecture of the website system in the embodiment of the present application may be as shown in FIG. 1.
  • The website system includes a website client running on the terminal device 101, an encryption server 102, and a website server 103.
  • The encryption server 102 is used to encrypt the data sent by the website server to the terminal device and to decrypt the data sent by the terminal device to the website server.
  • A security plug-in is also installed in the terminal device; it is used to decrypt the data sent by the website server to the terminal device and to encrypt the data sent by the terminal device to the website server.
  • The method in the embodiment of the present application can be implemented on the system architecture shown in FIG. 1, and is described below.
  • FIG. 2 is a schematic flowchart of a communication data encryption method according to an embodiment of the present application. As shown in the figure, the method includes:
  • S201 The terminal device initiates an access request to the target page, and the encryption server obtains an access request to the target page.
  • The terminal device initiates an access request for a target page through a website client running in the terminal device; the target page is one of the pages of the website system.
  • Where the website client is a general-purpose client, the target page can be any page of any website system that the user wants to access; where the website client is a specific client, the target page is a page of the website system corresponding to that website client.
  • The target page corresponds to a uniform resource locator (URL). The access request carries the URL, the URL points to an Internet protocol (IP) address, and that IP address is the address accessed by the access request.
  • The IP address pointed to by the URL may follow either of two designs:
  • In the first design, the IP address pointed to by the URL is the IP address of the encryption server.
  • That is, the IP address obtained when the terminal device performs domain name system (DNS) resolution on the URL is the IP address of the encryption server.
  • The terminal device initiates the access request for the target page to the encryption server according to the IP address of the encryption server, and the encryption server obtains the access request for the target page by receiving it.
  • In the second design, the IP address pointed to by the URL is the IP address of the background server.
  • That is, the IP address obtained when the terminal device performs DNS resolution on the URL is the IP address of the background server.
  • The terminal device initiates the access request for the target page to the background server according to the IP address of the background server, and the encryption server intercepts the access request for the target page by means of traffic hijacking, thereby obtaining the access request.
  • S202 The encryption server determines whether a security plug-in exists in the terminal device.
  • The security plug-in may be a software program developed in conjunction with the encryption server. The security plug-in can communicate with the encryption server, and through this communication the two negotiate the encryption algorithm and encryption key used to encrypt data and the decryption algorithm and decryption key used to decrypt data.
  • The security plug-in may include software implementing the operations corresponding to one or more encryption algorithms. Once the security plug-in has negotiated with the encryption server the encryption algorithm and encryption key used to encrypt data, it can encrypt the data by performing the operation corresponding to that encryption algorithm on the encryption key and the data to be encrypted.
  • Likewise, once the security plug-in has negotiated with the encryption server the decryption algorithm and decryption key used to decrypt data, it can decrypt the data by performing the operation corresponding to that decryption algorithm on the decryption key and the data to be decrypted.
  • The encryption server may determine whether a security plug-in exists in the terminal device according to the access request for the target page, specifically as follows: the encryption server determines whether the access request for the target page is an encrypted request; if it is not an encrypted request, it is determined that no security plug-in exists in the terminal device; if it is an encrypted request, it is determined that a security plug-in exists in the terminal device.
  • The encryption server may determine whether the access request is an encrypted request by determining whether the data in the access request is plain text. If at least part of the data in the access request is not plain text, the access request is determined to be an encrypted request; if all data in the access request is plain text, it is determined that the access request is not an encrypted request.
  • When the access request is an encrypted request, the encryption server may determine the identity of the terminal device according to the access request, determine according to that identity the second decryption method agreed with the security plug-in in the terminal device, decrypt the encrypted request using the second decryption method to obtain the original access request, and then execute step S203.
  • Before the terminal device sends the access request for the target page, the encryption server can negotiate with the security plug-in in the terminal device the encryption and decryption methods for the access request: that is, the encryption method used by the security plug-in to encrypt the access request and the decryption method used by the encryption server to decrypt the access request are agreed in advance.
  • The encryption method may specifically include an encryption algorithm and an encryption key,
  • and the decryption method may specifically include a decryption algorithm and a decryption key.
  • The encryption algorithm and decryption algorithm agreed in one negotiation correspond to each other,
  • and the encryption key and decryption key agreed in one negotiation correspond to each other.
  • The operation corresponding to the encryption algorithm and the operation corresponding to the decryption algorithm may be operations that perform the same logic;
  • for example, the operation corresponding to the encryption algorithm and the operation corresponding to the decryption algorithm are both hash operations.
  • Alternatively, the operation corresponding to the encryption algorithm and the operation corresponding to the decryption algorithm are mutually inverse operations.
  • If the encryption algorithm and decryption algorithm agreed by the encryption server and the security plug-in for the access request are symmetric algorithms, the encryption key is the same as the decryption key; if they are asymmetric algorithms, the encryption key and the decryption key are a pair of public and private keys, where if the encryption key is the public key the decryption key is the private key, and if the encryption key is the private key the decryption key is the public key.
  • The identification of the terminal device may be an identification of the terminal device itself, such as the device identifier of the terminal device or its IP address, or identification information assigned to the terminal device by the encryption server, such as session information or cookie information; the latter is the identification information agreed upon when the encryption server and the security plug-in agree on the second decryption method. When the identification of the terminal device is this agreed identification information, the security plug-in adds the agreed identification information to the access request when it encrypts the access request using the agreed encryption method.
  • The encryption server obtains the identity of the terminal device from the access request, determines the second decryption method agreed with the security plug-in according to that identity, and then performs the operation corresponding to the decryption algorithm of the second decryption method on the decryption key of the second decryption method and the encrypted data in the access request, obtaining the original access request.
  • Otherwise, the encryption server executes step S209.
  • The encryption server sends a resource acquisition request corresponding to the target page to the background server, and the background server receives the resource acquisition request for the target page.
  • The background server is the background server corresponding to the target page, that is, the background server of the website system containing the target page.
  • The resource acquisition request corresponding to the target page is used to request the background server to return the first page data corresponding to the target page.
  • With the first page data, the website client can display the target page.
  • The encryption server sends the resource acquisition request corresponding to the target page to the background server in either of the following two cases:
  • In the first case, the IP address of the background server is preset in the encryption server, and the IP address of the background server is associated with the target access request.
  • When the encryption server obtains a target access request, it determines, according to the IP address associated with the target access request, the background server on which the resource of the page data corresponding to the target access request is located, so that the encryption server can initiate the resource acquisition request corresponding to the target page to the background server at the IP address corresponding to the target access request.
  • The target access request refers to an access request associated with the background server, that is, a request related to the website system.
  • For example, the domain name "pingan.com" is associated in advance with the IP address of the background server, 192.168.11.32.
  • If a request carries the domain name "pingan.com", for example www.pingan.com/login, then because the request carries "pingan.com" it can be determined that the IP address of the background server corresponding to this request is 192.168.11.32, and the encryption server initiates the resource request corresponding to the access request to the background server at the IP address 192.168.11.32.
  • In the second case, the encryption server performs DNS resolution on the URL carried in the access request to obtain the IP address of the background server, and then initiates the resource acquisition request corresponding to the target page to the background server according to the IP address obtained by the resolution.
  • The resource acquisition request corresponding to the target page may be the access request for the target page itself.
  • For example, the URL carried in the access request intercepted by the encryption server is www.pingan.com/login;
  • the encryption server resolves the URL through DNS, obtains the corresponding IP address 202.132.11.32, and then initiates the resource request corresponding to the target page to the background server at 202.132.11.32.
  • The background server sends the first page data corresponding to the target page, and the encryption server obtains the first page data corresponding to the target page.
  • The background server finds the website file corresponding to the target page in the website directory according to the resource acquisition request, obtains the first page data from the website file, and then sends the first page data.
  • Where the URL carried in the access request follows the first design described above, the background server sends the first page data corresponding to the target page to the encryption server, and the encryption server obtains the first page data by receiving it; where the URL carried in the access request follows the second design described above, the background server sends the first page data corresponding to the target page to the terminal device, and the encryption server obtains the first page data by intercepting it by means of traffic hijacking.
  • The encryption server and the background server may communicate based on the HTTPS protocol.
  • That is, the encryption server may send the resource acquisition request corresponding to the target page to the background server based on HTTPS, and the background server may send the first page data corresponding to the target page to the encryption server based on HTTPS.
  • The background server may be configured so that it can be accessed only by the encryption server, that is, the background server's access whitelist contains only identity information that proves the encryption server's identity, such as the encryption server's IP address or MAC address.
  • In this way the security of communication between the encryption server and the background server is ensured, which further enhances the security of the website system.
  • The encryption server encrypts the first page data using the first encryption method to obtain the second page data.
  • The first encryption method is an encryption method agreed by the encryption server and the security plug-in in the terminal device before the first page data is encrypted.
  • The encryption server and the security plug-in in the terminal device may periodically agree on an encryption and decryption method.
  • The first encryption method may specifically be the encryption method within the encryption and decryption methods that the encryption server and the security plug-in of the terminal device last agreed upon before the first page data is encrypted.
  • For the specific content of the encryption method, refer to the foregoing description; it is not repeated here.
  • The first encryption method may arise in either of the following two cases:
  • In the first case, the first encryption method is an encryption method agreed by the encryption server with the security plug-in in the terminal device after the first page data is obtained.
  • After obtaining the first page data, the encryption server can negotiate the encryption and decryption method for the first page data with the security plug-in in the terminal device, that is, agree on the encryption method used by the encryption server to encrypt the first page data and the decryption method used by the security plug-in to decrypt the first page data;
  • the encryption method thus agreed for the encryption server to encrypt the first page data is the first encryption method.
  • In the second case, the first encryption method is an encryption method agreed by the encryption server with the security plug-in in the terminal device before the terminal device sends the access request for the target page. If the encryption server does not negotiate the encryption and decryption method for the first page data with the security plug-in after obtaining the first page data, the encryption server uses, as the first encryption method, the encryption method within the encryption and decryption method agreed with the security plug-in in the terminal device before the terminal device sent the access request for the target page.
  • The encryption server performs the operation corresponding to the first encryption method on the encryption key corresponding to the first encryption method and the first page data, obtaining the second page data.
  • The encryption server sends the second page data to the terminal device, and the terminal device receives the second page data.
  • The terminal device decrypts the second page data using the security plug-in to obtain the first page data.
  • The security plug-in in the terminal device decrypts the second page data according to the decryption method agreed with the encryption server, which corresponds to the first encryption method, to obtain the first page data.
  • The decryption method may be the decryption method within the encryption and decryption methods that the security plug-in of the terminal device and the encryption server last agreed upon before the first page data was encrypted. For details of the decryption method, refer to the foregoing description; they are not repeated here.
  • If the first encryption method is that of the first case described above, the decryption method is the decryption method agreed by the security plug-in of the terminal device with the encryption server after the encryption server obtains the first page data; if the first encryption method is that of the second case described above, the decryption method is the decryption method agreed by the security plug-in of the terminal device with the encryption server before the terminal device sends the access request for the target page.
  • The security plug-in in the terminal device performs the operation corresponding to the decryption method on the second page data and the decryption key corresponding to the decryption method, obtaining the first page data.
  • The terminal device displays the target page according to the first page data.
  • The security plug-in of the terminal device sends the first page data to the website client in the terminal device, and the website client displays the target page according to the first page data.
  • The encryption server sends the third page data to the terminal device, and the terminal device receives the third page data.
  • The third page data is the page data of the download page corresponding to the security plug-in.
  • The encryption server may obtain the third page data from the server that provides the security plug-in download service, and then send the third page data to the terminal device.
  • That server may be the encryption server, the background server, or another server.
  • The encryption server may also directly obtain the security plug-in from a server providing the security plug-in download service and send the security plug-in to the terminal device, and the terminal device then performs step S211 with that security plug-in.
  • The terminal device downloads the security plug-in from the download page corresponding to the security plug-in.
  • The terminal device installs the security plug-in.
  • After installation, the terminal device may execute step S201 to initiate an access request for the target page.
  • In the embodiment of the present application, the page data is encrypted by the encryption server and decrypted by the security plug-in, so the page data is transmitted in the form of ciphertext. This prevents tools such as scanners and crawlers from directly scanning page data, and prevents page data from being fetched and tampered with in situations such as traffic hijacking.
  • FIG. 3 is a schematic flowchart of another communication data encryption method provided by an embodiment of the present application. This method is executed when a security plug-in is installed in a terminal device. The method includes:
  • The terminal device acquires the second parameter input by the user through a parameter acquisition page.
  • The parameter acquisition page is a page on which a user can input and submit data.
  • The parameter acquisition page may specifically be a login page, a user information form, a user feedback submission page, and the like.
  • The second parameter is the information entered by the user.
  • For example, the second parameter may be the user name, password and verification code entered by the user through the login page.
  • The second parameter may also be the name, gender, age and so on that the user fills in through the user information page.
  • The second parameter may also be a message or suggestion submitted by the user; it is not limited to the examples described here.
  • The terminal device encrypts the second parameter using the security plug-in to obtain the first parameter.
  • The security plug-in of the terminal device encrypts the second parameter according to the encryption method agreed with the encryption server, obtaining the first parameter.
  • The encryption method may be the encryption method within the encryption and decryption methods that the security plug-in of the terminal device and the encryption server last agreed upon before the terminal device encrypts the second parameter to obtain the first parameter.
  • For the specific content of the encryption method, refer to the foregoing description; it is not repeated here.
  • The security plug-in in the terminal device may perform the operation corresponding to the encryption method on the second parameter and the encryption key corresponding to the agreed encryption method, obtaining the first parameter.
  • The terminal device initiates a parameter submission request, and the encryption server obtains the parameter submission request.
  • The parameter submission request includes the first parameter.
  • The parameter submission request carries a URL; the URL points to an IP address, and that IP address is the address to which the parameter submission request submits the parameter.
  • The IP address pointed to by this URL is the same as the IP address pointed to by the URL carried in the access request.
  • The encryption server decrypts the first parameter using the first decryption method to obtain the second parameter.
  • The first decryption method is the decryption method within the encryption and decryption methods that the security plug-in of the terminal device and the encryption server last agreed upon before the terminal device encrypted the second parameter to obtain the first parameter.
  • For the decryption method, refer to the foregoing description; details are not repeated here.
  • The encryption server performs the operation corresponding to the first decryption method on the first parameter and the decryption key corresponding to the first decryption method, obtaining the second parameter.
  • the encryption server sends the second parameter to the background server, and the background server receives the second parameter.
  • the sending of the second parameter by the encryption server to the background server is similar to the resource acquisition request corresponding to the target page sent by the encryption server to the background server.
  • the encryption server may submit the request to determine the parameter according to the parameter.
  • the IP address corresponding to the parameter submission request and sends the second parameter to the background server according to the IP address corresponding to the parameter submission request;
  • the encryption server parses the URL in the parameter submission request to obtain the background The IP address of the server, and then send the second parameter to the background service according to the parsed IP address.
  • the background server sends the fourth page data according to the second parameter, and the encryption server obtains the fourth page data.
  • the way in which the background server sends the fourth page data according to the second parameter and the encryption server obtains the fourth page data is similar to the way in which the background server sends the first page data corresponding to the target page and the encryption server obtains the first page data corresponding to the target page; the description is not repeated here.
  • the encryption server and the background server may communicate based on the HTTPS protocol.
  • the encryption server sends the second parameter to the background server based on the HTTPS protocol, and the background server sends the fourth page data to the encryption server based on the HTTPS protocol.
  • the access mode of the background server may be set so that only the encryption server is allowed to access it. The security of the communication process between the encryption server and the background server is thus ensured by security means, which further enhances the security of the website system.
  • the encryption server uses the second encryption method to encrypt the fourth page data to obtain the fifth page data.
  • the encryption server sends the fifth page data to the terminal device, and the terminal device receives the fifth page data.
  • the terminal device uses the security plug-in to decrypt the fifth page data to obtain the fourth page data.
  • S310 The terminal device displays a page corresponding to the fourth page data.
  • the specific implementation of steps S307 to S310 is similar to that of steps S204 to S207 described above; reference may be made to the description of steps S204 to S207, which is not repeated here.
  • the security plug-in in the terminal device and the encryption server respectively encrypt and decrypt the parameters that the terminal device obtains through the parameter acquisition page, so that these parameters are transmitted in the form of ciphertext, which prevents them from being captured in transit and ensures the security and privacy of the parameters without changing the original website architecture.
  • FIG. 4 is a schematic structural diagram of a communication data encryption device according to an embodiment of the present application.
  • the device 40 may be the encryption server in the embodiment shown in FIG. 1, or in the embodiments shown in FIG. 2 to FIG. 3, described above.
  • the device 40 includes:
  • an access request obtaining module 401, configured to obtain an access request for a target page initiated by a terminal device;
  • a page data acquisition module 402, configured to, when it is determined according to the access request that a security plug-in exists in the terminal device, acquire first page data corresponding to the target page from a background server corresponding to the target page according to the access request, the security plug-in being used to encrypt or decrypt data;
  • An encryption module 403, configured to encrypt the first page data by using a first encryption method agreed with the security plug-in to obtain second page data;
  • a page data sending module 404 is configured to send the second page data to the terminal device, so that the terminal device decrypts the second page data through the security plug-in to obtain the first page data.
  • the device 40 further includes:
  • a download page push module 405, configured to send third page data to the terminal device when it is determined according to the access request that no security plug-in exists in the terminal device, so that the terminal device downloads the security plug-in from the download page corresponding to the security plug-in and installs it; the third page data is the page data corresponding to the download page.
  • the device 40 further includes:
  • a submission request obtaining module 406, configured to obtain a parameter submission request initiated by the terminal device, where the parameter submission request includes a first parameter, the first parameter is a parameter obtained by the terminal device encrypting a second parameter through the security plug-in, and the second parameter is a parameter obtained by the terminal device through a parameter acquisition page;
  • a decryption module 407 configured to decrypt the first parameter by using a first decryption method agreed with the security plug-in to obtain the second parameter;
  • a parameter sending module 408, configured to send the second parameter to the background server;
  • the page data obtaining module 402 is further configured to obtain fourth page data returned by the background server according to the second parameter;
  • the encryption module 403 is further configured to encrypt the fourth page data by using a second encryption method agreed with the security plug-in to obtain the fifth page data;
  • the page data sending module 404 is further configured to send the fifth page data to the terminal device, so that the terminal device decrypts the fifth page data through the security plug-in to obtain the fourth page data.
  • the parameter sending module 408 is specifically configured to: send the second parameter to the background server based on the Hypertext Transfer Protocol over Secure Socket Layer (HTTPS);
  • the page data obtaining module 402 is configured to obtain the fourth page data returned by the background server based on the HTTPS protocol according to the second parameter.
  • the device further includes:
  • a judging module 409, configured to judge whether the access request is an encryption request;
  • when the access request is not an encryption request, the judging module 409 determines that no security plug-in exists in the terminal device;
  • when the access request is an encryption request, the judging module 409 determines that a security plug-in exists in the terminal device.
  • the page data acquisition module 402 is specifically configured to: decrypt the encryption request using the second decryption method to obtain the original access request.
  • in this way, a page-scanning tool such as a scanner or a crawler is prevented from directly obtaining page data, and page data is prevented from being acquired and tampered with in situations such as traffic hijacking.
  • FIG. 5 is a schematic diagram of a composition structure of another communication data encryption device according to an embodiment of the present application.
  • the device may be the encryption server in the embodiment shown in FIG. 1, or in the embodiments shown in FIG. 2 to FIG. 3.
  • the device 50 includes a processor 501, a memory 502, and a communication interface 503.
  • the processor 501 is connected to the memory 502 and the communication interface 503.
  • the processor 501 may be connected to the memory 502 and the communication interface 503 through a bus.
  • the processor 501 is configured to support the communication data encryption device to perform a corresponding function of an encryption server in the communication data encryption method described in FIG. 2 to FIG. 3.
  • the processor 501 may be a Central Processing Unit (CPU), a Network Processor (NP), a hardware chip, or any combination thereof.
  • the above-mentioned hardware chip may be an Application-Specific Integrated Circuit (ASIC), a Programmable Logic Device (PLD), or a combination thereof.
  • the PLD may be a complex programmable logic device (Complex Programmable Logic Device, CPLD), a field programmable logic gate array (Field-Programmable Gate Array, FPGA), a universal array logic (Generic Array logic, GAL), or any combination thereof.
  • the memory 502 is used to store program code and the like.
  • the memory 502 may include volatile memory (Volatile Memory, VM), such as Random Access Memory (RAM); the memory 502 may also include non-volatile memory (Non-Volatile Memory, NVM), such as read-only memory (ROM), flash memory, a hard disk drive (HDD), or a solid-state drive (SSD); the memory 502 may also include a combination of the above types of memory.
  • the memory 502 is configured to store a communication data encryption program, a key, and the like.
  • the communication interface 503 is configured to send or receive data.
  • the processor 501 may call the program code to perform the following operations:
  • obtain, through the communication interface 503 and according to the access request, the first page data corresponding to the target page from the background server corresponding to the target page, where the security plug-in is used to encrypt or decrypt data;
  • An embodiment of the present application further provides a computer-readable storage medium.
  • the computer-readable storage medium stores a computer program, where the computer program includes program instructions, and the program instructions, when executed by a computer, cause the computer to execute the method described above.
  • the computer may be a part of the communication data encryption device mentioned above. For example, it is the processor 501 described above.
  • the program can be stored in a computer-readable storage medium.
  • when the program is executed, the processes of the embodiments of the methods described above may be included.
  • the storage medium may be a magnetic disk, an optical disk, a read-only memory (Read-Only Memory, ROM), or a random access memory (Random Access Memory, RAM).
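The two flows described in the bullets above (page retrieval with plug-in detection, and parameter submission through the encryption server, including the same-IP check on the submission URL) as one runnable model. This is an added example, not code from the patent or its applicant: the patent does not name the agreed encryption methods, so an HMAC-SHA256 based encrypt-then-MAC construction stands in for them; the host table, page contents, session handling and every class and function name are the example's own assumptions.

```python
import hashlib, hmac, json, secrets

# Constructed stand-in for DNS (documentation-range addresses, not from the patent).
HOSTS = {"www.example.test": "192.0.2.10", "other.example.test": "198.51.100.7"}
THIRD_PAGE_DATA = b"<html>install the security plug-in to continue</html>"


def resolve_ip(url: str) -> str:
    return HOSTS[url.split("://", 1)[-1].split("/", 1)[0]]


def _subkey(key: bytes, label: bytes) -> bytes:
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    # HMAC-SHA256 in counter mode, standing in for the patent's unspecified
    # "agreed method"; a real deployment would use a standard AEAD instead.
    return b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                    for i in range((n + 31) // 32))[:n]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC under derived sub-keys: nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(16)
    body = bytes(p ^ s for p, s in zip(plaintext, _keystream(_subkey(key, b"enc"), nonce, len(plaintext))))
    return nonce + body + hmac.new(_subkey(key, b"mac"), nonce + body, hashlib.sha256).digest()


def decrypt(key: bytes, blob: bytes) -> bytes:
    """Verify the tag before decrypting; a wrong key or tampering raises ValueError."""
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(_subkey(key, b"mac"), nonce + body, hashlib.sha256).digest()):
        raise ValueError("authentication failed")
    return bytes(c ^ s for c, s in zip(body, _keystream(_subkey(key, b"enc"), nonce, len(body))))


class BackgroundServer:
    """Origin server; per the patent reachable only by the encryption server, over HTTPS."""
    def get_page(self, url: str) -> bytes:              # first page data
        return b"<form action='/login'>user / password</form>"

    def submit(self, second_parameter: dict) -> bytes:  # fourth page data
        return b"<html>welcome " + second_parameter["user"].encode() + b"</html>"


class SecurityPlugin:
    """Terminal-side plug-in holding the keys of the two methods agreed with the server."""
    def __init__(self, key1: bytes, key2: bytes):
        self.key1, self.key2 = key1, key2

    def wrap_access_request(self, url: str) -> bytes:
        # Encrypting the access request is what lets the server tell a plug-in from a bare crawler.
        return encrypt(self.key2, json.dumps({"url": url}).encode())

    def encrypt_parameter(self, second_parameter: dict) -> bytes:  # -> first parameter
        return encrypt(self.key1, json.dumps(second_parameter).encode())

    def decrypt_page(self, page_data: bytes, method: int) -> bytes:
        return decrypt(self.key1 if method == 1 else self.key2, page_data)


class EncryptionServer:
    """Proxy in front of the background server (the roles of modules 401 to 409)."""
    def __init__(self, key1: bytes, key2: bytes, background: BackgroundServer):
        self.key1, self.key2, self.background = key1, key2, background
        self.access_ip = {}  # session -> IP the original access request resolved to

    def handle_access_request(self, session: str, raw: bytes):
        try:                  # judging module: does the request decrypt under the agreed method?
            request = json.loads(decrypt(self.key2, raw))
        except ValueError:    # plain request, so no plug-in: push the download page instead
            return "third", THIRD_PAGE_DATA
        self.access_ip[session] = resolve_ip(request["url"])
        return "second", encrypt(self.key1, self.background.get_page(request["url"]))

    def handle_parameter_submission(self, session: str, url: str, first_parameter: bytes) -> bytes:
        # The submission must resolve to the same IP as the page the parameters came from.
        if resolve_ip(url) != self.access_ip.get(session):
            raise PermissionError("submission target differs from access target")
        second_parameter = json.loads(decrypt(self.key1, first_parameter))
        fourth_page = self.background.submit(second_parameter)  # the HTTPS hop in deployment
        return encrypt(self.key2, fourth_page)                   # fifth page data


def run_demo() -> dict:
    """Both flows end to end plus the two failure cases; returns what each side sees."""
    key1, key2 = secrets.token_bytes(32), secrets.token_bytes(32)
    server, plugin = EncryptionServer(key1, key2, BackgroundServer()), SecurityPlugin(key1, key2)
    url, r = "https://www.example.test/login", {}
    # A crawler without the plug-in sends the request in the clear and gets only the download page.
    r["crawler_kind"], _ = server.handle_access_request("crawler", json.dumps({"url": url}).encode())
    # A terminal with the plug-in receives ciphertext and recovers the first page data locally.
    r["terminal_kind"], second_page = server.handle_access_request("term", plugin.wrap_access_request(url))
    r["first_page"] = plugin.decrypt_page(second_page, 1)
    # Form parameters travel only as the encrypted first parameter; the reply is encrypted too.
    first_parameter = plugin.encrypt_parameter({"user": "alice", "password": "correct horse"})
    fifth_page = server.handle_parameter_submission("term", url, first_parameter)
    r["fourth_page"] = plugin.decrypt_page(fifth_page, 2)
    try:  # replaying the ciphertext toward another host fails the same-IP check
        server.handle_parameter_submission("term", "https://other.example.test/login", first_parameter)
        r["cross_host_rejected"] = False
    except PermissionError:
        r["cross_host_rejected"] = True
    try:  # a page altered in transit (traffic hijacking) fails the tag check at the terminal
        plugin.decrypt_page(fifth_page[:20] + bytes([fifth_page[20] ^ 1]) + fifth_page[21:], 2)
        r["tamper_detected"] = False
    except ValueError:
        r["tamper_detected"] = True
    return r
```

The plug-in detection follows the judging module's rule literally: a request that does not decrypt under the agreed method is treated as coming from a terminal without the plug-in and answered with the download page, which is also all a scanner or crawler ever sees. Key agreement between plug-in and server, and the HTTPS transport to the background server, are outside the model.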

Abstract

The present invention relates to a method and apparatus for encrypting communication data. The method comprises: obtaining an access request for a target page initiated by a terminal device; when it is determined from the access request that a security plug-in exists in the terminal device, obtaining from a background server first page data corresponding to the target page according to the access request, the security plug-in being used to encrypt or decrypt data; encrypting the first page data with a first encryption method agreed with the security plug-in to obtain second page data; and sending the second page data to the terminal device so that the terminal device decrypts the second page data by means of the security plug-in to obtain the first page data. The solution prevents page-scanning tools such as scanners and crawlers from directly obtaining page data, and prevents page data from being obtained and tampered with in situations such as traffic hijacking.
PCT/CN2018/107638 2018-07-27 2018-09-26 Method and apparatus for encrypting communication data WO2020019478A1 (fr)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201810852593.2 2018-07-27
CN201810852593.2A CN109067739B (zh) 2018-07-27 2018-07-27 Communication data encryption method and apparatus

Publications (1)

Publication Number Publication Date
WO2020019478A1 true WO2020019478A1 (fr) 2020-01-30

Family

ID=64831706

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2018/107638 WO2020019478A1 (fr) 2018-07-27 2018-09-26 Method and apparatus for encrypting communication data

Country Status (2)

Country Link
CN (1) CN109067739B (fr)
WO (1) WO2020019478A1 (fr)

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111541758A (zh) * 2020-04-17 2020-08-14 支付宝(杭州)信息技术有限公司 Page update method and apparatus
CN111866124A (zh) * 2020-07-17 2020-10-30 北京金山云网络技术有限公司 Method, apparatus, server and machine-readable storage medium for accessing a web page
CN114066447A (zh) * 2020-07-29 2022-02-18 新开普电子股份有限公司 Browser-based card encryption method
CN114760143A (zh) * 2022-04-26 2022-07-15 中国邮政储蓄银行股份有限公司 Decryption method, decryption apparatus and decryption system for communication data
CN114066447B (zh) * 2020-07-29 2024-06-07 新开普电子股份有限公司 Browser-based card encryption method

Families Citing this family (4)

Publication number Priority date Publication date Assignee Title
CN110995683A (zh) * 2019-11-26 2020-04-10 深圳市思迪信息技术股份有限公司 Web page based hardware information collection method, apparatus and computer device
CN113079492B (zh) * 2021-03-22 2022-04-05 广东湾区智能终端工业设计研究院有限公司 Information sharing method and apparatus
CN112948824B (zh) * 2021-03-31 2022-04-26 支付宝(杭州)信息技术有限公司 Privacy-protection-based program communication method, apparatus and device
CN113326519A (zh) * 2021-06-09 2021-08-31 支付宝(杭州)信息技术有限公司 Data acquisition method and apparatus

Citations (5)

Publication number Priority date Publication date Assignee Title
US20040059945A1 (en) * 2002-09-25 2004-03-25 Henson Kevin M. Method and system for internet data encryption and decryption
CN101299753A (zh) * 2008-06-17 2008-11-05 浙江大学 Proxy-server-based web service security control mechanism
CN101416171A (zh) * 2004-06-30 2009-04-22 塞特里克斯网络应用有限责任公司 System and method for establishing a virtual private network
CN104217173A (zh) * 2014-08-27 2014-12-17 武汉理工大学 Data and file encryption method for browsers
CN105450662A (zh) * 2015-12-25 2016-03-30 小米科技有限责任公司 Encryption method and apparatus

Family Cites Families (3)

Publication number Priority date Publication date Assignee Title
CN104580086A (zh) * 2013-10-17 2015-04-29 腾讯科技(深圳)有限公司 Information transmission method, client, server and system
CN106412024B (zh) * 2016-09-07 2019-10-15 网易无尾熊(杭州)科技有限公司 Page acquisition method and apparatus
CN107070812A (zh) * 2017-05-02 2017-08-18 武汉绿色网络信息服务有限责任公司 HTTPS protocol analysis method and system

Cited By (7)

Publication number Priority date Publication date Assignee Title
CN111541758A (zh) * 2020-04-17 2020-08-14 支付宝(杭州)信息技术有限公司 Page update method and apparatus
CN111541758B (zh) * 2020-04-17 2023-06-16 支付宝(杭州)信息技术有限公司 Page update method and apparatus
CN111866124A (zh) * 2020-07-17 2020-10-30 北京金山云网络技术有限公司 Method, apparatus, server and machine-readable storage medium for accessing a web page
CN111866124B (zh) * 2020-07-17 2022-06-24 北京金山云网络技术有限公司 Method, apparatus, server and machine-readable storage medium for accessing a web page
CN114066447A (zh) * 2020-07-29 2022-02-18 新开普电子股份有限公司 Browser-based card encryption method
CN114066447B (zh) * 2020-07-29 2024-06-07 新开普电子股份有限公司 Browser-based card encryption method
CN114760143A (zh) * 2022-04-26 2022-07-15 中国邮政储蓄银行股份有限公司 Decryption method, decryption apparatus and decryption system for communication data

Also Published As

Publication number Publication date
CN109067739B (zh) 2021-10-08
CN109067739A (zh) 2018-12-21

Similar Documents

Publication Publication Date Title
WO2020019478A1 (fr) Method and apparatus for encrypting communication data
US11647005B2 (en) Systems and methods for application pre-launch
US20220292180A1 (en) Systems and methods for offline usage of saas applications
WO2020019477A1 (fr) Method and apparatus for encrypting communication data
US8837734B2 (en) Managing encrypted data and encryption keys
US10904227B2 (en) Web form protection
CA3112194C (fr) Systems and methods for integrated service discovery for network applications
US20110302410A1 (en) Secure document delivery
EP3299990A1 (fr) Electronic device server and method for communicating with a server
US20120023158A1 (en) Method for secure transfer of multiple small messages
US11070533B2 (en) Encrypted server name indication inspection
US11716374B2 (en) Forced identification with automated post resubmission
CN111049832B (zh) Reverse proxy method and related apparatus
CN113364781A (zh) Request processing method and system
JP2007142504A (ja) Information processing system
EP3447992B1 (fr) Message push method and terminal
JP2023532976A (ja) Method and system for verifying a user's identity
CN116566653A (zh) Verification method, apparatus, electronic device and storage medium

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 18927770

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 18927770

Country of ref document: EP

Kind code of ref document: A1