CN103905384A - Embedded inter-terminal session handshake realization method based on security digital certificate - Google Patents

Publication number: CN103905384A
Application number: CN201210574593.3A
Authority: CN (China)
Other languages: Chinese (zh)
Other versions: CN103905384B (en)
Inventors: 王强, 孙婉丽, 臧宏伟
Current Assignee: Beijing Watchdata Co ltd
Original Assignee: Beijing WatchData System Co Ltd
Application filed by: Beijing WatchData System Co Ltd
Legal status: Granted; Expired - Fee Related
Prior art keywords: session, terminal, certificate, message, key
Classification: Computer And Data Communications (AREA)

Abstract

The invention discloses a method for implementing a session handshake between embedded terminals based on secure digital certificates. The session requesting terminal first digitally signs the relevant session request data and composes session message 1, which it sends to the target terminal to initiate a session request. After verifying the validity of the requesting terminal's certificate and of the signature on session message 1, the target terminal composes a new session message 2 and returns it to the requesting terminal. The requesting terminal then generates a pre-master session key, from which the final session key is obtained, and composes a new session message 3 from the pre-master session key and sends it to the target terminal. Finally, the target terminal computes the pre-master session key from session message 3 and generates the final session key, completing negotiation of the session key. Communication sessions can thus be established between embedded terminals without restriction on which party requests the session, and the communication process is secured by digital signing and verification.

Description

Method for implementing a session handshake between embedded terminals based on secure digital certificates
Technical field
The present invention relates to the technical field of security verification for terminal sessions, and in particular to a method for implementing a session handshake between embedded terminals based on secure digital certificates.
Background art
A digital certificate, also called an electronic certificate or simply a certificate, is in most cases synonymous with an X.509 public key certificate conforming to the ITU-T X.509 V3 standard. Certificates are a security mechanism that developed along with PKI; they provide the security services of identity authentication and identification, integrity, confidentiality and non-repudiation. A digital certificate is the proof of each entity's online identity in e-commerce: it attests to the match between the identity an entity claims and its public key, binding the entity's identity to the public key in the certificate. From the standpoint of public key management, the digital certificate is the medium of key management in a public key system, in which public keys are distributed and transmitted through the certificate mechanism; for this reason a digital certificate is sometimes also called a public key certificate. A digital certificate is an authoritative electronic document issued by a third-party organization (a CA) that is authoritative, trustworthy and impartial. It is the proof of identity with which entities of all kinds (holders/individuals, merchants/enterprises, gateways/banks and so on) exchange information and do business online; at every stage of an electronic transaction each party must verify the validity of the other party's certificate, which solves the problem of mutual trust. In short, a digital certificate is a piece of data containing the user's identity information, the user's public key and the digital signature of the certification authority. The certification authority's digital signature ensures the authenticity of the certificate information.
On a network, information may pass through other computers on its way from the source host to the destination host. Normally the intermediate computers do not monitor the information passing through them. But when a user accesses online banking or makes a credit card transaction, the information on the network may be monitored by criminals, leaking personal private data. Because the Internet and its architecture contain some security vulnerabilities, some people are always able to intercept and replace the original information a user sends. With the development of e-commerce, the demands placed on information security have grown, so Netscape proposed the SSL (ServerSocket Layer) protocol, intended to transmit information securely and confidentially over an open network (the Internet); this protocol is widely used on the Web. The SSL security protocol mainly provides three services:
Authenticating the user and the server, so that they can be sure data is sent to the correct client and server;
Encrypting data to hide the data being transmitted;
Maintaining data integrity, ensuring that data is not altered in transit.
However, in the SSL interaction flow the initiator is always the client sending a service request to the server, so the terminal that may initiate a session is restricted. In addition, the SSL protocol interaction is part of the TCP/IP network protocol. At present there is no case of applying secure digital certificates to the interactive session flow of memory-limited embedded network terminals; interaction between embedded terminals is developed and specified separately for each requirement, and there is no standard.
Summary of the invention
In view of the defects of the prior art, the object of the present invention is to provide a method for implementing a session handshake between embedded terminals based on secure digital certificates, by which communication sessions between memory-limited embedded terminals are realized.
To achieve this object, the present invention adopts the following technical solution:
A method for implementing a session handshake between embedded terminals based on secure digital certificates, comprising the following steps:
(1) The session requesting terminal composes session message 1 and sends it to the target terminal to initiate a session request; session message 1 comprises the requesting terminal's terminal certificate, session ciphertext EKS1 and the digital signature S1 of session message 1;
(2) The target terminal receives session message 1, verifies the validity of the requesting terminal's terminal certificate and digital signature S1, and composes a new session message 2 that it returns to the requesting terminal; session message 2 comprises the target terminal's terminal certificate, session ciphertext EKS2 and the digital signature S2 of session message 2;
(3) The requesting terminal receives session message 2, verifies the validity of the target terminal's terminal certificate and digital signature, generates pre-master session key R3, obtains the final session key, and composes a new session message 3 from the pre-master session key and sends it to the target terminal;
(4) The target terminal receives session message 3, computes pre-master session key R3 from session message 3, and generates the final session key.
Further, in the method described above, session message 1 is composed in step (1) as follows:
(1-1) The requesting terminal generates session data R1 and encrypts session data R1 to obtain session ciphertext EKS1;
(1-2) The requesting terminal digitally signs its SSL version number, terminal certificate and session data R1 to form signature S1;
(1-3) Session message 1 is composed of the requesting terminal's SSL version number, terminal certificate, session ciphertext EKS1 and signature S1.
Further, in the method described above, session message 2 is composed in step (2) as follows:
(2-1) The target terminal decrypts the received session ciphertext EKS1 to obtain session data R1;
(2-2) The target terminal generates session data R2 and encrypts session data R2 to obtain session ciphertext EKS2;
(2-3) The target terminal digitally signs its SSL version number, terminal certificate, session data R2 and session data R1 to form signature S2;
(2-4) Session message 2 is composed of the target terminal's SSL version number, terminal certificate, session ciphertext EKS2 and signature S2.
Further, in the method described above, the requesting terminal and the target terminal are embedded network terminals; the requesting terminal is a client, and the target terminal is a server or a client.
Further, in the method described above, the SSL version number includes the version of the SSL protocol and the cryptographic algorithm used.
Further, in the method described above, the requesting terminal and the target terminal each use the symmetric encryption key pre-embedded in the terminal to encrypt session data and obtain the session ciphertext.
Further, in the method described above, the target terminal verifies the validity of the requesting terminal's certificate and of signature S1 in step (2) as follows:
After receiving session message 1, the target terminal verifies the validity of the requesting terminal's certificate through the CA certificate chain; it decrypts session ciphertext EKS1 with the pre-embedded symmetric encryption key to obtain session data R1; and it verifies the validity of signature S1 with the requesting terminal's public key.
Further, in the method described above, the validity status of a terminal certificate is one of two states, valid or invalid. If the certificate is valid, the method proceeds to the next step; if the certificate is invalid, the terminal that received the message returns an error message to the terminal that sent it, and the session ends. When the validity of a signature is verified, if the signature is valid the method proceeds to the next step; if the signature is invalid, the terminal that received the message returns an error message to the terminal that sent it, and the session ends.
Further, in the method described above, the requesting terminal composes the new session message 3 in step (3) as follows:
The requesting terminal generates pre-master session key R3, encrypts R3 with the target terminal's public key to obtain session ciphertext M1, and digitally signs session ciphertext M1 together with the validity status of the target terminal's certificate to obtain signature S3; signature S3 serves as session message 3.
Further, in the method described above, the target terminal generates the final session key from session message 3 in step (4) as follows:
The target terminal receives session message 3, decrypts session message 3 with the requesting terminal's public key to obtain ciphertext M1, decrypts ciphertext M1 with the target terminal's public key to obtain pre-master session key R3, and generates the final session key from the pre-master session key.
Still further, in the method described above, the final session key is obtained by hashing the combination of pre-master session key R3, requesting terminal session data R1, target terminal session data R2 and count value C, according to the formula:
Final session key KCV = Hash(pre-master session key R3 + requesting terminal session data R1 + target terminal session data R2 + C);
Count value C is incremented by 1 with each session establishment flow.
Further, in the method described above, requesting terminal session data R1, target terminal session data R2 and pre-master session key R3 are random numbers generated by the terminal that produces the corresponding session data.
The beneficial effects of the present invention are as follows. The method establishes a secure session flow between memory-limited intelligent embedded terminals such as handheld devices and smart electricity meter modules. It is not limited to handshake session flows between master and slave, or between slaves, among embedded network terminals: either party may initiate the request to establish a communication session. By introducing functions such as digital certificate signing and verification into the session flow, the format of the session messages and the interaction flow are protected. The communication medium is not confined to TCP/IP network transmission and may include other wireless transmission.
Brief description of the drawings
Fig. 1 is a schematic diagram of one-way server authentication in the SSL handshake of the prior art;
Fig. 2 is a schematic diagram of mutual authentication in the SSL handshake of the prior art;
Fig. 3 is a flow chart of the method of the present invention for implementing a session handshake between embedded terminals based on secure digital certificates;
Fig. 4 is a schematic diagram of establishing a session handshake between embedded terminals in the embodiment.
Embodiment
The present invention is described in further detail below with reference to the drawings and the embodiment.
The SSL protocol sits between the TCP/IP protocol and the various application layer protocols and provides security support for data communication. In the SSL interactive session flow, the session is always started by the client sending a service request to the server, and the flow is as follows:
Depending on the application, SSL's requirements for certificates differ: authentication may be one-way (for example HTTP, FTP) or mutual (for example online banking). Normally the server must have a certificate, while a client certificate is optional. As shown in Fig. 1 and Fig. 2, Key[s_pub](message) in the figures denotes a message encrypted with the server's public key, and Key[c_pub](message) denotes a message encrypted with the client's public key. Fig. 1 shows one-way server authentication, in which only the server has a certificate. The client initiates a session request by sending "Hello, I'm client" to the server; the server replies and sends its server certificate to the client; the client verifies the server's identity and obtains the server's public key; the client encrypts the session key for this session with the server's public key and sends the encrypted session key to the server; the server decrypts the received information with its private key to obtain the session key, and the session between client and server is established. Fig. 2 shows mutual authentication: in this session flow both the server and the client must have digital certificates installed, the client verifies the server, and the server also verifies the client.
Because the memory of intelligent embedded terminals is limited, the prior art has not applied secure digital certificates to the interactive session flow of embedded network terminals. The present invention addresses this problem with a method for implementing a session handshake between embedded terminals based on secure digital certificates. Using an improved SSL session handshake protocol and the secure digital certificate function of the PKI (Public Key Infrastructure) system, the method establishes a secure interactive handshake between embedded terminals. Fig. 3 shows the flow chart of the method, and Fig. 4 shows a schematic diagram of establishing a session between terminals with the method. As the figures show, the method comprises the following steps:
Step S11: The requesting terminal composes a message and sends it to the target terminal to initiate a session request;
The terminals in the present invention are embedded terminals. Establishing the session flow is not limited, as in existing SSL, to the client sending a service request to the server: either party may initiate the request to establish a communication session. In this embodiment the terminal that initiates the session is called the requesting terminal, and the other communicating terminal is called the target terminal. First, the requesting terminal composes session message 1 and sends it to the target terminal to initiate a session request. Session message 1 comprises the requesting terminal's terminal certificate, session ciphertext EKS1 and the digital signature S1 of session message 1. In this embodiment the requesting terminal composes session message 1 and digitally signs it as follows:
The requesting terminal generates session data R1 and encrypts the session data to obtain ciphertext EKS1. The requesting terminal digitally signs its SSL version number, terminal certificate and session data R1 to form digital signature S1, and session message 1 is composed of the requesting terminal's SSL version number, terminal certificate, ciphertext EKS1 and digital signature S1. The session data in this embodiment (R1 in this step S11 and the session data in the subsequent steps) are random numbers generated by the terminal that produces the message. The session ciphertexts (in this step and in the subsequent steps) are obtained by the terminal that produces the message encrypting the session data with the symmetric encryption key pre-embedded in both communicating terminals. In this step, after generating random number R1, the requesting terminal encrypts the session data with the symmetric encryption key pre-embedded in the terminal to obtain session ciphertext EKS1. The SSL version number indicates the version of the SSL protocol and the cryptographic algorithm used. In this embodiment the requesting terminal composes message 1 in the following detailed steps:
1) Requesting terminal A generates random number R1;
2) Encrypt random number R1 with the pre-embedded symmetric encryption key to obtain session ciphertext EKS1(R1);
3) Obtain the requesting terminal's version number;
4) Obtain the terminal certificate CM of requesting terminal A;
5) Digitally sign the version number, terminal certificate CM and R1 to form signature S1;
6) Compose session message 1 from session ciphertext EKS1 and signature S1.
Step S12: The target terminal receives the message sent by the requesting terminal, verifies the validity of the requesting terminal's certificate and signature, and composes a new message that it sends back to the requesting terminal;
After receiving session message 1 from the requesting terminal, the target terminal first verifies the validity of the requesting terminal's certificate and digital signature, then composes a new session message 2 and returns it to the requesting terminal. Likewise, session message 2 comprises the target terminal's terminal certificate, session ciphertext EKS2 and the digital signature S2 of session message 2. In this embodiment session message 2 is composed as follows:
The target terminal first decrypts the received session ciphertext EKS1 with the pre-embedded symmetric encryption key to obtain session data R1. The target terminal then generates session data R2 and encrypts session data R2 to obtain session ciphertext EKS2. Finally, the target terminal digitally signs its SSL version number, terminal certificate, session data R2 and session data R1 to form signature S2, and composes session message 2 from its SSL version number, terminal certificate, session ciphertext EKS2 and digital signature S2.
The target terminal verifies the validity of the requesting terminal's certificate and of signature S1 as follows:
After receiving session message 1, the target terminal verifies the validity of the requesting terminal's certificate through the CA certificate chain, decrypts session ciphertext EKS1 with its pre-embedded symmetric encryption key to obtain session data R1, and verifies the validity of signature S1 with the requesting terminal's public key. Since signature S1 is a digital signature over the requesting terminal's SSL version number, terminal certificate and session data R1, S1 is verified with the requesting terminal's public key: the signed data for the requesting terminal's SSL version number, terminal certificate and session data R1 obtained from verification are compared with the corresponding data in session message 1. If they agree, the signature is valid; otherwise it is invalid. The validity of the certificate CM of the requesting terminal (master station) is verified through the CA certificate chain. The validity status of a terminal certificate is one of two states, valid or invalid. If verification succeeds (valid), the subsequent steps continue; if verification fails (invalid), the terminal that received the message returns an error message to the terminal that sent it, and the session ends. When the validity of the signature is verified, if the signature is valid the method proceeds to the next step; if the signature is invalid, the terminal that received the message returns an error message to the terminal that sent it, and the session ends. The detailed steps of receiving session message 1 and sending session message 2 in this step are as follows:
1) The target terminal receives session message 1 and verifies the validity of the terminal certificate; if verification succeeds it continues, otherwise session establishment ends;
2) After the requesting terminal's certificate has been verified, the target terminal decrypts EKS1(R1) with the pre-embedded symmetric encryption key to obtain session data R1;
3) Decrypt signature S1 with terminal A's public key and verify the validity of signature S1; if the signature is valid, continue; if it is invalid, indicate that the connection cannot be made, and session establishment ends;
4) Target terminal B generates random number R2 (session data);
5) Encrypt random number R2 with the symmetric key pre-embedded in the target terminal to generate session ciphertext EKS2(R2);
6) Digitally sign the target terminal's SSL version number, target terminal B's terminal certificate Cd, session data R2 and session data R1 to obtain signature S2;
7) Compose session message 2 from session ciphertext EKS2 and signature S2.
Every digital signature in the present invention is made with the certificate private key of the terminal that sends the session message: in step S11 the certificate private key of the requesting terminal is used to produce signature S1, and in step S12 the certificate private key of target terminal B is used to produce signature S2.
Step S13: The requesting terminal receives the new message returned by the target terminal, verifies the validity status of the target terminal's certificate and the validity of its digital signature, generates the pre-master session key, generates the final session key, and composes a new message that it sends to the target terminal;
Step S14: The target terminal receives the new message sent by the requesting terminal, decrypts it to obtain the pre-master session key, and generates the final session key.
After receiving session message 2 returned by the target terminal, the requesting terminal first verifies the validity of the target terminal's certificate and of signature S2, generates pre-master session key R3, obtains the final session key, and composes a new session message 3 from the pre-master session key and sends it to the target terminal. The requesting terminal composes the new session message 3 as follows: it generates pre-master session key R3, encrypts R3 with the target terminal's public key to obtain session ciphertext M1, and digitally signs session ciphertext M1 together with the validity status of the target terminal's certificate to obtain signature S3; signature S3 is sent to the target terminal as session message 3.
The target terminal generates the final session key from session message 3 as follows: it receives session message 3, decrypts session message 3 with the requesting terminal's public key to obtain ciphertext M1, decrypts ciphertext M1 with the target terminal's public key to obtain pre-master session key R3, and generates the final session key from the pre-master session key.
The final session key in this embodiment is obtained by hashing the combination of pre-master session key R3, requesting terminal session data R1, target terminal session data R2 and count value C, according to the formula:
Final session key KCV = Hash(pre-master session key R3 + requesting terminal session data R1 + target terminal session data R2 + C);
Count value C is incremented by 1 with each session establishment flow. The initial value of C can be set by the user as required; in this embodiment the initial value of C is 00000001. Like requesting terminal session data R1 and target terminal session data R2, the pre-master session key R3 in this embodiment is a random number generated by the terminal that produces the corresponding session data.
In this embodiment, the specific steps by which step S13 obtains the final session key and composes session message 3 are as follows:
1) The requesting terminal receives session message 2, verifies the validity of target terminal B's digital certificate, and returns the validity status of terminal B's digital certificate; if the certificate is valid, proceed to the next step; if it is invalid, session establishment ends;
2) Decrypt session ciphertext EKS2 with the pre-embedded symmetric key to recover random number R2;
3) Verify the validity of signature S2; if the signature is valid, proceed to the next step; if it is invalid, session establishment ends;
4) Requesting terminal A generates random number R3 as the pre-master session key and encrypts it with terminal B's public key Kud to obtain ciphertext M1;
5) Sign M1 and the validity status of target terminal B to generate session message 3;
6) Generate the final session key: final session key KCV = Hash(pre-master session key R3 + random number R1 + random number R2 + 00000001).
The specific steps by which step S14 receives session message 3 and generates the final session key are as follows:
1) The target terminal receives session message 3 and verifies the validity of S3;
2) Decrypt M1 with target terminal B's public key Kud to obtain pre-master session key R3;
3) Final session key KCV = Hash(pre-master key R3 + random number R1 + random number R2 + 00000001).
Through the above 4 steps, negotiation of the final session key KCV is completed and the subsequent data transmission flow is established. The method of the present invention not only supports the algorithm library supported by SSL, but also extends it with the SM1, SM2, SM3, SM4, SSF33 and SCB2 algorithms that have passed national cryptography certification, as shown in the following table:
[Table image not reproduced: Figure BDA00002654555200101]
The method of the present invention can be implemented in memory-limited intelligent embedded terminals such as handheld devices and smart electricity meter modules. Modeled on the SSL interaction flow in the HTTP protocol, it uses the secure digital certificate function of the PKI system to establish a secure session flow between terminals.
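The exchange of steps S11 to S14, traced end to end as an added example (not code from the patent): both terminals process the three session messages and derive the same KCV, and a modified session message 1 or an untrusted certificate ends the session. Assumptions: toy textbook RSA over fixed primes and a SHA-256 XOR keystream stand in for the certificate and pre-embedded-key algorithms, which the text does not fix (neither stand-in is secure); "+" is read as concatenation and C as a 4-byte counter; M1 and the certificate status travel alongside S3; and M1 is decrypted with the target terminal's private key, as public-key encryption requires.

```python
import hashlib
import secrets

VERSION = b"SSL-3.0|toy-suite"   # constructed "SSL version number" field
PRESET_KEY = bytes(range(16))    # constructed pre-embedded symmetric key
E = 65537                        # public exponent of both toy key pairs

class HandshakeError(Exception):
    """Raised where the method returns an error message and ends the session."""

def digest(*fields):
    # Length-prefix every field so that field boundaries are unambiguous.
    return hashlib.sha256(
        b"".join(len(f).to_bytes(2, "big") + f for f in fields)).digest()

def sym_crypt(data, label):
    """XOR with a SHA-256 keystream: stand-in for the pre-embedded symmetric
    cipher. The label keeps EKS1 and EKS2 from sharing one keystream."""
    stream = b"".join(digest(PRESET_KEY, label, bytes([i]))
                      for i in range(len(data) // 32 + 1))
    return bytes(x ^ y for x, y in zip(data, stream))

class Terminal:
    """Embedded terminal with a textbook-RSA key pair (small fixed primes)."""
    def __init__(self, name, p, q):
        self.n = p * q
        self._d = pow(E, -1, (p - 1) * (q - 1))          # private exponent
        self.cert = name + b"|" + str(self.n).encode()   # stand-in certificate

    def sign(self, *fields):
        h = int.from_bytes(digest(*fields), "big") % self.n
        return pow(h, self._d, self.n)

    def decrypt(self, ciphertext, size=16):
        return pow(ciphertext, self._d, self.n).to_bytes(size, "big")

A = Terminal(b"A", 2**127 - 1, 2**89 - 1)   # requesting terminal (hypothetical)
B = Terminal(b"B", 2**107 - 1, 2**61 - 1)   # target terminal (hypothetical)
TRUSTED = {A.cert, B.cert}                  # stand-in for CA chain validation

def public_n(cert):
    return int(cert.split(b"|")[1])

def require_cert(cert):
    if cert not in TRUSTED:
        raise HandshakeError("certificate invalid")

def require_sig(cert, sig, *fields):
    n = public_n(cert)
    if pow(sig, E, n) != int.from_bytes(digest(*fields), "big") % n:
        raise HandshakeError("signature invalid")

def final_key(r3, r1, r2, counter):
    """KCV = Hash(R3 + R1 + R2 + C), with SHA-256 as the assumed hash."""
    return hashlib.sha256(r3 + r1 + r2 + counter.to_bytes(4, "big")).digest()

def make_msg1(a):                                        # step S11
    r1 = secrets.token_bytes(16)
    return {"ver": VERSION, "cert": a.cert, "eks": sym_crypt(r1, b"1"),
            "sig": a.sign(VERSION, a.cert, r1)}, r1

def handle_msg1(b, msg1):                                # step S12
    require_cert(msg1["cert"])                           # certificate first
    r1 = sym_crypt(msg1["eks"], b"1")                    # then recover R1
    require_sig(msg1["cert"], msg1["sig"], msg1["ver"], msg1["cert"], r1)
    r2 = secrets.token_bytes(16)
    msg2 = {"ver": VERSION, "cert": b.cert, "eks": sym_crypt(r2, b"2"),
            "sig": b.sign(VERSION, b.cert, r2, r1)}      # S2 also covers R1
    return msg2, (r1, r2, msg1["cert"])

def handle_msg2(a, r1, msg2, counter):                   # step S13
    require_cert(msg2["cert"])
    r2 = sym_crypt(msg2["eks"], b"2")
    require_sig(msg2["cert"], msg2["sig"], msg2["ver"], msg2["cert"], r2, r1)
    r3 = secrets.token_bytes(16)                         # pre-master session key
    m1 = pow(int.from_bytes(r3, "big"), E, public_n(msg2["cert"]))
    status = b"valid"
    msg3 = {"m1": m1, "status": status,
            "sig": a.sign(str(m1).encode(), status)}     # S3 over M1 and status
    return msg3, final_key(r3, r1, r2, counter)

def handle_msg3(b, state, msg3, counter):                # step S14
    r1, r2, peer_cert = state
    require_sig(peer_cert, msg3["sig"], str(msg3["m1"]).encode(), msg3["status"])
    return final_key(b.decrypt(msg3["m1"]), r1, r2, counter)

def run_handshake(counter=1, tamper=False):
    """Return (KCV at requesting terminal, KCV at target terminal)."""
    msg1, r1 = make_msg1(A)
    if tamper:                                           # one bit flipped in transit
        msg1["eks"] = bytes([msg1["eks"][0] ^ 1]) + msg1["eks"][1:]
    msg2, state = handle_msg1(B, msg1)
    msg3, key_a = handle_msg2(A, r1, msg2, counter)
    return key_a, handle_msg3(B, state, msg3, counter)
```

Because S1 is computed over the plaintext R1, a change to EKS1 surfaces as a signature failure at the target terminal rather than as two terminals silently holding different keys.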
Obviously, those skilled in the art can make various changes and modifications to the present invention without departing from its spirit and scope. If such changes and modifications fall within the scope of the claims of the present invention and their technical equivalents, the present invention is intended to include them as well.

Claims (12)

1. an implementation method for session handshake between the built-in terminal based on secure digital certificate, comprises the following steps:
(1) session requesting terminal organizes session message 1 to send to object terminal, initiates a session request; Described session message 1 comprises the digital signature S1 of terminal certificate, session ciphertext EKS1 and the session message 1 of requesting terminal;
(2) object terminal receives session message 1, terminal certificate and the digital signature S1 legitimacy of checking requesting terminal, and organize new session message 2 to return to requesting terminal; Described session message 2 comprises the digital signature S2 of terminal certificate, session ciphertext EKS2 and the session message 2 of object terminal;
(3) requesting terminal receives session message 2, and the terminal certificate of checking object terminal and the legitimacy of digital signature, generate pre-master session key R3, obtains final session key, and organize new session message 3 to send to object terminal according to pre-master session key;
(4) object terminal receives session message 3, and calculates pre-master session key R3 according to session message 3, generates final session key.
2. The method for implementing a session handshake between embedded terminals based on a secure digital certificate as claimed in claim 1, characterized in that, in step (1), session message 1 is composed as follows:
(1-1) the requesting terminal generates session data R1 and encrypts session data R1 to obtain session ciphertext EKS1;
(1-2) the requesting terminal digitally signs its SSL version number, terminal certificate and session data R1 to form signature S1;
(1-3) the SSL version number of the requesting terminal, the terminal certificate, session ciphertext EKS1 and signature S1 together form session message 1.
3. The method for implementing a session handshake between embedded terminals based on a secure digital certificate as claimed in claim 2, characterized in that, in step (2), session message 2 is composed as follows:
(2-1) the target terminal decrypts the received session ciphertext EKS1 to obtain session data R1;
(2-2) the target terminal generates session data R2 and encrypts session data R2 to obtain session ciphertext EKS2;
(2-3) the target terminal digitally signs its SSL version number, terminal certificate, session data R2 and session data R1 to form signature S2;
(2-4) the SSL version number of the target terminal, the terminal certificate, session ciphertext EKS2 and signature S2 together form session message 2.
4. The method for implementing a session handshake between embedded terminals based on a secure digital certificate as claimed in one of claims 1 to 3, characterized in that: the requesting terminal and the target terminal are embedded network terminals, the requesting terminal is a client, and the target terminal is a server or a client.
5. The method for implementing a session handshake between embedded terminals based on a secure digital certificate as claimed in claim 4, characterized in that: the SSL version number comprises the version of the SSL protocol and the cryptographic algorithm used.
6. The method for implementing a session handshake between embedded terminals based on a secure digital certificate as claimed in claim 5, characterized in that: the requesting terminal and the target terminal each encrypt session data with a symmetric encryption key pre-embedded in the terminal to obtain the session ciphertext.
7. The method for implementing a session handshake between embedded terminals based on a secure digital certificate as claimed in claim 6, characterized in that, in step (2), the target terminal verifies the legitimacy of the requesting terminal's certificate and of signature S1 as follows:
after receiving session message 1, the target terminal verifies the legitimacy of the requesting terminal's certificate through the CA certificate chain; decrypts session ciphertext EKS1 with the pre-embedded symmetric encryption key to obtain session data R1; and verifies the legitimacy of signature S1 with the public key of the requesting terminal.
8. The method for implementing a session handshake between embedded terminals based on a secure digital certificate as claimed in claim 7, characterized in that: the validity status of a terminal certificate is one of two states, valid or invalid; if the certificate is valid, the next step proceeds; if the certificate is invalid, the terminal that received the message returns error prompt information to the terminal that sent the message, and the session ends; when the legitimacy of a signature is verified, if the signature is legitimate, the next step proceeds; if the signature is not legitimate, the terminal that received the message returns error prompt information to the terminal that sent the message, and the session ends.
9. The method for implementing a session handshake between embedded terminals based on a secure digital certificate as claimed in claim 7, characterized in that, in step (3), the requesting terminal composes the new session message 3 as follows:
the requesting terminal generates pre-master session key R3, encrypts R3 with the public key of the target terminal to obtain session ciphertext M1, and digitally signs session ciphertext M1 and the certificate validity status of the target terminal to obtain signature S3; signature S3 serves as session message 3.
10. The method for implementing a session handshake between embedded terminals based on a secure digital certificate as claimed in claim 9, characterized in that, in step (4), the target terminal calculates and generates the final session key from session message 3 as follows:
the target terminal receives session message 3, decrypts session message 3 with the public key of the requesting terminal to obtain ciphertext M1, decrypts ciphertext M1 with the public key of the target terminal to obtain pre-master session key R3, and generates the final session key according to the pre-master session key.
11. The method for implementing a session handshake between embedded terminals based on a secure digital certificate as claimed in claim 10, characterized in that: the final session key is obtained by hashing the combination of pre-master session key R3, requesting terminal session data R1, target terminal session data R2 and count value C, according to the formula:
Final session key KCV = Hash(pre-master session key R3 + requesting terminal session data R1 + target terminal session data R2 + C);
count value C is incremented by 1 with each session establishment flow.
12. The method for implementing a session handshake between embedded terminals based on a secure digital certificate as claimed in claim 11, characterized in that: requesting terminal session data R1, target terminal session data R2 and pre-master session key R3 are random numbers generated by the terminal that generates the corresponding session data.
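The key derivation of claims 11 and 12, as an added example that is not part of the patent text. It reads "+" as byte concatenation and assumes SHA-256 as the hash, 32-byte random values, a 4-byte big-endian encoding of C, and one increment of C per completed handshake on each terminal; the names `derive_final_key` and `Terminal` are hypothetical.

```python
import hashlib
import secrets

RAND_LEN = 32  # assumed fixed length of R1, R2 and R3 in bytes


def derive_final_key(r3: bytes, r1: bytes, r2: bytes, counter: int) -> bytes:
    """KCV = Hash(R3 + R1 + R2 + C), reading '+' as concatenation (assumption)."""
    for name, value in (("R3", r3), ("R1", r1), ("R2", r2)):
        # Fixed lengths keep the concatenation unambiguous: without them,
        # different (R3, R1, R2) splits could produce the same hash input.
        if len(value) != RAND_LEN:
            raise ValueError(f"{name} must be {RAND_LEN} bytes")
    c = counter.to_bytes(4, "big")  # assumed 32-bit big-endian encoding of C
    return hashlib.sha256(r3 + r1 + r2 + c).digest()  # SHA-256 is an assumption


class Terminal:
    """Holds this terminal's count value C, incremented once per handshake."""

    def __init__(self) -> None:
        self.counter = 0

    def finish_handshake(self, r3: bytes, r1: bytes, r2: bytes) -> bytes:
        self.counter += 1
        return derive_final_key(r3, r1, r2, self.counter)


def demo() -> dict:
    requester, target = Terminal(), Terminal()
    # Constructed sample values standing in for the exchanged random numbers.
    r1, r2, r3 = (secrets.token_bytes(RAND_LEN) for _ in range(3))

    k_req = requester.finish_handshake(r3, r1, r2)
    k_tgt = target.finish_handshake(r3, r1, r2)

    # The same R1/R2/R3 presented again: C has advanced, so the key changes.
    k_replay = target.finish_handshake(r3, r1, r2)

    # The counters have now drifted apart; a drifted terminal derives a
    # different key, which surfaces on the first protected message.
    return {
        "agree": k_req == k_tgt,
        "replay_differs": k_replay != k_tgt,
        "desync": requester.counter != target.counter,
    }


if __name__ == "__main__":
    print(demo())
```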
CN201210574593.3A 2012-12-26 2012-12-26 The implementation method of session handshake between built-in terminal based on secure digital certificate Expired - Fee Related CN103905384B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201210574593.3A CN103905384B (en) 2012-12-26 2012-12-26 The implementation method of session handshake between built-in terminal based on secure digital certificate

Publications (2)

Publication Number Publication Date
CN103905384A (en) 2014-07-02
CN103905384B CN103905384B (en) 2017-11-24

Family

ID=50996540

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201210574593.3A Expired - Fee Related CN103905384B (en) 2012-12-26 2012-12-26 The implementation method of session handshake between built-in terminal based on secure digital certificate

Country Status (1)

Country Link
CN (1) CN103905384B (en)

Also Published As

Publication number Publication date
CN103905384B (en) 2017-11-24

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
CP01 Change in the name or title of a patent holder

Address after: 100102 Beijing city Chaoyang District Wangjing Lize Park No. 101 Qiming International Building 7

Patentee after: BEIJING WATCHDATA Co.,Ltd.

Address before: 100102 Beijing city Chaoyang District Wangjing Lize Park No. 101 Qiming International Building 7

Patentee before: BEIJING WATCH DATA SYSTEM Co.,Ltd.

CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20171124

Termination date: 20211226