WO2011076008A1 - System and method for transmitting files between wapi teminal and application sever - Google Patents

System and method for transmitting files between wapi teminal and application sever Download PDF

Info

Publication number
WO2011076008A1
WO2011076008A1 PCT/CN2010/075406 CN2010075406W WO2011076008A1 WO 2011076008 A1 WO2011076008 A1 WO 2011076008A1 CN 2010075406 W CN2010075406 W CN 2010075406W WO 2011076008 A1 WO2011076008 A1 WO 2011076008A1
Authority
WO
WIPO (PCT)
Prior art keywords
terminal
application server
wapi
content
digital signature
Prior art date
Application number
PCT/CN2010/075406
Other languages
French (fr)
Chinese (zh)
Inventor
施元庆
康望星
梁洁辉
Original Assignee
中兴通讯股份有限公司
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by 中兴通讯股份有限公司 filed Critical 中兴通讯股份有限公司
Publication of WO2011076008A1 publication Critical patent/WO2011076008A1/en

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/10Integrity
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/12Applying verification of the received information
    • H04L63/123Applying verification of the received information received data contents, e.g. message integrity
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/03Protecting confidentiality, e.g. by encryption
    • H04W12/033Protecting confidentiality, e.g. by encryption of the user plane, e.g. user's traffic
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/04Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload

Definitions

  • the present invention relates to the field of wireless local area network authentication and privacy infrastructure (WAPI), and specifically relates to a system and method for transmitting files by a WAPI terminal and an application server.
  • WAPI wireless local area network authentication and privacy infrastructure
  • WAPI Wired Equivalent Privacy
  • the MAC Service Data Unit (MSDU) of the Media Access Control (MAC) sublayer performs addition and decryption processing.
  • An access point (AP) refers to any entity that has a site function to provide distributed services to associated sites through wireless media;
  • ASUE authentication supplicant entity
  • AE authenticator entity
  • the entity resides in the access point or the terminal;
  • the basic function of the authentication service unit (ASU) is to implement the management of the user certificate and the identification of the user identity, etc., which is based on the WAI authentication of the public key cryptography technology.
  • an authentication service entity that provides an identity authentication service for the discriminator and the authentication requester.
  • the entity resides in the authentication service unit, and the node in the corresponding network of the authentication service unit is the WAPI authentication server 11, as shown in FIG.
  • the user certificate is a public key certificate, which is an important part of the WAI system construction.
  • the public key certificate is the digital identity of the network user. It is verified that the identity of the network user can be uniquely determined by private key authentication.
  • Network storage is a common Internet service that provides upload, download, and retrieval of various file contents.
  • WAPI more and more mobile terminals support wireless LAN access, and will also support more and more Internet service functions.
  • Network storage has considerable value for mobile terminals.
  • the current mobile terminal has gradually evolved into a multimedia information platform with personal communication as the core.
  • the powerful multimedia information collection function of the terminal is bound to require a reliable memory storage platform.
  • Considering the content sharing among multiple devices, network storage is undoubtedly a Very promising mobile internet business.
  • Web-based network storage applications usually have their own login mechanism in the Internet environment. Users need to provide a username and password to identify themselves. How to effectively ensure the security of the contents of the transmitted file is an important issue that needs to be solved.
  • the mobile terminal has completed the identity authentication process when accessing the network. If the access authentication capability can be fully utilized, the operation of the terminal user is simplified on the one hand, and the application provider can reuse the public key on which the WAPI depends.
  • the Public Key Infrastructure which includes resources such as the certificate issuing system and the certificate on the client, can also provide customers with integrity and confidentiality protection of the stored content.
  • the technical problem to be solved by the present invention is to provide a system and method for transmitting files by a WAPI terminal and an application server, thereby effectively ensuring the security of the content of the transmitted file.
  • the present invention provides a method for transmitting a file by a WAPI terminal and an application server, including:
  • the sender uses the wireless local area network security infrastructure WPI algorithm to encrypt the transmitted file content, and digitally signs the transmitted file content through HTTP.
  • the receiving end parses the content of the file and verifies the digital signature. If the digital signature is verified, the content of the transmitted file is not changed.
  • the method before the step of transmitting the file content, the method further includes: when the terminal sends an HTTP Get (GET) request to the application server, setting a field value of the HTTP GET request For a preset value, the terminal is a WAPI terminal, and after the application server receives the HTTP GET request, if the header field value is the preset value, it is determined that the terminal is a WAPI terminal.
  • HTTP Get HTTP Get
  • the method further includes:
  • the step of generating the digital signature includes: calculating a returned page using a wireless local area network authentication infrastructure WAI hash algorithm, and using a private key of the application server WAPI certificate Encrypting the hash calculation result using WAI's elliptic curve algorithm to generate the digital signature;
  • the terminal parses the digital signature, obtains the public key of the application server WAPI certificate pre-stored on the terminal, decrypts the digital signature, and hashes the page content by using a WAI hash function, and compares Whether the result of the hash calculation is consistent with the decrypted digital signature. If the result of the hash calculation is consistent with the decrypted digital signature, the authentication is performed on the application server, and if the result of the hash calculation is inconsistent with the decrypted digital signature, the authentication is not by.
  • the sending end when the sending end is a WAPI terminal and the receiving end is an application server, the sending end encrypts the transmitted file content by using a wireless local area network security infrastructure WPI algorithm, and digitally signs the transmitted file content.
  • the HTTP message transmission step includes: when the WAPI terminal transmits the file content, first generates a 128-bit random number as the temporary session key, and uses the symmetric key algorithm SMS4 in the WPI to encrypt the transmitted file content to obtain the ciphertext;
  • the public key of the server WAPI certificate encrypts the temporary session key by the public key algorithm to obtain the encrypted key; digitally signs the transmitted file content; and the ciphertext, digital signature, encrypted key, and terminal WAPI
  • the certificate information is encapsulated together, and the encapsulated content is sent to the application server through HTTP submission (POST), where the terminal WAPI certificate information includes a terminal WAPI certificate identifier or a terminal WAPI certificate;
  • the receiving end After receiving the HTTP message containing the file content, the receiving end parses the file content and verifies the digital signature. If the digital signature verification is passed, the step of transmitting the file content is not changed.
  • the application server After receiving the HTTP POST, the application server separates the terminal WAPI certificate identifier or the terminal WAPI certificate, and if the terminal WAPI certificate identifier is separated, the terminal WAPI certificate is obtained.
  • the encrypted key is decrypted by the public key algorithm to obtain a temporary session key, and the ciphertext in the transmitted file content is decrypted by a symmetric key algorithm to obtain a text, and decrypted.
  • the text of the output is hashed to obtain a hash value; the application server decrypts the digital signature by using the public key of the terminal WAPI certificate to obtain another hash value; whether the obtained two hash values are consistent, If the two hash values are consistent, the verification of the WAPI terminal is passed, and the content of the received file is not changed;
  • the sending end is an application server and the receiving end is a WAPI terminal
  • the HTTP GET message is sent to the application server, and the uniform resource locator corresponding to the content to be acquired is carried;
  • the sending end encrypts the transmitted file content by using the wireless local area network security infrastructure WPI algorithm, and performs digital signature on the transmitted file content and then transmits the HTTP message through the following steps: the application server receives the HTTP GET message and then according to the The uniform resource locator is known
  • the file content requested by the WAPI terminal and then generating a 128-bit random number as a temporary session key, and using the temporary session key to perform SMS4 encryption on the file content requested by the WAPI terminal to obtain a ciphertext, and digitally signing the content of the file, Encrypting the temporary session key using a public key of the terminal WAPI certificate to obtain an encrypted key, the encrypted key, ciphertext and digital signature being encapsulated in a fixed format or in the form of a form as a 200 OK message Return to the WAPI terminal;
  • the receiving end After receiving the HTTP message containing the file content, the receiving end parses the file content and verifies the digital signature. If the digital signature verification is passed, the step of transmitting the file content is not changed.
  • the WAPI terminal After receiving the 200 OK message, the WAPI terminal decrypts the encrypted key by using the private key of the terminal WAPI certificate to obtain a temporary session key, and then uses the temporary session key to perform the ciphertext.
  • the symmetric key algorithm decrypts the text, and hashes the decrypted text to obtain a hash value.
  • the public key of the application server WAPI certificate is used to decrypt the digital signature to obtain another hash value. Whether the two hash values are the same, if two If the hash value is consistent, the verification is passed, and the contents of the received file are not changed.
  • the WAPI terminal sends an HTTP GET message to the application server
  • the step of carrying the uniform resource locator corresponding to the content is
  • the terminal sends an HTTP GET message to the application server
  • the unified resource locator is digitally signed, and the digital signature and the terminal WAPI certificate identifier are sent to the application server by using an HTTP GET message as a uniform resource locator parameter;
  • the method further includes:
  • the application server After receiving the HTTP GET message, the application server separates the terminal WAPI certificate identifier, obtains the terminal WAPI certificate, and decrypts the digital signature by using the public key in the terminal WAPI certificate; hashing the page content by using the WAI hash function Whether the result of the comparison hash calculation is consistent with the decrypted digital signature, and if the result of the hash calculation is consistent with the decrypted digital signature, the terminal is authenticated.
  • the step of digitally signing the content of the transmitted file by the WAPI terminal comprises: performing hash calculation on the content of the file, and performing public key algorithm encryption on the hashed value by using a private key of the terminal WAPI certificate. .
  • the step of the application server digitally signing the file content comprises: performing hash calculation on the file content, and performing a public key algorithm encryption on the hash calculated value by using a private key of the application server WAPI certificate.
  • the invention also provides a wireless local area network authentication and security infrastructure WAPI terminal and an application server for transmitting files, including a transmitting end and a receiving end;
  • the sending end is configured to encrypt the transmitted file content by using a wireless local area network security infrastructure WPI algorithm, and digitally sign the transmitted file content through a hypertext transfer protocol.
  • the receiving end is configured to parse out the content of the file after receiving the HTTP message and verify the digital signature, and if the digital signature is verified, the content of the transmitted file is not changed.
  • the sending end is a WAPI terminal, and the receiving end is an application server; or the sending end is an application server, and the receiving end is a WAPI terminal;
  • the WAPI terminal includes a setting module;
  • the setting module of the WAPI terminal is configured to: when sending an HTTP get (GET) request to the application server before transmitting the file content, setting a field value of the HTTP GET request to a preset value indicates that the terminal is a WAPI terminal;
  • the application server is further configured to determine that the terminal is a WAPI terminal if the header field value is a preset value after receiving the HTTP GET request.
  • the application server includes an encryption module and a sending module
  • the WAPI terminal further includes a decryption module
  • the encryption module of the application server is configured to calculate a returned page by using a wireless local area network authentication WAI hash algorithm, and encrypt the hash calculation result by using a WAI elliptic curve algorithm using a private key of the application server WAPI certificate. Calculate the generated digital signature;
  • the sending module of the application server is configured to carry the digital signature when returning a 200 response (OK) message to the terminal;
  • the decryption module of the WAPI terminal is configured to parse the digital signature after receiving the 200 OK message, obtain the public key of the application server WAPI certificate pre-stored on the WAPI terminal, decrypt the digital signature, and use the WAI hash function pair.
  • the content of the page is hashed, and the result of the hash calculation is consistent with the decrypted digital signature. If the result of the hash calculation is consistent with the decrypted digital signature, the result of the hash calculation and the decryption are determined by the authentication of the application server. If the digital signatures are inconsistent, the authentication fails.
  • the terminal when the terminal uploads the file content to the application server, the terminal is a sending end, and the application server is a receiving end;
  • the terminal includes an encryption module and a sending module
  • the encryption module of the terminal is configured to generate a 128-bit random number as a temporary session key, and encrypt the uploaded file content using the symmetric key algorithm SMS4 in the WPI to obtain a ciphertext; use the public key of the application server WAPI certificate Encrypting the temporary session key by public key algorithm to obtain the encrypted key; and digitally signing the content of the uploaded file;
  • the sending module of the terminal is configured to encapsulate the ciphertext, the digital signature, the encrypted key and the terminal WAPI certificate information, and send the encapsulated content through HTTP submission (POST).
  • the terminal WAPI certificate information includes a terminal WAPI certificate identifier or a terminal WAPI certificate;
  • the application server includes a receiving module and a decryption module
  • the receiving module of the application server is configured to: after receiving the HTTP POST, separate the terminal WAPI certificate identifier or the terminal WAPI certificate, and if the terminal WAPI certificate identifier is separated, obtain the terminal WAPI certificate;
  • the decryption module of the application server is configured to decrypt the encrypted key by using a private key of the WAPI certificate of the application server to obtain a temporary session key, and use the temporary session key pair to transfer the file content.
  • the ciphertext is decrypted by the symmetric key algorithm to obtain the body text, and the decrypted text is hashed to obtain a hash value; and the public key of the terminal WAPI certificate is used to decrypt the signature to obtain another hash value. And compare whether the obtained two hash values are consistent. If the two hash values are consistent, the verification of the terminal is passed, and the content of the received file is not changed.
  • the terminal acquires file content from an application server
  • the application server is a sending end
  • the terminal is a receiving end
  • the terminal includes a sending module, a receiving module, and a decrypting module
  • the sending module of the terminal is configured to: when sending an HTTP GET message to the application server, carry a uniform resource locator corresponding to the content of the file;
  • the application server includes a receiving module, an encryption module, and a sending module;
  • the receiving module of the application server is configured to: after receiving the HTTP GET message, learn the file content requested by the terminal according to the unified resource locator;
  • the encryption module of the application server is configured to generate a 128-bit random number as a temporary session key, and use the temporary session key to perform SMS4 encryption on the file content requested by the terminal to form a ciphertext, and digitally sign the content of the file, and Encrypting the temporary session key using a public key of the terminal WAPI certificate to obtain an encrypted key;
  • the sending module of the application server is configured to send the ciphertext, the digital signature, and the encrypted key to the terminal as a 200 OK message;
  • the receiving module of the terminal is configured to send the received 200 OK message to the solution of the terminal.
  • the encryption module of the terminal is further configured to digitally sign the uniform resource locator when sending an HTTP GET message to the application server;
  • the sending module of the terminal is further configured to: send the digital signature and the user certificate identifier as a uniform resource locator parameter to the application server when sending the HTTP GET message to the application server; the decryption module of the application server is further configured to be separated Extracting the terminal WAPI certificate identifier in the HTTP GET message, and obtaining the terminal WAPI certificate, and decrypting the digital signature using the public key in the terminal WAPI certificate; hashing the page content using the WAI hash function; comparing hash calculation Whether the result is consistent with the decrypted digital signature, if the result of the hash calculation is consistent with the decrypted digital signature, the terminal is authenticated.
  • the encryption module of the terminal is configured to perform hash calculation on the file content, and use a private key of the terminal WAPI certificate to perform a public key algorithm encryption on the hashed value to transmit the file content. Make a digital signature.
  • the encryption module of the application server is configured to perform hash calculation on the file content, and use a private key of the application server WAPI certificate to perform a public key algorithm encryption on the hashed value to the file content. Make a digital signature.
  • the public key certificate authority and the client WAPI certificate provided by the WAPI infrastructure are fully utilized.
  • the WAPI terminal user relies on the WAPI authentication service to implement the user login process.
  • the login process does not require the user to input a username and password.
  • the client saves the content
  • the temporary session key and the symmetric encryption algorithm negotiated in the certificate authentication process encrypt the stored content to ensure content confidentiality
  • the client uses the private function of the hash function and the public certificate to store the content.
  • the client decrypts the obtained content through the temporary session key negotiated in the certificate authentication process and the symmetric encryption algorithm.
  • Figure 1 is the network system structure
  • Figure 2 is a schematic structural view of the system of the present invention.
  • FIG. 3 is a flow chart of the terminal of the present invention uploading content to an application server
  • FIG. 4 is a flow chart of the terminal of the present invention when acquiring content from an application server
  • FIG. 5 is a process diagram of a process when a terminal of the present invention uploads content
  • FIG. 6 is a process diagram of the application server when the content is delivered by the application server
  • FIG. 7 is a process diagram of the terminal and the application server of the present invention after receiving the file content;
  • FIG. 8 is a process diagram of the terminal of the present invention for authenticating the application server. Preferred embodiment of the invention
  • the present invention provides a system for transmitting files by a WAPI terminal and an application server, as shown in FIG. 2, the system includes a transmitting end and a receiving end;
  • the sender is the WAPI terminal 21 or the application server 22, and the receiving end is the application server 22 or the WAPI terminal 21;
  • the sending end is configured to encrypt the transmitted file content by using the WPI algorithm, and digitally sign the transmitted content, and then send the content to the receiving end through a hypertext transfer protocol (HTTP) message; the receiving end is set to receive the HTTP message.
  • HTTP hypertext transfer protocol
  • the WAPI terminal 21 includes a setting module 211, a first encryption module 212, a first decryption module 213, a first sending module 214, and a first receiving module 215;
  • the application server 22 includes a second encryption module 221, a second decryption module 222, a second sending module 223, and a second receiving module 224;
  • the setting module of the WAPI terminal is configured to: when sending an HTTP get (GET) request to the application server before transmitting the file content, indicating a field value of the request as a preset value indicates that the terminal is a WAPI terminal, and the application server receives the HTTP After the GET request, if the header field value is a preset value, it is determined that the terminal is a WAPI terminal.
  • the second encryption module is configured to calculate the returned page by using a WAI hash algorithm, and use the private key of the application server WAPI certificate to perform an encryption calculation on the hash calculation result to generate a digital signature by using an elliptic curve algorithm of WAI;
  • the second sending module is configured to carry the digital signature when returning the 200 OK message to the WAPI terminal;
  • the first decryption module is configured to parse the digital signature after receiving the 200 OK message, obtain the public key pre-stored in the WAPI certificate of the application server on the terminal, decrypt the digital signature, and hash the webpage content by using a WAI hash function. The calculation then compares the result of the hash calculation with the decrypted digital signature. If it is consistent, it authenticates the application server, otherwise the authentication fails.
  • the terminal uploads content to the application server
  • the terminal is the sending end
  • the application server is the receiving end
  • the first encryption module is configured to generate a 128-bit random number as a temporary session key, and encrypt the uploaded file content using the symmetric key algorithm (SMS4) in WPI to obtain a ciphertext, using the public key of the application server WAPI certificate.
  • SMS4 symmetric key algorithm
  • the public session key algorithm encrypts the temporary session key to obtain the encrypted key, and digitally signs the uploaded file content;
  • the first sending module is configured to encapsulate the encrypted ciphertext, the digital signature, the encrypted random number together with the user WAPI certificate identifier or the WAPI certificate, and send the encapsulated content to the application server through HTTP submission (POST);
  • the second receiving module is configured to: after receiving the HTTP POST, separate the WAPI certificate identifier or the WAPI certificate of the user, and if the WAPI certificate identifier is separated, obtain the WAPI certificate;
  • the second decryption module is configured to decrypt the encrypted key by using a public key of the WAPI certificate of the application server to obtain a temporary session key, and use the temporary session key to symmetrically encrypt the ciphertext in the uploaded content.
  • the key algorithm decrypts the body, and hashes the decrypted body to obtain a hash value, and uses the public key of the terminal WAPI certificate to publicize the signature.
  • the algorithm decrypts to obtain another hash value, and compares whether the obtained two hash values are consistent. If they are consistent, the verification of the terminal passes, and the received file content is not changed.
  • the first encryption module digitally signs the content of the uploaded file, and performs hash calculation on the content of the file, and then uses the private key of the terminal WAPI certificate to encrypt the hashed value with the public key algorithm.
  • the first sending module is configured to: when sending an HTTP GET message to the application server, carry a uniform resource locator corresponding to the content to be obtained;
  • the second receiving module is configured to: after receiving the HTTP GET message, learn, according to the uniform resource locator, the content of the document requested by the terminal;
  • the second encryption module is configured to generate a 128-bit random number as a temporary session key, and use the temporary session key to encrypt the document content requested by the terminal by using a symmetric key algorithm (SMS4) to form a ciphertext, and to digitally mark the content of the document. Signing, and using the public key of the terminal WAPI certificate to encrypt the temporary session key by public key algorithm to obtain the encrypted key;
  • SMS4 symmetric key algorithm
  • the second sending module is configured to send the ciphertext, the signature, and the encrypted temporary session key to the terminal as a 200 OK message body;
  • the first receiving module is configured to send the received 200 OK message to the first decryption module; the first decryption module is configured to use the private key of the terminal WAPI certificate to decrypt the encrypted key by using a public key algorithm to obtain a temporary session.
  • the key, and the temporary session key decrypt the ciphertext by the symmetric key algorithm to obtain the document body, hash the decrypted text to obtain a hash value, and publicize the signature by using the public key of the application server WAPI certificate.
  • the key algorithm decrypts to obtain another hash value, and whether the above two hash values obtained by the comparison are consistent. If they are consistent, the verification passes, and the received file content is not changed.
  • the first encryption module is further configured to digitally sign the unified resource locator when sending the HTTP GET message to the application server;
  • the first sending module is further configured to send the digital signature and the user certificate identifier as a uniform resource locator parameter to the application server when sending the HTTP GET message to the application server;
  • the second decryption module is further configured to: separate the user certificate identifier in the HTTP GET message, obtain the user certificate, and decrypt the digital signature by using the public key in the certificate, and use the WAI hash function to perform the uniform resource locator Hash calculation, then compare the result of the hash calculation with the decrypted digital signature, and if it is consistent, pass the identification of the terminal.
  • the second encryption module performs signature calculation on the content of the document, and performs hash calculation on the content of the document, and then uses the private key of the application server WAPI certificate to encrypt the hashed value with the public key algorithm.
  • the invention also provides a method for transmitting files by a WAPI terminal and an application server.
  • the sender uses the WPI algorithm to encrypt the transmitted file content, and encrypts the transmitted content.
  • the receiving end parses the content of the file and verifies the digital signature after receiving the HTTP message containing the content of the file, and if the digital signature is verified, the content of the transmitted file is not changed.
  • This embodiment is a method for a terminal to upload file content to an application server. As shown in FIG. 3, the method includes the following steps:
  • Step 301 The terminal browser sends an HTTP GET request to the application server to obtain a page of the network storage application, and the terminal indicates that it is a WAPI terminal by setting a header field value in the request to a preset value, for example, the User-Agent may be (User Agent) Set to WAPI Mobile User (WAPI-Mobile-Client) VI.0;
  • the User-Agent may be (User Agent) Set to WAPI Mobile User (WAPI-Mobile-Client) VI.0;
  • the value of the header field may be specified by the terminal when the request is made, or may be modified by a Wireless Application Protocol (WAP)/HTTP application gateway adjacent to the WLAN segment.
  • WAP Wireless Application Protocol
  • Step 302 The application server receives the HTTP GET request sent by the terminal, and determines whether the request is from the WAPI terminal according to the value in a header field; for example, when the value of the User-Agent is WAPI-Mobile-Client VI.0.
  • the terminal is a WAPI terminal;
  • Step 303 The application server returns a 200 OK message to the terminal, and adds a hidden form to the message, and the content includes at least one digital signature encrypted by the WAI public key algorithm.
  • the signature method is as follows:
  • the generated signature is sent to the terminal browser in a hidden form in the page response.
  • Step 304 As shown in FIG. 8, after receiving the 200 OK message, the terminal parses the digital signature from the hidden form, obtains the public key pre-stored in the WAPI certificate of the application server on the terminal, decrypts the digital signature, and uses the WAI.
  • the hash function hashes the content of the webpage, and then compares whether the result of the hash calculation is consistent with the decrypted digital signature. If they are consistent, the authentication is passed, otherwise the authentication fails.
  • the method for obtaining the application server WAPI certificate by the terminal is the same as the prior art.
  • Step 305 The WAPI terminal browser presents the page after acquiring the application server webpage data and completing the authentication of the server.
  • the terminal submits the content of the file to be uploaded through the browser. Submit the process using the HTTP POST method.
  • the WAPI terminal first generates a 128-bit random number as the temporary session key, and encrypts the content of the uploaded file to obtain the ciphertext by using the SMS4 algorithm in WPI (ie, the symmetric key algorithm in FIG. 5), and then uses the public key of the application server WAPI certificate.
  • the public key algorithm is encrypted for the temporary session key to obtain the encrypted key, and then the digital signature of the uploaded content is completed by using the private key of the terminal WAPI certificate.
  • the digital signature process first performs hash calculation on the file content, and then uses The private key of the terminal WAPI certificate is encrypted and hashed; the ciphertext, digital signature, and encrypted key and user WAPI certificate identifier or certificate are encapsulated in a fixed format, for example:
  • the content of the POST is composed and sent to the application service by the terminal browser or through the form.
  • Step 306 After the application server receives the HTTP POST message, first according to the form or a certain A fixed format separates the user's WAPI certificate identifier or WAPI certificate. If it is a certificate identifier, the user's public key certificate is obtained through interaction with the public authentication center (the acquisition process is a standard process, which is not described in detail in the present invention).
  • the application server obtains the random number encrypted value generated by the terminal and encrypted by the application server public key, and uses the private key of the WAPI certificate of the application server to decrypt the encrypted key by a public key algorithm to obtain a 128-bit temporary session key. Then, using the 128-bit temporary session key, the ciphertext in the uploaded content is decrypted by a symmetric key algorithm to obtain a body text, and the decrypted body is hashed to obtain a hash value, and the application server also uses the terminal WAPI certificate.
  • the key pair signature is decrypted by the public key algorithm to obtain another hash value, and then the obtained two hash values are compared. If the two hash values are consistent, the verification is passed, indicating that the uploaded file content has not been changed. If not, the verification fails. .
  • This embodiment is a method for a terminal to obtain content from an application server. As shown in FIG. 4, the method includes the following steps:
  • Step 401 The terminal browser sends an HTTP GET request to the application server, and obtains a page of the network storage application.
  • the terminal indicates that it is a WAPI terminal by setting a certain header field value of the request to a preset value, for example, the User-Agent may be The (user agent) is set to WAPI-Mobile-Client VI.0; the value of the header field may be specified by the terminal when the request is made, or may be modified by the WAP/HTTP application gateway adjacent to the wireless LAN segment.
  • Step 402 The application server receives the HTTP GET request sent by the terminal, and determines whether the request is from the WAPI terminal according to a header field value. If the value of the User-Agent is WAPI-Mobile-Client VI.0, the terminal is determined. Is a WAPI terminal;
  • Step 403 The application server returns a 200 OK message to the terminal, and adds a hidden form to the message, and the content includes at least one digital signature encrypted by the WAI public key algorithm.
  • the signature method is as follows:
  • Step 404 As shown in FIG. 8, after receiving the 200 OK message, the terminal parses the digital signature from the hidden form, and obtains the public key of the WAPI certificate of the application server pre-stored on the terminal to decrypt the signature by the public key algorithm, and The hash function of the WAI is used to hash the content of the webpage, and then the result of the hash calculation is compared with the decrypted digital signature. If they are consistent, the authentication is passed, otherwise the authentication fails.
  • the method for obtaining the application server WAPI certificate by the terminal is the same as the prior art.
  • Step 405 The WAPI terminal browser presents the page after acquiring the application server webpage data and completing the server identity authentication.
  • Step 406 The terminal specifies, by using an interface, a URL (Uniform Resource Locator) corresponding to the content, and uses the GET method to obtain the content.
  • a URL Uniform Resource Locator
  • the client plug-in invokes the WAI function to perform signature calculation on the Uniform Resource Locator (URL, Uniform Resource Locator).
  • the signature method is as follows:
  • the digital signature for the Uniform Resource Locator does not include the URL parameter portion.
  • Step 407 The application server receives the HTTP GET message, separates the user certificate identifier in the URL parameter, obtains the user certificate, and then decrypts the digital signature by using the public key in the terminal WAPI certificate, and uses the WAI hash function to the webpage content. The hash calculation is performed, and then the result of the hash calculation is compared with the decrypted digital signature. If they are consistent, the terminal is authenticated, otherwise the authentication fails.
  • a 128-bit random number is generated as a temporary session key, and the temporary session key is used to perform SMS4 encryption on the document content requested by the client (that is, as shown in FIG. 6 Perform symmetric key encryption on the document, and digitally sign the body of the document.
  • the digital signature process first hashes the document body, and then uses the private key of the application server WAPI certificate to encrypt the hashed value with the public key algorithm; the application server also uses the public key pair of the terminal WAPI certificate for the temporary session.
  • the key is encrypted by the public key algorithm to obtain the encrypted key.
  • all the content is encapsulated in a fixed format or in the form of a form, and is returned to the terminal as a 200 OK message body.
  • Step 408 As shown in FIG. 7, after receiving the 200 OK message, the terminal decrypts the encrypted key by using the private key of the terminal WAPI certificate to obtain a temporary session key, and then uses the temporary session key pair.
  • the ciphertext is decrypted by the symmetric key algorithm to obtain the document body, and the hashed text is hashed to obtain the hash value.
  • the public key of the application server WAPI certificate is used to decrypt the signature by the public key algorithm to obtain another hash value. Whether the above two hash values obtained by the comparison are consistent, if they are consistent, the verification is passed, and the content of the received file is not changed, and if not, the verification fails.
  • the terminal and the application server use the same public key algorithm for encryption and decryption.
  • the invention completes the authentication process based on the WAPI certificate and the encryption and integrity protection of the transmitted data through the HTTP message body or the form in the hypertext without changing the HTTP protocol, and does not affect the WEB of the application server.
  • the normal process of access request processing, the mentioned functions can be completed by adding new function modules. The new functions only involve WAPI related public keys and symmetric encryption calculations, and the contents of HTTP and hypertext transfer protocols are not changed.
  • the system and method for transmitting files by the WAPI terminal and the application server provided by the invention complete the authentication process based on the WAPI certificate, encrypt and complete the transmission data through the HTTP message body or the form in the hypertext without changing the HTTP protocol.
  • the mentioned functions can be completed by adding new function modules. The new functions only involve WAPI-related public keys and symmetric encryption calculations, without changing HTTP and hypertext transfer protocols. content.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Storage Device Security (AREA)
  • Mobile Radio Communication Systems (AREA)
  • Computer And Data Communications (AREA)
  • Information Transfer Between Computers (AREA)

Abstract

This invention provides a system and method for transmitting files between a Wireless Local Area Network (WLAN) Authentication and Privacy Infrastructure (WAPI) terminal and an application server. The method includes the following steps: when Hypertext Transfer Protocol (HTTP) messages are used to transmit file content between the WAPI terminal and the application sever, the transmission end encrypts, using a WLAN Privacy Infrastructure (WPI) algorithm, the file content to be transmitted, and transmits the file content after performing a digital signature on the file content to be transmitted; the reception end resolves out the file content after receiving the HTTP messages including the file content, and validates the digital signature; if the digital signature is validated successfully, the transmitted file content has not been modified. With the system and method for transmitting files between the WAPI terminal and the application server provided in the invention, the authentication process based on the WAPI certificate, the encryption of the transmission data, and the integrity protection function are accomplished without the modification of the HTTP protocol.

Description

一种 WAPI终端与应用服务器传输文件的***及方法  System and method for transmitting files by WAPI terminal and application server
技术领域 Technical field
本发明涉及无线局域网认证与保密基础结构(WAPI )技术领域, 具体涉 及一种 WAPI终端与应用服务器传输文件的***及方法。  The present invention relates to the field of wireless local area network authentication and privacy infrastructure (WAPI), and specifically relates to a system and method for transmitting files by a WAPI terminal and an application server.
背景技术 Background technique
为了解决无线局域网国际标准化组织(ISO) /国际电工委员会 (IEC) 8802-11中定义的有线等效保密 (Wired Equivalent Privacy, WEP)安全机制存 在的安全漏洞, 我国颁布了无线局域网国家标准及其第一号修改单, 釆用无 线局 i或网认证与保密基础结构 (WLAN Authentication and Privacy Infrastructure, WAPI)替代 WEP, 解决无线局域网的安全问题。 WAPI由无线 局 i或网鉴别基础结构 (WLAN Authentication Infrastructure, WAI)和无线局域 < 网保密基础结构 (WLAN Privacy Infrastructure, WPI)组成。 WAI釆用了公开 密钥加密技术, 用于终端与接入点之间的互相身份鉴别; WPI釆用国家密码 管理委员会办公室批准的用于无线局域网 (WLAN ) 的对称密码算法实现数 据保护,对媒体接入控制( MAC )子层的 MAC服务数据单元( Mac Server Data Unit, MSDU )进行加、 解密处理。 规范中介绍的基础结构包括了几个功能实 体, 接入点 ( access point, AP )是指任何一个具备站点功能, 通过无线媒体 为关联的站点提供访问分布式服务的实体; 鉴别请求者实体 ( ASUE , authentication supplicant entity )是在接入服务之前请求进行鉴别操作的实体; 鉴别器实体(AE, authenticator entity )为鉴别请求者在接入服务之前提供鉴 别操作的实体。 该实体驻留在接入点或终端内; 鉴别服务单元 (ASU , authentication service unit)的基本功能是实现对用户证书的管理和用户身份的 鉴别等, 是基于公开密钥密码技术的 WAI鉴别基础结构中重要的组成部分; 鉴别服务实体 (ASE, authentication service entity)为鉴别器和鉴别请求者提供身 份鉴别服务的实体。 该实体驻留在鉴别服务单元中, 鉴别服务单元对应网络 中的节点为 WAPI鉴别服务器 11 , 如图 1所示。 用户证书为公开密钥证书, 它是 WAI ***构造中重要的环节。 公开密钥证书是网络用户的数字身份凭 证, 通过私有密钥验证可以唯一地确定网络用户的身份。 In order to solve the security loopholes in the Wired Equivalent Privacy (WEP) security mechanism defined by the International Standards Organization (ISO)/International Electrotechnical Commission (IEC) 8802-11, China has promulgated the national standard for wireless local area networks (WLANs). The first modification is to replace the WEP with the WLAN Authentication and Privacy Infrastructure (WAPI) to solve the security problem of the WLAN. WAPI consists of a wireless office i or a WLAN Authentication Infrastructure (WAI) and a wireless local area network (WLAN Privacy Infrastructure (WPI)). WAI uses public key encryption technology for mutual identification between terminals and access points. WPI uses the symmetric cryptographic algorithm for wireless local area networks (WLAN) approved by the Office of the National Password Management Committee to implement data protection. The MAC Service Data Unit (MSDU) of the Media Access Control (MAC) sublayer performs addition and decryption processing. The infrastructure described in the specification includes several functional entities. An access point (AP) refers to any entity that has a site function to provide distributed services to associated sites through wireless media; ASUE (authentication supplicant entity) is an entity that requests an authentication operation before accessing the service; an authenticator entity (AE) is an entity that authenticates the requestor to provide an authentication operation before accessing the service. The entity resides in the access point or the terminal; the basic function of the authentication service unit (ASU) is to implement the management of the user certificate and the identification of the user identity, etc., which is based on the WAI authentication of the public key cryptography technology. An important component of the structure; an authentication service entity (ASE) that provides an identity authentication service for the discriminator and the authentication requester. The entity resides in the authentication service unit, and the node in the corresponding network of the authentication service unit is the WAPI authentication server 11, as shown in FIG. The user certificate is a public key certificate, which is an important part of the WAI system construction. The public key certificate is the digital identity of the network user. It is verified that the identity of the network user can be uniquely determined by private key authentication.
网络存储是一种常见的互联网业务, 提供各类文件内容的上传、 下载和 检索功能。 随着 WAPI的部署和实施, 越来越多的移动终端支持无线局域网 接入, 同时也将会支持越来越多的互联网业务功能。 网络存储对于移动终端 而言, 具有相当大的使用价值。 目前的移动终端已逐渐演变为以个人沟通交 流为核心的多媒体信息平台, 终端强大的多媒体信息釆集功能势必需要一个 可靠的内存存储平台, 考虑到多设备间的内容共享, 网络存储无疑是一个非 常有潜力的移动互联网业务。 基于 Web的网络存储应用在互联网环境下, 通 常会有自己的登录机制, 如需用户提供用户名密码以辨明身份。 如何有效地 保证传输文件内容的安全性是一个需要解决的重要问题。  Network storage is a common Internet service that provides upload, download, and retrieval of various file contents. With the deployment and implementation of WAPI, more and more mobile terminals support wireless LAN access, and will also support more and more Internet service functions. Network storage has considerable value for mobile terminals. The current mobile terminal has gradually evolved into a multimedia information platform with personal communication as the core. The powerful multimedia information collection function of the terminal is bound to require a reliable memory storage platform. Considering the content sharing among multiple devices, network storage is undoubtedly a Very promising mobile internet business. Web-based network storage applications usually have their own login mechanism in the Internet environment. Users need to provide a username and password to identify themselves. How to effectively ensure the security of the contents of the transmitted file is an important issue that needs to be solved.
发明内容 Summary of the invention
移动终端在接入网络时已经完成了身份鉴别过程, 如果可以充分利用接 入鉴别的能力, 一方面简化了终端用户的操作, 另一方面, 应用提供商可复 用 WAPI所依赖的公开密钥基础设施( Public Key Infrastructure, PKI ) , 包括 证书颁发***和客户端上的证书等资源, 还可以向客户提供存储内容的完整 性、 机密性保护功能。  The mobile terminal has completed the identity authentication process when accessing the network. If the access authentication capability can be fully utilized, the operation of the terminal user is simplified on the one hand, and the application provider can reuse the public key on which the WAPI depends. The Public Key Infrastructure (PKI), which includes resources such as the certificate issuing system and the certificate on the client, can also provide customers with integrity and confidentiality protection of the stored content.
本发明要解决的技术问题是提供一种 WAPI终端与应用服务器传输文件 的***及方法, 有效地保证了传输文件内容的安全性。  The technical problem to be solved by the present invention is to provide a system and method for transmitting files by a WAPI terminal and an application server, thereby effectively ensuring the security of the content of the transmitted file.
为了解决上述问题, 本发明提供了一种 WAPI终端与应用服务器传输文 件的方法, 包括:  In order to solve the above problems, the present invention provides a method for transmitting a file by a WAPI terminal and an application server, including:
WAPI终端与应用服务器之间釆用超文本传输协议 HTTP消息传输文件 内容时, 发送端使用无线局域网保密基础结构 WPI算法对传输的文件内容进 行加密, 并对传输的文件内容做数字签名后通过 HTTP消息传输, 接收端收 到包含文件内容的 HTTP消息后解析出所述文件内容并验证所述数字签名, 若数字签名验证通过, 则传输的文件内容未被更改。  When the WAPI terminal and the application server use the hypertext transfer protocol HTTP message to transfer the file content, the sender uses the wireless local area network security infrastructure WPI algorithm to encrypt the transmitted file content, and digitally signs the transmitted file content through HTTP. In the message transmission, after receiving the HTTP message containing the content of the file, the receiving end parses the content of the file and verifies the digital signature. If the digital signature is verified, the content of the transmitted file is not changed.
优选地, 在传输文件内容的步骤之前, 所述方法还包括: 终端向应用服 务器发送 HTTP获取 ( GET )请求时, 将该 HTTP GET请求的一头域值设置 为一预设值表示该终端为 WAPI终端 , 所述应用服务器收到所述 HTTP GET 请求后若所述头域值为所述预设值, 则判定所述终端为 WAPI终端。 Preferably, before the step of transmitting the file content, the method further includes: when the terminal sends an HTTP Get (GET) request to the application server, setting a field value of the HTTP GET request For a preset value, the terminal is a WAPI terminal, and after the application server receives the HTTP GET request, if the header field value is the preset value, it is determined that the terminal is a WAPI terminal.
优选地,在应用服务器收到所述终端发来的 HTTP GET请求的步骤之后, 所述方法还包括:  Preferably, after the step of the application server receiving the HTTP GET request sent by the terminal, the method further includes:
向所述终端返回 200 响应(OK )消息时增加一个数字签名, 所述数字签 名的生成步骤包括:使用无线局域网鉴别基础结构 WAI散列算法计算返回的 页面, 并使用应用服务器 WAPI证书的私钥, 利用 WAI的椭圓曲线算法, 对 散列计算结果做加密计算生成所述数字签名; 以及  Adding a digital signature when returning a 200 response (OK) message to the terminal, the step of generating the digital signature includes: calculating a returned page using a wireless local area network authentication infrastructure WAI hash algorithm, and using a private key of the application server WAPI certificate Encrypting the hash calculation result using WAI's elliptic curve algorithm to generate the digital signature;
所述终端收到 200 OK消息后解析出所述数字签名,获取预存于终端上的 应用服务器 WAPI证书的公钥解密该数字签名,并利用 WAI的散列函数对页 面内容进行散列计算, 比较散列计算的结果与解密的数字签名是否一致, 若 散列计算的结果与解密的数字签名一致, 则通过对应用服务器的鉴别, 若散 列计算的结果与解密的数字签名不一致, 则鉴别未通过。  After receiving the 200 OK message, the terminal parses the digital signature, obtains the public key of the application server WAPI certificate pre-stored on the terminal, decrypts the digital signature, and hashes the page content by using a WAI hash function, and compares Whether the result of the hash calculation is consistent with the decrypted digital signature. If the result of the hash calculation is consistent with the decrypted digital signature, the authentication is performed on the application server, and if the result of the hash calculation is inconsistent with the decrypted digital signature, the authentication is not by.
优选地, 当所述发送端为 WAPI终端, 接收端为应用服务器时, 所述发送端使用无线局域网保密基础结构 WPI算法对传输的文件内容进 行加密,并对传输的文件内容做数字签名后通过 HTTP消息传输的步骤包括: 在 WAPI终端传输文件内容时, 先生成一个 128位随机数作为临时会话 密钥,使用 WPI中的对称密钥算法 SMS4对传输的文件内容做加密得到密文; 使用应用服务器 WAPI证书的公钥对临时会话密钥进行公开密钥算法加密得 到加密后的密钥; 对传输的文件内容做数字签名; 将所述密文、 数字签名、 加密后的密钥和终端 WAPI证书信息一起封装, 将封装的内容通过 HTTP提 交(POST )发送至应用服务器, 其中, 所述终端 WAPI证书信息包括终端 WAPI证书标识或终端 WAPI证书;  Preferably, when the sending end is a WAPI terminal and the receiving end is an application server, the sending end encrypts the transmitted file content by using a wireless local area network security infrastructure WPI algorithm, and digitally signs the transmitted file content. The HTTP message transmission step includes: when the WAPI terminal transmits the file content, first generates a 128-bit random number as the temporary session key, and uses the symmetric key algorithm SMS4 in the WPI to encrypt the transmitted file content to obtain the ciphertext; The public key of the server WAPI certificate encrypts the temporary session key by the public key algorithm to obtain the encrypted key; digitally signs the transmitted file content; and the ciphertext, digital signature, encrypted key, and terminal WAPI The certificate information is encapsulated together, and the encapsulated content is sent to the application server through HTTP submission (POST), where the terminal WAPI certificate information includes a terminal WAPI certificate identifier or a terminal WAPI certificate;
所述接收端收到包含文件内容的 HTTP消息后解析出所述文件内容并验 证所述数字签名, 若数字签名验证通过, 则传输的文件内容未被更改的步骤 包括:  After receiving the HTTP message containing the file content, the receiving end parses the file content and verifies the digital signature. If the digital signature verification is passed, the step of transmitting the file content is not changed.
所述应用服务器收到所述 HTTP POST后,分离出终端 WAPI证书标识或 终端 WAPI证书, 若分离出的是终端 WAPI证书标识, 则获取终端 WAPI证 书; 使用应用服务器的 WAPI证书的私钥对加密后的密钥进行公开密钥算法 解密得到临时会话密钥, 对传输的文件内容中的密文进行对称密钥算法解密 得到正文, 并对解密出的正文进行散列计算得到散列值; 所述应用服务器使 用终端 WAPI证书的公钥对数字签名进行公开密钥算法解密得到另一散列 值; 比较得到的两个散列值是否一致, 若两个散列值一致, 则对 WAPI终端 的验证通过, 且接收的文件内容未被更改; After receiving the HTTP POST, the application server separates the terminal WAPI certificate identifier or the terminal WAPI certificate, and if the terminal WAPI certificate identifier is separated, the terminal WAPI certificate is obtained. Using the private key of the WAPI certificate of the application server, the encrypted key is decrypted by the public key algorithm to obtain a temporary session key, and the ciphertext in the transmitted file content is decrypted by a symmetric key algorithm to obtain a text, and decrypted. The text of the output is hashed to obtain a hash value; the application server decrypts the digital signature by using the public key of the terminal WAPI certificate to obtain another hash value; whether the obtained two hash values are consistent, If the two hash values are consistent, the verification of the WAPI terminal is passed, and the content of the received file is not changed;
或者  Or
当所述发送端为应用服务器, 接收端为 WAPI终端时,  When the sending end is an application server and the receiving end is a WAPI terminal,
在所述 WAPI终端与应用服务器之间釆用超文本传输协议 HTTP消息传 输文件内容的步骤中,  In the step of transmitting the content of the file by using a hypertext transfer protocol HTTP message between the WAPI terminal and the application server,
当所述 WAPI 终端从应用服务器获取文件内容时, 向应用服务器发送 HTTP GET消息时携带要获取内容对应的统一资源定位符;  When the WAPI terminal obtains the file content from the application server, the HTTP GET message is sent to the application server, and the uniform resource locator corresponding to the content to be acquired is carried;
所述发送端使用无线局域网保密基础结构 WPI算法对传输的文件内容进 行加密,并对传输的文件内容做数字签名后通过 HTTP消息传输的步骤包括: 所述应用服务器收到 HTTP GET 消息后根据所述统一资源定位符获知 The sending end encrypts the transmitted file content by using the wireless local area network security infrastructure WPI algorithm, and performs digital signature on the transmitted file content and then transmits the HTTP message through the following steps: the application server receives the HTTP GET message and then according to the The uniform resource locator is known
WAPI终端请求的文件内容, 之后生成 128位随机数作为临时会话密钥, 并 使用所述临时会话密钥对 WAPI终端请求的文件内容做 SMS4加密得到密文, 并对文件内容做数字签名, 还使用终端 WAPI证书的公钥对临时会话密钥进 行公开密钥算法加密得到加密后的密钥, 所述加密后的密钥、 密文和数字签 名以固定格式封装或以表单形式作为 200 OK消息返回给 WAPI终端; The file content requested by the WAPI terminal, and then generating a 128-bit random number as a temporary session key, and using the temporary session key to perform SMS4 encryption on the file content requested by the WAPI terminal to obtain a ciphertext, and digitally signing the content of the file, Encrypting the temporary session key using a public key of the terminal WAPI certificate to obtain an encrypted key, the encrypted key, ciphertext and digital signature being encapsulated in a fixed format or in the form of a form as a 200 OK message Return to the WAPI terminal;
所述接收端收到包含文件内容的 HTTP消息后解析出所述文件内容并验 证所述数字签名, 若数字签名验证通过, 则传输的文件内容未被更改的步骤 包括:  After receiving the HTTP message containing the file content, the receiving end parses the file content and verifies the digital signature. If the digital signature verification is passed, the step of transmitting the file content is not changed.
所述 WAPI终端收到所述 200 OK消息后, 利用终端 WAPI证书的私钥 对加密后的密钥进行公开密钥算法解密得出临时会话密钥, 之后使用该临时 会话密钥对密文进行对称密钥算法解密得到正文, 并对解密出的正文进行散 列计算得到散列值; 还使用应用服务器 WAPI证书的公钥对数字签名进行公 开密钥算法解密得到另一散列值; 比较得到的两个散列值是否一致, 若两个 散列值一致则验证通过, 且接收的文件内容未被更改。 After receiving the 200 OK message, the WAPI terminal decrypts the encrypted key by using the private key of the terminal WAPI certificate to obtain a temporary session key, and then uses the temporary session key to perform the ciphertext. The symmetric key algorithm decrypts the text, and hashes the decrypted text to obtain a hash value. The public key of the application server WAPI certificate is used to decrypt the digital signature to obtain another hash value. Whether the two hash values are the same, if two If the hash value is consistent, the verification is passed, and the contents of the received file are not changed.
优选地, 在所述 WAPI终端向应用服务器发送 HTTP GET消息时携带要 获取内容对应的统一资源定位符的步骤中,  Preferably, when the WAPI terminal sends an HTTP GET message to the application server, the step of carrying the uniform resource locator corresponding to the content is
所述终端向应用服务器发送 HTTP GET消息时对所述统一资源定位符进 行数字签名, 并将所述数字签名及终端 WAPI证书标识作为统一资源定位符 参数通过 HTTP GET消息发送至应用服务器;  When the terminal sends an HTTP GET message to the application server, the unified resource locator is digitally signed, and the digital signature and the terminal WAPI certificate identifier are sent to the application server by using an HTTP GET message as a uniform resource locator parameter;
在所述 WAPI终端向应用服务器发送 HTTP GET消息时携带要获取内容 对应的统一资源定位符的步骤之后, 所述方法还包括:  After the step of the WAPI terminal sending the HTTP GET message to the application server to carry the uniform resource locator corresponding to the content, the method further includes:
所述应用服务器收到 HTTP GET消息后分离出终端 WAPI证书标识, 获 取终端 WAPI证书, 并使用终端 WAPI证书中的公开密钥解密该数字签名; 利用 WAI的散列函数对页面内容进行散列计算; 比较散列计算的结果与解密 的数字签名是否一致, 若散列计算的结果与解密的数字签名一致, 则通过对 终端的鉴别。  After receiving the HTTP GET message, the application server separates the terminal WAPI certificate identifier, obtains the terminal WAPI certificate, and decrypts the digital signature by using the public key in the terminal WAPI certificate; hashing the page content by using the WAI hash function Whether the result of the comparison hash calculation is consistent with the decrypted digital signature, and if the result of the hash calculation is consistent with the decrypted digital signature, the terminal is authenticated.
优选地, 所述 WAPI终端对传输的文件内容做数字签名的步骤包括: 对 所述文件内容做散列计算, 并使用终端 WAPI证书的私钥对散列计算后的值 进行公开密钥算法加密。  Preferably, the step of digitally signing the content of the transmitted file by the WAPI terminal comprises: performing hash calculation on the content of the file, and performing public key algorithm encryption on the hashed value by using a private key of the terminal WAPI certificate. .
优选地, 所述应用服务器对文件内容做数字签名的步骤包括: 对所述文 件内容做散列计算, 并使用应用服务器 WAPI证书的私钥对散列计算后的值 进行公开密钥算法加密。  Preferably, the step of the application server digitally signing the file content comprises: performing hash calculation on the file content, and performing a public key algorithm encryption on the hash calculated value by using a private key of the application server WAPI certificate.
本发明还提供一种无线局域网认证与保密基础结构 WAPI终端与应用服 务器传输文件的***, 包括发送端与接收端;  The invention also provides a wireless local area network authentication and security infrastructure WAPI terminal and an application server for transmitting files, including a transmitting end and a receiving end;
所述发送端设置为, 使用无线局域网保密基础结构 WPI算法对传输的文 件内容进行加密, 并对传输的文件内容做数字签名后通过超文本传输协议 The sending end is configured to encrypt the transmitted file content by using a wireless local area network security infrastructure WPI algorithm, and digitally sign the transmitted file content through a hypertext transfer protocol.
HTTP消息发送至所述接收端; Sending an HTTP message to the receiving end;
所述接收端设置为, 收到所述 HTTP消息后解析出所述文件内容并验证 所述数字签名, 若数字签名验证通过, 则传输的文件内容未被更改。  The receiving end is configured to parse out the content of the file after receiving the HTTP message and verify the digital signature, and if the digital signature is verified, the content of the transmitted file is not changed.
优选地, 所述发送端为 WAPI终端, 接收端为应用服务器; 或者所述发 送端为应用服务器, 所述接收端为 WAPI终端; 所述 WAPI终端包括设置模块; Preferably, the sending end is a WAPI terminal, and the receiving end is an application server; or the sending end is an application server, and the receiving end is a WAPI terminal; The WAPI terminal includes a setting module;
所述 WAPI终端的设置模块设置为, 在传输文件内容之前, 向应用服务 器发送 HTTP获取 ( GET )请求时, 将该 HTTP GET请求的一头域值设置为 一预设值表示该终端为 WAPI终端;  The setting module of the WAPI terminal is configured to: when sending an HTTP get (GET) request to the application server before transmitting the file content, setting a field value of the HTTP GET request to a preset value indicates that the terminal is a WAPI terminal;
所述应用服务器还设置为, 收到所述 HTTP GET请求后若所述头域值为 预设值则判定所述终端为 WAPI终端。  The application server is further configured to determine that the terminal is a WAPI terminal if the header field value is a preset value after receiving the HTTP GET request.
优选地, 所述应用服务器包括加密模块及发送模块, 所述 WAPI终端还 包括解密模块;  Preferably, the application server includes an encryption module and a sending module, and the WAPI terminal further includes a decryption module;
所述应用服务器的加密模块设置为, 使用无线局域网鉴别基础结构 WAI 散列算法计算返回的页面, 并使用应用服务器 WAPI证书的私钥, 利用 WAI 的椭圓曲线算法, 对散列计算结果做加密计算生成数字签名;  The encryption module of the application server is configured to calculate a returned page by using a wireless local area network authentication WAI hash algorithm, and encrypt the hash calculation result by using a WAI elliptic curve algorithm using a private key of the application server WAPI certificate. Calculate the generated digital signature;
所述应用服务器的发送模块设置为, 向终端返回 200 响应(OK )消息时 携带所述数字签名;  The sending module of the application server is configured to carry the digital signature when returning a 200 response (OK) message to the terminal;
所述 WAPI终端的解密模块设置为, 收到 200 OK消息后解析出所述数 字签名, 获取预存于 WAPI终端上的应用服务器 WAPI证书的公钥解密该数 字签名, 并利用 WAI的散列函数对页面内容进行散列计算, 比较散列计算的 结果与解密的数字签名是否一致,若散列计算的结果与解密的数字签名一致, 则通过对应用服务器的鉴别, 若散列计算的结果与解密的数字签名不一致, 则鉴别未通过。  The decryption module of the WAPI terminal is configured to parse the digital signature after receiving the 200 OK message, obtain the public key of the application server WAPI certificate pre-stored on the WAPI terminal, decrypt the digital signature, and use the WAI hash function pair. The content of the page is hashed, and the result of the hash calculation is consistent with the decrypted digital signature. If the result of the hash calculation is consistent with the decrypted digital signature, the result of the hash calculation and the decryption are determined by the authentication of the application server. If the digital signatures are inconsistent, the authentication fails.
优选地, 当所述终端向应用服务器上传文件内容时, 所述终端为发送端, 所述应用服务器为接收端;  Preferably, when the terminal uploads the file content to the application server, the terminal is a sending end, and the application server is a receiving end;
所述终端包括加密模块及发送模块;  The terminal includes an encryption module and a sending module;
所述终端的加密模块设置为,生成一个 128位随机数作为临时会话密钥, 以及使用 WPI中的对称密钥算法 SMS4对上传的文件内容做加密得到密文; 使用应用服务器 WAPI证书的公钥对临时会话密钥进行公开密钥算法加密得 到加密后的密钥; 以及对上传的文件内容做数字签名;  The encryption module of the terminal is configured to generate a 128-bit random number as a temporary session key, and encrypt the uploaded file content using the symmetric key algorithm SMS4 in the WPI to obtain a ciphertext; use the public key of the application server WAPI certificate Encrypting the temporary session key by public key algorithm to obtain the encrypted key; and digitally signing the content of the uploaded file;
所述终端的发送模块设置为, 将密文、 数字签名、 加密后的密钥和终端 WAPI证书信息一起封装, 以及将封装的内容通过 HTTP提交(POST )发送 至应用服务器, 其中, 所述终端 WAPI证书信息包括终端 WAPI证书标识或 终端 WAPI证书; The sending module of the terminal is configured to encapsulate the ciphertext, the digital signature, the encrypted key and the terminal WAPI certificate information, and send the encapsulated content through HTTP submission (POST). To the application server, where the terminal WAPI certificate information includes a terminal WAPI certificate identifier or a terminal WAPI certificate;
所述应用服务器包括接收模块及解密模块;  The application server includes a receiving module and a decryption module;
所述应用服务器的接收模块设置为,收到所述 HTTP POST后,分离出终 端 WAPI证书标识或终端 WAPI证书 , 若分离出的是终端 WAPI证书标识 , 则获取终端 WAPI证书;  The receiving module of the application server is configured to: after receiving the HTTP POST, separate the terminal WAPI certificate identifier or the terminal WAPI certificate, and if the terminal WAPI certificate identifier is separated, obtain the terminal WAPI certificate;
所述应用服务器的解密模块设置为, 使用应用服务器的 WAPI证书的私 钥对加密后的密钥进行公开密钥算法解密得到临时会话密钥, 以及使用该临 时会话密钥对传输的文件内容中的密文进行对称密钥算法解密得到正文, 并 对解密出的正文进行散列计算得到散列值; 以及使用终端 WAPI证书的公钥 对签名进行公开密钥算法解密得到另一散列值 , 并比较得到的两个散列值是 否一致, 若两个散列值一致, 则对终端的验证通过, 且接收的文件内容未被 更改。  The decryption module of the application server is configured to decrypt the encrypted key by using a private key of the WAPI certificate of the application server to obtain a temporary session key, and use the temporary session key pair to transfer the file content. The ciphertext is decrypted by the symmetric key algorithm to obtain the body text, and the decrypted text is hashed to obtain a hash value; and the public key of the terminal WAPI certificate is used to decrypt the signature to obtain another hash value. And compare whether the obtained two hash values are consistent. If the two hash values are consistent, the verification of the terminal is passed, and the content of the received file is not changed.
优选地, 当所述终端从应用服务器获取文件内容时, 所述应用服务器为 发送端, 所述终端为接收端;  Preferably, when the terminal acquires file content from an application server, the application server is a sending end, and the terminal is a receiving end;
所述终端包括发送模块、 接收模块及解密模块;  The terminal includes a sending module, a receiving module, and a decrypting module;
所述终端的发送模块设置为, 向应用服务器发送 HTTP GET消息时携带 要获取文件内容对应的统一资源定位符;  The sending module of the terminal is configured to: when sending an HTTP GET message to the application server, carry a uniform resource locator corresponding to the content of the file;
所述应用服务器包括接收模块、 加密模块及发送模块;  The application server includes a receiving module, an encryption module, and a sending module;
所述应用服务器的接收模块设置为, 收到 HTTP GET消息后根据所述统 一资源定位符获知终端请求的文件内容;  The receiving module of the application server is configured to: after receiving the HTTP GET message, learn the file content requested by the terminal according to the unified resource locator;
所述应用服务器的加密模块设置为, 生成 128位随机数作为临时会话密 钥,以及使用该临时会话密钥对终端请求的文件内容做 SMS4加密形成密文, 并对文件内容做数字签名, 以及使用终端 WAPI证书的公钥对临时会话密钥 进行公开密钥算法加密得到加密后的密钥;  The encryption module of the application server is configured to generate a 128-bit random number as a temporary session key, and use the temporary session key to perform SMS4 encryption on the file content requested by the terminal to form a ciphertext, and digitally sign the content of the file, and Encrypting the temporary session key using a public key of the terminal WAPI certificate to obtain an encrypted key;
所述应用服务器的发送模块设置为, 将所述密文、 数字签名以及加密后 的密钥作为 200 OK消息发送至终端;  The sending module of the application server is configured to send the ciphertext, the digital signature, and the encrypted key to the terminal as a 200 OK message;
所述终端的接收模块设置为,将收到的所述 200 OK消息发送至终端的解 密模块; The receiving module of the terminal is configured to send the received 200 OK message to the solution of the terminal. Secret module
所述终端的解密模块设置为, 使用终端 WAPI证书的私钥对加密后的密 钥进行公开密钥算法解密得出临时会话密钥, 以及该临时会话密钥对密文进 行对称密钥算法解密得到正文,并对解密出的正文进行散列计算得到散列值, 以及使用应用服务器 WAPI证书的公钥对签名进行公开密钥算法解密得到另 一散列值, 并比较得到的两个散列值是否一致, 若两个散列值一致, 则验证 通过, 且接收的文件内容未被更改。  The decryption module of the terminal is configured to decrypt the encrypted key by using a private key of the terminal WAPI certificate to obtain a temporary session key, and the temporary session key performs symmetric key algorithm decryption on the ciphertext. Obtaining the body text, hashing the decrypted body text to obtain a hash value, and decrypting the signature by public key algorithm using the public key of the application server WAPI certificate to obtain another hash value, and comparing the obtained two hashes Whether the values are consistent. If the two hash values are the same, the verification passes and the received file contents are not changed.
优选地, 所述终端的加密模块还设置为, 向应用服务器发送 HTTP GET 消息时对所述统一资源定位符进行数字签名;  Preferably, the encryption module of the terminal is further configured to digitally sign the uniform resource locator when sending an HTTP GET message to the application server;
所述终端的发送模块还设置为, 向应用服务器发送 HTTP GET消息时将 所述数字签名及用户证书标识作为统一资源定位符参数发送至应用服务器; 所述应用服务器的解密模块还设置为, 分离出 HTTP GET消息中的终端 WAPI证书标识, 并获取终端 WAPI证书, 以及使用终端 WAPI证书中的公 开密钥解密该数字签名; 利用 WAI的散列函数对页面内容进行散列计算; 比 较散列计算的结果与解密的数字签名是否一致, 若散列计算的结果与解密的 数字签名一致, 则通过对终端的鉴别。  The sending module of the terminal is further configured to: send the digital signature and the user certificate identifier as a uniform resource locator parameter to the application server when sending the HTTP GET message to the application server; the decryption module of the application server is further configured to be separated Extracting the terminal WAPI certificate identifier in the HTTP GET message, and obtaining the terminal WAPI certificate, and decrypting the digital signature using the public key in the terminal WAPI certificate; hashing the page content using the WAI hash function; comparing hash calculation Whether the result is consistent with the decrypted digital signature, if the result of the hash calculation is consistent with the decrypted digital signature, the terminal is authenticated.
优选地, 所述终端的加密模块是设置为, 对所述文件内容做散列计算, 并使用终端 WAPI证书的私钥对散列计算后的值进行公开密钥算法加密来对 传输的文件内容做数字签名。  Preferably, the encryption module of the terminal is configured to perform hash calculation on the file content, and use a private key of the terminal WAPI certificate to perform a public key algorithm encryption on the hashed value to transmit the file content. Make a digital signature.
优选地, 所述应用服务器的加密模块是设置为, 对所述文件内容做散列 计算, 并使用应用服务器 WAPI证书的私钥对散列计算后的值进行公开密钥 算法加密来对文件内容做数字签名。  Preferably, the encryption module of the application server is configured to perform hash calculation on the file content, and use a private key of the application server WAPI certificate to perform a public key algorithm encryption on the hashed value to the file content. Make a digital signature.
釆用本发明的技术方案, 充分利用了 WAPI基础设施提供的公开密钥证 书颁发机构和客户端 WAPI证书。 WAPI终端用户在登录网络存储应用的过 程中, 依靠 WAPI鉴别服务实现用户登录过程, 登录过程无需用户输入用户 名密码。 客户端在保存内容时, 通过证书鉴别过程中协商得到的临时会话密 钥和对称加密算法, 加密存储内容, 确保内容机密性, 客户端通过散列函数 和公有证书的私有密钥, 对存储内容做数字签名计算, 并由服务器侧验证签 名和解密内容, 确保内容真实有效未被修改。 客户端在获取内容时, 通过证 书鉴别过程中协商的临时会话密钥和对称加密算法, 解密获取内容。 本发明 中介绍用户认证的方法亦可应用于其他基于 Web访问的网络应用。 附图概述 Using the technical solution of the present invention, the public key certificate authority and the client WAPI certificate provided by the WAPI infrastructure are fully utilized. During the process of logging in to the network storage application, the WAPI terminal user relies on the WAPI authentication service to implement the user login process. The login process does not require the user to input a username and password. When the client saves the content, the temporary session key and the symmetric encryption algorithm negotiated in the certificate authentication process encrypt the stored content to ensure content confidentiality, and the client uses the private function of the hash function and the public certificate to store the content. Do digital signature calculation, and verify by the server side Name and decrypt the content to ensure that the content is authentic and not modified. When obtaining the content, the client decrypts the obtained content through the temporary session key negotiated in the certificate authentication process and the symmetric encryption algorithm. The method for introducing user authentication in the present invention can also be applied to other web applications based on web access. BRIEF abstract
图 1是网络***结构;  Figure 1 is the network system structure;
图 2是本发明***结构示意图;  Figure 2 is a schematic structural view of the system of the present invention;
图 3是本发明终端向应用服务器上传内容时的流程图;  3 is a flow chart of the terminal of the present invention uploading content to an application server;
图 4是本发明终端从应用服务器获取内容时的流程图;  4 is a flow chart of the terminal of the present invention when acquiring content from an application server;
图 5是本发明终端上传内容时的处理过程图;  FIG. 5 is a process diagram of a process when a terminal of the present invention uploads content;
图 6是本发明应用服务器下发内容时的处理过程图;  6 is a process diagram of the application server when the content is delivered by the application server;
图 7是本发明终端及应用服务器接收文件内容后的处理过程图; 图 8是本发明终端对应用服务器进行鉴别的处理过程图。 本发明的较佳实施方式  7 is a process diagram of the terminal and the application server of the present invention after receiving the file content; FIG. 8 is a process diagram of the terminal of the present invention for authenticating the application server. Preferred embodiment of the invention
本发明提供一种 WAPI终端与应用服务器传输文件的***,如图 2所示, 该***包括发送端与接收端;  The present invention provides a system for transmitting files by a WAPI terminal and an application server, as shown in FIG. 2, the system includes a transmitting end and a receiving end;
发送端为 WAPI终端 21或应用服务器 22, 接收端为应用服务器 22或 WAPI终端 21 ;  The sender is the WAPI terminal 21 or the application server 22, and the receiving end is the application server 22 or the WAPI terminal 21;
发送端设置为, 使用 WPI算法对传输的文件内容进行加密, 并对传输的 内容做数字签名后通过超文本传输协议(HTTP ) 消息发送至所述接收端; 接收端设置为, 收到 HTTP消息后解析出文件内容并验证数字签名, 若 数字签名验证通过则传输的文件内容未被更改。  The sending end is configured to encrypt the transmitted file content by using the WPI algorithm, and digitally sign the transmitted content, and then send the content to the receiving end through a hypertext transfer protocol (HTTP) message; the receiving end is set to receive the HTTP message. After parsing the contents of the file and verifying the digital signature, if the digital signature is verified, the content of the transferred file is not changed.
WAPI终端 21包括设置模块 211、第一加密模块 212、第一解密模块 213、 第一发送模块 214及第一接收模块 215;  The WAPI terminal 21 includes a setting module 211, a first encryption module 212, a first decryption module 213, a first sending module 214, and a first receiving module 215;
应用服务器 22包括第二加密模块 221、 第二解密模块 222、 第二发送模 块 223及第二接收模块 224; WAPI终端的设置模块设置为, 在传输文件内容前, 向应用服务器发送 HTTP 获取(GET )请求时将该请求的一头域值表示为一预设值表示该终端 为 WAPI终端, 应用服务器收到 HTTP GET请求后若该头域值为预设值则判 定终端为 WAPI终端。 The application server 22 includes a second encryption module 221, a second decryption module 222, a second sending module 223, and a second receiving module 224; The setting module of the WAPI terminal is configured to: when sending an HTTP get (GET) request to the application server before transmitting the file content, indicating a field value of the request as a preset value indicates that the terminal is a WAPI terminal, and the application server receives the HTTP After the GET request, if the header field value is a preset value, it is determined that the terminal is a WAPI terminal.
第二加密模块设置为, 使用 WAI散列算法计算返回的页面, 并使用应用 服务器 WAPI证书的私钥, 利用 WAI的椭圓曲线算法, 对散列计算结果做加 密计算生成数字签名;  The second encryption module is configured to calculate the returned page by using a WAI hash algorithm, and use the private key of the application server WAPI certificate to perform an encryption calculation on the hash calculation result to generate a digital signature by using an elliptic curve algorithm of WAI;
第二发送模块设置为, 向 WAPI终端返回 200 OK消息时携带上述数字 签名;  The second sending module is configured to carry the digital signature when returning the 200 OK message to the WAPI terminal;
第一解密模块设置为,收到 200 OK消息后解析出数字签名,获取预存于 终端上的应用服务器 WAPI证书中的公钥解密该数字签名,并利用 WAI的散 列函数对网页内容进行散列计算, 之后比较散列计算的结果与解密的数字签 名是否一致, 若一致则通过对应用服务器的鉴别, 否则鉴别未通过。  The first decryption module is configured to parse the digital signature after receiving the 200 OK message, obtain the public key pre-stored in the WAPI certificate of the application server on the terminal, decrypt the digital signature, and hash the webpage content by using a WAI hash function. The calculation then compares the result of the hash calculation with the decrypted digital signature. If it is consistent, it authenticates the application server, otherwise the authentication fails.
( 1 )当终端向应用服务器上传内容时, 终端为发送端, 应用服务器为接 收端;  (1) When the terminal uploads content to the application server, the terminal is the sending end, and the application server is the receiving end;
第一加密模块设置为, 生成一个 128位随机数作为临时会话密钥, 以及 使用 WPI 中的对称密钥算法(SMS4 )对上传的文件内容做加密得到密文, 使用应用服务器 WAPI证书的公钥对临时会话密钥进行公开密钥算法加密得 到加密后的密钥, 以及对上传的文件内容做数字签名;  The first encryption module is configured to generate a 128-bit random number as a temporary session key, and encrypt the uploaded file content using the symmetric key algorithm (SMS4) in WPI to obtain a ciphertext, using the public key of the application server WAPI certificate. The public session key algorithm encrypts the temporary session key to obtain the encrypted key, and digitally signs the uploaded file content;
第一发送模块设置为, 将加密后的密文、 数字签名、 加密后的随机数和 用户 WAPI证书标识或 WAPI证书一起封装,以及将封装的内容通过 HTTP提 交(POST )发送至应用服务器;  The first sending module is configured to encapsulate the encrypted ciphertext, the digital signature, the encrypted random number together with the user WAPI certificate identifier or the WAPI certificate, and send the encapsulated content to the application server through HTTP submission (POST);
第二接收模块设置为,收到 HTTP POST后,分离出用户的 WAPI证书标 识或 WAPI证书, 若分离出的是 WAPI证书标识则获取 WAPI证书;  The second receiving module is configured to: after receiving the HTTP POST, separate the WAPI certificate identifier or the WAPI certificate of the user, and if the WAPI certificate identifier is separated, obtain the WAPI certificate;
第二解密模块设置为, 使用应用服务器的 WAPI证书的私钥对加密后的 密钥进行公开密钥算法解密得到临时会话密钥, 以及使用该临时会话密钥对 上传内容中的密文进行对称密钥算法解密得到正文, 并对解密出的正文进行 散列计算得到散列值, 以及使用终端 WAPI证书的公钥对签名进行公开密钥 算法解密得到另一散列值, 并比较得到的上述 2个散列值是否一致, 若一致 则对终端的验证通过, 且接收的文件内容未被更改。 The second decryption module is configured to decrypt the encrypted key by using a public key of the WAPI certificate of the application server to obtain a temporary session key, and use the temporary session key to symmetrically encrypt the ciphertext in the uploaded content. The key algorithm decrypts the body, and hashes the decrypted body to obtain a hash value, and uses the public key of the terminal WAPI certificate to publicize the signature. The algorithm decrypts to obtain another hash value, and compares whether the obtained two hash values are consistent. If they are consistent, the verification of the terminal passes, and the received file content is not changed.
第一加密模块对上传的文件内容做数字签名是指, 对文件内容做散列计 算, 之后使用终端 WAPI证书的私钥对散列计算后的值进行公开密钥算法加 密。  The first encryption module digitally signs the content of the uploaded file, and performs hash calculation on the content of the file, and then uses the private key of the terminal WAPI certificate to encrypt the hashed value with the public key algorithm.
( 2 )当终端从应用服务器获取内容时, 应用服务器为发送端, 终端为接 收端;  (2) When the terminal obtains content from the application server, the application server is the sending end, and the terminal is the receiving end;
第一发送模块设置为, 向应用服务器发送 HTTP GET消息时携带要获取 内容对应的统一资源定位符;  The first sending module is configured to: when sending an HTTP GET message to the application server, carry a uniform resource locator corresponding to the content to be obtained;
第二接收模块设置为, 收到 HTTP GET消息后根据统一资源定位符获知 终端请求的文档内容;  The second receiving module is configured to: after receiving the HTTP GET message, learn, according to the uniform resource locator, the content of the document requested by the terminal;
第二加密模块设置为, 生成 128位随机数作为临时会话密钥, 以及使用 该临时会话密钥对终端请求的文档内容做对称密钥算法( SMS4 )加密形成密 文, 并对文档内容做数字签名, 以及使用终端 WAPI证书的公钥对临时会话 密钥进行公开密钥算法加密得到加密后的密钥;  The second encryption module is configured to generate a 128-bit random number as a temporary session key, and use the temporary session key to encrypt the document content requested by the terminal by using a symmetric key algorithm (SMS4) to form a ciphertext, and to digitally mark the content of the document. Signing, and using the public key of the terminal WAPI certificate to encrypt the temporary session key by public key algorithm to obtain the encrypted key;
第二发送模块设置为,将密文、签名以及加密后的临时会话密钥作为 200 OK消息体发送至终端;  The second sending module is configured to send the ciphertext, the signature, and the encrypted temporary session key to the terminal as a 200 OK message body;
第一接收模块设置为, 将收到的 200 OK消息发送至第一解密模块; 第一解密模块设置为, 使用终端 WAPI证书的私钥对加密的密钥进行公 开密钥算法解密得出临时会话密钥, 以及该临时会话密钥对密文进行对称密 钥算法解密得到文档正文, 并对解密出的正文进行散列计算得到散列值, 以 及使用应用服务器 WAPI证书的公钥对签名进行公开密钥算法解密得到另一 散列值, 以及比较得到的上述 2个散列值是否一致, 若一致则验证通过, 且 接收的文件内容未被更改。  The first receiving module is configured to send the received 200 OK message to the first decryption module; the first decryption module is configured to use the private key of the terminal WAPI certificate to decrypt the encrypted key by using a public key algorithm to obtain a temporary session. The key, and the temporary session key, decrypt the ciphertext by the symmetric key algorithm to obtain the document body, hash the decrypted text to obtain a hash value, and publicize the signature by using the public key of the application server WAPI certificate. The key algorithm decrypts to obtain another hash value, and whether the above two hash values obtained by the comparison are consistent. If they are consistent, the verification passes, and the received file content is not changed.
第一加密模块还设置为, 向应用服务器发送 HTTP GET消息时对统一资 源定位符进行数字签名;  The first encryption module is further configured to digitally sign the unified resource locator when sending the HTTP GET message to the application server;
第一发送模块还设置为, 向应用服务器发送 HTTP GET消息时将数字签 名及用户证书标识作为统一资源定位符参数发送至应用服务器; 第二解密模块还设置为, 分离出 HTTP GET消息中的用户证书标识, 并 获取用户证书, 以及使用证书中的公开密钥解密该数字签名, 并利用 WAI的 散列函数对统一资源定位符进行散列计算, 之后比较散列计算的结果与解密 的数字签名是否一致, 若一致则通过对终端的鉴别。 The first sending module is further configured to send the digital signature and the user certificate identifier as a uniform resource locator parameter to the application server when sending the HTTP GET message to the application server; The second decryption module is further configured to: separate the user certificate identifier in the HTTP GET message, obtain the user certificate, and decrypt the digital signature by using the public key in the certificate, and use the WAI hash function to perform the uniform resource locator Hash calculation, then compare the result of the hash calculation with the decrypted digital signature, and if it is consistent, pass the identification of the terminal.
第二加密模块对文档内容做签名计算是指, 对文档内容做散列计算, 之 后使用应用服务器 WAPI证书的私钥对散列计算后的值进行公开密钥算法加 密。  The second encryption module performs signature calculation on the content of the document, and performs hash calculation on the content of the document, and then uses the private key of the application server WAPI certificate to encrypt the hashed value with the public key algorithm.
本发明还提供一种 WAPI终端与应用服务器传输文件的方法, WAPI终 端与应用服务器之间釆用 HTTP消息传输文件内容时, 发送端使用 WPI算法 对传输的文件内容进行加密, 并对传输的内容做数字签名后传输, 接收端收 到包含文件内容的 HTTP消息后解析出文件内容并验证数字签名, 若数字签 名验证通过则传输的文件内容未被更改。  The invention also provides a method for transmitting files by a WAPI terminal and an application server. When the WAPI terminal and the application server use the HTTP message to transmit the file content, the sender uses the WPI algorithm to encrypt the transmitted file content, and encrypts the transmitted content. After the digital signature is transmitted, the receiving end parses the content of the file and verifies the digital signature after receiving the HTTP message containing the content of the file, and if the digital signature is verified, the content of the transmitted file is not changed.
实施例一  Embodiment 1
本实施例为终端向应用服务器上传文件内容的方法, 如图 3所示, 包括 以下步骤:  This embodiment is a method for a terminal to upload file content to an application server. As shown in FIG. 3, the method includes the following steps:
步骤 301 : 终端浏览器向应用服务器发送 HTTP GET请求, 获取到网络 存储应用的页面,终端通过将请求中的某头域值设置为预设值表示其为 WAPI 终端, 如可以是将 User-Agent (用户代理) 设置为 WAPI 移动用户 ( WAPI-Mobile-Client ) VI.0;  Step 301: The terminal browser sends an HTTP GET request to the application server to obtain a page of the network storage application, and the terminal indicates that it is a WAPI terminal by setting a header field value in the request to a preset value, for example, the User-Agent may be (User Agent) Set to WAPI Mobile User (WAPI-Mobile-Client) VI.0;
该头域的值可以是终端在组建请求时指定, 也可以通过和无线局域网段 相邻的无线应用协议( WAP ) /HTTP应用网关修改。  The value of the header field may be specified by the terminal when the request is made, or may be modified by a Wireless Application Protocol (WAP)/HTTP application gateway adjacent to the WLAN segment.
步骤 302: 应用服务器收到终端发来的 HTTP GET请求, 根据其中某头 域中的值判断此请求是否来自于 WAPI 终端; 如根据 User-Agent 的值为 WAPI-Mobile-Client VI.0时判定该终端是 WAPI终端;  Step 302: The application server receives the HTTP GET request sent by the terminal, and determines whether the request is from the WAPI terminal according to the value in a header field; for example, when the value of the User-Agent is WAPI-Mobile-Client VI.0. The terminal is a WAPI terminal;
步骤 303: 应用服务器向终端返回 200 OK消息, 在该消息中增加一个隐 藏表单, 内容至少包含一个釆用 WAI公开密钥算法加密的数字签名, 签名方 法如下:  Step 303: The application server returns a 200 OK message to the terminal, and adds a hidden form to the message, and the content includes at least one digital signature encrypted by the WAI public key algorithm. The signature method is as follows:
( a )使用 WAI散列算法计算返回的页面, 即超文本格式字符串。 ( b )使用应用服务器 WAPI证书的私钥, 利用 WAI的椭圓曲线算法, 对散列计算结果做加密计算, 生成签名。 (a) Calculate the returned page using the WAI hash algorithm, which is a hypertext format string. (b) Using the private key of the application server WAPI certificate, using WAI's elliptic curve algorithm, the hash calculation result is encrypted and the signature is generated.
生成的签名存入页面响应中的隐藏表单里下发给终端浏览器。  The generated signature is sent to the terminal browser in a hidden form in the page response.
步骤 304: 如图 8所示, 终端在收到 200 OK消息后, 从隐藏表单中解析 出数字签名, 获取预存于终端上的应用服务器 WAPI证书中的公钥解密该数 字签名, 并利用 WAI的散列函数对网页内容进行散列计算, 之后比较散列计 算的结果与解密的数字签名是否一致, 若一致则鉴别通过, 否则鉴别未通过。  Step 304: As shown in FIG. 8, after receiving the 200 OK message, the terminal parses the digital signature from the hidden form, obtains the public key pre-stored in the WAPI certificate of the application server on the terminal, decrypts the digital signature, and uses the WAI. The hash function hashes the content of the webpage, and then compares whether the result of the hash calculation is consistent with the decrypted digital signature. If they are consistent, the authentication is passed, otherwise the authentication fails.
本发明中终端获得应用服务器 WAPI证书的方法同现有技术。  In the present invention, the method for obtaining the application server WAPI certificate by the terminal is the same as the prior art.
步骤 305: WAPI终端浏览器在获取应用服务器网页数据并完成对服务器 身份鉴别之后, 呈现页面。 终端通过浏览器提交需上传的文件内容。 提交过 程釆用 HTTP POST方法。  Step 305: The WAPI terminal browser presents the page after acquiring the application server webpage data and completing the authentication of the server. The terminal submits the content of the file to be uploaded through the browser. Submit the process using the HTTP POST method.
WAPI终端首先生成一个 128位随机数作为临时会话密钥, 使用 WPI中 SMS4算法(即图 5 中的对称密钥算法)对上传文件内容做加密得到密文, 接着使用应用服务器 WAPI证书的公钥对临时会话密钥进行公开密钥算法加 密得到加密后的密钥, 接着使用终端 WAPI证书的私钥完成上传的内容的数 字签名, 数字签名的过程即先对文件内容做散列计算, 然后使用终端 WAPI 证书的私钥加密散列计算后的值; 密文、 数字签名和加密后的密钥和用户 WAPI证书标识或证书通过某一固定格式封装, 例如:  The WAPI terminal first generates a 128-bit random number as the temporary session key, and encrypts the content of the uploaded file to obtain the ciphertext by using the SMS4 algorithm in WPI (ie, the symmetric key algorithm in FIG. 5), and then uses the public key of the application server WAPI certificate. The public key algorithm is encrypted for the temporary session key to obtain the encrypted key, and then the digital signature of the uploaded content is completed by using the private key of the terminal WAPI certificate. The digital signature process first performs hash calculation on the file content, and then uses The private key of the terminal WAPI certificate is encrypted and hashed; the ciphertext, digital signature, and encrypted key and user WAPI certificate identifier or certificate are encapsulated in a fixed format, for example:
<upload-content>  <upload-content>
<body-sign>@e23233dsew </body-sign>  <body-sign>@e23233dsew </body-sign>
<encrypted-rand>we233 dse .. </ encrypted-rand>  <encrypted-rand>we233 dse .. </ encrypted-rand>
<encrypted-body>3EWRW@#4..</encrypted-body>  <encrypted-body>3EWRW@#4..</encrypted-body>
<cert-id>23234K/cert-id>  <cert-id>23234K/cert-id>
</upload-content>  </upload-content>
终端浏览器或通过表单的方式, 组成了 POST的内容并发送给应用服务 哭口  The content of the POST is composed and sent to the application service by the terminal browser or through the form.
步骤 306: 应用服务器收到此 HTTP POST消息后, 首先根据表单或者某 一固定格式, 分离出用户的 WAPI证书标识或 WAPI证书, 如果是证书标识, 则通过与公共认证中心的交互, 获取用户的公钥证书(获取过程为标准流程, 本发明不再详述) 。 Step 306: After the application server receives the HTTP POST message, first according to the form or a certain A fixed format separates the user's WAPI certificate identifier or WAPI certificate. If it is a certificate identifier, the user's public key certificate is obtained through interaction with the public authentication center (the acquisition process is a standard process, which is not described in detail in the present invention).
应用服务器获取由终端生成的并由应用服务器公钥加密的后的随机数加 密值, 使用应用服务器的 WAPI证书的私钥对加密后的密钥进行公开密钥算 法解密得到 128位临时会话密钥, 之后使用此 128位临时会话密钥对上传内 容中的密文进行对称密钥算法解密得到正文, 并对解密出的正文进行散列计 算得到散列值, 应用服务器还使用终端 WAPI证书的公钥对签名进行公开密 钥算法解密得到另一散列值, 之后比较得到的上述 2个散列值是否一致, 若 一致则验证通过, 说明上传的文件内容未被更改, 若不一致则验证未通过。  The application server obtains the random number encrypted value generated by the terminal and encrypted by the application server public key, and uses the private key of the WAPI certificate of the application server to decrypt the encrypted key by a public key algorithm to obtain a 128-bit temporary session key. Then, using the 128-bit temporary session key, the ciphertext in the uploaded content is decrypted by a symmetric key algorithm to obtain a body text, and the decrypted body is hashed to obtain a hash value, and the application server also uses the terminal WAPI certificate. The key pair signature is decrypted by the public key algorithm to obtain another hash value, and then the obtained two hash values are compared. If the two hash values are consistent, the verification is passed, indicating that the uploaded file content has not been changed. If not, the verification fails. .
实施例二  Embodiment 2
本实施例为终端从应用服务器获取内容的方法, 如图 4所示, 包括以下 步骤:  This embodiment is a method for a terminal to obtain content from an application server. As shown in FIG. 4, the method includes the following steps:
步骤 401 : 终端浏览器向应用服务器发送 HTTP GET请求, 获取到网络 存储应用的页面,终端通过将请求的某头域值设置为一预设值表示其为 WAPI 终端, 如可以是将 User-Agent (用户代理)设置为 WAPI-Mobile-Client VI.0; 该头域的值可以是终端在组建请求时指定, 也可以通过和无线局域网段 相邻的 WAP/HTTP应用网关修改。  Step 401: The terminal browser sends an HTTP GET request to the application server, and obtains a page of the network storage application. The terminal indicates that it is a WAPI terminal by setting a certain header field value of the request to a preset value, for example, the User-Agent may be The (user agent) is set to WAPI-Mobile-Client VI.0; the value of the header field may be specified by the terminal when the request is made, or may be modified by the WAP/HTTP application gateway adjacent to the wireless LAN segment.
步骤 402: 应用服务器收到终端发来的 HTTP GET请求, 根据其中某头 域值判断此请求是否来自于 WAPI 终端; 如根据 User-Agent 的值为 WAPI-Mobile-Client VI.0时判定该终端是 WAPI终端;  Step 402: The application server receives the HTTP GET request sent by the terminal, and determines whether the request is from the WAPI terminal according to a header field value. If the value of the User-Agent is WAPI-Mobile-Client VI.0, the terminal is determined. Is a WAPI terminal;
步骤 403: 应用服务器向终端返回 200 OK消息, 在该消息中增加一个隐 藏表单, 内容至少包含一个釆用 WAI公开密钥算法加密的数字签名, 签名方 法如下:  Step 403: The application server returns a 200 OK message to the terminal, and adds a hidden form to the message, and the content includes at least one digital signature encrypted by the WAI public key algorithm. The signature method is as follows:
( a )使用 WAI散列算法计算返回的页面、 即超文本格式字符串。  (a) Calculate the returned page, the hypertext format string, using the WAI hash algorithm.
( b )使用应用服务器 WAPI证书的私钥, 利用 WAI的椭圓曲线算法, 对散列计算结果做加密计算, 生成签名。  (b) Using the private key of the application server WAPI certificate, using WAI's elliptic curve algorithm, the hash calculation result is encrypted and the signature is generated.
生成的签名存入页面响应中的隐藏表单里下发给终端浏览器。 步骤 404: 如图 8所示, 终端在收到 200 OK消息后, 从隐藏表单中解析 出数字签名, 获取预存于终端上的应用服务器 WAPI证书的公钥对签名进行 公开密钥算法解密, 并利用 WAI的散列函数对网页内容进行散列计算, 之后 比较散列计算的结果与解密的数字签名是否一致, 若一致则鉴别通过, 否则 鉴别未通过。 The generated signature is sent to the terminal browser in a hidden form in the page response. Step 404: As shown in FIG. 8, after receiving the 200 OK message, the terminal parses the digital signature from the hidden form, and obtains the public key of the WAPI certificate of the application server pre-stored on the terminal to decrypt the signature by the public key algorithm, and The hash function of the WAI is used to hash the content of the webpage, and then the result of the hash calculation is compared with the decrypted digital signature. If they are consistent, the authentication is passed, otherwise the authentication fails.
本发明中终端获得应用服务器 WAPI证书的方法同现有技术。  In the present invention, the method for obtaining the application server WAPI certificate by the terminal is the same as the prior art.
步骤 405: WAPI终端浏览器在获取应用服务器网页数据并完成对服务器 身份鉴别之后, 呈现页面。  Step 405: The WAPI terminal browser presents the page after acquiring the application server webpage data and completing the server identity authentication.
步骤 406: 终端通过界面指定要获取内容对应的 URL ( Uniform Resource Locator, 统一资源定位符) , 并使用 GET方法获取内容。  Step 406: The terminal specifies, by using an interface, a URL (Uniform Resource Locator) corresponding to the content, and uses the GET method to obtain the content.
终端用户通过浏览器操作界面选择获取文件时, 将通过 GET方法完成, 客户端插件调用 WAI 功能对统一资源定位符 (URL , Uniform Resource Locator )做签名计算, 签名方法如下:  When the terminal user selects the file through the browser operation interface, it will be completed by the GET method. The client plug-in invokes the WAI function to perform signature calculation on the Uniform Resource Locator (URL, Uniform Resource Locator). The signature method is as follows:
( a )使用 WAI散列算法计算 URL;  (a) Calculate the URL using the WAI hash algorithm;
( b )使用终端 WAPI证书对应的私钥, 利用 WAI的椭圓曲线算法, 对 散列计算结果做加密计算, 生成签名。  (b) Using the private key corresponding to the terminal WAPI certificate, using WAI's elliptic curve algorithm, the hash calculation result is encrypted and the signature is generated.
URL签名和用户证书标识通过 URL参数的方式提交给服务器, 例如: http://upload-doc-server.com/document/20091117203? Url-sign=deFQWER3d&certid=2343 ....  The URL signature and user certificate ID are submitted to the server by URL parameters, for example: http://upload-doc-server.com/document/20091117203? Url-sign=deFQWER3d&certid=2343 ....
对统一资源定位符的数字签名不包括 URL参数部分。  The digital signature for the Uniform Resource Locator does not include the URL parameter portion.
步骤 407: 应用服务器收到 HTTP GET消息, 分离出 URL参数中的用户 证书标识, 获取用户证书, 之后使用终端 WAPI证书中的公开密钥解密该数 字签名, 并利用 WAI的散列函数对网页内容进行散列计算, 之后比较散列计 算的结果与解密的数字签名是否一致, 若一致则通过对终端的鉴别, 否则鉴 别未通过。  Step 407: The application server receives the HTTP GET message, separates the user certificate identifier in the URL parameter, obtains the user certificate, and then decrypts the digital signature by using the public key in the terminal WAPI certificate, and uses the WAI hash function to the webpage content. The hash calculation is performed, and then the result of the hash calculation is compared with the decrypted digital signature. If they are consistent, the terminal is authenticated, otherwise the authentication fails.
如图 6所示, 应用服务器完成对终端的鉴别后, 生成 128位随机数作为 临时会话密钥, 并使用此临时会话密钥对客户端请求的文档内容做 SMS4加 密(即图 6中所示的对文档进行对称密钥加密), 并对文档正文做数字签名, 数字签名的过程即先对文档正文作散列计算, 之后使用应用服务器 WAPI证 书的私钥对散列计算后的值进行公开密钥算法加密; 应用服务器还使用终端 WAPI证书的公钥对临时会话密钥进行公开密钥算法加密得到加密后的密钥; 最后,所有内容以固定格式封装或以表单形式,作为 200 OK消息体返回给终 端。 As shown in FIG. 6, after the application server completes the authentication of the terminal, a 128-bit random number is generated as a temporary session key, and the temporary session key is used to perform SMS4 encryption on the document content requested by the client (that is, as shown in FIG. 6 Perform symmetric key encryption on the document, and digitally sign the body of the document. The digital signature process first hashes the document body, and then uses the private key of the application server WAPI certificate to encrypt the hashed value with the public key algorithm; the application server also uses the public key pair of the terminal WAPI certificate for the temporary session. The key is encrypted by the public key algorithm to obtain the encrypted key. Finally, all the content is encapsulated in a fixed format or in the form of a form, and is returned to the terminal as a 200 OK message body.
步骤 408: 如图 7所示, 终端收到 200 OK消息后, 利用终端 WAPI证书 的私钥对加密的密钥进行公开密钥算法解密得出临时会话密钥, 之后使用该 临时会话密钥对密文进行对称密钥算法解密得到文档正文, 并对解密出的正 文进行散列计算得到散列值, 还使用应用服务器 WAPI证书的公钥对签名进 行公开密钥算法解密得到另一散列值,比较得到的上述 2个散列值是否一致, 若一致则验证通过, 且接收的文件内容未被更改, 若不一致则验证未通过。  Step 408: As shown in FIG. 7, after receiving the 200 OK message, the terminal decrypts the encrypted key by using the private key of the terminal WAPI certificate to obtain a temporary session key, and then uses the temporary session key pair. The ciphertext is decrypted by the symmetric key algorithm to obtain the document body, and the hashed text is hashed to obtain the hash value. The public key of the application server WAPI certificate is used to decrypt the signature by the public key algorithm to obtain another hash value. Whether the above two hash values obtained by the comparison are consistent, if they are consistent, the verification is passed, and the content of the received file is not changed, and if not, the verification fails.
本发明中终端及应用服务器使用相同的公开密钥算法进行加密及解密。 本发明在不改动 HTTP协议的基础上, 通过 HTTP消息体或者超文本中 的表单, 完成基于 WAPI证书的鉴别过程, 和传输数据的加密及完整性保护, 对于应用服务器来说,不影响其 WEB访问请求处理的正常流程,所提及功能 可以通过新增功能模块完成, 新增功能只涉及 WAPI相关公钥及对称加密计 算, 未改动 HTTP及超文本传输协议的内容。  In the present invention, the terminal and the application server use the same public key algorithm for encryption and decryption. The invention completes the authentication process based on the WAPI certificate and the encryption and integrity protection of the transmitted data through the HTTP message body or the form in the hypertext without changing the HTTP protocol, and does not affect the WEB of the application server. The normal process of access request processing, the mentioned functions can be completed by adding new function modules. The new functions only involve WAPI related public keys and symmetric encryption calculations, and the contents of HTTP and hypertext transfer protocols are not changed.
本领域普通技术人员可以理解上述方法中的全部或部分步骤可通过程序 来指令相关硬件完成, 所述程序可以存储于计算机可读存储介质中, 如只读 存储器、 磁盘或光盘等。 可选地, 上述实施例的全部或部分步骤也可以使用 一个或多个集成电路来实现。 相应地, 上述实施例中的各模块 /单元可以釆用 硬件的形式实现, 也可以釆用软件功能模块的形式实现。 本发明不限制于任 何特定形式的硬件和软件的结合。  One of ordinary skill in the art will appreciate that all or a portion of the steps above may be accomplished by a program to instruct the associated hardware, such as a read-only memory, a magnetic disk, or an optical disk. Alternatively, all or part of the steps of the above embodiments may also be implemented using one or more integrated circuits. Correspondingly, each module/unit in the above embodiment may be implemented in the form of hardware or in the form of a software function module. The invention is not limited to any specific form of combination of hardware and software.
工业实用性 Industrial applicability
本发明提供的 WAPI终端与应用服务器传输文件的***及方法, 在不改 动 HTTP协议的基础上, 通过 HTTP消息体或者超文本中的表单, 完成基于 WAPI证书的鉴别过程、 传输数据的加密及完整性保护功能; 对于应用服务 器来说,不影响其 WEB访问请求处理的正常流程,所提及功能可以通过新增 功能模块完成, 新增功能只涉及 WAPI相关公钥及对称加密计算, 未改动 HTTP及超文本传输协议的内容。 The system and method for transmitting files by the WAPI terminal and the application server provided by the invention complete the authentication process based on the WAPI certificate, encrypt and complete the transmission data through the HTTP message body or the form in the hypertext without changing the HTTP protocol. Sexual protection; for application services For the device, it does not affect the normal process of WEB access request processing. The mentioned functions can be completed by adding new function modules. The new functions only involve WAPI-related public keys and symmetric encryption calculations, without changing HTTP and hypertext transfer protocols. content.

Claims

权 利 要 求 书 Claim
1、一种无线局域网认证与保密基础结构 WAPI终端与应用服务器传输文 件的方法, 包括:  1. A wireless local area network authentication and privacy infrastructure WAPI terminal and application server method for transmitting files, including:
WAPI终端与应用服务器之间釆用超文本传输协议 HTTP消息传输文件 内容时, 发送端使用无线局域网保密基础结构 WPI算法对传输的文件内容进 行加密, 并对传输的文件内容做数字签名后通过 HTTP消息传输, 接收端收 到包含文件内容的 HTTP消息后解析出所述文件内容并验证所述数字签名, 若数字签名验证通过, 则传输的文件内容未被更改。  When the WAPI terminal and the application server use the hypertext transfer protocol HTTP message to transfer the file content, the sender uses the wireless local area network security infrastructure WPI algorithm to encrypt the transmitted file content, and digitally signs the transmitted file content through HTTP. In the message transmission, after receiving the HTTP message containing the content of the file, the receiving end parses the content of the file and verifies the digital signature. If the digital signature is verified, the content of the transmitted file is not changed.
2、 如权利要求 1所述的方法, 其中:  2. The method of claim 1 wherein:
在传输文件内容的步骤之前, 所述方法还包括: 终端向应用服务器发送 Before the step of transmitting the content of the file, the method further includes: sending, by the terminal, to the application server
HTTP获取 ( GET )请求时, 将该 HTTP GET请求的一头域值设置为一预设 值表示该终端为 WAPI终端, 所述应用服务器收到所述 HTTP GET请求后若 所述头域值为所述预设值, 则判定所述终端为 WAPI终端。 When the HTTP get (GET) request is set, the value of the header field of the HTTP GET request is set to a preset value, indicating that the terminal is a WAPI terminal, and if the application server receives the HTTP GET request, if the header field value is The preset value determines that the terminal is a WAPI terminal.
3、 如权利要求 2所述的方法, 其中,  3. The method of claim 2, wherein
在应用服务器收到 HTTP GET请求的步骤之后, 所述方法还包括: 向所述终端返回 200 响应(OK )消息时增加一个数字签名, 所述数字签 名的生成步骤包括:使用无线局域网鉴别基础结构 WAI散列算法计算返回的 页面, 并使用应用服务器 WAPI证书的私钥, 利用 WAI的椭圓曲线算法, 对 散列计算结果做加密计算生成所述数字签名; 以及  After the step of the application server receiving the HTTP GET request, the method further includes: adding a digital signature when returning the 200 response (OK) message to the terminal, the step of generating the digital signature comprising: using a wireless local area network to identify the infrastructure The WAI hash algorithm calculates the returned page, and uses the private key of the application server WAPI certificate to perform the encryption calculation on the hash calculation result to generate the digital signature by using the WAI elliptic curve algorithm;
所述终端收到 200 OK消息后解析出所述数字签名,获取预存于终端上的 应用服务器 WAPI证书的公钥解密该数字签名,并利用 WAI的散列函数对页 面内容进行散列计算, 比较散列计算的结果与解密的数字签名是否一致, 若 散列计算的结果与解密的数字签名一致, 则通过对应用服务器的鉴别, 若散 列计算的结果与解密的数字签名不一致, 则鉴别未通过。  After receiving the 200 OK message, the terminal parses the digital signature, obtains the public key of the application server WAPI certificate pre-stored on the terminal, decrypts the digital signature, and hashes the page content by using a WAI hash function, and compares Whether the result of the hash calculation is consistent with the decrypted digital signature. If the result of the hash calculation is consistent with the decrypted digital signature, the authentication is performed on the application server, and if the result of the hash calculation is inconsistent with the decrypted digital signature, the authentication is not by.
4、 如权利要求 1所述的方法, 其中, 当所述发送端为 WAPI终端, 接收 端为应用服务器时,  4. The method according to claim 1, wherein, when the transmitting end is a WAPI terminal and the receiving end is an application server,
所述发送端使用无线局域网保密基础结构 WPI算法对传输的文件内容进 行加密,并对传输的文件内容做数字签名后通过 HTTP消息传输的步骤包括: 在 WAPI终端传输文件内容时, 先生成一个 128位随机数作为临时会话 密钥,使用 WPI中的对称密钥算法 SMS4对传输的文件内容做加密得到密文; 使用应用服务器 WAPI证书的公钥对临时会话密钥进行公开密钥算法加密得 到加密后的密钥; 对传输的文件内容做数字签名; 将所述密文、 数字签名、 加密后的密钥和终端 WAPI证书信息一起封装, 将封装的内容通过 HTTP提 交(POST )发送至应用服务器, 其中, 所述终端 WAPI证书信息包括终端 WAPI证书标识或终端 WAPI证书; The sending end encrypts the transmitted file content by using the wireless local area network security infrastructure WPI algorithm, and performs digital signature on the transmitted file content and then transmits the HTTP message through the following steps: When the WAPI terminal transmits the file content, first generate a 128-bit random number as the temporary session key, and use the symmetric key algorithm SMS4 in WPI to encrypt the transmitted file content to obtain the ciphertext; use the public key pair of the application server WAPI certificate. The temporary session key is encrypted by the public key algorithm to obtain the encrypted key; the digital content of the transmitted file is digitally signed; the ciphertext, the digital signature, the encrypted key and the terminal WAPI certificate information are encapsulated together, and the package is encapsulated The content is sent to the application server through an HTTP submission (POST), where the terminal WAPI certificate information includes a terminal WAPI certificate identifier or a terminal WAPI certificate;
所述接收端收到包含文件内容的 HTTP消息后解析出所述文件内容并验 证所述数字签名, 若数字签名验证通过, 则传输的文件内容未被更改的步骤 包括:  After receiving the HTTP message containing the file content, the receiving end parses the file content and verifies the digital signature. If the digital signature verification is passed, the step of transmitting the file content is not changed.
所述应用服务器收到所述 HTTP POST后,分离出终端 WAPI证书标识或 终端 WAPI证书, 若分离出的是终端 WAPI证书标识 , 则获取终端 WAPI证 书; 使用应用服务器的 WAPI证书的私钥对加密后的密钥进行公开密钥算法 解密得到临时会话密钥, 对传输的文件内容中的密文进行对称密钥算法解密 得到正文, 并对解密出的正文进行散列计算得到散列值; 所述应用服务器使 用终端 WAPI证书的公钥对数字签名进行公开密钥算法解密得到另一散列 值; 比较得到的两个散列值是否一致, 若两个散列值一致, 则对 WAPI终端 的验证通过, 且接收的文件内容未被更改;  After receiving the HTTP POST, the application server separates the terminal WAPI certificate identifier or the terminal WAPI certificate, and if the terminal WAPI certificate identifier is separated, obtains the terminal WAPI certificate; and encrypts the private key pair of the WAPI certificate of the application server. The latter key is decrypted by the public key algorithm to obtain a temporary session key, and the ciphertext in the transmitted file content is decrypted by a symmetric key algorithm to obtain a body text, and the decrypted text is hashed to obtain a hash value; The application server uses the public key of the terminal WAPI certificate to decrypt the digital signature by the public key algorithm to obtain another hash value; whether the obtained two hash values are consistent, if the two hash values are consistent, then the WAPI terminal is The verification passed, and the content of the received file has not been changed;
或者  Or
当所述发送端为应用服务器, 接收端为 WAPI终端时,  When the sending end is an application server and the receiving end is a WAPI terminal,
在所述 WAPI终端与应用服务器之间釆用超文本传输协议 HTTP消息传 输文件内容的步骤中, 当所述 WAPI终端从应用服务器获取文件内容时, 向 应用服务器发送 HTTP GET消息时携带要获取内容对应的统一资源定位符; 所述发送端使用无线局域网保密基础结构 WPI算法对传输的文件内容进 行加密,并对传输的文件内容做数字签名后通过 HTTP消息传输的步骤包括: 所述应用服务器收到 HTTP GET 消息后根据所述统一资源定位符获知 WAPI终端请求的文件内容, 之后生成 128位随机数作为临时会话密钥, 并 使用所述临时会话密钥对 WAPI终端请求的文件内容做 SMS4加密得到密文, 并对文件内容做数字签名, 还使用终端 WAPI证书的公钥对临时会话密钥进 行公开密钥算法加密得到加密后的密钥, 所述加密后的密钥、 密文和数字签 名以固定格式封装或以表单形式作为 200 OK消息返回给 WAPI终端; In the step of transmitting the file content by using the hypertext transfer protocol HTTP message between the WAPI terminal and the application server, when the WAPI terminal acquires the file content from the application server, when the HTTP GET message is sent to the application server, the content to be acquired is carried Corresponding uniform resource locator; the sending end encrypts the transmitted file content by using the wireless local area network security infrastructure WPI algorithm, and digitally signs the transmitted file content, and then transmits the HTTP message through the following steps: After the HTTP GET message is obtained, the file content requested by the WAPI terminal is obtained according to the uniform resource locator, and then a 128-bit random number is generated as a temporary session key, and the file content requested by the WAPI terminal is used for SMS4 encryption by using the temporary session key. Get the ciphertext, And digitally signing the content of the file, and encrypting the temporary session key by using the public key of the terminal WAPI certificate to obtain the encrypted key, and the encrypted key, ciphertext and digital signature are in a fixed format. Encapsulate or return to the WAPI terminal as a 200 OK message in the form of a form;
所述接收端收到包含文件内容的 HTTP消息后解析出所述文件内容并验 证所述数字签名, 若数字签名验证通过, 则传输的文件内容未被更改的步骤 包括:  After receiving the HTTP message containing the file content, the receiving end parses the file content and verifies the digital signature. If the digital signature verification is passed, the step of transmitting the file content is not changed.
所述 WAPI终端收到所述 200 OK消息后, 利用终端 WAPI证书的私钥 对加密后的密钥进行公开密钥算法解密得出临时会话密钥, 之后使用该临时 会话密钥对密文进行对称密钥算法解密得到正文, 并对解密出的正文进行散 列计算得到散列值; 还使用应用服务器 WAPI证书的公钥对数字签名进行公 开密钥算法解密得到另一散列值; 比较得到的两个散列值是否一致, 若两个 散列值一致则验证通过, 且接收的文件内容未被更改。  After receiving the 200 OK message, the WAPI terminal decrypts the encrypted key by using the private key of the terminal WAPI certificate to obtain a temporary session key, and then uses the temporary session key to perform the ciphertext. The symmetric key algorithm decrypts the text, and hashes the decrypted text to obtain a hash value. The public key of the application server WAPI certificate is used to decrypt the digital signature to obtain another hash value. Whether the two hash values are consistent, if the two hash values are the same, the verification passes, and the content of the received file is not changed.
5、 如权利要求 4所述的方法, 其中, 在所述 WAPI终端向应用服务器发 送 HTTP GET消息时携带要获取内容对应的统一资源定位符的步骤中, 所述终端向应用服务器发送 HTTP GET消息时对所述统一资源定位符进 行数字签名, 并将所述数字签名及终端 WAPI证书标识作为统一资源定位符 参数通过 HTTP GET消息发送至应用服务器;  The method of claim 4, wherein, in the step of the WAPI terminal sending an HTTP GET message to the application server, the terminal carries a uniform resource locator corresponding to the content, the terminal sends an HTTP GET message to the application server. And digitally signing the uniform resource locator, and sending the digital signature and the terminal WAPI certificate identifier as a uniform resource locator parameter to the application server by using an HTTP GET message;
在所述 WAPI终端向应用服务器发送 HTTP GET消息时携带要获取内容 对应的统一资源定位符的步骤之后, 所述方法还包括:  After the step of the WAPI terminal sending the HTTP GET message to the application server to carry the uniform resource locator corresponding to the content, the method further includes:
所述应用服务器收到 HTTP GET消息后分离出终端 WAPI证书标识, 获 取终端 WAPI证书, 并使用终端 WAPI证书中的公开密钥解密该数字签名; 利用 WAI的散列函数对页面内容进行散列计算; 比较散列计算的结果与解密 的数字签名是否一致, 若散列计算的结果与解密的数字签名一致, 则通过对 终端的鉴别。  After receiving the HTTP GET message, the application server separates the terminal WAPI certificate identifier, obtains the terminal WAPI certificate, and decrypts the digital signature by using the public key in the terminal WAPI certificate; hashing the page content by using the WAI hash function Whether the result of the comparison hash calculation is consistent with the decrypted digital signature, and if the result of the hash calculation is consistent with the decrypted digital signature, the terminal is authenticated.
6、 如权利要求 4所述的方法, 其中,  6. The method of claim 4, wherein
所述 WAPI终端对传输的文件内容做数字签名的步骤包括: 对所述文件 内容做散列计算, 并使用终端 WAPI证书的私钥对散列计算后的值进行公开 密钥算法加密。 The step of digitally signing the transmitted file content by the WAPI terminal comprises: performing hash calculation on the file content, and performing a public key algorithm encryption on the hashed value using the private key of the terminal WAPI certificate.
7、 如权利要求 4所述的方法, 其中: 7. The method of claim 4, wherein:
所述应用服务器对文件内容做数字签名的步骤包括: 对所述文件内容做 散列计算, 并使用应用服务器 WAPI证书的私钥对散列计算后的值进行公开 密钥算法加密。  The step of the application server digitally signing the file content comprises: performing hash calculation on the file content, and performing a public key algorithm encryption on the hashed value using the private key of the application server WAPI certificate.
8、一种无线局域网认证与保密基础结构 WAPI终端与应用服务器传输文 件的***, 包括发送端与接收端; 其中:  8. A wireless local area network authentication and privacy infrastructure A system for transmitting files by a WAPI terminal and an application server, including a transmitting end and a receiving end;
所述发送端设置为, 使用无线局域网保密基础结构 WPI算法对传输的文 件内容进行加密, 并对传输的文件内容做数字签名后通过超文本传输协议 The sending end is configured to encrypt the transmitted file content by using a wireless local area network security infrastructure WPI algorithm, and digitally sign the transmitted file content through a hypertext transfer protocol.
HTTP消息发送至所述接收端; Sending an HTTP message to the receiving end;
所述接收端设置为, 收到所述 HTTP消息后解析出所述文件内容并验证 所述数字签名, 若数字签名验证通过, 则传输的文件内容未被更改。  The receiving end is configured to parse out the content of the file after receiving the HTTP message and verify the digital signature, and if the digital signature is verified, the content of the transmitted file is not changed.
9、 如权利要求 8所述的***, 其中:  9. The system of claim 8 wherein:
所述发送端为 WAPI终端, 接收端为应用服务器; 或者所述发送端为应 用服务器, 所述接收端为 WAPI终端;  The sending end is a WAPI terminal, and the receiving end is an application server; or the sending end is an application server, and the receiving end is a WAPI terminal;
所述 WAPI终端包括设置模块;  The WAPI terminal includes a setting module;
所述 WAPI终端的设置模块设置为, 在传输文件内容之前, 向应用服务 器发送 HTTP获取 ( GET )请求时, 将该 HTTP GET请求的一头域值设置为 一预设值表示该终端为 WAPI终端;  The setting module of the WAPI terminal is configured to: when sending an HTTP get (GET) request to the application server before transmitting the file content, setting a field value of the HTTP GET request to a preset value indicates that the terminal is a WAPI terminal;
所述应用服务器还设置为, 收到所述 HTTP GET请求后, 若所述头域值 为预设值, 则判定所述终端为 WAPI终端。  The application server is further configured to: after receiving the HTTP GET request, if the header field value is a preset value, determining that the terminal is a WAPI terminal.
10、 如权利要求 9所述的***, 其中:  10. The system of claim 9 wherein:
所述应用服务器包括加密模块及发送模块, 所述 WAPI终端还包括解密 模块;  The application server includes an encryption module and a sending module, and the WAPI terminal further includes a decryption module;
所述应用服务器的加密模块设置为, 使用无线局域网鉴别基础结构 WAI 散列算法计算返回的页面, 并使用应用服务器 WAPI证书的私钥, 利用 WAI 的椭圓曲线算法, 对散列计算结果做加密计算生成数字签名;  The encryption module of the application server is configured to calculate a returned page by using a wireless local area network authentication WAI hash algorithm, and encrypt the hash calculation result by using a WAI elliptic curve algorithm using a private key of the application server WAPI certificate. Calculate the generated digital signature;
所述应用服务器的发送模块设置为, 向终端返回 200 响应(OK )消息时 携带所述数字签名; The sending module of the application server is set to return a 200 response (OK) message to the terminal. Carrying the digital signature;
所述 WAPI终端的解密模块设置为, 收到 200 OK消息后解析出所述数 字签名, 获取预存于 WAPI终端上的应用服务器 WAPI证书的公钥解密该数 字签名, 并利用 WAI的散列函数对页面内容进行散列计算, 比较散列计算的 结果与解密的数字签名是否一致,若散列计算的结果与解密的数字签名一致, 则通过对应用服务器的鉴别, 若散列计算的结果与解密的数字签名不一致, 则鉴别未通过。  The decryption module of the WAPI terminal is configured to parse the digital signature after receiving the 200 OK message, obtain the public key of the application server WAPI certificate pre-stored on the WAPI terminal, decrypt the digital signature, and use the WAI hash function pair. The content of the page is hashed, and the result of the hash calculation is consistent with the decrypted digital signature. If the result of the hash calculation is consistent with the decrypted digital signature, the result of the hash calculation and the decryption are determined by the authentication of the application server. If the digital signatures are inconsistent, the authentication fails.
11、 如权利要求 8所述的***, 其中:  11. The system of claim 8 wherein:
当所述终端向应用服务器上传文件内容时, 所述终端为发送端, 所述应 用服务器为接收端;  When the terminal uploads the file content to the application server, the terminal is a sending end, and the application server is a receiving end;
所述终端包括加密模块及发送模块;  The terminal includes an encryption module and a sending module;
所述终端的加密模块设置为,生成一个 128位随机数作为临时会话密钥, 以及使用 WPI中的对称密钥算法 SMS4对上传的文件内容做加密得到密文; 使用应用服务器 WAPI证书的公钥对临时会话密钥进行公开密钥算法加密得 到加密后的密钥; 以及对上传的文件内容做数字签名;  The encryption module of the terminal is configured to generate a 128-bit random number as a temporary session key, and encrypt the uploaded file content using the symmetric key algorithm SMS4 in the WPI to obtain a ciphertext; use the public key of the application server WAPI certificate Encrypting the temporary session key by public key algorithm to obtain the encrypted key; and digitally signing the content of the uploaded file;
所述终端的发送模块设置为, 将密文、 数字签名、 加密后的密钥和终端 WAPI证书信息一起封装, 以及将封装的内容通过 HTTP提交(POST )发送 至应用服务器, 其中, 所述终端 WAPI证书信息包括终端 WAPI证书标识或 终端 WAPI证书;  The sending module of the terminal is configured to encapsulate the ciphertext, the digital signature, the encrypted key, and the terminal WAPI certificate information, and send the encapsulated content to the application server through HTTP submission (POST), where the terminal The WAPI certificate information includes a terminal WAPI certificate identifier or a terminal WAPI certificate;
所述应用服务器包括接收模块及解密模块;  The application server includes a receiving module and a decryption module;
所述应用服务器的接收模块设置为,收到所述 HTTP POST后,分离出终 端 WAPI证书标识或终端 WAPI证书 , 若分离出的是终端 WAPI证书标识 , 则获取终端 WAPI证书;  The receiving module of the application server is configured to: after receiving the HTTP POST, separate the terminal WAPI certificate identifier or the terminal WAPI certificate, and if the terminal WAPI certificate identifier is separated, obtain the terminal WAPI certificate;
所述应用服务器的解密模块设置为, 使用应用服务器的 WAPI证书的私 钥对加密后的密钥进行公开密钥算法解密得到临时会话密钥, 以及使用该临 时会话密钥对传输的文件内容中的密文进行对称密钥算法解密得到正文, 并 对解密出的正文进行散列计算得到散列值; 以及使用终端 WAPI证书的公钥 对签名进行公开密钥算法解密得到另一散列值, 并比较得到的两个散列值是 否一致, 若两个散列值一致, 则对终端的验证通过, 且接收的文件内容未被 更改。 The decryption module of the application server is configured to decrypt the encrypted key by using a private key of the WAPI certificate of the application server to obtain a temporary session key, and use the temporary session key pair to transfer the file content. The ciphertext is decrypted by the symmetric key algorithm to obtain the body text, and the decrypted text is hashed to obtain a hash value; and the public key of the terminal WAPI certificate is used to decrypt the signature to obtain another hash value. And compare the two hash values obtained No. If the two hash values are the same, the verification of the terminal is passed, and the content of the received file is not changed.
12、 如权利要求 8所述的***, 其中:  12. The system of claim 8 wherein:
当所述终端从应用服务器获取文件内容时, 所述应用服务器为发送端, 所述终端为接收端;  When the terminal obtains the file content from the application server, the application server is a sending end, and the terminal is a receiving end;
所述终端包括发送模块、 接收模块及解密模块;  The terminal includes a sending module, a receiving module, and a decrypting module;
所述终端的发送模块设置为, 向应用服务器发送 HTTP GET消息时携带 要获取文件内容对应的统一资源定位符;  The sending module of the terminal is configured to: when sending an HTTP GET message to the application server, carry a uniform resource locator corresponding to the content of the file;
所述应用服务器包括接收模块、 加密模块及发送模块;  The application server includes a receiving module, an encryption module, and a sending module;
所述应用服务器的接收模块设置为, 收到 HTTP GET消息后根据所述统 一资源定位符获知终端请求的文件内容;  The receiving module of the application server is configured to: after receiving the HTTP GET message, learn the file content requested by the terminal according to the unified resource locator;
所述应用服务器的加密模块设置为, 生成 128位随机数作为临时会话密 钥,以及使用该临时会话密钥对终端请求的文件内容做 SMS4加密形成密文, 并对文件内容做数字签名, 以及使用终端 WAPI证书的公钥对临时会话密钥 进行公开密钥算法加密得到加密后的密钥;  The encryption module of the application server is configured to generate a 128-bit random number as a temporary session key, and use the temporary session key to perform SMS4 encryption on the file content requested by the terminal to form a ciphertext, and digitally sign the content of the file, and Encrypting the temporary session key using a public key of the terminal WAPI certificate to obtain an encrypted key;
所述应用服务器的发送模块设置为, 将所述密文、 数字签名以及加密后 的密钥作为 200 OK消息发送至终端;  The sending module of the application server is configured to send the ciphertext, the digital signature, and the encrypted key to the terminal as a 200 OK message;
所述终端的接收模块设置为,将收到的所述 200 OK消息发送至终端的解 密模块;  The receiving module of the terminal is configured to send the received 200 OK message to the decryption module of the terminal;
所述终端的解密模块设置为, 使用终端 WAPI证书的私钥对加密后的密 钥进行公开密钥算法解密得出临时会话密钥, 以及该临时会话密钥对密文进 行对称密钥算法解密得到正文,并对解密出的正文进行散列计算得到散列值, 以及使用应用服务器 WAPI证书的公钥对签名进行公开密钥算法解密得到另 一散列值, 并比较得到的两个散列值是否一致, 若两个散列值一致, 则验证 通过, 且接收的文件内容未被更改。  The decryption module of the terminal is configured to decrypt the encrypted key by using a private key of the terminal WAPI certificate to obtain a temporary session key, and the temporary session key performs symmetric key algorithm decryption on the ciphertext. Obtaining the body text, hashing the decrypted body text to obtain a hash value, and decrypting the signature by public key algorithm using the public key of the application server WAPI certificate to obtain another hash value, and comparing the obtained two hashes Whether the values are consistent. If the two hash values are the same, the verification passes and the received file contents are not changed.
13、 如权利要求 12所述的***, 其中:  13. The system of claim 12, wherein:
所述终端的加密模块还设置为, 向应用服务器发送 HTTP GET消息时对 所述统一资源定位符进行数字签名; 所述终端的发送模块还设置为, 向应用服务器发送 HTTP GET消息时将 所述数字签名及用户证书标识作为统一资源定位符参数发送至应用服务器; 所述应用服务器的解密模块还设置为, 分离出 HTTP GET消息中的终端 WAPI证书标识, 并获取终端 WAPI证书, 以及使用终端 WAPI证书中的公 开密钥解密该数字签名; 利用 WAI的散列函数对页面内容进行散列计算; 比 较散列计算的结果与解密的数字签名是否一致, 若散列计算的结果与解密的 数字签名一致, 则通过对终端的鉴别。 The encryption module of the terminal is further configured to digitally sign the uniform resource locator when sending an HTTP GET message to the application server; The sending module of the terminal is further configured to: send the digital signature and the user certificate identifier as a uniform resource locator parameter to the application server when sending the HTTP GET message to the application server; the decryption module of the application server is further configured to be separated Extracting the terminal WAPI certificate identifier in the HTTP GET message, and obtaining the terminal WAPI certificate, and decrypting the digital signature using the public key in the terminal WAPI certificate; hashing the page content using the WAI hash function; comparing hash calculation Whether the result is consistent with the decrypted digital signature, if the result of the hash calculation is consistent with the decrypted digital signature, the terminal is authenticated.
14、 如权利要求 11所述的***, 其中:  14. The system of claim 11 wherein:
所述终端的加密模块是设置为, 对所述文件内容做散列计算, 并使用终 端 WAPI证书的私钥对散列计算后的值进行公开密钥算法加密来对传输的文 件内容做数字签名。  The encryption module of the terminal is configured to perform hash calculation on the content of the file, and use a private key of the terminal WAPI certificate to perform a public key algorithm encryption on the hashed value to digitally sign the transmitted file content. .
15、 如权利要求 12所述的***, 其中:  15. The system of claim 12, wherein:
所述应用服务器的加密模块是设置为, 对所述文件内容做散列计算, 并 使用应用服务器 WAPI证书的私钥对散列计算后的值进行公开密钥算法加密 来对文件内容做数字签名。  The encryption module of the application server is configured to perform hash calculation on the file content, and use a private key of the application server WAPI certificate to perform a public key algorithm encryption on the hashed value to digitally sign the file content. .
PCT/CN2010/075406 2009-12-21 2010-07-22 System and method for transmitting files between wapi teminal and application sever WO2011076008A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN200910247064.0 2009-12-21
CN200910247064A CN101742508A (en) 2009-12-21 2009-12-21 System and method for transmitting files between WAPI terminal and application server

Publications (1)

Publication Number Publication Date
WO2011076008A1 true WO2011076008A1 (en) 2011-06-30

Family

ID=42465224

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2010/075406 WO2011076008A1 (en) 2009-12-21 2010-07-22 System and method for transmitting files between wapi teminal and application sever

Country Status (2)

Country Link
CN (1) CN101742508A (en)
WO (1) WO2011076008A1 (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2013086756A1 (en) * 2011-12-14 2013-06-20 金峰顺泰知识产权有限公司 Method and system for documentation of digital archives
CN114760129A (en) * 2022-04-11 2022-07-15 平安国际智慧城市科技股份有限公司 Data access method, device, equipment and storage medium

Families Citing this family (22)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101742508A (en) * 2009-12-21 2010-06-16 中兴通讯股份有限公司 System and method for transmitting files between WAPI terminal and application server
CN103220159A (en) * 2012-01-19 2013-07-24 北京千橡网景科技发展有限公司 Method used for transferring information and device used for transferring information
CN103368901A (en) * 2012-03-27 2013-10-23 复旦大学 Cloud computing system based on large-scale discrete data
CN102868765B (en) * 2012-10-09 2015-06-03 乐视网信息技术(北京)股份有限公司 Method and system for uploading files
CN103220295A (en) * 2013-04-26 2013-07-24 福建伊时代信息科技股份有限公司 Document encryption and decryption method, device and system
CN105227514A (en) * 2014-05-27 2016-01-06 北大方正集团有限公司 Based on document transmission processing method and the browser of browser
CN105825145B (en) * 2016-03-16 2018-08-31 孙凤鸣 Electronic evidence-collecting method, evidence obtaining server, evidence obtaining intelligent terminal and evidence-obtaining system
CN105933124B (en) * 2016-06-30 2020-10-30 武汉理工大学 Digital signature and message hash value recovery and signature verification method
CN106326394A (en) * 2016-08-18 2017-01-11 乐视控股(北京)有限公司 Method and device for obtaining file name
CN106790075A (en) * 2016-12-21 2017-05-31 上海云熵网络科技有限公司 For the Verification System and authentication method of UDP transmission
CN109561124A (en) * 2017-09-27 2019-04-02 深圳市创易联合科技有限公司 A kind of method, system and the terminal device of file transmission
CN107920069A (en) * 2017-11-15 2018-04-17 中国联合网络通信集团有限公司 Application security processing method and processing device in ciphering terminal
CN108400979B (en) * 2018-02-06 2021-07-30 武汉斗鱼网络科技有限公司 Communication method applied to client and server and electronic equipment
CN108549701A (en) * 2018-04-17 2018-09-18 上海海事大学 Cloud environment encrypts outsourcing data semantic extended search method and system
CN109194631A (en) * 2018-08-17 2019-01-11 郑州云海信息技术有限公司 A kind of proof of identity method and relevant apparatus
CN109150516A (en) * 2018-08-31 2019-01-04 密信技术(深圳)有限公司 The signature and/or encryption method of browser file, device, browser and medium
CN109088889B (en) * 2018-10-16 2021-07-06 深信服科技股份有限公司 SSL encryption and decryption method, system and computer readable storage medium
CN109672530A (en) * 2019-01-08 2019-04-23 如般量子科技有限公司 Anti- quantum calculation digital signature method and anti-quantum calculation digital signature system based on unsymmetrical key pond
CN109889344B (en) * 2019-01-31 2020-06-16 深圳中兴飞贷金融科技有限公司 Terminal, data transmission method, and computer-readable storage medium
CN109831311B (en) * 2019-03-21 2022-04-01 深圳市网心科技有限公司 Server verification method, system, user terminal and readable storage medium
CN110008727B (en) * 2019-04-10 2020-07-21 南方电网数字电网研究院有限公司 Encryption sensitive parameter processing method and device, computer equipment and storage medium
CN114499871B (en) * 2021-12-23 2024-01-09 成都卫士通信息产业股份有限公司 Signature encryption method, device and system and computer readable storage medium

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1505360A (en) * 2002-11-29 2004-06-16 英华达(上海)电子有限公司 Method and system for implementing program updating by use of hypertext transmission protocol service
CN1905504A (en) * 2006-07-31 2007-01-31 西安西电捷通无线网络通信有限公司 Method for implementing virtual LAN based on WAPI system in WLAN
CN101466079A (en) * 2009-01-12 2009-06-24 中兴通讯股份有限公司 Method, system and WAPI terminal for transmitting e-mail
CN101742508A (en) * 2009-12-21 2010-06-16 中兴通讯股份有限公司 System and method for transmitting files between WAPI terminal and application server

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1505360A (en) * 2002-11-29 2004-06-16 英华达(上海)电子有限公司 Method and system for implementing program updating by use of hypertext transmission protocol service
CN1905504A (en) * 2006-07-31 2007-01-31 西安西电捷通无线网络通信有限公司 Method for implementing virtual LAN based on WAPI system in WLAN
CN101466079A (en) * 2009-01-12 2009-06-24 中兴通讯股份有限公司 Method, system and WAPI terminal for transmitting e-mail
CN101742508A (en) * 2009-12-21 2010-06-16 中兴通讯股份有限公司 System and method for transmitting files between WAPI terminal and application server

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2013086756A1 (en) * 2011-12-14 2013-06-20 金峰顺泰知识产权有限公司 Method and system for documentation of digital archives
CN114760129A (en) * 2022-04-11 2022-07-15 平安国际智慧城市科技股份有限公司 Data access method, device, equipment and storage medium

Also Published As

Publication number Publication date
CN101742508A (en) 2010-06-16

Similar Documents

Publication Publication Date Title
WO2011076008A1 (en) System and method for transmitting files between wapi teminal and application sever
CN108650227B (en) Handshaking method and system based on datagram secure transmission protocol
KR102124413B1 (en) System and method for identity based key management
CN109088870B (en) Method for safely accessing acquisition terminal of power generation unit of new energy plant station to platform
US8635444B2 (en) System and method for distributing keys in a wireless network
KR102134302B1 (en) Wireless network access method and apparatus, and storage medium
KR100832893B1 (en) A method for the access of the mobile terminal to the WLAN and for the data communication via the wireless link securely
WO2010078755A1 (en) Method and system for transmitting electronic mail, wlan authentication and privacy infrastructure (wapi) terminal thereof
US20080222714A1 (en) System and method for authentication upon network attachment
Ha et al. Efficient authentication of resource-constrained IoT devices based on ECQV implicit certificates and datagram transport layer security protocol
WO2006032214A1 (en) Method for realizng transmission of syncml synchronous data
CN110995414B (en) Method for establishing channel in TLS1_3 protocol based on cryptographic algorithm
KR101706117B1 (en) Apparatus and method for other portable terminal authentication in portable terminal
KR20050064119A (en) Server certification validation method for authentication of extensible authentication protocol for internet access on user terminal
CN109714360B (en) Intelligent gateway and gateway communication processing method
CN112165386B (en) Data encryption method and system based on ECDSA
CN106788960A (en) A kind of method and device of key agreement
WO2022135391A1 (en) Identity authentication method and apparatus, and storage medium, program and program product
WO2010088812A1 (en) Transmission method, system and wapi terminal for instant message
Kambourakis et al. Performance evaluation of public key-based authentication in future mobile communication systems
KR101572598B1 (en) Secure User Authentication Scheme against Credential Replay Attack
CN112583807A (en) Verification method, verification device, electronic equipment and storage medium
WO2015104567A1 (en) Secure communication between a server and a client web browser
Shojaie et al. Enhancing EAP-TLS authentication protocol for IEEE 802.11 i
CN213938340U (en) 5G application access authentication network architecture

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 10838571

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 10838571

Country of ref document: EP

Kind code of ref document: A1