CN104580172A - Data communication method and device based on https (hypertext transfer protocol over secure socket layer) - Google Patents


Info

Publication number
CN104580172A
Authority
CN
China
Prior art keywords
certificate
server
digital
browser
root
Legal status
Granted
Application number
CN201410823078.3A
Other languages
Chinese (zh)
Other versions
CN104580172B (en)
Inventor
熊鹏
王天平
Current Assignee
Beijing Qihoo Technology Co Ltd
Original Assignee
Beijing Qihoo Technology Co Ltd
Qizhi Software Beijing Co Ltd
Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 67/00 Network arrangements or protocols for supporting network services or applications
    • H04L 67/01 Protocols
    • H04L 67/02 Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L 63/0823 Network architectures or network communication protocols for network security for authentication of entities using certificates


Abstract

The invention discloses a data communication method and device based on HTTPS (hypertext transfer protocol over secure socket layer). The method comprises the following steps: an access request to a server is initiated on the browser side based on HTTPS; the server's digital certificate, returned by the server for the access request, is received; it is judged whether the root certificate of the server's digital certificate was issued by a root certificate authority trusted by the current operating system on which the browser runs; if not, it is judged whether the root certificate of the server's digital certificate was issued by a root certificate authority trusted by the browser; if so, the browser and the server determine encrypted communication information and communicate with each other using it. With this data communication method and device, the ways of authenticating digital certificates are enriched, and the probability that a server's digital certificate passes authentication is increased.

Description

Data communication method and device based on the HTTPS protocol
Technical field
The present invention relates to the technical field of browsers, and specifically to a data communication method based on the HTTPS protocol and a data communication device based on the HTTPS protocol.
Background technology
With the rapid development and spread of the Internet, more and more business depends on network technology, and the most widely used network application is the browser: users browse web pages, upload and download files with it. Under normal circumstances the browser and the server communicate over HTTP (Hypertext Transfer Protocol), but HTTP by default has no encryption measures at all; every message is transmitted over the network in plaintext, so confidential and sensitive information is easily leaked. To strengthen the security of browser applications, HTTPS (Hypertext Transfer Protocol over Secure Socket Layer, an HTTP channel whose goal is security) emerged. HTTPS is a secure HTTP protocol built on top of HTTP, and can therefore be called the secure hypertext transfer protocol. HTTP sits directly on top of TCP, whereas HTTPS inserts an encryption layer, SSL (Secure Socket Layer), between HTTP and TCP. On the sending side this layer encrypts the HTTP content before handing it to TCP below; on the receiving side it decrypts the data delivered by TCP and restores the HTTP content.
Before any data is transmitted, HTTPS requires a handshake between the SSL client (the browser) and the SSL server to establish the encryption information both sides will use to encrypt the transmitted data. During the handshake the SSL server returns its own SSL digital certificate to the SSL client. After the SSL client receives the certificate information, it verifies whether the server's digital certificate was issued by a trusted CA (Certificate Authority). If not, the source of the digital certificate is not an authoritative institution (for example, an individual can make a certificate and deploy it on a phishing website disguised as a legitimate page), so the safety and reliability of the web page cannot be guaranteed, and the SSL client displays a risk warning on its interface.
At present, the client verifies the legitimacy of the server's digital certificate against the reliable certification authorities that the operating system stores and has certified. After the client obtains the root certificate of the server's digital certificate, it searches for that root certificate among the root certification authorities trusted by the operating system. If the search succeeds, the digital certificate returned by the server is reliable; otherwise, the digital certificate returned by the server is untrustworthy.
However, the root certificates of some reliable CAs have not been certified by the operating system, so the client ultimately treats the site certificates issued by those reliable CAs as risky websites. For example, the certificate of "https://kyfw.12306.cn" is issued by the Sinorail Certification Authority, which has not been certified by the operating system and is therefore not among the root certification authorities trusted by the operating system, so the client displays a risk warning. In fact, however, both the certificate of the kyfw.12306.cn website and the website itself belong to the Chinese Ministry of Railways and are trustworthy.
Summary of the invention
In view of the above problems, the present invention is proposed to provide a data communication method based on the HTTPS protocol, and a corresponding data communication device based on the HTTPS protocol, that overcome the above problems or at least partly solve them.
According to one aspect of the present invention, a data communication method based on the HTTPS protocol is provided, the method comprising:
initiating, on the browser side, an access request to a server based on the HTTPS protocol;
receiving the digital certificate of the server that the server returns for the access request;
judging whether the root certificate of the server's digital certificate was issued by a root certification authority trusted by the current operating system on which the browser runs;
if not, judging whether the root certificate of the server's digital certificate was issued by a root certification authority trusted by the browser;
if the root certificate of the server's digital certificate was issued by a root certification authority trusted by the browser, the browser and the server determining communication encryption information and communicating using that communication encryption information.
Optionally, the root certification authorities trusted by the browser are stored in a trusted certificate whitelist in the form of digital fingerprints, and the step of judging whether the root certificate of the server's digital certificate was issued by a root certification authority trusted by the browser comprises:
computing the digital fingerprint of the root certificate of the server's digital certificate using the Secure Hash Algorithm SHA1;
judging whether the trusted certificate whitelist contains a digital fingerprint consistent with the digital fingerprint of the root certificate of the server's digital certificate.
Optionally, the trusted certificate whitelist is stored locally and/or on a first server, and the step of judging whether the trusted certificate whitelist contains a digital fingerprint consistent with the digital fingerprint of the root certificate of the server's digital certificate comprises:
searching the locally stored trusted certificate whitelist for a digital fingerprint consistent with the digital fingerprint of the root certificate of the server's digital certificate;
if one is found, judging that the root certificate of the server's digital certificate was issued by a root certification authority trusted by the browser;
if none is found, generating a query request from the digital fingerprint of the root certificate of the server's digital certificate;
sending the query request to the first server, the first server being used to search its latest trusted certificate whitelist, according to the query request, for a digital fingerprint consistent with the digital fingerprint of the root certificate of the server's digital certificate, and to send that digital fingerprint to the browser;
receiving the digital fingerprint consistent with the digital fingerprint of the root certificate of the server's digital certificate that the first server returns for the query request, storing that digital fingerprint in the locally stored trusted certificate whitelist, and continuing with the step of searching the locally stored trusted certificate whitelist for a digital fingerprint consistent with the digital fingerprint of the root certificate of the server's digital certificate.
Optionally, the step of judging whether the trusted certificate whitelist contains a digital fingerprint consistent with the digital fingerprint of the root certificate of the server's digital certificate further comprises:
if no digital fingerprint consistent with the digital fingerprint of the root certificate of the server's digital certificate is found in the first server's latest trusted certificate whitelist, judging that the root certificate of the server's digital certificate was not issued by a root certification authority trusted by the browser.
Optionally, the browser corresponds to a second server, the second server being a root certification authority that has been certified and trusted by the operating system; when the browser judges that the root certificate of the server's digital certificate was not issued by a root certification authority trusted by the browser, the second server is used to perform supplementary certification of the server and to re-issue a digital certificate to a server that passes the certification.
Optionally, the method further comprises:
if the root certificate of the server's digital certificate was not issued by a root certification authority trusted by the browser, generating warning prompt information;
displaying the warning prompt information on the browser side.
Optionally, the server's digital certificate further has digital certificate attribute information, and before the step in which the browser and the server determine communication encryption information and communicate using it, the method further comprises:
judging whether the digital certificate attribute information is legitimate;
if the digital certificate attribute information is legitimate, performing the step in which the browser and the server determine communication encryption information and communicate using it.
Optionally, the digital certificate attribute information comprises at least one of the following: the validity period of the digital certificate, and the website information of the server;
and the step of judging whether the digital certificate attribute information is legitimate comprises:
judging whether the current time falls within the validity period of the digital certificate and, if so, judging that the validity period of the digital certificate is legitimate;
and/or
if the website information of the server is consistent with the website information currently being accessed, judging that the website information of the server is legitimate.
Optionally, the method further comprises:
if the root certificate of the server's digital certificate is judged to have been issued by a trusted root certification authority, displaying in the browser's address bar the authenticating-party information indicating who certified the root certificate of the server's digital certificate, the authenticating-party information comprising operating system certification or browser certification.
According to another aspect of the present invention, a data communication device based on the HTTPS protocol is provided, the device comprising:
an access request initiation module, adapted to initiate, on the browser side, an access request to a server based on the HTTPS protocol;
a digital certificate receiving module, adapted to receive the digital certificate of the server that the server returns for the access request;
a first judging module, adapted to judge whether the root certificate of the server's digital certificate was issued by a root certification authority trusted by the current operating system on which the browser runs;
a second judging module, adapted, when the root certificate of the server's digital certificate was not issued by a root certification authority trusted by the current operating system on which the browser runs, to judge whether the root certificate of the server's digital certificate was issued by a root certification authority trusted by the browser;
a communication module, adapted, when the root certificate of the server's digital certificate was issued by a root certification authority trusted by the browser, to have the browser and the server determine communication encryption information and communicate using that communication encryption information.
Optionally, the root certification authorities trusted by the browser are stored in a trusted certificate whitelist in the form of digital fingerprints, and the second judging module comprises:
a digital fingerprint calculation sub-module, adapted to compute the digital fingerprint of the root certificate of the server's digital certificate using the Secure Hash Algorithm SHA1;
a digital fingerprint matching sub-module, adapted to judge whether the trusted certificate whitelist contains a digital fingerprint consistent with the digital fingerprint of the root certificate of the server's digital certificate.
Optionally, the trusted certificate whitelist is stored locally and/or on a first server, and the digital fingerprint matching sub-module is further adapted to:
search the locally stored trusted certificate whitelist for a digital fingerprint consistent with the digital fingerprint of the root certificate of the server's digital certificate;
if one is found, judge that the root certificate of the server's digital certificate was issued by a root certification authority trusted by the browser;
if none is found, generate a query request from the digital fingerprint of the root certificate of the server's digital certificate;
send the query request to the first server, the first server being used to search its latest trusted certificate whitelist, according to the query request, for a digital fingerprint consistent with the digital fingerprint of the root certificate of the server's digital certificate, and to send that digital fingerprint to the browser;
receive the digital fingerprint consistent with the digital fingerprint of the root certificate of the server's digital certificate that the first server returns for the query request, store that digital fingerprint in the locally stored trusted certificate whitelist, and continue with the step of searching the locally stored trusted certificate whitelist for a digital fingerprint consistent with the digital fingerprint of the root certificate of the server's digital certificate.
Optionally, the digital fingerprint matching sub-module is further adapted to:
if no digital fingerprint consistent with the digital fingerprint of the root certificate of the server's digital certificate is found in the first server's latest trusted certificate whitelist, judge that the root certificate of the server's digital certificate was not issued by a root certification authority trusted by the browser.
Optionally, the browser corresponds to a second server, the second server being a root certification authority that has been certified and trusted by the operating system; when the browser judges that the root certificate of the server's digital certificate was not issued by a root certification authority trusted by the browser, the second server is used to perform supplementary certification of the server and to re-issue a digital certificate to a server that passes the certification.
Optionally, the device further comprises:
an information generation module, adapted to generate warning prompt information when the root certificate of the server's digital certificate was not issued by a root certification authority trusted by the browser;
a prompting module, adapted to display the warning prompt information on the browser side.
Optionally, the server's digital certificate further has digital certificate attribute information, and before the step in which the browser and the server determine communication encryption information and communicate using it, the device further comprises:
a third judging module, adapted to judge whether the digital certificate attribute information is legitimate.
Optionally, the digital certificate attribute information comprises at least one of the following: the validity period of the digital certificate, and the website information of the server;
and the third judging module is further adapted to:
judge whether the current time falls within the validity period of the digital certificate and, if so, judge that the validity period of the digital certificate is legitimate;
and/or
if the website information of the server is consistent with the website information currently being accessed, judge that the website information of the server is legitimate.
Optionally, the device further comprises:
an authenticating-party information display module, adapted, when the root certificate of the server's digital certificate is judged to have been issued by a trusted root certification authority, to display in the browser's address bar the authenticating-party information indicating who certified the root certificate of the server's digital certificate, the authenticating-party information comprising operating system certification or browser certification.
In the embodiments of the present invention, when the browser receives the server's digital certificate returned by the server, if the browser judges that the root certificate of the server's digital certificate was not issued by a root certification authority trusted by the current operating system on which the browser runs, the browser further judges whether the root certificate was issued by a root certification authority trusted by the browser; if so, the server's digital certificate is judged to be trusted, and the browser and the server then determine communication encryption information and communicate using it. On the basis of the current operating system's certification of the root certificate of the server's digital certificate, a supplementary browser certification process is added. This enriches the ways in which a digital certificate can be certified, increases the probability that a server's digital certificate passes certification, and reduces the cases in which a server that should be trusted fails operating system certification and is treated as a dangerous server because the operating system's list of trusted certification authorities is updated slowly.
The above description is only an overview of the technical solution of the present invention. In order that the technical means of the present invention can be better understood and implemented according to the content of the specification, and in order to make the above and other objects, features and advantages of the present invention more apparent, specific embodiments of the present invention are set out below.
Brief description of the drawings
By reading the detailed description of the preferred embodiments below, various other advantages and benefits will become clear to those of ordinary skill in the art. The drawings are only for the purpose of illustrating the preferred embodiments and are not to be considered as limiting the present invention. Throughout the drawings, identical parts are denoted by identical reference symbols. In the drawings:
Fig. 1 shows a flowchart of the steps of embodiment one of a data communication method based on the HTTPS protocol according to an embodiment of the present invention;
Fig. 2 shows a flowchart of the steps of embodiment two of a data communication method based on the HTTPS protocol according to an embodiment of the present invention;
Fig. 3 shows a digital certificate path diagram for embodiment two of a data communication method based on the HTTPS protocol according to an embodiment of the present invention;
Fig. 4 shows a certificate management interface diagram for embodiment two of a data communication method based on the HTTPS protocol according to an embodiment of the present invention;
Fig. 5 shows a first warning prompt interface diagram for embodiment two of a data communication method based on the HTTPS protocol according to an embodiment of the present invention;
Fig. 6 shows a second warning prompt interface diagram for embodiment two of a data communication method based on the HTTPS protocol according to an embodiment of the present invention;
Fig. 7 shows a structural block diagram of an embodiment of a data communication device based on the HTTPS protocol according to an embodiment of the present invention.
Detailed description
Exemplary embodiments of the present disclosure are described in more detail below with reference to the accompanying drawings. Although the drawings show exemplary embodiments of the present disclosure, it should be understood that the present disclosure can be realized in various forms and should not be limited by the embodiments set forth here. Rather, these embodiments are provided so that the present disclosure can be understood more thoroughly and so that the scope of the present disclosure can be fully conveyed to those skilled in the art.
With reference to Fig. 1, a flowchart of the steps of embodiment one of a data communication method based on the HTTPS protocol according to an embodiment of the present invention is shown, which may comprise the following steps:
Step 101: initiating, on the browser side, an access request to a server based on the HTTPS protocol;
Step 102: receiving the digital certificate of the server that the server returns for the access request;
Step 103: judging whether the root certificate of the server's digital certificate was issued by a root certification authority trusted by the current operating system on which the browser runs;
Step 104: if the root certificate of the server's digital certificate was not issued by a root certification authority trusted by the current operating system on which the browser runs, judging whether the root certificate of the server's digital certificate was issued by a root certification authority trusted by the browser;
Step 105: if the root certificate of the server's digital certificate was issued by a root certification authority trusted by the browser, the browser and the server determining communication encryption information and communicating using that communication encryption information.
In the embodiments of the present invention, when the browser receives the server's digital certificate returned by the server, if the browser judges that the root certificate of the server's digital certificate was not issued by a root certification authority trusted by the current operating system on which the browser runs, the browser further judges whether the root certificate was issued by a root certification authority trusted by the browser; if so, the server's digital certificate is judged to be trusted, and the browser and the server then determine communication encryption information and communicate using it. On the basis of the current operating system's certification of the root certificate of the server's digital certificate, a supplementary browser certification process is added. This enriches the ways in which a digital certificate can be certified, increases the probability that a server's digital certificate passes certification, and reduces the cases in which a server that should be trusted fails operating system certification and is treated as a dangerous server because the operating system's list of trusted certification authorities is updated slowly.
With reference to Fig. 2, show the flow chart of steps of a kind of data communications method embodiment two based on https agreement of one embodiment of the invention, can comprise the steps:
Step 201, initiates the access request to server in browser side based on Https agreement;
Https agreement is by the procotol of the be encrypted transmission of SSL and Http protocol construction, authentication, than Http protocol security.
In specific implementation, when user triggers Https link (such as in browser side, click Https link or link at address field input Https) time, browser generates the access request based on Https agreement for this trigger action, and this access request is sent in 443 ports (Https uses port 443, instead of uses port 80 to communicate as Http) of server corresponding to this Https link.Wherein, Https link is a kind of with the URL of https beginning, such as " https//kyfw.12306.cn ".
In specific implementation, browser is sent to the access request of server except comprising Https link, the encryption rule that browser can be supported can also be comprised, and the most information such as top version number, compression algorithm list of SSL that browser can be supported, wherein, this encryption rule can comprise one or more enciphering and deciphering algorithms.
Step 202, receives the digital certificate of the described server that described server returns for described access request;
Adopt the server of HTTPS agreement must have a set of digital certificate, after server receives access request, for this access request, to the digital certificate of browser return service device.Wherein, digital certificate is exactly the string number indicating communication each side identity information in internet communication, provides a kind of mode verifying communication entity identity on the internet, and it acts on the identity card in the driving license or daily life being similar to driver.
The digital certificate of server is installed on server apparatus, and being used for proves the identity of server and carry out communication encryption, to prevent swindle fishing website.
Digital certificate is by certificate authority (Certificate Authority is called for short CA) center distribution.Digital certificate can comprise following information: attribute information of the information (mark of such as CA) of the group encryption/decryption algorithm that server is selected from the encryption rule that browser is sent and HASH algorithm, PKI, Certificate Authority CA, digital certificate path and digital certificate etc.
Wherein, the attribute information of digital certificate can comprise the useful life scope (comprising the time interval of effective initial time and effective termination time composition) of digital certificate, the website information of server etc.
As shown in the digital certificate path schematic diagram of Fig. 3, the certification path of the digital certificate that server returns can comprise two parts, a part is that (root certificate is the certificate that Certificate Authority CA issues to oneself for the root certificate of this digital certificate, installation root certificate means the trust to this CA), namely the SRCA in Fig. 3, another part is the sub-certificate based on this root certificate, i.e. the digital certificate of this station server of KYFW.12306.cn use.
After browser receives the digital certificate of the server that server returns, the safe transmission layer protocol (TLS) of browser can be adopted to resolve digital certificate, to judge that whether digital certificate is effective, such as, judge whether digital certificate is that the certification authority CA trusted by browser issues; And judge that whether the attribute information of digital certificate is legal etc.Wherein, in the embodiment of the present invention, browser judges that whether digital certificate is that the process issued of the certification authority CA trusted by browser is as shown in step 203-step 204.
Step 203: judge whether the root certificate of the server's digital certificate was issued by a root certification authority trusted by the operating system on which the browser runs; if not, perform step 204; if so, perform step 206.
After receiving the server's digital certificate, the browser can obtain the corresponding root certificate from it, for example by taking the root of the certification path, and then judge whether that root certificate was issued by a root authority trusted by the browser's current operating system.
Specifically, the operating system has a certificate-management module that stores the certificates of the authoritative CAs certified by the operating system vendor; these certificates are treated as trusted. In Windows, for example, running the certmgr.msc command opens the certificate-management console shown in Fig. 4, and the certificates listed under its "Trusted Root Certification Authorities" node are those issued by CAs certified through the Windows system.
The browser reads the data in the certificate-management module of its current operating system and judges whether the root certificate of the digital certificate returned by the server is present under the "Trusted Root Certification Authorities" node. If it is, the digital certificate is judged to have been issued by a CA trusted by the current operating system; otherwise, it is judged not to have been. Note that membership of the root in the store only settles the trust anchor; the signatures along the chain from the server certificate up to that root still have to be verified by the TLS implementation for the anchor to mean anything.
Step 204: judge whether the root certificate of the server's digital certificate was issued by a root certification authority trusted by the browser; if not, perform step 205; if so, perform step 206.
In the embodiment of the present invention, the browser stores a trusted-certificate whitelist, which records the information of one or more certification authorities that the browser itself has vetted and trusts. The whitelist can be compiled by manually auditing and admitting certificate-issuing organizations. In one embodiment it can also be built as follows: the browser is associated with a second server, which belongs to one of the root CAs trusted through operating-system certification. When the browser determines that the root certificate of the server's digital certificate was not issued by a CA trusted by the browser's operating system, the browser records the information of that server and sends it to the second server; the second server performs supplementary authentication of the server and, for servers that pass, issues a new digital certificate, and the new certificate is then stored in the browser's trusted-certificate whitelist. The whitelist can of course be obtained in other ways as well; the embodiment of the present invention does not need to limit this.
In a preferred embodiment of the present invention, step 204 can comprise the following sub-steps:
Sub-step S11: compute the digital fingerprint of the root certificate of the server's digital certificate with the Secure Hash Algorithm SHA-1;
Once the browser has obtained the root certificate of the digital certificate returned by the server, it can compute that root certificate's digital fingerprint with the Secure Hash Algorithm (SHA-1). SHA-1 is chiefly used with the Digital Signature Algorithm (DSA) defined in the Digital Signature Standard (DSS). For a message shorter than 2^64 bits it produces a 160-bit message digest (the digital fingerprint), which can be used to verify the integrity of data. SHA-1 has since been shown not to be collision resistant; an implementation written today would fingerprint with SHA-256, and the matching procedure below does not depend on which digest is used.
Sub-step S12: judge whether the trusted-certificate whitelist contains a digital fingerprint identical to the digital fingerprint of the root certificate of the server's digital certificate.
In the trusted-certificate whitelist, the root authorities trusted by the browser are stored in the form of digital fingerprints. After computing the fingerprint of the root certificate of the server's digital certificate, the browser looks that fingerprint up in the trusted-certificate whitelist.
In a preferred embodiment of the present invention, sub-step S12 can further comprise the following sub-steps:
Sub-step S121: search the locally stored trusted-certificate whitelist for a digital fingerprint identical to that of the root certificate of the server's digital certificate; if found, perform sub-step S122; if not, perform sub-step S123;
Sub-step S122: judge that the root certificate of the server's digital certificate was issued by a root authority trusted by the browser;
Sub-step S123: generate a query request from the digital fingerprint of the root certificate of the server's digital certificate;
Sub-step S124: send the query request to a first server, which searches its latest trusted-certificate whitelist for a digital fingerprint identical to that of the root certificate of the server's digital certificate and sends that digital fingerprint back to the browser;
Sub-step S125: receive the digital fingerprint that the first server returns for the query request, store it in the locally stored trusted-certificate whitelist, and continue with sub-step S121.
In practice, the trusted-certificate whitelist can be stored locally, on a first server associated with the browser, or both. To save round trips and reduce query load on the first server, the browser first searches its local whitelist for a fingerprint identical to that of the root certificate of the server's digital certificate; on a hit, it determines that the root certificate was issued by a root authority trusted by the browser, and otherwise it generates a query request from the fingerprint and sends it to the first server.
On receiving the query request, the first server searches its latest trusted-certificate whitelist for a fingerprint identical to that of the root certificate of the server's digital certificate and returns the match to the browser. The browser stores the returned fingerprint in its local whitelist and repeats the local match. Because the local whitelist now contains a fingerprint identical to that of the root certificate, the browser can determine that the root certificate of the server's digital certificate was issued by a root authority trusted by the browser.
If the browser determines that the root certificate of the server's digital certificate was issued by a root authority trusted by the browser, it determines that the server's digital certificate is trusted.
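The two-tier lookup of sub-steps S121 to S125, together with the mismatch case handled in step 205, written out as an added example in Python. This is not code from the patent or from any Qihoo product; the class and function names (FingerprintWhitelist, first_server_lookup) are assumptions, the "first server" is simulated by a local function, and the root-certificate bytes are constructed stand-ins rather than real DER. The patent specifies SHA-1 for the fingerprint, so that is the default, with SHA-256 selectable. One caveat the description leaves open: whatever the first server returns is written into the local whitelist, so the query channel must itself be authenticated; the example caches a reply only if it echoes the queried fingerprint exactly, which narrows but does not remove that dependency.

```python
import hashlib
import hmac
from typing import Callable, Optional, Set

# Constructed stand-ins for the DER encoding of two root certificates. A real
# fingerprint is taken over the certificate's complete DER bytes; these bytes
# are arbitrary and exist only to drive the lookup logic offline.
TRUSTED_ROOT_DER = b"\x30\x82\x04\x00" + b"constructed root certificate of a browser-trusted CA"
UNKNOWN_ROOT_DER = b"\x30\x82\x04\x00" + b"constructed root certificate of a CA nobody vouches for"


def fingerprint(der: bytes, algorithm: str = "sha1") -> str:
    """Digital fingerprint as the description defines it: a hash over the root
    certificate's DER bytes. SHA-1 is what the patent specifies; SHA-256 is the
    digest a current implementation would pin against, so it is selectable."""
    return hashlib.new(algorithm, der).hexdigest()


class FingerprintWhitelist:
    """Browser-side trusted-certificate whitelist: a local set of fingerprints
    plus a lookup function standing in for the 'first server' that holds the
    latest list (hypothetical interface; the patent does not name one)."""

    def __init__(self, local: Set[str], remote_lookup: Callable[[str], Optional[str]]):
        self.local = set(local)
        self.remote_lookup = remote_lookup
        self.remote_queries = 0  # exposes when the network path was taken

    def _in_local(self, fp: str) -> bool:
        # Constant-time comparison per entry so the match does not leak
        # how much of the fingerprint agreed.
        return any(hmac.compare_digest(fp, stored) for stored in self.local)

    def is_trusted_root(self, root_der: bytes) -> bool:
        fp = fingerprint(root_der)
        if self._in_local(fp):                 # S121 hit -> S122
            return True
        self.remote_queries += 1                # S123/S124: query the first server
        answer = self.remote_lookup(fp)
        if answer is None:                      # first server reports a mismatch
            return False
        if not hmac.compare_digest(answer, fp):
            # Only an exact echo of the queried fingerprint is cached; any other
            # value is treated as a mismatch rather than written into the list.
            return False
        self.local.add(answer)                  # S125: cache, then repeat S121
        return self._in_local(fp)


# Constructed 'latest whitelist' held by the simulated first server.
FIRST_SERVER_WHITELIST = {fingerprint(TRUSTED_ROOT_DER)}


def first_server_lookup(fp: str) -> Optional[str]:
    """Stand-in for the first server: echo the fingerprint on a hit, None on a miss."""
    return fp if fp in FIRST_SERVER_WHITELIST else None


def demo_whitelist_lookup():
    wl = FingerprintWhitelist(local=set(), remote_lookup=first_server_lookup)
    first = wl.is_trusted_root(TRUSTED_ROOT_DER)    # local miss, first-server hit, cached
    second = wl.is_trusted_root(TRUSTED_ROOT_DER)   # served from the local list
    unknown = wl.is_trusted_root(UNKNOWN_ROOT_DER)  # miss everywhere: warning path
    return first, second, unknown, wl.remote_queries


if __name__ == "__main__":
    print(demo_whitelist_lookup())  # (True, True, False, 2)
```

Running the module prints (True, True, False, 2): the first lookup misses locally and is answered by the first server, the second is served from the cached entry without a round trip, and the unknown root fails both tiers, which is the point at which the warning of step 205 would be shown.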
Step 205: the browser generates a warning prompt and displays it on the browser side;
If no fingerprint identical to that of the root certificate of the server's digital certificate is found in the first server's latest trusted-certificate whitelist, the first server can generate mismatch information and send it to the browser. From the mismatch information the browser judges that the root certificate of the server's digital certificate was not issued by a root authority trusted by the browser, and it can then generate a warning prompt and show it to the user, warning that the digital certificate corresponding to this server cannot be trusted and asking whether the user wishes to continue. In one embodiment the warning takes the form of an untrusted marker that the browser adds to the https link in the address bar, as shown in Fig. 5. In another embodiment the warning is a dialog as shown in Fig. 6; if the user chooses in that dialog to accept the untrusted server and continue browsing the website, step 206 is performed. In that case the connection proceeds with a certificate that no trust anchor has vouched for.
Further, if the browser determines that the root certificate of the server's digital certificate was not issued by a root authority trusted by the browser, it can also record the digital certificate and/or the server's domain name and send them to the second server, which performs supplementary authentication of the server and, once authentication passes, issues a new digital certificate for it. This supplementary authentication widens the channels through which a server's digital certificate can be authenticated and improves authentication efficiency.
Step 206: said browser and said server determine communication-encryption information and communicate using it.
After the browser has judged that the digital certificate of the server currently being accessed is trusted, it further judges whether the attribute information of that digital certificate is legal, in at least one of the following ways: judging whether the current time lies within the validity period of the digital certificate, and if so judging the validity period legal; and judging whether the website information of the server (the host name in the certificate) matches the website currently being accessed, and if so judging the website information legal.
If the browser judges that the digital certificate of the server currently being accessed is trusted and that its attribute information is legal, it judges the digital certificate to be valid. The browser can then display in its address bar which party authenticated the root certificate of the server's digital certificate, that is, whether it was the operating system or the browser.
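The two attribute checks of this step, as an added Python example that is not part of the patent or of any browser's code. The validity check is a plain UTC interval test. The website check implements the host-name matching rule current TLS clients apply to the certificate's subjectAltName DNS entries (case-insensitive, wildcard only as the whole leftmost label and covering exactly one label), which is a stricter reading than the page's "consistent with the website currently being accessed". The sample certificate names, dates and the function names are constructed assumptions; the host kyfw.12306.cn is the one shown in Fig. 3. IP-address entries and internationalised names are outside this example.

```python
from datetime import datetime, timezone
from typing import Iterable, Tuple


def within_validity(now: datetime, not_before: datetime, not_after: datetime) -> bool:
    """Validity-period check: notBefore <= now <= notAfter. All values are
    timezone-aware UTC so a skewed local offset cannot be misread."""
    return not_before <= now <= not_after


def _name_matches(pattern: str, host: str) -> bool:
    """Match one requested host against one certificate name. A wildcard is
    honoured only as the entire leftmost label and spans exactly one label:
    '*.12306.cn' covers 'kyfw.12306.cn' but not '12306.cn' or 'a.b.12306.cn'."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    if len(p_labels) != len(h_labels) or len(p_labels) < 3:
        return False  # rejects '*.cn'-style wildcards and label-count mismatches
    return p_labels[1:] == h_labels[1:]


def hostname_matches(requested_host: str, cert_dns_names: Iterable[str]) -> bool:
    """Website-information check: the host the user navigated to must be one of
    the DNS names the certificate was issued for (its subjectAltName entries)."""
    return any(_name_matches(name, requested_host) for name in cert_dns_names)


def attributes_legal(requested_host: str, cert_dns_names: Iterable[str],
                     now: datetime, not_before: datetime, not_after: datetime) -> Tuple[bool, str]:
    """Combine both checks and report which one failed, for the warning prompt."""
    if not within_validity(now, not_before, not_after):
        return False, "validity period"
    if not hostname_matches(requested_host, cert_dns_names):
        return False, "hostname"
    return True, "ok"


# Constructed sample: a certificate for kyfw.12306.cn (the host of Fig. 3) with
# an invented one-year validity window. The dates are assumptions, not the real ones.
SAMPLE_NAMES = ["kyfw.12306.cn", "*.12306.cn"]
SAMPLE_NOT_BEFORE = datetime(2014, 1, 1, tzinfo=timezone.utc)
SAMPLE_NOT_AFTER = datetime(2015, 1, 1, tzinfo=timezone.utc)


def demo_attribute_checks():
    in_window = datetime(2014, 6, 1, tzinfo=timezone.utc)
    after_window = datetime(2016, 1, 1, tzinfo=timezone.utc)
    ok = attributes_legal("KYFW.12306.cn", SAMPLE_NAMES, in_window,
                          SAMPLE_NOT_BEFORE, SAMPLE_NOT_AFTER)
    # constructed attacker-controlled name that merely starts with the real host
    wrong_host = attributes_legal("kyfw.12306.cn.attacker.example", SAMPLE_NAMES, in_window,
                                  SAMPLE_NOT_BEFORE, SAMPLE_NOT_AFTER)
    expired = attributes_legal("kyfw.12306.cn", SAMPLE_NAMES, after_window,
                               SAMPLE_NOT_BEFORE, SAMPLE_NOT_AFTER)
    return ok, wrong_host, expired


if __name__ == "__main__":
    print(demo_attribute_checks())
```

A wildcard that would cover a whole public suffix, such as *.cn, is rejected by the label-count minimum, and a longer host that merely begins with the certified name fails because the label counts differ, not because of a substring search; both are cases a naive "does the site name appear in the certificate" comparison gets wrong.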
Meanwhile, once the browser judges the server's digital certificate to be valid, the browser and the server determine the communication-encryption information. One way of doing so is as follows:
If the browser judges the digital certificate to be trusted, or the user accepts an untrusted digital certificate, the browser generates a random secret (a string of random bytes) and encrypts it with the public key contained in the digital certificate. The browser then computes a HASH over the handshake messages with the agreed HASH algorithm, encrypts the handshake message with the random secret, and sends the public-key-encrypted secret together with the handshake message encrypted under that secret to the server. On receiving the browser's message, the server decrypts it with its own private key to recover the random secret, decrypts the handshake message sent by the browser with that secret, computes the HASH of the handshake message with the HASH algorithm and verifies that it agrees with what the browser sent; if it does, the server encrypts a handshake message of its own with the random secret and sends it to the browser. The browser decrypts it and computes the HASH of the handshake message; if it agrees with the HASH sent by the server, the handshake is complete, and all subsequent communication data between browser and server is encrypted with a symmetric algorithm under the random secret generated earlier by the browser. This exchange corresponds to the RSA key exchange of TLS up to version 1.2: only the holder of the private key matching the certified public key can recover the secret, which is why the trust decision on the certificate in steps 203 to 205 determines whose server the browser is actually talking to. The RSA key exchange offers no forward secrecy and was removed in TLS 1.3 in favour of ephemeral (EC)DHE key agreement.
In the embodiment of the present invention, supplementary browser-side authentication is added on top of the current operating system's authentication of the root certificate of the server's digital certificate. This enriches the ways in which a digital certificate can be authenticated and increases the probability that a server's digital certificate passes authentication; while still safeguarding the user's online security, it reduces the number of warnings the user receives, keeps browsing smooth, and improves the user experience.
For the sake of simple description, the method embodiments are all expressed as a series of combined actions, but those skilled in the art should understand that the present invention is not limited by the described order of actions, since according to the present invention some steps can be performed in other orders or simultaneously. Those skilled in the art should also understand that the embodiments described in the specification are all preferred embodiments, and that the actions and modules involved are not necessarily required by the present invention.
Referring to Fig. 7, a structural block diagram of an embodiment of a data communication device based on the https protocol according to one embodiment of the present invention is shown; it can comprise the following modules:
Access-request initiation module 701, adapted to initiate an access request to a server from the browser side based on the Https protocol;
Digital-certificate receiving module 702, adapted to receive the digital certificate of said server that said server returns for said access request;
First judging module 703, adapted to judge whether the root certificate of the digital certificate of said server was issued by a root certification authority trusted by the current operating system on which the browser runs;
Second judging module 704, adapted, when the root certificate of the digital certificate of said server was not issued by a root certification authority trusted by the browser's current operating system, to judge whether that root certificate was issued by a root certification authority trusted by the browser;
Communication module 705, adapted, when the root certificate of the digital certificate of said server was issued by a root certification authority trusted by the browser, to have said browser and said server determine communication-encryption information and communicate using it.
In a preferred embodiment of the present invention, the root certification authorities trusted by said browser are stored in a trusted-certificate whitelist in the form of digital fingerprints, and said second judging module 704 comprises:
a digital-fingerprint computing sub-module, adapted to compute the digital fingerprint of the root certificate of the digital certificate of said server with the Secure Hash Algorithm SHA-1;
a digital-fingerprint matching sub-module, adapted to judge whether said trusted-certificate whitelist contains a digital fingerprint identical to the digital fingerprint of the root certificate of the digital certificate of said server.
In a preferred embodiment of the present invention, said trusted-certificate whitelist is stored locally and/or on a first server, and said digital-fingerprint matching sub-module is further adapted to:
search the locally stored trusted-certificate whitelist for a digital fingerprint identical to that of the root certificate of the digital certificate of said server;
if found, judge that the root certificate of the digital certificate of said server was issued by a root certification authority trusted by the browser;
if not found, generate a query request from the digital fingerprint of the root certificate of the digital certificate of said server;
send said query request to the first server, said first server being adapted to search its latest trusted-certificate whitelist, according to said query request, for a digital fingerprint identical to that of the root certificate of the digital certificate of said server and to send said digital fingerprint to the browser;
receive the digital fingerprint, identical to that of the root certificate of the digital certificate of said server, that the first server returns for said query request, store it in the locally stored trusted-certificate whitelist, and continue with the step of searching the locally stored trusted-certificate whitelist for a digital fingerprint identical to that of the root certificate of the digital certificate of said server.
In a preferred embodiment of the present invention, said digital-fingerprint matching sub-module is further adapted to:
if no digital fingerprint identical to that of the root certificate of the digital certificate of said server is found in the latest trusted-certificate whitelist of the first server, judge that the root certificate of the digital certificate of said server was not issued by a root certification authority trusted by the browser.
In a preferred embodiment of the present invention, said browser is associated with a second server, said second server being a root certification authority trusted through operating-system certification, and said second server is adapted, when the browser judges that the root certificate of the digital certificate of said server was not issued by a root certification authority trusted by the browser, to perform supplementary authentication of said server and to issue a new digital certificate for servers that pass authentication.
In a preferred embodiment of the present invention, said device further comprises:
an information generating module, adapted to generate warning prompt information when the root certificate of the digital certificate of said server was not issued by a root certification authority trusted by the browser;
a prompting module, adapted to display said warning prompt information on the browser side.
In a preferred embodiment of the present invention, the digital certificate of said server further has digital-certificate attribute information, and, before the step in which said browser and said server determine communication-encryption information and communicate using it, said device further comprises:
a third judging module, adapted to judge whether said digital-certificate attribute information is legal.
In a preferred embodiment of the present invention, said digital-certificate attribute information comprises at least one of the following: the validity period of said digital certificate, and the website information of the server;
and said third judging module is further adapted to:
judge whether the current time lies within the validity period of said digital certificate, and if so judge the validity period of said digital certificate legal;
and/or
if the website information of said server is consistent with the website currently being accessed, judge the website information of said server legal.
In a preferred embodiment of the present invention, said device further comprises:
an authenticating-party information display module, adapted, after judging that the root certificate of the digital certificate of said server was issued by a trusted root certification authority, to display in the address bar of the browser the authenticating-party information for the root certificate of the digital certificate of said server, said authenticating-party information indicating operating-system certification or browser certification.
Since the device embodiment of Fig. 7 is essentially similar to the method embodiment of Fig. 2, its description is kept brief; for the relevant details, see the description of the method embodiment.
The algorithms and displays provided herein are not inherently related to any particular computer, virtual system or other apparatus. Various general-purpose systems can also be used with the teaching herein. From the description above, the structure required to construct such systems is apparent. Moreover, the present invention is not directed to any particular programming language. It should be understood that the content of the present invention described herein can be implemented in various programming languages, and that the description of specific languages above is given to disclose the preferred embodiments of the present invention.
The specification provided herein describes a large number of specific details. It will be understood, however, that embodiments of the invention can be practised without these specific details. In some instances, well-known methods, structures and techniques are not shown in detail so as not to obscure the understanding of this description.
Similarly, it should be understood that, in order to streamline the disclosure and aid the understanding of one or more of the various inventive aspects, in the description of exemplary embodiments of the invention above, the various features of the invention are sometimes grouped together in a single embodiment, figure, or description thereof. This method of disclosure, however, is not to be interpreted as reflecting an intention that the claimed invention requires more features than are expressly recited in each claim. Rather, as the following claims reflect, inventive aspects lie in less than all features of a single foregoing disclosed embodiment. Thus, the claims following the detailed description are hereby expressly incorporated into this detailed description, with each claim standing on its own as a separate embodiment of the invention.
Those skilled in the art will appreciate that the modules in the devices of an embodiment can be adaptively changed and arranged in one or more devices different from that embodiment. The modules, units or components of an embodiment can be combined into one module, unit or component, and can moreover be divided into a plurality of sub-modules, sub-units or sub-components. Except where at least some of such features and/or processes or units are mutually exclusive, all features disclosed in this specification (including the accompanying claims, abstract and drawings) and all processes or units of any method or device so disclosed can be combined in any combination. Unless expressly stated otherwise, each feature disclosed in this specification (including the accompanying claims, abstract and drawings) can be replaced by an alternative feature serving the same, an equivalent or a similar purpose.
Furthermore, those skilled in the art will understand that, although some embodiments described herein include some features included in other embodiments but not other features, combinations of features of different embodiments are meant to be within the scope of the invention and form different embodiments. For example, in the following claims, any of the claimed embodiments can be used in any combination.
The component embodiments of the present invention can be implemented in hardware, in software modules running on one or more processors, or in a combination thereof. Those skilled in the art will understand that a microprocessor or digital signal processor (DSP) can be used in practice to implement some or all of the functions of some or all of the components of the https-based data communication device according to embodiments of the present invention. The present invention can also be implemented as a device or apparatus program (for example, a computer program and a computer program product) for performing part or all of the method described herein. Such a program implementing the present invention can be stored on a computer-readable medium, or can take the form of one or more signals. Such signals can be downloaded from an Internet website, provided on a carrier signal, or provided in any other form.
It should be noted that the above embodiments illustrate rather than limit the invention, and that those skilled in the art can design alternative embodiments without departing from the scope of the appended claims. In the claims, any reference signs placed between parentheses shall not be construed as limiting the claim. The word "comprising" does not exclude the presence of elements or steps not listed in a claim. The word "a" or "an" preceding an element does not exclude the presence of a plurality of such elements. The invention can be implemented by means of hardware comprising several distinct elements and by means of a suitably programmed computer. In a unit claim enumerating several means, several of these means can be embodied by one and the same item of hardware. The use of the words first, second, third and so on does not indicate any ordering; these words may be interpreted as names.
Embodiments of the invention disclose A1, a data communication method based on the https protocol, said method comprising:
initiating, from the browser side, an access request to a server based on the Https protocol;
receiving the digital certificate of said server that said server returns for said access request;
judging whether the root certificate of the digital certificate of said server was issued by a root certification authority trusted by the current operating system on which the browser runs;
if not, judging whether the root certificate of the digital certificate of said server was issued by a root certification authority trusted by the browser;
if the root certificate of the digital certificate of said server was issued by a root certification authority trusted by the browser, said browser and said server determining communication-encryption information and communicating using said communication-encryption information.
A2, the method of A1, wherein the root certification authorities trusted by said browser are stored in a trusted-certificate whitelist in the form of digital fingerprints, and the step of judging whether the root certificate of the digital certificate of said server was issued by a root certification authority trusted by the browser comprises:
computing the digital fingerprint of the root certificate of the digital certificate of said server with the Secure Hash Algorithm SHA-1;
judging whether said trusted-certificate whitelist contains a digital fingerprint identical to the digital fingerprint of the root certificate of the digital certificate of said server.
A3, the method of A2, wherein said trusted-certificate whitelist is stored locally and/or on a first server, and the step of judging whether said trusted-certificate whitelist contains a digital fingerprint identical to that of the root certificate of the digital certificate of said server comprises:
searching the locally stored trusted-certificate whitelist for a digital fingerprint identical to that of the root certificate of the digital certificate of said server;
if found, judging that the root certificate of the digital certificate of said server was issued by a root certification authority trusted by the browser;
if not found, generating a query request from the digital fingerprint of the root certificate of the digital certificate of said server;
sending said query request to the first server, said first server being adapted to search its latest trusted-certificate whitelist, according to said query request, for a digital fingerprint identical to that of the root certificate of the digital certificate of said server and to send said digital fingerprint to the browser;
receiving the digital fingerprint, identical to that of the root certificate of the digital certificate of said server, that the first server returns for said query request, storing it in the locally stored trusted-certificate whitelist, and continuing with the step of searching the locally stored trusted-certificate whitelist for a digital fingerprint identical to that of the root certificate of the digital certificate of said server.
A4, the method of A3, wherein the step of judging whether said trusted-certificate whitelist contains a digital fingerprint identical to that of the root certificate of the digital certificate of said server further comprises:
if no digital fingerprint identical to that of the root certificate of the digital certificate of said server is found in the latest trusted-certificate whitelist of the first server, judging that the root certificate of the digital certificate of said server was not issued by a root certification authority trusted by the browser.
A5, the method of A3 or A4, wherein said browser is associated with a second server, said second server being a root certification authority trusted through operating-system certification, and said second server is adapted, when the browser judges that the root certificate of the digital certificate of said server was not issued by a root certification authority trusted by the browser, to perform supplementary authentication of said server and to issue a new digital certificate for servers that pass authentication.
A6, the method of any of A1 to A4, further comprising:
if the root certificate of the digital certificate of said server was not issued by a root certification authority trusted by the browser, generating warning prompt information;
displaying said warning prompt information on the browser side.
A7, the method of A1 or A2, wherein the digital certificate of said server further has digital-certificate attribute information, and, before the step in which said browser and said server determine communication-encryption information and communicate using it, said method further comprises:
judging whether said digital-certificate attribute information is legal;
if said digital-certificate attribute information is legal, performing the step in which said browser and said server determine communication-encryption information and communicate using said communication-encryption information.
A8, the method of A7, wherein said digital-certificate attribute information comprises at least one of the following: the validity period of said digital certificate, and the website information of the server;
and the step of judging whether said digital-certificate attribute information is legal comprises:
judging whether the current time lies within the validity period of said digital certificate, and if so judging the validity period of said digital certificate legal;
and/or
if the website information of said server is consistent with the website currently being accessed, judging the website information of said server legal.
A9, the method of A1, further comprising:
if the root certificate of the digital certificate of said server is judged to have been issued by a trusted root certification authority, displaying in the address bar of the browser the authenticating-party information for the root certificate of the digital certificate of said server, said authenticating-party information indicating operating-system certification or browser certification.
Embodiments of the invention disclose B10, a kind of data communication equipment based on https agreement, and described device comprises:
Access request initiation module, is suitable for initiating the access request to server in browser side based on Https agreement;
Digital certificate receiver module, is suitable for the digital certificate receiving the described server that described server returns for described access request;
First judge module, the root authority whether the root certificate being suitable for the digital certificate judging described server is trusted by browser place current operation system issued;
Second judge module, be suitable for judge the root certificate of digital certificate of described server be not the root authority of being trusted by browser place current operation system issued time, judge that the root certificate of the digital certificate of described server is that the root authority that browser is trusted issued;
Communication module, be suitable for the root certificate of the digital certificate of described server be root authority that browser is trusted issue time, described browser is with described server determination communication encryption information and adopt described communication encryption information to communicate.
B11, device as described in B10, the root authority that described browser is trusted is stored in trusted certificate white list with the form of digital finger-print, and described second judge module comprises:
Digital finger-print calculating sub module, is suitable for adopting Secure Hash Algorithm SHA1 to calculate the digital finger-print of the root certificate of the digital certificate of described server;
Digital finger-print matched sub-block, is suitable for judging whether there is the digital finger-print consistent with the digital finger-print of the root certificate of the digital certificate of described server in described trusted certificate white list.
B12, device as described in B11, described trusted certificate white list is stored in this locality and/or first server, and described digital finger-print matched sub-block is also suitable for:
The trusted certificate white list stored in this locality searches whether there is the digital finger-print consistent with the digital finger-print of the root certificate of the digital certificate of described server;
If so, then judge that the root certificate of the digital certificate of described server is that the root authority that browser is trusted issued;
If not, then according to the digital finger-print generated query request of the root certificate of the digital certificate of described server;
Described inquiry request is sent to first server, described first server is used in the up-to-date trusted certificate white list of first server, searching the digital finger-print consistent with the digital finger-print of the root certificate of the digital certificate of described server according to described inquiry request, and described digital finger-print is sent to browser;
Receive the digital finger-print consistent with the digital finger-print of the root certificate of the digital certificate of described server that first server returns for described inquiry request, and described digital finger-print is stored in the trusted certificate white list of this locality storage, continue to perform the trusted certificate white list stored in this locality and searches the step that whether there is the digital finger-print consistent with the digital finger-print of the root certificate of the digital certificate of described server.
B13, device as described in B12, described digital finger-print matched sub-block also comprises:
If search less than the consistent digital finger-print of the digital finger-print of the root certificate of the digital certificate with described server in the trusted certificate white list that first server is up-to-date, then judge that the root certificate of the digital certificate of described server is not that the root authority that browser is trusted issued.
B14, device as described in B12 or B13, described browser is to having second server, described second server is the root authority of being trusted through operating system certification, described second server be used for browser judge the root certificate of the digital certificate of described server be not root authority that browser is trusted issue time, supplementary certification is carried out to described server, and for again to issue digital certificate by the server of certification.
B15, device as described in B10 or B11 or B12 or B13, also comprise:
Information generation module, be suitable for the root certificate of the digital certificate of described server be not root authority that browser is trusted issue time, generate warning prompt information;
Reminding module, is suitable for showing described warning prompt information in browser side.
B16, device as described in B10 or B11, the digital certificate of described server also has digital certificate attribute information, adopt before described communication encryption information carries out the step communicated at described browser with described server determination communication encryption information, described device also comprises:
3rd judge module, is suitable for judging that whether described digital certificate attribute information is legal.
B17, device as described in B16, described digital certificate attribute information at least comprises the one of following information: the useful life scope of described digital certificate, the website information of server;
Described 3rd judge module is also suitable for:
Judge that current time information is within the scope of the useful life of described digital certificate, if so, then judge that the useful life of described digital certificate is legal;
And/or
If the website information of described server is consistent with the website information of current accessed, then judge that the website information of described server is legal.
B18, device as described in B1, also comprise:
Authenticating party information display module, being suitable at the root certificate of the digital certificate judging described server is that the root authority of being trusted issued, in the address field of browser, then show the authenticating party information of the root certificate of the digital certificate of described server being carried out to certification, described authenticating party information comprises operating system certification or browser certification.

Claims (10)

1. A data communication method based on the https protocol, the method comprising:
initiating, on the browser side, an access request to a server based on the https protocol;
receiving the digital certificate of the server that the server returns for the access request;
judging whether the root certificate of the server's digital certificate was issued by a root authority trusted by the operating system on which the browser runs;
if not, judging whether the root certificate of the server's digital certificate was issued by a root authority trusted by the browser; and
if the root certificate of the server's digital certificate was issued by a root authority trusted by the browser, the browser determining communication encryption information with the server and communicating using that communication encryption information.
2. The method of claim 1, characterized in that the root authorities trusted by the browser are stored in a trusted certificate whitelist in the form of digital fingerprints, and the step of judging whether the root certificate of the server's digital certificate was issued by a root authority trusted by the browser comprises:
computing the digital fingerprint of the root certificate of the server's digital certificate using the secure hash algorithm SHA1; and
judging whether the trusted certificate whitelist contains a digital fingerprint matching the digital fingerprint of the root certificate of the server's digital certificate.
3. The method of claim 2, characterized in that the trusted certificate whitelist is stored locally and/or on a first server, and the step of judging whether the trusted certificate whitelist contains a digital fingerprint matching the digital fingerprint of the root certificate of the server's digital certificate comprises:
searching the locally stored trusted certificate whitelist for a digital fingerprint matching the digital fingerprint of the root certificate of the server's digital certificate;
if one is found, judging that the root certificate of the server's digital certificate was issued by a root authority trusted by the browser;
if none is found, generating a query request from the digital fingerprint of the root certificate of the server's digital certificate;
sending the query request to the first server, the first server being used to search its up-to-date trusted certificate whitelist, according to the query request, for a digital fingerprint matching the digital fingerprint of the root certificate of the server's digital certificate, and to send that digital fingerprint to the browser; and
receiving, from the first server in response to the query request, the digital fingerprint that matches the digital fingerprint of the root certificate of the server's digital certificate, storing that digital fingerprint in the locally stored trusted certificate whitelist, and returning to the step of searching the locally stored trusted certificate whitelist for a digital fingerprint matching the digital fingerprint of the root certificate of the server's digital certificate.
4. The method of claim 3, characterized in that the step of judging whether the trusted certificate whitelist contains a digital fingerprint matching the digital fingerprint of the root certificate of the server's digital certificate further comprises:
if no digital fingerprint matching the digital fingerprint of the root certificate of the server's digital certificate is found in the up-to-date trusted certificate whitelist of the first server, judging that the root certificate of the server's digital certificate was not issued by a root authority trusted by the browser.
5. The method of claim 3 or 4, characterized in that the browser is further provided with a second server; the second server is a root authority trusted by virtue of operating system certification, and is used, when the browser judges that the root certificate of the server's digital certificate was not issued by a root authority trusted by the browser, to carry out supplementary certification of the server and to issue a new digital certificate to a server that passes that certification.
6. The method of claim 1, 2, 3 or 4, characterized in that it further comprises:
if the root certificate of the server's digital certificate was not issued by a root authority trusted by the browser, generating warning prompt information; and
displaying the warning prompt information on the browser side.
7. The method of claim 1 or 2, characterized in that the server's digital certificate further carries digital certificate attribute information, and before the step in which the browser determines communication encryption information with the server and communicates using that communication encryption information, the method further comprises:
judging whether the digital certificate attribute information is legal; and
if the digital certificate attribute information is legal, performing the step in which the browser determines communication encryption information with the server and communicates using that communication encryption information.
8. The method of claim 7, characterized in that the digital certificate attribute information comprises at least one of the following: the validity period of the digital certificate, and the website information of the server;
and the step of judging whether the digital certificate attribute information is legal comprises:
judging whether the current time lies within the validity period of the digital certificate and, if so, judging that the validity period of the digital certificate is legal;
and/or
if the website information of the server matches the website information of the site currently being accessed, judging that the website information of the server is legal.
9. The method of claim 1, characterized in that it further comprises:
if the root certificate of the server's digital certificate is judged to have been issued by a trusted root authority, displaying in the address bar of the browser the authenticating party information of the party that certified the root certificate of the server's digital certificate, the authenticating party information being operating system certification or browser certification.
10. A data communication device based on the https protocol, the device comprising:
an access request initiation module, adapted to initiate, on the browser side, an access request to a server based on the https protocol;
a digital certificate receiving module, adapted to receive the digital certificate of the server that the server returns for the access request;
a first judging module, adapted to judge whether the root certificate of the server's digital certificate was issued by a root authority trusted by the operating system on which the browser runs;
a second judging module, adapted, when the root certificate of the server's digital certificate was not issued by a root authority trusted by the operating system on which the browser runs, to judge whether the root certificate of the server's digital certificate was issued by a root authority trusted by the browser; and
a communication module, adapted, when the root certificate of the server's digital certificate was issued by a root authority trusted by the browser, to have the browser determine communication encryption information with the server and communicate using that communication encryption information.
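The decision procedure of claims 1 to 4 and 6 to 9 (operating-system trust first, then the browser's SHA1 fingerprint whitelist with a local copy and a first-server query whose answer is cached locally, then the validity-period and site-name checks before any key negotiation) as an added Python example; it is not code from the patent or its assignee. The certificates are constructed byte strings standing in for DER-encoded root certificates, the first server is simulated by a local function, and all names (BrowserTrustChecker, make_checker, TrustDecision and so on) are assumptions. SHA1 is used because the patent specifies it; a new design would use SHA-256. The site-name comparison is an exact match, whereas a real browser applies the hostname matching rules of RFC 6125.

```python
# Browser-side root-certificate trust decision modelled on the patent's claims.
# Constructed example: the "certificates" are stand-in byte strings, not real
# X.509 DER, and the first server is simulated by a local function.
import hashlib
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Callable, List, Optional, Set


def root_fingerprint(root_der: bytes) -> str:
    # Claim 2: the whitelist keys on the SHA1 digest of the root certificate
    # (SHA1 is what the patent specifies; SHA-256 would be the choice today).
    return hashlib.sha1(root_der).hexdigest().upper()


@dataclass
class ServerCertificate:
    hostname: str          # site name the certificate was issued for
    not_before: datetime   # start of the validity period
    not_after: datetime    # end of the validity period
    root_der: bytes        # root certificate at the top of the chain (constructed bytes here)


@dataclass
class TrustDecision:
    allowed: bool                 # may the browser negotiate keys and talk to the server?
    authenticator: Optional[str]  # "os" or "browser": who vouched for the root (claim 9)
    warning: Optional[str]        # warning prompt text when the check fails (claim 6)


class BrowserTrustChecker:
    def __init__(self, os_trusted_roots: Set[str], local_whitelist: Set[str],
                 first_server_lookup: Callable[[str], Optional[str]]):
        self.os_trusted_roots = os_trusted_roots        # fingerprints the OS store trusts
        self.local_whitelist = local_whitelist          # browser's local whitelist (claim 3)
        self.first_server_lookup = first_server_lookup  # query to the up-to-date whitelist

    def trusted_by_browser(self, fp: str) -> bool:
        # Claim 3: local whitelist first; on a miss ask the first server and cache the answer.
        if fp in self.local_whitelist:
            return True
        found = self.first_server_lookup(fp)
        if found is None:
            return False  # claim 4: not in the up-to-date whitelist either
        self.local_whitelist.add(found)
        return fp in self.local_whitelist  # re-run the local search, as the claim states

    @staticmethod
    def attributes_legal(cert: ServerCertificate, visited_host: str, now: datetime) -> bool:
        # Claim 8: validity period covers 'now' and the site name matches the visited host.
        in_period = cert.not_before <= now <= cert.not_after
        host_matches = cert.hostname.lower() == visited_host.lower()
        return in_period and host_matches

    def decide(self, cert: ServerCertificate, visited_host: str, now: datetime) -> TrustDecision:
        fp = root_fingerprint(cert.root_der)
        if fp in self.os_trusted_roots:
            authenticator = "os"
        elif self.trusted_by_browser(fp):
            authenticator = "browser"
        else:
            return TrustDecision(False, None, "root certificate is trusted by neither the OS nor the browser")
        # Claim 7: the attribute check runs before key negotiation, even for a trusted root.
        if not self.attributes_legal(cert, visited_host, now):
            return TrustDecision(False, authenticator, "certificate attributes are not legal")
        return TrustDecision(True, authenticator, None)


# --- constructed fixtures (assumed values, not from the patent) -----------------
OS_ROOT = b"constructed-os-root"
BROWSER_ROOT_LOCAL = b"constructed-browser-root-local"
BROWSER_ROOT_REMOTE = b"constructed-browser-root-remote-only"
UNKNOWN_ROOT = b"constructed-unknown-root"
SERVER_QUERIES: List[str] = []  # every query the simulated first server receives
NOW = datetime(2015, 4, 29, tzinfo=timezone.utc)


def make_first_server(up_to_date_whitelist: Set[str]) -> Callable[[str], Optional[str]]:
    def lookup(fp: str) -> Optional[str]:
        SERVER_QUERIES.append(fp)
        return fp if fp in up_to_date_whitelist else None
    return lookup


def make_checker() -> BrowserTrustChecker:
    # The remote-only root is known to the first server but not yet cached locally.
    return BrowserTrustChecker(
        os_trusted_roots={root_fingerprint(OS_ROOT)},
        local_whitelist={root_fingerprint(BROWSER_ROOT_LOCAL)},
        first_server_lookup=make_first_server(
            {root_fingerprint(BROWSER_ROOT_LOCAL), root_fingerprint(BROWSER_ROOT_REMOTE)}),
    )


def make_cert(root: bytes, hostname: str = "example.test") -> ServerCertificate:
    return ServerCertificate(hostname, NOW.replace(year=2014), NOW.replace(year=2016), root)


if __name__ == "__main__":
    checker = make_checker()
    for root in (OS_ROOT, BROWSER_ROOT_LOCAL, BROWSER_ROOT_REMOTE, UNKNOWN_ROOT):
        print(root.decode(), checker.decide(make_cert(root), "example.test", NOW))
```

Running the block walks one certificate per root through the checker: the OS-trusted root is accepted without touching the whitelist, the locally whitelisted root is accepted without a server query, the remote-only root costs exactly one query and is then served from the local copy, and the unknown root produces the warning of claim 6. The authenticator field is what claim 9 would show in the address bar.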
CN201410823078.3A 2014-12-24 2014-12-24 A kind of data communications method and device based on https agreements Active CN104580172B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201410823078.3A CN104580172B (en) 2014-12-24 2014-12-24 A kind of data communications method and device based on https agreements

Publications (2)

Publication Number Publication Date
CN104580172A true CN104580172A (en) 2015-04-29
CN104580172B CN104580172B (en) 2017-12-12

Family

ID=53095353

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201410823078.3A Active CN104580172B (en) 2014-12-24 2014-12-24 A kind of data communications method and device based on https agreements

Country Status (1)

Country Link
CN (1) CN104580172B (en)

Cited By (20)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105634744A (en) * 2015-12-31 2016-06-01 北京元心科技有限公司 Root certificate storage device and safety access method
CN106789897A (en) * 2016-11-15 2017-05-31 沃通电子认证服务有限公司 For the digital certificate authentication method and system of application program for mobile terminal
CN107566393A (en) * 2017-09-26 2018-01-09 山东浪潮商用***有限公司 A kind of dynamic rights checking system and method based on trust certificate
CN107682371A (en) * 2017-11-21 2018-02-09 北京安博通科技股份有限公司 A kind of malice AP detection method and device
CN107707508A (en) * 2016-08-09 2018-02-16 中兴通讯股份有限公司 Applied business recognition methods and device
CN107800675A (en) * 2016-09-07 2018-03-13 深圳市腾讯计算机***有限公司 A kind of data transmission method, terminal and server
CN107864159A (en) * 2017-12-21 2018-03-30 有米科技股份有限公司 Communication means and device based on certificate and trust chain
CN108259406A (en) * 2016-12-28 2018-07-06 中国电信股份有限公司 Examine the method and system of SSL certificate
CN108881484A (en) * 2018-07-26 2018-11-23 杭州云缔盟科技有限公司 A method of whether detection terminal can access internet
CN109101813A (en) * 2018-09-03 2018-12-28 郑州云海信息技术有限公司 A kind of application program hold-up interception method and relevant apparatus
CN109657170A (en) * 2018-10-17 2019-04-19 平安普惠企业管理有限公司 Webpage loading method, device, computer equipment and storage medium
CN109660530A (en) * 2018-12-08 2019-04-19 公安部第三研究所 A kind of protecting information safety method based on hardware certificate
CN109861947A (en) * 2017-11-30 2019-06-07 腾讯科技(武汉)有限公司 A kind of network abduction processing method and processing device, electronic equipment
CN110166470A (en) * 2019-05-28 2019-08-23 北京奇安信科技有限公司 A kind of network service analogy method and device
CN110557255A (en) * 2018-05-31 2019-12-10 北京京东尚科信息技术有限公司 certificate management method and device
CN110581829A (en) * 2018-06-08 2019-12-17 ***通信集团有限公司 Communication method and device
CN111181912A (en) * 2019-08-27 2020-05-19 腾讯科技(深圳)有限公司 Browser identifier processing method and device, electronic equipment and storage medium
CN112073401A (en) * 2020-08-28 2020-12-11 苏州浪潮智能科技有限公司 Method, program and medium for automatically updating certificate based on HTTPS protocol web application
CN113328980A (en) * 2020-02-29 2021-08-31 杭州迪普科技股份有限公司 TLS authentication method, device and system, electronic equipment and readable medium
CN114143034A (en) * 2021-11-01 2022-03-04 清华大学 Network access security detection method and device

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111683089B (en) * 2020-06-08 2022-12-30 绿盟科技集团股份有限公司 Method, server, medium and computer equipment for identifying phishing website

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101141447A (en) * 2006-09-08 2008-03-12 飞塔信息科技(北京)有限公司 HTTPS communication tunnel security check and content filtering system and method
CN101616165A (en) * 2009-07-28 2009-12-30 江苏先安科技有限公司 A kind of method of inquiring and authenticating issue of novel X 509 digital certificate white list
CN102611707A (en) * 2012-03-21 2012-07-25 北龙中网(北京)科技有限责任公司 Credible website identity installation and identification method
US8707028B2 (en) * 2011-07-13 2014-04-22 International Business Machines Corporation Certificate-based cookie security

Cited By (29)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105634744A (en) * 2015-12-31 2016-06-01 北京元心科技有限公司 Root certificate storage device and safety access method
CN105634744B (en) * 2015-12-31 2020-01-21 北京元心科技有限公司 Root certificate storage device and secure access method
CN107707508A (en) * 2016-08-09 2018-02-16 中兴通讯股份有限公司 Applied business recognition methods and device
CN107800675B (en) * 2016-09-07 2020-04-07 深圳市腾讯计算机***有限公司 Data transmission method, terminal and server
CN107800675A (en) * 2016-09-07 2018-03-13 深圳市腾讯计算机***有限公司 A kind of data transmission method, terminal and server
WO2018090481A1 (en) * 2016-11-15 2018-05-24 沃通电子认证服务有限公司 Method and system for verifying digital certificate of mobile terminal application
CN106789897A (en) * 2016-11-15 2017-05-31 沃通电子认证服务有限公司 For the digital certificate authentication method and system of application program for mobile terminal
CN108259406B (en) * 2016-12-28 2020-12-29 中国电信股份有限公司 Method and system for verifying SSL certificate
CN108259406A (en) * 2016-12-28 2018-07-06 中国电信股份有限公司 Examine the method and system of SSL certificate
CN107566393A (en) * 2017-09-26 2018-01-09 山东浪潮商用***有限公司 A kind of dynamic rights checking system and method based on trust certificate
CN107682371A (en) * 2017-11-21 2018-02-09 北京安博通科技股份有限公司 A kind of malice AP detection method and device
CN109861947A (en) * 2017-11-30 2019-06-07 腾讯科技(武汉)有限公司 A kind of network abduction processing method and processing device, electronic equipment
CN109861947B (en) * 2017-11-30 2022-03-22 腾讯科技(武汉)有限公司 Network hijacking processing method and device and electronic equipment
CN107864159A (en) * 2017-12-21 2018-03-30 有米科技股份有限公司 Communication means and device based on certificate and trust chain
CN110557255A (en) * 2018-05-31 2019-12-10 北京京东尚科信息技术有限公司 certificate management method and device
CN110581829A (en) * 2018-06-08 2019-12-17 ***通信集团有限公司 Communication method and device
CN108881484A (en) * 2018-07-26 2018-11-23 杭州云缔盟科技有限公司 A method of whether detection terminal can access internet
CN109101813A (en) * 2018-09-03 2018-12-28 郑州云海信息技术有限公司 A kind of application program hold-up interception method and relevant apparatus
CN109657170A (en) * 2018-10-17 2019-04-19 平安普惠企业管理有限公司 Webpage loading method, device, computer equipment and storage medium
CN109660530A (en) * 2018-12-08 2019-04-19 公安部第三研究所 A kind of protecting information safety method based on hardware certificate
CN110166470A (en) * 2019-05-28 2019-08-23 北京奇安信科技有限公司 A kind of network service analogy method and device
CN110166470B (en) * 2019-05-28 2022-07-19 奇安信科技集团股份有限公司 Network service simulation method and device
CN111181912A (en) * 2019-08-27 2020-05-19 腾讯科技(深圳)有限公司 Browser identifier processing method and device, electronic equipment and storage medium
CN111181912B (en) * 2019-08-27 2021-10-15 腾讯科技(深圳)有限公司 Browser identifier processing method and device, electronic equipment and storage medium
CN113328980B (en) * 2020-02-29 2022-05-17 杭州迪普科技股份有限公司 TLS authentication method, device and system, electronic equipment and readable medium
CN113328980A (en) * 2020-02-29 2021-08-31 杭州迪普科技股份有限公司 TLS authentication method, device and system, electronic equipment and readable medium
CN112073401A (en) * 2020-08-28 2020-12-11 苏州浪潮智能科技有限公司 Method, program and medium for automatically updating certificate based on HTTPS protocol web application
CN112073401B (en) * 2020-08-28 2022-05-10 苏州浪潮智能科技有限公司 Method, program and medium for automatically updating certificate based on HTTPS (Hypertext transfer protocol secure) protocol web application
CN114143034A (en) * 2021-11-01 2022-03-04 清华大学 Network access security detection method and device

Also Published As

Publication number Publication date
CN104580172B (en) 2017-12-12

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant
TR01 Transfer of patent right
TR01 Transfer of patent right

Effective date of registration: 20220718

Address after: Room 801, 8th floor, No. 104, floors 1-19, building 2, yard 6, Jiuxianqiao Road, Chaoyang District, Beijing 100015

Patentee after: BEIJING QIHOO TECHNOLOGY Co.,Ltd.

Address before: Room 112, block D, No. 28, Xinjiekou outer street, Xicheng District, Beijing 100088 (Desheng Park)

Patentee before: BEIJING QIHOO TECHNOLOGY Co.,Ltd.

Patentee before: Qizhi software (Beijing) Co.,Ltd.