CN109067803A - SSL/TLS encryption and decryption communication method, device and equipment - Google Patents

SSL/TLS encryption and decryption communication method, device and equipment

Info

Publication number: CN109067803A
Authority: CN (China)
Prior art keywords: encryption, decryption, client, ssl, enciphering
Legal status: Pending
Application number: CN201811178354.XA
Other languages: Chinese (zh)
Inventors: 黄峥, 杨金柱
Current assignee: Sangfor Technologies Co Ltd
Original assignee: Sangfor Technologies Co Ltd
Application filed by Sangfor Technologies Co Ltd
Priority to CN201811178354.XA
Publication of CN109067803A

Classifications

All under H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION:

    • H04L 63/0428: network architectures or network communication protocols for network security, for providing a confidential data exchange among entities communicating through data packet networks, wherein the data content is protected, e.g. by encrypting or encapsulating the payload (under H04L 63/00 and H04L 63/04)
    • H04L 47/125: traffic control in data switching networks; flow control and congestion control; avoiding or recovering from congestion by balancing the load, e.g. traffic engineering (under H04L 47/00, H04L 47/10 and H04L 47/12)
    • H04L 67/02: network arrangements or protocols for supporting network services or applications; protocols based on web technology, e.g. hypertext transfer protocol [HTTP] (under H04L 67/00 and H04L 67/01)
    • H04L 67/56: network services; provisioning of proxy services (under H04L 67/00 and H04L 67/50)


Abstract

This application discloses an SSL/TLS encryption and decryption communication method applied to a network management device at the network entrance. The method comprises: receiving an SSL/TLS handshake request sent by a client; performing an SSL/TLS handshake with the client to determine the encryption/decryption algorithm and its algorithm parameters shared with the client in this communication session; receiving an encrypted request message sent by the client; decrypting the encrypted request message with the encryption/decryption algorithm to generate a plaintext request message and forwarding it to the server; and, after receiving the plaintext response message sent by the server, encrypting the plaintext response message with the encryption/decryption algorithm to generate an encrypted response message and forwarding it to the client. The application avoids the consumption of server processing performance by encryption and decryption computation, and simplifies the maintenance workload of the encryption/decryption component. The application also discloses an SSL/TLS encryption and decryption communication device, equipment and computer-readable storage medium, which have the same beneficial effects.

Description

SSL/TLS encryption and decryption communication method, device and equipment
Technical field
This application relates to the technical field of encrypted network communication, and in particular to an SSL/TLS encryption and decryption communication method, device, equipment and computer-readable storage medium.
Background technique
With the development of network technology, Internet security problems have become increasingly prominent, and public attention to information security has risen to an unprecedented degree.
Because the HTTP protocol transmits information in plaintext, there is a risk of leaking private information and threatening information security. The SSL (Secure Sockets Layer) protocol and its successor, the TLS (Transport Layer Security) protocol, were therefore created. In the prior art, the server uses the TLS and SSL security protocols to encrypt the communication data of a network connection at the transport layer. However, because SSL/TLS encryption and decryption involves a large amount of computation, it heavily consumes the computing resources of the server CPU, and can even reduce the service performance of the server to one tenth of its original level, so that users have to expand the number of servers. Moreover, an ordinary HTTP server can only be adapted into an HTTPS server that supports SSL/TLS encryption and decryption after complex deployment work; after successful deployment, every HTTPS server also needs frequent upgrades of its SSL/TLS encryption component to eliminate vulnerabilities; and the upgrade process brings with it various compatibility problems and abnormalities. In the prior art, therefore, the maintenance workload of SSL/TLS encryption and decryption is extremely large and the burden on operation and maintenance personnel is heavy, especially when the user operates a large number of servers.
It can be seen that which SSL/TLS encryption and decryption communication technique to use, so as to effectively guarantee the service processing performance of the server, simplify the maintenance workload of the SSL/TLS encryption component and effectively lighten the workload of operation and maintenance personnel, is a technical problem that urgently needs to be solved by those skilled in the art.
Summary of the invention
The purpose of this application is to provide an SSL/TLS encryption and decryption communication method, device, equipment and computer-readable storage medium, so as to effectively guarantee the service processing performance of the server, simplify the maintenance workload of the SSL/TLS encryption component, and effectively lighten the workload of operation and maintenance personnel.
To solve the above technical problems, this application provides an SSL/TLS encryption and decryption communication method, applied to a network management device at the network entrance, comprising:
receiving an SSL/TLS handshake request sent by a client;
performing an SSL/TLS handshake with the client to determine the encryption/decryption algorithm and its algorithm parameters shared with the client in this communication session;
receiving an encrypted request message sent by the client, the encrypted request message being generated by the client through encryption with the encryption/decryption algorithm;
decrypting the encrypted request message with the encryption/decryption algorithm to generate a plaintext request message, and forwarding the plaintext request message to a server;
after receiving a plaintext response message sent by the server, encrypting the plaintext response message with the encryption/decryption algorithm to generate an encrypted response message, and forwarding the encrypted response message to the client.
Optionally, during the SSL/TLS handshake with the client and before determining the encryption/decryption algorithm and its algorithm parameters shared with the client in this communication session, the method further includes:
determining the class of encryption/decryption algorithms supported jointly with the client, so as to determine, within that class, the encryption/decryption algorithm and its algorithm parameters shared with the client in this communication session;
wherein the classes of encryption/decryption algorithm supported by the network management device include national (SM) encryption/decryption algorithms and international encryption/decryption algorithms.
Optionally, during the SSL/TLS handshake with the client, the method further includes:
determining the encryption/decryption mode for this communication session, the encryption/decryption mode being hardware encryption/decryption or software encryption/decryption, so that when the mode is hardware encryption/decryption a preset encryption/decryption hardware device is called to perform encryption and decryption, and when the mode is software encryption/decryption a preset encryption/decryption processing program is called to perform encryption and decryption.
Optionally, the preset encryption/decryption hardware device is specifically an FPGA or a DSP.
Optionally, during the SSL/TLS handshake with the client, the method further includes:
obtaining client certificate information of the client;
and after decrypting the encrypted request message with the encryption/decryption algorithm to generate the plaintext request message, and before forwarding the plaintext request message to the server, the method further includes:
inserting the client certificate information into the plaintext request message, so that the server obtains the client certificate information from the plaintext request message.
This application also provides an SSL/TLS encryption and decryption communication device, applied to a network management device at the network entrance, comprising:
a handshake module for receiving an SSL/TLS handshake request sent by a client, and for performing an SSL/TLS handshake with the client to determine the encryption/decryption algorithm and its algorithm parameters shared with the client in this communication session;
a decryption module for receiving an encrypted request message sent by the client, the encrypted request message being generated by the client through encryption with the encryption/decryption algorithm, for decrypting the encrypted request message with the encryption/decryption algorithm to generate a plaintext request message, and for forwarding the plaintext request message to a server;
an encryption module for, after receiving a plaintext response message sent by the server, encrypting the plaintext response message with the encryption/decryption algorithm to generate an encrypted response message, and forwarding the encrypted response message to the client.
Optionally, the handshake module is also used to:
during the SSL/TLS handshake with the client and before determining the encryption/decryption algorithm and its algorithm parameters shared with the client in this communication session, determine the class of encryption/decryption algorithms supported jointly with the client, so as to determine, within that class, the encryption/decryption algorithm and its algorithm parameters shared with the client in this communication session;
wherein the classes of encryption/decryption algorithm supported by the network management device include national (SM) encryption/decryption algorithms and international encryption/decryption algorithms.
Optionally, the handshake module is also used to:
during the SSL/TLS handshake with the client, determine the encryption/decryption mode for this communication session, the encryption/decryption mode being hardware encryption/decryption or software encryption/decryption;
when the encryption/decryption mode is hardware encryption/decryption, the decryption module is specifically used to call a preset encryption/decryption hardware device to decrypt the encrypted request message, and the encryption module is specifically used to call the preset encryption/decryption hardware device to encrypt the plaintext response message;
when the encryption/decryption mode is software encryption/decryption, the decryption module is specifically used to call a preset encryption/decryption processing program to decrypt the encrypted request message, and the encryption module is specifically used to call the preset encryption/decryption processing program to encrypt the plaintext response message.
This application also provides SSL/TLS encryption and decryption communication equipment, comprising:
a memory for storing a computer program;
a processor for executing the computer program to implement the steps of any of the SSL/TLS encryption and decryption communication methods described above.
This application also provides a computer-readable storage medium in which a computer program is stored; when the computer program is executed by a processor, it implements the steps of any of the SSL/TLS encryption and decryption communication methods described above.
The SSL/TLS encryption and decryption communication method provided by this application is applied to a network management device at the network entrance and comprises: receiving an SSL/TLS handshake request sent by a client; performing an SSL/TLS handshake with the client to determine the encryption/decryption algorithm and its algorithm parameters shared with the client in this communication session; receiving an encrypted request message sent by the client, the encrypted request message being generated by the client through encryption with the encryption/decryption algorithm; decrypting the encrypted request message with the encryption/decryption algorithm to generate a plaintext request message, and forwarding the plaintext request message to a server; and, after receiving a plaintext response message sent by the server, encrypting the plaintext response message with the encryption/decryption algorithm to generate an encrypted response message, and forwarding the encrypted response message to the client.
It can be seen that, compared with the prior art, the SSL/TLS encryption and decryption communication method provided by this application makes the network management device at the network entrance the communication bridge between client and server, so that it performs the encryption and decryption of communication data in place of the server. As a result, the application not only effectively realizes SSL/TLS encrypted communication, but also avoids the consumption of server processing performance by encryption and decryption computation, ensures that the operation of the server's business services is not affected, and requires no major changes to the existing HTTP servers. Furthermore, because the network management device sits at the HTTP service entrance of multiple servers, SSL/TLS encrypted communication between all of those servers and their clients can be realized simply by completing maintenance work such as deployment and upgrading of the SSL/TLS encryption component on the network management device, which effectively simplifies the maintenance workload of the SSL/TLS encryption component and greatly reduces the workload of operation and maintenance personnel. The SSL/TLS encryption and decryption communication device, equipment and computer-readable storage medium provided by this application can implement the above method and have the same beneficial effects.
Detailed description of the invention
In order to explain the technical solutions of the prior art and of the embodiments of this application more clearly, the drawings needed to describe the prior art and the embodiments are briefly introduced below. The drawings of the embodiments described below are of course only some of the embodiments of this application; those skilled in the art can obtain other drawings from them without creative effort, and such other drawings also fall within the scope of protection of this application.
Fig. 1 is a kind of flow chart of SSL/TLS encryption and decryption communication means provided herein;
Fig. 2 is a kind of process frame diagram of SSL/TLS encryption and decryption communication means provided herein;
Fig. 3 is a kind of structural block diagram of SSL/TLS encryption and decryption communication device provided herein.
Specific embodiment
The core of this application is to provide an SSL/TLS encryption and decryption communication method, device, equipment and computer-readable storage medium, so as to effectively guarantee the service processing performance of the server, simplify the maintenance workload of the SSL/TLS encryption component, and effectively lighten the workload of operation and maintenance personnel.
In order to describe the technical solutions in the embodiments of this application more clearly and completely, they are introduced below with reference to the drawings of the embodiments. Obviously, the described embodiments are only some of the embodiments of this application, not all of them. All other embodiments obtained by those of ordinary skill in the art on the basis of the embodiments of this application without creative work fall within the scope of protection of this application.
Referring to Fig. 1 and Fig. 2: Fig. 1 is a flow chart of the SSL/TLS encryption and decryption communication method provided by this application, and Fig. 2 is a process block diagram of that method.
The SSL/TLS encryption and decryption communication method provided by this application is particularly applicable to the various network management devices located at the network entrance, such as gateways. As a preferred implementation, as shown in Fig. 2, it can also be applied to a load-balancing device dedicated to traffic distribution.
A load balancer is a device built into a network structure (more particularly a large-scale HTTP network service system composed of multiple servers) to distribute traffic in a unified way. It provides an inexpensive, effective and transparent method of expanding the bandwidth of network devices and servers, increasing throughput and strengthening network data-processing capacity, and thus improves the flexibility and availability of the network. The load balancer guides network traffic to each network device and server in the network according to preset load-balancing rules, and is in practice the concentrated entrance of the HTTP application.
The SSL/TLS encryption and decryption communication method provided by this application is introduced below by taking its application to a load balancer as an example. As shown in Fig. 1, the method mainly comprises the following steps:
Step 1: receiving an SSL/TLS handshake request sent by a client.
Specifically, in the SSL/TLS encryption and decryption communication method provided by this application, communication data is encrypted and decrypted by a network management device such as a load balancer, rather than directly by the server as in the prior art.
When the method is implemented with a load balancer, the load balancer, in addition to acting as the device that distributes traffic, also acts as the endpoint of the communication between client and server and provides encryption, decryption and forwarding of the communication data; that is, it plays the role of an "agent", and all service requests from clients are sent to the servers through the load balancer. The SSL and TLS protocols require a handshake before data communication, so after the load balancer receives an SSL or TLS handshake request from a client, it performs the corresponding SSL or TLS handshake with that client.
Of course, the SSL/TLS encryption and decryption provided by this application is not limited to the HTTPS protocol; any other TCP-based protocol can also be encrypted and decrypted in this way.
Step 2: performing an SSL/TLS handshake with the client to determine the encryption/decryption algorithm and its algorithm parameters shared with the client in this communication session.
Taking the SSL handshake as an example, the load balancer performs an SSL handshake with the client according to the SSL protocol, and through the SSL handshake determines the encryption/decryption algorithm to be used in this communication session and the parameters of that algorithm (including the encryption key). It is easy to understand that the encryption/decryption algorithm is one supported jointly by the load balancer and the client; moreover, different encryption/decryption algorithms have their own handshake protocols and different algorithm parameters, so the SSL handshake procedure depends on the specific encryption/decryption algorithm used. As for the detailed steps of the SSL handshake, reference may be made to the prior art; this application does not limit them. The TLS handshake is similar to the SSL handshake and is not repeated here.
Step 3: receiving an encrypted request message sent by the client, the encrypted request message being generated by the client through encryption with the encryption/decryption algorithm.
After the load balancer completes the handshake with the client, the client sends an encrypted request message to the load balancer. The encrypted request message is generated by the client by encrypting a plaintext request message with the encryption/decryption algorithm and algorithm parameters shared by both sides as determined in Step 2.
Step 4: decrypting the encrypted request message with the encryption/decryption algorithm to generate a plaintext request message, and forwarding the plaintext request message to the server.
In order to lighten the computational burden of the server, the encrypted request message can be decrypted by the load balancer. Of course, the basis for decryption is still the encryption/decryption algorithm and its algorithm parameters shared by both sides as determined in Step 2. After decryption is complete, the load balancer sends the plaintext request message obtained by decryption to the server, which responds to it.
Step 5: after receiving a plaintext response message sent by the server, encrypting the plaintext response message with the encryption/decryption algorithm to generate an encrypted response message, and forwarding the encrypted response message to the client.
Specifically, after the server responds to the client's request and generates a plaintext response message, the load balancer encrypts the plaintext response message with the encryption/decryption algorithm and sends the resulting encrypted response message to the client, completing the whole encrypted communication process, guaranteeing the security of the communication data and preventing eavesdropping on and leakage of important data.
As mentioned above, the SSL/TLS encryption and decryption communication method described above can also be applied to other network management devices located at the network entrance, which those skilled in the art can select and configure according to the actual application scenario.
It can be seen that the SSL/TLS encryption and decryption communication method provided by this application makes the network management device at the network entrance the communication bridge between client and server, so that it performs the encryption and decryption of communication data in place of the server. As a result, the application not only effectively realizes SSL/TLS encrypted communication, but also avoids the consumption of server processing performance by encryption and decryption computation, ensures that the operation of the server's business services is not affected, and requires no major changes to the existing HTTP servers. Furthermore, because the network management device sits at the HTTP service entrance of multiple servers, SSL/TLS encrypted communication between all of those servers and their clients can be realized simply by completing maintenance work such as deployment and upgrading of the SSL/TLS encryption component on the network management device, which effectively simplifies the maintenance workload of the SSL/TLS encryption component and greatly reduces the workload of operation and maintenance personnel.
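The five steps above, as an added example that is not part of the patent: a Go program written for this page (not Sangfor's code) in which a TLS-terminating gateway built on the standard library decrypts the client's request, forwards it in plaintext to an HTTP backend that never handles TLS, and encrypts the response on the way back. It also covers the optional client-certificate step from the summary: the gateway inserts the subject of the verified client certificate into the plaintext request and drops any copy of that header the client supplied itself, so the backend can trust it. The header name X-Client-Cert-Subject, the self-signed demo certificate and the use of httptest for the two servers are assumptions made here.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"net/http"
	"net/http/httptest"
	"net/http/httputil"
	"net/url"
	"time"
)

// Header in which the gateway passes the verified client-certificate subject
// to the backend (hypothetical name chosen for this demo).
const clientSubjectHeader = "X-Client-Cert-Subject"

// selfSignedCert builds a throwaway client certificate for the demo
// (constructed at run time, not a deployment key).
func selfSignedCert(cn string) (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: cn},
		NotAfter:              time.Now().Add(time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, err
	}
	leaf, err := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, err
}

// terminatingHandler plays the "agent" role: the TLS server calling it has
// already done the handshake and decryption, so r is the plaintext request.
// It drops any client-supplied subject header, inserts the verified one, and forwards.
func terminatingHandler(proxy http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		r.Header.Del(clientSubjectHeader)
		if r.TLS != nil && len(r.TLS.PeerCertificates) > 0 {
			r.Header.Set(clientSubjectHeader, r.TLS.PeerCertificates[0].Subject.String())
		}
		proxy.ServeHTTP(w, r) // the response comes back here and is encrypted by the TLS server
	})
}

// runDemo wires a plaintext backend, the terminating gateway and a client together in-process.
func runDemo(withClientCert bool) (string, error) {
	// Backend: an ordinary HTTP server that never handles TLS itself.
	backend := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprintf(w, "tls=%v subject=%q", r.TLS != nil, r.Header.Get(clientSubjectHeader))
	}))
	defer backend.Close()
	clientCert, err := selfSignedCert("demo-client")
	if err != nil {
		return "", err
	}
	clientCAs := x509.NewCertPool()
	clientCAs.AddCert(clientCert.Leaf)
	// Gateway: the TLS endpoint the client talks to; httptest supplies the
	// server certificate and a client that trusts it.
	target := &url.URL{Scheme: "http", Host: backend.Listener.Addr().String()}
	gateway := httptest.NewUnstartedServer(terminatingHandler(httputil.NewSingleHostReverseProxy(target)))
	gateway.TLS = &tls.Config{ClientAuth: tls.VerifyClientCertIfGiven, ClientCAs: clientCAs}
	gateway.StartTLS()
	defer gateway.Close()
	client := gateway.Client()
	if withClientCert {
		client.Transport.(*http.Transport).TLSClientConfig.Certificates = []tls.Certificate{clientCert}
	}
	req, err := http.NewRequest(http.MethodGet, gateway.URL+"/hello", nil)
	if err != nil {
		return "", err
	}
	req.Header.Set(clientSubjectHeader, "CN=forged") // must never reach the backend
	resp, err := client.Do(req)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	return string(body), err
}
```

The backend reports tls=false in both runs, showing that it only ever sees plaintext, and the forged header value never reaches it.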
The SSL/TLS encryption and decryption communication method provided by this application, on the basis of the above embodiment:
As a preferred embodiment, during the SSL/TLS handshake with the client and before determining the encryption/decryption algorithm and its algorithm parameters shared with the client in this communication session, the method further includes:
determining the class of encryption/decryption algorithms supported jointly with the client, so as to determine, within that class, the encryption/decryption algorithm and its algorithm parameters shared with the client in this communication session;
wherein the classes of encryption/decryption algorithm supported by the network management device include national (SM) encryption/decryption algorithms and international encryption/decryption algorithms.
Specifically, in the SSL/TLS encryption and decryption communication method provided by this application, the network management device at the network entrance is configured in advance so that it supports not only national (SM) encryption/decryption algorithms but also international encryption/decryption algorithms. The national algorithms are the commercial cryptographic algorithms promulgated by the State Commercial Cryptography Administration of China, including SM1, SM2, SM3 and SM4; the international algorithms are those in general use worldwide, including DES, 3DES, AES, RSA, SHA and ECDSA. Specifically, the network management device can confirm whether the client uses international or national algorithms from the protocol version and the algorithm field carried in the handshake request sent by the client, that is, the Client Hello message.
For national encryption/decryption algorithms, the State Commercial Cryptography Administration only publishes the relevant standards, and developers cannot obtain open-source code; moreover, a server that uses national algorithms for encrypted communication must pass the relevant approval procedures. Therefore, in existing encryption and decryption communication methods not only is the encryption and decryption computation executed by the server, but generally only international algorithms are supported and national algorithms are not.
In fact, however, some special industries need to use several encryption/decryption algorithms at the same time in order to further improve security. For example, the financial industry has higher security requirements in application scenarios such as online banking and online trading, and is therefore generally required to use the three algorithms SM2, RSA and ECDSA at the same time. The network management device provided by this application can support international and national algorithms simultaneously, which meets the application needs of industries with high security requirements such as finance, offers better compatibility, and effectively expands the scope of application of the SSL/TLS encryption and decryption algorithms provided by this application.
In addition, the SSL/TLS protocol currently in use has many versions, for example SSL 3.0, TLS 1.0, TLS 1.1 and TLS 1.2. The network management device in this application can support the mainstream protocol versions and can support multiple encryption/decryption algorithms within the same SSL/TLS encrypted channel. Compatibility with the various algorithms and protocol versions effectively ensures that the network management device can better meet the user's requirements for the functionality and security of the business system.
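To make the Client Hello check concrete, the following Go code (added for this page, not from the patent) parses a raw ClientHello record and classifies the offered cipher suites as national (SM) or international from the protocol version and the cipher-suite field, which is the information the description says the network management device inspects. The SM code points are those of RFC 8998 (TLS 1.3 SM suites) and GM/T 0024 (GMSSL, whose handshake uses protocol version 0x0101); the "mixed" class for a client offering both kinds and the constructed ClientHello builder are this example's own assumptions.

```go
package main

import (
	"encoding/binary"
	"errors"
)

// AlgorithmClass is the distinction the description draws when the gateway
// inspects a Client Hello: national (SM) algorithms, international ones, or both.
type AlgorithmClass string

const (
	ClassInternational AlgorithmClass = "international"
	ClassNational      AlgorithmClass = "national (SM)"
	ClassMixed         AlgorithmClass = "mixed"
)

// gmsslVersion is the ProtocolVersion of GM/T 0024-2014 (GMSSL) handshakes.
const gmsslVersion uint16 = 0x0101

// smSuites holds SM cipher-suite code points: TLS_SM4_GCM_SM3 and
// TLS_SM4_CCM_SM3 from RFC 8998, ECDHE_SM4_SM3 and ECC_SM4_SM3 from GM/T 0024.
var smSuites = map[uint16]bool{0x00C6: true, 0x00C7: true, 0xE011: true, 0xE013: true}

type ClientHelloInfo struct {
	Version uint16
	Suites  []uint16
}

var errTruncated = errors.New("truncated ClientHello")

// ParseClientHello reads one TLS record carrying a ClientHello and returns the
// client_version and offered cipher suites. Every length is checked against
// the bytes present, so a cut-off record yields an error instead of a panic.
func ParseClientHello(rec []byte) (*ClientHelloInfo, error) {
	if len(rec) < 5 || rec[0] != 0x16 || len(rec) < 5+int(binary.BigEndian.Uint16(rec[3:5])) {
		return nil, errors.New("not a complete TLS handshake record")
	}
	hs := rec[5 : 5+int(binary.BigEndian.Uint16(rec[3:5]))]
	if len(hs) < 4 || hs[0] != 0x01 {
		return nil, errors.New("record does not carry a ClientHello")
	}
	hsLen := int(hs[1])<<16 | int(hs[2])<<8 | int(hs[3])
	if len(hs)-4 < hsLen {
		return nil, errTruncated
	}
	body := hs[4 : 4+hsLen]
	// client_version(2) random(32) session_id<0..32> cipher_suites<2..2^16-2>
	if len(body) < 35 {
		return nil, errTruncated
	}
	info := &ClientHelloInfo{Version: binary.BigEndian.Uint16(body[0:2])}
	pos := 35 + int(body[34]) // skip random and session_id
	if len(body) < pos+2 {
		return nil, errTruncated
	}
	csLen := int(binary.BigEndian.Uint16(body[pos : pos+2]))
	pos += 2
	if csLen%2 != 0 || len(body) < pos+csLen {
		return nil, errTruncated
	}
	for i := 0; i < csLen; i += 2 {
		info.Suites = append(info.Suites, binary.BigEndian.Uint16(body[pos+i:pos+i+2]))
	}
	return info, nil
}

// Classify applies the rule from the description: a GMSSL protocol version or
// SM-only suites mean national algorithms, no SM suites mean international, and
// a Client Hello offering both kinds is reported as mixed.
func (h *ClientHelloInfo) Classify() AlgorithmClass {
	if h.Version == gmsslVersion {
		return ClassNational
	}
	var sm, intl bool
	for _, s := range h.Suites {
		sm, intl = sm || smSuites[s], intl || !smSuites[s]
	}
	switch {
	case sm && intl:
		return ClassMixed
	case sm:
		return ClassNational
	}
	return ClassInternational
}

func be16(b []byte, v uint16) []byte { return append(b, byte(v>>8), byte(v)) }

// buildClientHello constructs a minimal ClientHello record for the demo
// (zero random, empty session id, null compression, no extensions).
func buildClientHello(version uint16, suites []uint16) []byte {
	body := append(be16(nil, version), make([]byte, 33)...) // random + empty session_id
	body = be16(body, uint16(2*len(suites)))
	for _, s := range suites {
		body = be16(body, s)
	}
	body = append(body, 1, 0) // compression_methods: null only
	hs := append([]byte{0x01, byte(len(body) >> 16), byte(len(body) >> 8), byte(len(body))}, body...)
	return append(be16([]byte{0x16, 0x03, 0x01}, uint16(len(hs))), hs...)
}
```

A Client Hello offering TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xC02F) alongside TLS_SM4_GCM_SM3 (0x00C6) is classified as mixed, which is the situation the financial-industry requirement above (SM2 together with RSA and ECDSA) produces.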
As a preferred embodiment, the SSL/TLS handshake with the client further includes:
determining the encryption and decryption mode for this communication session, the mode being either hardware encryption and decryption or software encryption and decryption, so that when the mode is hardware encryption and decryption a preset encryption and decryption hardware device is called to perform the encryption and decryption, and when the mode is software encryption and decryption a preset encryption and decryption processing routine is called to perform it.
Specifically, when the network management device in the SSL/TLS encryption and decryption communication method provided herein performs the encryption and decryption computation on communication data, it can use either of two methods: hardware computation or software computation. With the hardware computation method, a preset encryption and decryption hardware device is called to execute the computation and takes on the performance cost that encryption and decryption bring, which can effectively improve the processing performance of the network management device.
It is readily understood that, because the national cryptographic algorithms and the international algorithms correspond to different algorithm protocols, certificates and interfaces, a preset hardware device for national cryptographic encryption and decryption and a preset hardware device for international encryption and decryption can be provided separately. Taking the international algorithm RSA as an example, with a 2048-bit key the hardware computation method can effectively improve performance by a factor of 4 to 6 compared with the software computation method.
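The two handshake decisions described above, as an added illustration in Go that is not code from the patent or from Sangfor: the device parses the client's ClientHello, settles the algorithm category both sides support, picks the algorithm and its key-size parameter within that category, and records whether that category's work goes to a hardware device. The cipher-suite codepoints (GM/T 0024 values for the SM suites, IANA values for the rest), the device's preference order (national first when both categories are offered), the per-category offload table and the sample ClientHello are all assumptions constructed for the example. Go's own crypto/tls does not implement the SM suites, which is why the negotiation is shown on the raw handshake bytes rather than through the library.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// Category is the algorithm family the handshake settles first.
type Category int

const (
	National      Category = iota // SM2/SM3/SM4 suites
	International                 // RSA/ECDSA suites
)

// Suite is one cipher suite plus the algorithm parameter fixed with it (here the
// key size). Codepoints are assumed: GM/T 0024 for the SM suites, IANA for the rest.
type Suite struct {
	ID       uint16
	Name     string
	Category Category
	KeyBits  int
}

// deviceSuites is the device's constructed support list, most preferred first.
var deviceSuites = []Suite{
	{0xE011, "ECDHE_SM4_SM3", National, 256},
	{0xE013, "ECC_SM4_SM3", National, 256},
	{0xC02B, "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", International, 256},
	{0xC02F, "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", International, 2048},
}

// offload says which categories have a hardware device attached (constructed).
var offload = map[Category]bool{National: true, International: false}

// parseClientHello reads legacy_version and the offered suites from a TLS record.
func parseClientHello(rec []byte) (version uint16, offered []uint16, err error) {
	if len(rec) < 5 || rec[0] != 0x16 || int(binary.BigEndian.Uint16(rec[3:])) != len(rec)-5 {
		return 0, nil, errors.New("not a well-formed handshake record")
	}
	hs := rec[5:]
	if len(hs) < 4 || hs[0] != 0x01 || int(hs[1])<<16|int(hs[2])<<8|int(hs[3]) != len(hs)-4 {
		return 0, nil, errors.New("not a well-formed ClientHello")
	}
	b := hs[4:] // legacy_version(2) random(32) session_id<0..32> cipher_suites<2..2^16-2> ...
	if len(b) < 35 || len(b) < 37+int(b[34]) {
		return 0, nil, errors.New("ClientHello truncated")
	}
	version = binary.BigEndian.Uint16(b)
	p := 35 + int(b[34]) // skip random and session_id
	n := int(binary.BigEndian.Uint16(b[p:]))
	p += 2
	if n%2 != 0 || len(b) < p+n {
		return 0, nil, errors.New("bad cipher_suites length")
	}
	for i := p; i < p+n; i += 2 {
		offered = append(offered, binary.BigEndian.Uint16(b[i:]))
	}
	return version, offered, nil
}

// negotiate settles the category both sides support (national first when both
// are offered, an assumption), then takes the device's first preferred suite of
// that category the client offered; the bool says whether it runs on hardware.
func negotiate(offered []uint16) (Suite, bool, error) {
	has := map[uint16]bool{}
	for _, id := range offered {
		has[id] = true
	}
	for _, cat := range []Category{National, International} {
		for _, s := range deviceSuites {
			if s.Category == cat && has[s.ID] {
				return s, offload[cat], nil
			}
		}
	}
	return Suite{}, false, errors.New("no cipher suite in a commonly supported category")
}

func be16(v uint16) []byte { return []byte{byte(v >> 8), byte(v)} }
// buildClientHello encodes a minimal ClientHello; it only constructs sample input.
func buildClientHello(version uint16, suites []uint16) []byte {
	body := append(be16(version), make([]byte, 32)...) // random: zeros, constructed input
	body = append(body, 0)                              // empty session_id
	body = append(body, be16(uint16(2*len(suites)))...)
	for _, s := range suites {
		body = append(body, be16(s)...)
	}
	body = append(body, 1, 0) // compression_methods: null only
	hs := append([]byte{0x01, byte(len(body) >> 16), byte(len(body) >> 8), byte(len(body))}, body...)
	return append([]byte{0x16, 0x03, 0x01}, append(be16(uint16(len(hs))), hs...)...)
}

func main() {
	_, offered, _ := parseClientHello(buildClientHello(0x0303, []uint16{0x1301, 0xC02F, 0xE013}))
	s, hw, err := negotiate(offered)
	fmt.Println(s.Name, s.KeyBits, hw, err) // ECC_SM4_SM3 256 true <nil>
}
```

A client that offers only a TLS 1.3 suite the device does not list (0x1301 alone) gets an error from `negotiate` rather than a silent fallback, which is the behaviour to prefer on a device that decides the algorithm on the server's behalf. The category is chosen before the suite so that a client offering both families cannot be steered into the weaker one by suite ordering alone.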
As a preferred embodiment, the preset encryption and decryption hardware device is specifically an FPGA or a DSP.
Specifically, an FPGA (Field Programmable Gate Array) is a product developed further on the basis of programmable devices such as the PAL, GAL and CPLD. As a parallel processing device it can effectively raise the computational efficiency of encryption and decryption and improve the service performance of the system as a whole; therefore the preset encryption and decryption hardware device in the SSL/TLS encryption and decryption communication method provided herein can specifically be an FPGA. Of course, those skilled in the art can also use other devices such as a DSP (Digital Signal Processing) as the preset encryption and decryption hardware device; the application is not limited in this respect.
As a preferred embodiment, the SSL/TLS handshake with the client further includes:
obtaining the client certificate information of the client;
and, after the encrypted request message has been decrypted with the encryption and decryption algorithm to generate the plaintext request message and before the plaintext request message is forwarded to the server, the method further includes:
inserting the client certificate information into the plaintext request message, so that the server obtains the client certificate information from the plaintext request message.
Specifically, in communication between client and server, the server generally needs to obtain the client's identity information, that is, the client certificate information. Therefore, in the SSL/TLS encryption and decryption communication process provided herein, the network management device forwards the client certificate information it has obtained to the server. Since an SSL/TLS handshake generally performs identity verification of the client, once the network management device has obtained the client certificate information it can add it to the plaintext request message transmitted to the server, so that the server obtains the client certificate information from that message. Specifically, the network management device can insert the client certificate information into the HTTP header of the plaintext request message, into its URL (Uniform Resource Locator), or into the message body; those skilled in the art can choose the arrangement themselves, and the application is not limited in this respect.
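The data path of the device, as an added example in Go that is not part of the patent or of Sangfor's implementation: the device terminates mutual TLS with Go's crypto/tls (so the client certificate is obtained during the handshake), forwards the plaintext HTTP request to the backend, and inserts the verified client certificate into an HTTP header, one of the three carriers the paragraph above names. The header name X-Client-Cert, the self-signed certificates, the host name proxy.example and the client identity alice are constructed for the example. One check the patent leaves implicit is made explicit: the device deletes any copy of that header that arrives from the client, because the backend trusts the header as the result of the device's verification, not as the client's own claim. The minimum version is pinned at TLS 1.2, since SSL 3.0 and TLS 1.0/1.1 from the version list above are deprecated (RFC 7568 and RFC 8996).

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"fmt"
	"io"
	"math/big"
	"net/http"
	"net/http/httptest"
	"net/http/httputil"
	"net/url"
	"time"
)

// Assumed header name; the patent leaves the carrier (header, URL or body) open.
const clientCertHeader = "X-Client-Cert"
// must turns a setup failure (key generation, certificate encoding) into a panic.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// selfSigned makes a self-signed ECDSA certificate that is also its own trust anchor
// (a stand-in for the CA-issued certificates of a real deployment).
func selfSigned(name string, eku x509.ExtKeyUsage) (tls.Certificate, *x509.Certificate) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: name}, DNSNames: []string{name},
		NotBefore:    time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:  []x509.ExtKeyUsage{eku}, IsCA: true, BasicConstraintsValid: true,
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, must(x509.ParseCertificate(der))
}

// newDevice is the device's plaintext data path: http.Server has already
// terminated TLS, so the handler drops any client-supplied copy of the header,
// inserts the certificate the TLS layer verified, and forwards to the backend.
func newDevice(backend *url.URL) http.Handler {
	rp := httputil.NewSingleHostReverseProxy(backend)
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		r.Header.Del(clientCertHeader)
		if r.TLS != nil && len(r.TLS.PeerCertificates) > 0 {
			raw := r.TLS.PeerCertificates[0].Raw
			r.Header.Set(clientCertHeader, base64.StdEncoding.EncodeToString(raw))
		}
		rp.ServeHTTP(w, r)
	})
}

// backendHandler is the server behind the device: it learns the client only from the header.
func backendHandler(w http.ResponseWriter, r *http.Request) {
	raw, _ := base64.StdEncoding.DecodeString(r.Header.Get(clientCertHeader))
	if cert, err := x509.ParseCertificate(raw); err == nil {
		io.WriteString(w, cert.Subject.CommonName)
		return
	}
	http.Error(w, "missing or malformed client certificate header", http.StatusBadRequest)
}

// runDemo wires client -> device (mutual TLS) -> backend (plain HTTP) and returns what the backend saw.
func runDemo() string {
	srvCert, srvX509 := selfSigned("proxy.example", x509.ExtKeyUsageServerAuth)
	cliCert, cliX509 := selfSigned("alice", x509.ExtKeyUsageClientAuth)
	clientCAs, rootCAs := x509.NewCertPool(), x509.NewCertPool()
	clientCAs.AddCert(cliX509)
	rootCAs.AddCert(srvX509)
	backend := httptest.NewServer(http.HandlerFunc(backendHandler))
	defer backend.Close()
	device := httptest.NewUnstartedServer(newDevice(must(url.Parse(backend.URL))))
	device.TLS = &tls.Config{ // the handshake demands and verifies a client certificate
		Certificates: []tls.Certificate{srvCert}, ClientCAs: clientCAs, MinVersion: tls.VersionTLS12,
		ClientAuth:   tls.RequireAndVerifyClientCert,
	}
	device.StartTLS()
	defer device.Close()
	client := &http.Client{Transport: &http.Transport{TLSClientConfig: &tls.Config{
		RootCAs: rootCAs, Certificates: []tls.Certificate{cliCert}, ServerName: "proxy.example",
	}}}
	req := must(http.NewRequest("GET", device.URL+"/", nil))
	req.Header.Set(clientCertHeader, "not-a-certificate") // must be discarded by the device
	resp := must(client.Do(req))
	defer resp.Body.Close()
	return string(must(io.ReadAll(resp.Body)))
}

func main() {
	fmt.Println(runDemo()) // prints alice
}
```

The backend never sees TLS and never parses a ClientHello; everything it knows about the client comes from the header the device wrote after its own verification, which is exactly why the device must strip the header on the way in. In a deployment the backend should additionally accept that header only from the device's address, since any path that bypasses the device would let a caller supply it directly.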
The SSL/TLS encryption and decryption communication device provided herein is introduced below.
Referring to Fig. 3, which is a structural block diagram of an SSL/TLS encryption and decryption communication device provided herein, the device is applied to the network management device at the portal and includes a handshake module 1, a decryption module 2 and an encryption module 3:
The handshake module 1 is used to receive the SSL/TLS handshake request sent by the client and to perform the SSL/TLS handshake with the client, so as to determine the encryption and decryption algorithm, and its algorithm parameters, shared with the client in this communication session;
The decryption module 2 is used to receive the encrypted request message sent by the client, the encrypted request message having been generated by the client by encrypting with the encryption and decryption algorithm, to decrypt the encrypted request message with the encryption and decryption algorithm to generate a plaintext request message, and to forward the plaintext request message to the server;
The encryption module 3 is used, after the plaintext response message sent by the server is received, to encrypt the plaintext response message with the encryption and decryption algorithm to generate an encrypted response message, and to forward the encrypted response message to the client.
It can be seen that in the SSL/TLS encryption and decryption communication device provided herein, the network management device at the portal acts as a communication bridge between client and server and performs the encryption and decryption of communication data in place of the server. The application therefore not only effectively implements SSL/TLS encryption and decryption communication, but also avoids the consumption of server processing capacity by the encryption and decryption computation, ensuring that the operation of the server's business services is not affected and that no major change to the original HTTP server is required. Furthermore, because the network management device is located at the HTTP service entrance of multiple servers, once maintenance work such as deployment and upgrading of the SSL/TLS encryption component has been completed on the network management device, SSL/TLS encryption and decryption communication between the multiple servers and the clients is achieved; this effectively simplifies the maintenance workload for the SSL/TLS encryption component and greatly reduces the burden on operation and maintenance staff.
For the SSL/TLS encryption and decryption communication device provided herein, on the basis of the above embodiments:
As a preferred embodiment, the handshake module 1 is also used to:
during the SSL/TLS handshake with the client and before determining the encryption and decryption algorithm and its algorithm parameters shared with the client in this communication session, determine the category of encryption and decryption algorithms supported jointly with the client, so as to determine from that category the encryption and decryption algorithm and its algorithm parameters shared with the client in this communication session;
wherein the categories of encryption and decryption algorithm supported by the network management device comprise national cryptographic algorithms and international algorithms.
As a preferred embodiment, the handshake module 1 is also used to:
during the SSL/TLS handshake with the client, determine the encryption and decryption mode for this communication session, the mode being hardware encryption and decryption or software encryption and decryption;
when the mode is hardware encryption and decryption, the decryption module 2 is specifically used to call a preset encryption and decryption hardware device to decrypt the encrypted request message, and the encryption module 3 is specifically used to call the preset encryption and decryption hardware device to encrypt the plaintext response message;
when the mode is software encryption and decryption, the decryption module 2 is specifically used to call a preset encryption and decryption processing routine to decrypt the encrypted request message, and the encryption module 3 is specifically used to call the preset encryption and decryption processing routine to encrypt the plaintext response message.
As a preferred embodiment, the handshake module 1 is also used to:
obtain the client certificate information of the client;
and the decryption module 2 is also used to:
after decrypting the encrypted request message with the encryption and decryption algorithm to generate the plaintext request message and before forwarding the plaintext request message to the server, insert the client certificate information into the plaintext request message, so that the server obtains the client certificate information.
The present invention also provides an SSL/TLS encryption and decryption communication apparatus, comprising:
a memory for storing a computer program;
a processor for executing the computer program so as to implement the steps of any SSL/TLS encryption and decryption communication method described above.
The present invention also provides a computer-readable storage medium in which a computer program is stored; when the computer program is executed by a processor, it implements the steps of any SSL/TLS encryption and decryption communication method described above.
The specific implementations of the SSL/TLS encryption and decryption communication device, apparatus and computer-readable storage medium provided herein correspond to the SSL/TLS encryption and decryption communication method described above and can be referred to each other, so they are not repeated here.
The embodiments in this application are described progressively: each embodiment focuses on its differences from the others, and the same or similar parts of the embodiments may be referred to each other. Since the device disclosed in the embodiments corresponds to the method disclosed in the embodiments, its description is relatively brief, and the relevant points can be found in the description of the method.
It should be noted that, in this specification, relational terms such as "first" and "second" are used merely to distinguish one entity or operation from another, and do not necessarily require or imply any actual relationship or order between those entities or operations. In addition, the terms "include", "comprise" or any other variant thereof are intended to cover non-exclusive inclusion, so that a process, method, article or apparatus that includes a series of elements includes not only those elements but also other elements not explicitly listed, or elements inherent to that process, method, article or apparatus. In the absence of further restrictions, an element defined by the phrase "including a ..." does not exclude the existence of other identical elements in the process, method, article or apparatus that includes it.
The technical solution provided herein has been described in detail above. Specific examples have been used to explain the principles and embodiments of the application; the description of the above embodiments is only intended to help in understanding the method of the application and its core idea. It should be pointed out that those skilled in the art can also make improvements and modifications to the application without departing from its principles, and such improvements and modifications also fall within the scope of protection of the claims of this application.

Claims (10)

1. An SSL/TLS encryption and decryption communication method, characterised in that it is applied to a network management device at the portal and comprises:
receiving an SSL/TLS handshake request sent by a client;
performing an SSL/TLS handshake with the client to determine the encryption and decryption algorithm, and its algorithm parameters, shared with the client in this communication session;
receiving an encrypted request message sent by the client, the encrypted request message having been generated by the client by encrypting with the encryption and decryption algorithm;
decrypting the encrypted request message with the encryption and decryption algorithm to generate a plaintext request message, and forwarding the plaintext request message to a server;
after receiving a plaintext response message sent by the server, encrypting the plaintext response message with the encryption and decryption algorithm to generate an encrypted response message, and forwarding the encrypted response message to the client.
2. The SSL/TLS encryption and decryption communication method according to claim 1, characterised in that, during the SSL/TLS handshake with the client and before the determination of the encryption and decryption algorithm and its algorithm parameters shared with the client in this communication session, the method further comprises:
determining the category of encryption and decryption algorithms supported jointly with the client, so as to determine from that category the encryption and decryption algorithm and its algorithm parameters shared with the client in this communication session;
wherein the categories of encryption and decryption algorithm supported by the network management device comprise national cryptographic algorithms and international algorithms.
3. The SSL/TLS encryption and decryption communication method according to claim 1, characterised in that the SSL/TLS handshake with the client further comprises:
determining the encryption and decryption mode for this communication session, the encryption and decryption mode being hardware encryption and decryption or software encryption and decryption, so that when the encryption and decryption mode is hardware encryption and decryption a preset encryption and decryption hardware device is called to perform the encryption and decryption, and when the encryption and decryption mode is software encryption and decryption a preset encryption and decryption processing routine is called to perform the encryption and decryption.
4. The SSL/TLS encryption and decryption communication method according to claim 3, characterised in that the preset encryption and decryption hardware device is specifically an FPGA or a DSP.
5. The SSL/TLS encryption and decryption communication method according to any one of claims 1 to 4, characterised in that the SSL/TLS handshake with the client further comprises:
obtaining the client certificate information of the client;
and that, after the decryption of the encrypted request message with the encryption and decryption algorithm to generate the plaintext request message and before the forwarding of the plaintext request message to the server, the method further comprises:
inserting the client certificate information into the plaintext request message, so that the server obtains the client certificate information from the plaintext request message.
6. An SSL/TLS encryption and decryption communication device, characterised in that it is applied to a network management device at the portal and comprises:
a handshake module for receiving an SSL/TLS handshake request sent by a client and performing an SSL/TLS handshake with the client to determine the encryption and decryption algorithm, and its algorithm parameters, shared with the client in this communication session;
a decryption module for receiving an encrypted request message sent by the client, the encrypted request message having been generated by the client by encrypting with the encryption and decryption algorithm, decrypting the encrypted request message with the encryption and decryption algorithm to generate a plaintext request message, and forwarding the plaintext request message to a server;
an encryption module for, after a plaintext response message sent by the server is received, encrypting the plaintext response message with the encryption and decryption algorithm to generate an encrypted response message, and forwarding the encrypted response message to the client.
7. The SSL/TLS encryption and decryption communication device according to claim 6, characterised in that the handshake module is also used to:
during the SSL/TLS handshake with the client and before the determination of the encryption and decryption algorithm and its algorithm parameters shared with the client in this communication session, determine the category of encryption and decryption algorithms supported jointly with the client, so as to determine from that category the encryption and decryption algorithm and its algorithm parameters shared with the client in this communication session;
wherein the categories of encryption and decryption algorithm supported by the network management device comprise national cryptographic algorithms and international algorithms.
8. The SSL/TLS encryption and decryption communication device according to claim 6, characterised in that the handshake module is also used to:
during the SSL/TLS handshake with the client, determine the encryption and decryption mode for this communication session, the encryption and decryption mode being hardware encryption and decryption or software encryption and decryption;
when the encryption and decryption mode is hardware encryption and decryption, the decryption module is specifically used to call a preset encryption and decryption hardware device to decrypt the encrypted request message, and the encryption module is specifically used to call the preset encryption and decryption hardware device to encrypt the plaintext response message;
when the encryption and decryption mode is software encryption and decryption, the decryption module is specifically used to call a preset encryption and decryption processing routine to decrypt the encrypted request message, and the encryption module is specifically used to call the preset encryption and decryption processing routine to encrypt the plaintext response message.
9. An SSL/TLS encryption and decryption communication apparatus, characterised in that it comprises:
a memory for storing a computer program;
a processor for executing the computer program so as to implement the steps of the SSL/TLS encryption and decryption communication method according to any one of claims 1 to 5.
10. A computer-readable storage medium, characterised in that a computer program is stored in the computer-readable storage medium, and when the computer program is executed by a processor it implements the steps of the SSL/TLS encryption and decryption communication method according to any one of claims 1 to 5.
CN201811178354.XA 2018-10-10 2018-10-10 A kind of SSL/TLS encryption and decryption communication means, device and equipment Pending CN109067803A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201811178354.XA CN109067803A (en) 2018-10-10 2018-10-10 A kind of SSL/TLS encryption and decryption communication means, device and equipment

Publications (1)

Publication Number Publication Date
CN109067803A true CN109067803A (en) 2018-12-21

Family

ID=64763717

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201811178354.XA Pending CN109067803A (en) 2018-10-10 2018-10-10 A kind of SSL/TLS encryption and decryption communication means, device and equipment

Country Status (1)

Country Link
CN (1) CN109067803A (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101621509A (en) * 2009-07-31 2010-01-06 浪潮电子信息产业股份有限公司 Design architecture and method for secure load balancing by utilizing SSL communication protocol
CN102811224A (en) * 2012-08-02 2012-12-05 天津赢达信科技有限公司 Method, device and system for implementation of SSL (secure socket layer)/TLS (transport layer security) connection
CN106506147A (en) * 2016-10-27 2017-03-15 国网江苏省电力公司南京供电公司 A kind of method that IPsec VPN are realized based on the close algorithm of state
CN106790049A (en) * 2016-12-19 2017-05-31 北京中电普华信息技术有限公司 Data safe transmission method and device based on mixed cipher external member middleware

Cited By (29)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109818939A (en) * 2018-12-29 2019-05-28 深圳市创梦天地科技有限公司 A kind of data processing method and equipment
CN110381043A (en) * 2019-07-08 2019-10-25 杭州迪普科技股份有限公司 Server health detecting method, device, electronic equipment based on SSL
CN110381043B (en) * 2019-07-08 2022-03-01 杭州迪普科技股份有限公司 SSL-based server health detection method and device and electronic equipment
CN112787986A (en) * 2019-11-11 2021-05-11 千寻位置网络有限公司 Multi-path bidirectional authentication method and device
CN112787986B (en) * 2019-11-11 2023-04-07 千寻位置网络有限公司 Multi-path bidirectional authentication method and device
CN111245814A (en) * 2020-01-07 2020-06-05 深信服科技股份有限公司 Data auditing method and device, electronic equipment and storage medium
CN111245814B (en) * 2020-01-07 2022-08-09 深信服科技股份有限公司 Data auditing method and device, electronic equipment and storage medium
CN111327634A (en) * 2020-03-09 2020-06-23 深信服科技股份有限公司 Website access supervision method, secure socket layer agent device, terminal and system
CN111711598A (en) * 2020-04-23 2020-09-25 中国电子科技网络信息安全有限公司 Sensitive data detection system for large-scale SSL/TLS encrypted session stream
CN111711598B (en) * 2020-04-23 2022-07-05 中国电子科技网络信息安全有限公司 Sensitive data detection system for large-scale SSL/TLS encrypted session stream
CN111865995A (en) * 2020-07-24 2020-10-30 芯河半导体科技(无锡)有限公司 Communication mode using hardware cryptographic algorithm in TR069
CN112235274A (en) * 2020-09-30 2021-01-15 上海艾融软件股份有限公司 Bank-enterprise direct connection system and method supporting multiple encryption algorithms to carry out secure communication
CN112235274B (en) * 2020-09-30 2023-01-24 上海艾融软件股份有限公司 Bank-enterprise direct connection system and method supporting multiple encryption algorithms to carry out secure communication
CN112714053A (en) * 2020-12-25 2021-04-27 北京天融信网络安全技术有限公司 Communication connection method and device
CN112714053B (en) * 2020-12-25 2022-09-16 北京天融信网络安全技术有限公司 Communication connection method and device
CN115085949A (en) * 2021-03-10 2022-09-20 航天信息股份有限公司 Data communication method and device based on national secret SSL transparent proxy
CN113179323A (en) * 2021-04-29 2021-07-27 杭州迪普科技股份有限公司 HTTPS request processing method, device and system for load balancing equipment
CN113364776A (en) * 2021-06-04 2021-09-07 北银金融科技有限责任公司 Method and system for verifying block link point usage cryptographic algorithm communication
CN113746807A (en) * 2021-08-11 2021-12-03 北银金融科技有限责任公司 Block chain node point support cryptographic algorithm communication detection method
CN114531272A (en) * 2022-01-10 2022-05-24 网宿科技股份有限公司 HTTPS request processing method and device based on national password and international algorithm
CN114553476A (en) * 2022-01-10 2022-05-27 网宿科技股份有限公司 HTTPS request processing method and device based on national secret and international algorithm
CN114553957A (en) * 2022-01-10 2022-05-27 网宿科技股份有限公司 Service system and method compatible with national password and international HTTPS transmission
CN114531272B (en) * 2022-01-10 2024-02-23 网宿科技股份有限公司 HTTPS request processing method and device based on national secret and international algorithm
CN114553957B (en) * 2022-01-10 2024-05-24 网宿科技股份有限公司 Service system and method compatible with national cipher and international HTTPS transmission
CN114844693A (en) * 2022-04-27 2022-08-02 深圳云创数安科技有限公司 Lightweight communication data encryption method, device, equipment and storage medium
CN114844693B (en) * 2022-04-27 2024-03-26 深圳云创数安科技有限公司 Lightweight communication data encryption method, device, equipment and storage medium
CN115086034A (en) * 2022-06-15 2022-09-20 北京鼎普科技股份有限公司 Method and system for realizing national cryptographic algorithm communication based on proxy and reverse proxy
CN117081840A (en) * 2023-09-19 2023-11-17 中科驭数(北京)科技有限公司 Secure socket layer communication method, device, special data processor and medium
CN117938549A (en) * 2024-03-22 2024-04-26 道普信息技术有限公司 User non-perception decryption method for TLS and SSL encryption connection

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20181221