CN106817219A - Method and device for negotiating a session key - Google Patents
- Publication number: CN106817219A (CN201510867354.0A)
- Authority: CN (China)
- Legal status: Granted (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Abstract
The invention discloses a method and device for negotiating a session key. One method includes the following. The client sends a message to the server; to produce the message, the client generates first secret information using an asymmetric encryption algorithm, encrypts the business data in a data message using the first secret information, and merges the data message with a negotiation message. The client receives the response message sent by the server; the response message carries the response packet of the data message and the response packet of the negotiation message, and the response packet of the negotiation message carries the second secret information ciphertext. The client decrypts the second secret information ciphertext with the first secret information to obtain the second secret information and, using the same algorithm agreed with the server, generates the session key from the first secret information and the second secret information. The invention saves the network delay caused by the message exchange of the negotiation phase and shortens the response time of the client's business requests, thereby improving the user experience.
Description
Technical field
The present invention relates to the field of data processing, and more particularly to a method and apparatus for negotiating a session key.
Background
Information security and privacy protection are among the significant challenges of the current Internet era. On the traditional PC, HTTPS is frequently used to solve the problems of information security and privacy protection. To ensure the confidentiality and reliability of a session, the client must first negotiate a session key with the server when it initiates the session; the client and the server then communicate using the session key that both sides negotiated.
At present, the usual way to negotiate a session key is as follows. The client first sends a Hello request to the server. The server responds to the client's Hello request by sending the client a certificate issued by an authority; the certificate contains the server public key and proves to the client that the response it received comes from a legitimate server. After receiving the certificate, the client negotiates the session key with the server using the RSA algorithm. The interaction between client and server is long, which makes the response time of the client's service request long and affects the user experience.
Summary of the invention
To solve the above technical problem, the invention provides a method and apparatus for negotiating a session key that save the network delay caused by the message exchange of the negotiation phase and shorten the response time of the client's business requests, thereby improving the user experience.
A first aspect of the invention provides a method for negotiating a session key, applied to a client. The method includes:
The client sends a message to the server. To produce the message, the client generates first secret information using an asymmetric encryption algorithm, encrypts the business data in a data message using the first secret information, and merges the data message with a negotiation message.
The client receives the response message sent by the server. The response message carries the response packet of the data message and the response packet of the negotiation message; the response packet of the negotiation message carries the second secret information ciphertext that the server generated based on the asymmetric encryption algorithm.
The client decrypts the second secret information ciphertext with the first secret information to obtain the second secret information and, using the same algorithm agreed with the server, generates the session key from the first secret information and the second secret information.
A second aspect of the invention provides a method for negotiating a session key, applied to a server. The method includes:
The server receives the message sent by the client. To produce the message, the client generates first secret information using an asymmetric encryption algorithm, encrypts the business data in a data message using the first secret information, and merges the data message with a negotiation message.
The server parses the message to obtain the client public key, computes the first secret information from the client public key and the server private key based on the asymmetric encryption algorithm, and decrypts the data message with the first secret information to obtain the business data.
The server sends a response message to the client. The response message carries the response packet of the data message and the response packet of the negotiation message; the response packet of the negotiation message carries the second secret information ciphertext, which the server obtains by encrypting randomly generated second secret information with the first secret information.
Using the same algorithm agreed with the client, the server generates the session key from the first secret information and the second secret information.
A third aspect of the invention provides a device for negotiating a session key, applied to a client. The device includes:
A first sending unit, for sending a message to the server. To produce the message, the client generates first secret information using an asymmetric encryption algorithm, encrypts the business data in a data message using the first secret information, and merges the data message with a negotiation message.
A first receiving unit, for receiving the response message sent by the server. The response message carries the response packet of the data message and the response packet of the negotiation message; the response packet of the negotiation message carries the second secret information ciphertext that the server generated based on the asymmetric encryption algorithm.
A session key generation unit, for decrypting the second secret information ciphertext with the first secret information to obtain the second secret information and, using the same algorithm agreed with the server, generating the session key from the first secret information and the second secret information.
A fourth aspect of the invention provides a device for negotiating a session key, applied to a server. The device includes:
A first receiving unit, for receiving the message sent by the client. To produce the message, the client generates first secret information using an asymmetric encryption algorithm, encrypts the business data in a data message using the first secret information, and merges the data message with a negotiation message.
A first parsing unit, for parsing the message to obtain the client public key, computing the first secret information from the client public key and the server private key based on the asymmetric encryption algorithm, and decrypting the data message with the first secret information to obtain the business data.
A first response unit, for sending a response message to the client. The response message carries the response packet of the data message and the response packet of the negotiation message; the response packet of the negotiation message carries the second secret information ciphertext, which the server obtains by encrypting randomly generated second secret information with the first secret information.
A session key generation unit, for generating the session key from the first secret information and the second secret information using the same algorithm agreed with the client.
Compared with the prior art, the technical solution provided by the invention has the following advantages:
In the technical solution of the invention, the client sends a message to the server in the initial stage of negotiating the session key with the server. To produce the message, the client generates first secret information using an asymmetric encryption algorithm, encrypts the business data in a data message using the first secret information, and merges the data message with a negotiation message. The server receives and parses the message to obtain the business data and the content of the negotiation message, then returns a response message to the client; the response message carries the response packet of the data message and the response packet of the negotiation message, and the response packet of the negotiation message carries the second secret information ciphertext that the server generated based on the asymmetric encryption algorithm. Finally, the client and the server each generate the session key from the first secret information and the second secret information, using the same agreed algorithm.
In the invention, the client can transmit business data to the server in the initial stage of negotiating the session key with the server. More importantly, the client encrypts the business data with the first secret information, so that what the message carries is the ciphertext of the business data; this ensures the security of business data transmission and meets the requirement of session privacy. In the prior art, the client has to wait until session key negotiation with the server is complete before it can transmit business data. By comparison, the invention shortens the overall interaction time of session key negotiation and the response time of the client's business requests, and so improves the user experience.
Brief description of the drawings
To explain the technical solutions of the embodiments of the invention or of the prior art more clearly, the drawings needed for describing the embodiments or the prior art are briefly introduced below. The drawings described below are only some embodiments of the invention; those of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a flow chart of a method for negotiating a session key provided by an embodiment of the invention;
Fig. 2 is a schematic diagram of a session key negotiation process based on the ECDH algorithm provided by an embodiment of the invention;
Fig. 3 is a flow chart of another method for negotiating a session key provided by an embodiment of the invention;
Fig. 4 is a schematic diagram of another session key negotiation process based on the ECDH algorithm provided by an embodiment of the invention;
Fig. 5 is a schematic diagram of a session key negotiation process based on the Session ticket provided by an embodiment of the invention;
Fig. 6 is a flow chart of another method for negotiating a session key provided by an embodiment of the invention;
Fig. 7 is a structural diagram of a device for negotiating a session key provided by an embodiment of the invention;
Fig. 8 is a structural diagram of another device for negotiating a session key provided by an embodiment of the invention.
Detailed description of the embodiments
To make the purpose, technical solutions and advantages of the embodiments of the invention clearer, the technical solutions in the embodiments are described clearly below with reference to the drawings of the embodiments. The described embodiments are some, not all, of the embodiments of the invention. All other embodiments that those of ordinary skill in the art obtain from the embodiments of the invention without creative effort fall within the scope of protection of the invention.
The technical solution provided by the invention is explained below through embodiments.
Embodiment one
Refer to Fig. 1, a flow chart of a method for negotiating a session key provided by an embodiment of the invention. The flow chart is described from the client's point of view, and the method includes steps 101-103.
Step 101: the client sends a message to the server. To produce the message, the client generates first secret information using an asymmetric encryption algorithm, encrypts the business data in a data message using the first secret information, and merges the data message with a negotiation message.
In the embodiments of the invention, the client is a device that can load an application program and communicate with the server through that application, such as a mobile phone, notebook, tablet, wearable device or computer terminal. The client can be a mobile terminal or a fixed terminal device.
The server serves clients; the services include, for example, providing resources to clients and storing client data. The server can establish connections with multiple clients at the same time and serve all of them.
The client and the server agree on an asymmetric encryption algorithm in advance. There are many commonly used asymmetric encryption algorithms, such as ECDH and RSA. For ease of description, the generation of the message in step 101 is illustrated below using only the ECDH algorithm as an example.
Refer to Fig. 2, a schematic diagram of the session key negotiation process based on the ECDH algorithm provided by an embodiment of the invention. The detailed process is as follows:
(1) The client computes a random pair (b, B), where b is the client private key and B is the client public key.
As shown in Fig. 2, the client first generates b at random and computes B=b*G, where b is the client private key, B is the client public key, and G is the base point parameter of the ECDH algorithm.
(2) The client computes the first secret information n1 from the client private key b and the server public key A, where n1=b*A.
(3) The client encrypts the business data in the data message using n1, merges the encrypted data message and the negotiation message into one message, and sends that message to the server. The negotiation message carries the client public key B.
In a concrete implementation, step (2) shown in Fig. 2 can be realized as follows:
The client computes the first secret information, based on the asymmetric encryption algorithm, from the server public key preset in the client and the private key that the client generated at random.
The server public key can be preset in the client's application program and updated together with the application. The user can then download a legitimate application from an application store when using the client; such applications have the server public key built in, and the client uses the server public key to negotiate the session key with the server directly. This removes the step in which the client, on every interaction with the server, has to receive the certificate issued by the server and verify it. It saves the delay of one network round trip and also saves traffic; in particular, for a client on a wireless network it reduces the client's power and traffic consumption.
As for updating the server public key, the client can periodically update the application automatically and update the server public key at the same time; alternatively, the client can show the user an update prompt, and the user updates the application and the server public key manually.
Step (2) is not limited to the implementation above, however, and can also be realized as follows:
The client sends a Hello request to the server. The server responds to the client's Hello request by sending the client a certificate issued by an authority; the certificate contains the server public key A and proves to the client that the response it received comes from a legitimate server. The client computes n1 according to the formula n1=b*A.
After the server receives the message sent by the client, it can return a response message to the client. The working principle of the server is described in detail in embodiment three below; only a brief explanation based on Fig. 2 is given here.
As shown in Fig. 2, the server receives the message and parses it to obtain B, then computes the first secret information n1=a*B based on the ECDH algorithm, where a is the server private key and B is the client public key. The server uses n1 to decrypt the business data ciphertext in the message and obtain the business data. The server then generates n2 at random as the second secret information and encrypts n2 with n1 to obtain the second secret information ciphertext n2'. The server sends a response message to the client; the response message carries the response packet of the data message and the response packet of the negotiation message, and the response packet of the negotiation message carries n2'.
In addition, if the client has not yet received the response message from the server after performing step 101, the client can also perform the following step:
The client encrypts the business data in the next data message using the first secret information and sends the encrypted data message to the server, so that the server receives and parses the encrypted data message to obtain the business data. As shown in Fig. 2, before the client receives n2', the client sends encrypted business data to the server, and the server receives and parses it to obtain the business data. In this way, in the period between sending the message and receiving the response message, the client can continue to send multiple data messages and so deliver multiple groups of business data to the server.
Step 102: the client receives the response message sent by the server. The response message carries the response packet of the data message and the response packet of the negotiation message; the response packet of the negotiation message carries the second secret information ciphertext that the server generated based on the asymmetric encryption algorithm.
The client receives the response message sent by the server and parses it to obtain the response packet of the data message and the response packet of the negotiation message. From the response packet of the data message the client can determine how the transmission of the business data went; from the response packet of the negotiation message it obtains the second secret information ciphertext generated by the server.
Step 103: the client decrypts the second secret information ciphertext with the first secret information to obtain the second secret information and, using the same algorithm agreed with the server, generates the session key from the first secret information and the second secret information.
As shown in Fig. 2, the client decrypts n2' using n1 to obtain n2, and then generates the session key from n1 and n2 using the mixing function agreed with the server. In a concrete implementation of this embodiment, the client and the server are of course not limited to using a mixing function.
The prior-art HTTPS specifies that during the session key negotiation phase neither the client nor the server may send business requests or responses. Only after negotiating the session key do the client and the server use it to communicate business data. This makes the response time of the client's actual request too long and affects the user experience.
Compared with the prior art, in the technical solution provided by this embodiment the client can transmit business data to the server in the initial stage of negotiating the session key with the server. More importantly, the client encrypts the business data with the first secret information, so that what the message carries is the ciphertext of the business data; this ensures the security of business data transmission and meets the requirement of session privacy. In the invention the client does not wait until session key negotiation with the server has finished before it starts sending business data; it sends business data directly when session key negotiation begins. The invention therefore shortens the overall interaction time of session key negotiation and the response time of the client's business requests, and so improves the user experience.
On the basis of the embodiment above, the inventors also considered the replay attack that often occurs in networks. A replay attack, also called a playback attack or a freshness attack, is one in which the attacker sends a packet that the destination host has already received, in order to deceive the destination host; it is generally used against authentication processes to undermine the correctness of authentication. To keep the host from being affected by replay attacks as far as possible, the invention also provides another technical solution, explained below through embodiment two.
Embodiment two
Refer to Fig. 3, a flow chart of another method for negotiating a session key provided by an embodiment of the invention. The flow chart is described from the client's point of view, and the method includes steps 301-303.
Step 301: the client determines from the session's business type whether the business has a replay attack risk. If not, it performs step 302, step 303 and step 304; if so, it performs step 305 and step 304.
The essence of steps 302-303-304 is that business data is exchanged between the client and the server during the phase in which the client negotiates the session key with the server. This communication mode eliminates the network delay caused by the message exchange of session key negotiation, and the invention calls it the 0-RTT mode. Fig. 2 shows how this mode is carried out.
The essence of steps 305-304 is that the client first negotiates the session key with the server and then uses the session key to exchange business data. This approach needs a network delay of at least 1 RTT (Round-Trip Time), and the invention calls it the 1-RTT mode.
The 1-RTT mode is explained with reference to the other session key negotiation process based on the ECDH algorithm, shown in Fig. 4. The detailed process is as follows:
(1) The client computes a random pair (b, B), where b is the client private key and B is the client public key.
As shown in Fig. 4, the client first generates b at random and computes B=b*G, where b is the client private key, B is the client public key, and G is the base point parameter of the ECDH algorithm.
(2) The client computes the first secret information n1 from the client private key b and the server public key A, where n1=b*A.
(3) The client sends the negotiation message directly to the server; the negotiation message carries the client public key B.
(4) The client receives the second secret information ciphertext n2' sent by the server. The server generates the second secret information n2 at random and encrypts n2 with n1 to obtain the ciphertext n2'.
(5) The client decrypts n2' using n1 to obtain n2, and then generates the session key from n1 and n2 using the mixing function agreed with the server. In a concrete implementation of this embodiment, the client and the server are of course not limited to using a mixing function.
Step 302: the client sends a message to the server. To produce the message, the client generates first secret information using an asymmetric encryption algorithm, encrypts the business data in a data message using the first secret information, and merges the data message with a negotiation message.
Step 303: the client receives the response message sent by the server. The response message carries the response packet of the data message and the response packet of the negotiation message; the response packet of the negotiation message carries the second secret information ciphertext that the server generated based on the asymmetric encryption algorithm.
Step 304: the client decrypts the second secret information ciphertext with the first secret information to obtain the second secret information and, using the same algorithm agreed with the server, generates the session key from the first secret information and the second secret information.
Step 305: the client sends the negotiation message to the server and receives the response message for the negotiation message that the server returns; that response message carries the second secret information ciphertext that the server generated based on the asymmetric encryption algorithm.
Steps 302-304 are the same as steps 101-103 in embodiment one above; refer to the description there, which is not repeated here.
Embodiment two of the invention enables two communication modes, 0-RTT and 1-RTT. Before negotiating the session key with the server, the client first determines whether the business type has a replay attack risk. If there is no replay attack risk, session key negotiation follows the 0-RTT communication mode: the client sends business data directly to the server while negotiating the session key, which reduces network delay. When the business has a replay attack risk, session key negotiation follows the 1-RTT communication mode: the client first negotiates the session key with the server and then sends the business data. Selecting the communication mode flexibly by business type on the one hand avoids replay attacks during session key negotiation and, on the other hand, for most business shortens the overall interaction time of session key negotiation and the response time of the client's business requests, and so improves the user experience.
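The 0-RTT exchange of embodiment one, together with the replay exposure that leads embodiment two to fall back to 1-RTT, is worked through below as an added example; it is not code from the patent. Assumptions: X25519 stands in for the ECDH curve, an HMAC-SHA256 keystream with an HMAC tag stands in for the symmetric cipher the patent leaves unnamed, HMAC-SHA256 stands in for the agreed mixing function, and all function and field names are hypothetical.

```python
import hashlib
import hmac
import os

# X25519 (RFC 7748) in pure Python so the example needs only the standard
# library. Teaching code: not constant-time.
P, A24 = 2**255 - 19, 121665
G = (9).to_bytes(32, "little")  # base point, the G in B = b*G

def x25519(k: bytes, u: bytes) -> bytes:
    """Scalar multiplication k*u on Curve25519 (Montgomery ladder)."""
    k_int = int.from_bytes(k, "little")
    k_int = (k_int & ((1 << 255) - 8)) | (1 << 254)  # clamp the scalar
    x1 = int.from_bytes(u, "little") & ((1 << 255) - 1)
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in reversed(range(255)):
        bit = (k_int >> t) & 1
        if swap ^ bit:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = bit
        add, sub = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = add * add % P, sub * sub % P
        e = (aa - bb) % P
        da, cb = (x3 - z3) * add % P, (x3 + z3) * sub % P
        x3, z3 = (da + cb) ** 2 % P, x1 * (da - cb) ** 2 % P
        x2, z2 = aa * bb % P, e * (aa + A24 * e) % P
    if swap:
        x2, z2 = x3, z3
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")

# Symmetric layer (assumption): encrypt-then-MAC built from HMAC-SHA256.
def keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    blocks = (hmac.new(key, b"enc" + nonce + i.to_bytes(4, "big"),
                       hashlib.sha256).digest() for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]

def seal(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(16)
    ct = bytes(p ^ s for p, s in zip(plaintext, keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()

def unseal(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    want = hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, want):
        raise ValueError("authentication failed")
    return bytes(c ^ s for c, s in zip(ct, keystream(key, nonce, len(ct))))

def mix(n1: bytes, n2: bytes) -> bytes:
    """Stand-in for the mixing function agreed by both sides (assumption)."""
    return hmac.new(n1, b"session key" + n2, hashlib.sha256).digest()

def client_first_flight(A: bytes, business_data: bytes):
    """Steps (1)-(3): key pair (b, B), n1 = b*A, merged message."""
    b = os.urandom(32)
    B = x25519(b, G)
    n1 = x25519(b, A)
    return n1, {"negotiation": B, "data": seal(n1, business_data)}

def server_handle(a: bytes, message: dict):
    """Server side: n1 = a*B, decrypt business data, return n2' = Enc(n1, n2)."""
    n1 = x25519(a, message["negotiation"])
    if n1 == bytes(32):  # a low-order public key forces an all-zero secret
        raise ValueError("rejected client public key")
    business_data = unseal(n1, message["data"])
    n2 = os.urandom(32)
    response = {"negotiation": seal(n1, n2), "data": seal(n1, b"OK")}
    return business_data, response, mix(n1, n2)

def client_finish(n1: bytes, response: dict) -> bytes:
    """Step 103: recover n2 from n2' and derive the session key."""
    return mix(n1, unseal(n1, response["negotiation"]))

def run_exchange(business_data: bytes = b"constructed sample request") -> dict:
    a = os.urandom(32)   # server private key
    A = x25519(a, G)     # server public key, preset in the client application
    n1, message = client_first_flight(A, business_data)
    data, response, k_server = server_handle(a, message)
    k_client = client_finish(n1, response)
    # The first flight contains nothing fresh from the server, so the same
    # bytes decrypt identically if they arrive a second time. n2 is fresh on
    # every call, so the session key derived afterwards still differs.
    data_again, _, k_again = server_handle(a, message)
    return {"data": data, "keys_match": k_client == k_server,
            "first_flight_accepted_twice": data_again == data,
            "second_session_key_differs": k_again != k_server}

if __name__ == "__main__":
    print(run_exchange())
```

The session key is bound to the server's fresh n2, but the business data in the first flight is protected by n1 alone, which is why the choice between 0-RTT and 1-RTT in step 301 depends on whether the business type tolerates duplicate delivery.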
In addition, on the basis of the technical solution above, the inventors also provide an optional technical solution that adds the session ticket (Session Ticket) technique to it and uses the Session ticket technique to negotiate the session key. The optional solution is explained below using only the method shown in Fig. 1 as the basis.
The Session ticket technique is mainly a technique that uses a symmetric encryption algorithm in place of an asymmetric encryption algorithm to negotiate the session key; it takes the session key negotiated last time and uses it in the next session key negotiation.
For example, on the basis of the method shown in Fig. 1 above, the method further includes:
The client receives and saves the session ticket sent by the server;
When negotiating the next session key, the client then uses the session ticket to negotiate the session key with the server based on a symmetric encryption algorithm.
That is, after the client and the server have negotiated the current session key using the asymmetric encryption algorithm, at the next session initiation the client and the server can negotiate the key using the session ticket without using the asymmetric encryption algorithm again. Compared with an asymmetric encryption algorithm, a symmetric encryption algorithm is simpler to implement and has higher computing performance. So after the client has negotiated one session key using the asymmetric encryption algorithm, it takes that session key as the basis of the next negotiation, and the next session key negotiation can use the symmetric encryption algorithm directly, which improves the efficiency of session key negotiation.
To improve the security of the Session ticket implementation, the server can carry a validity period in the session ticket. When negotiating the next session, the client first determines whether the current time is within the validity period. If it is, the client performs the step of using the session ticket to negotiate the session key with the server based on the symmetric encryption algorithm; otherwise, it performs the step in which the client sends the message to the server.
The session key negotiation flow based on the session ticket is explained with reference to Fig. 5.
As shown in Fig. 5, the client has saved the session ticket previously sent by the server. The client randomly generates n1 and encrypts n1 with the Session-key to obtain n1'. The server receives the session ticket, uses the key index (subscript of Keys) carried in the session ticket to find the key group the ticket was produced with, and verifies the signature of the session ticket using that key group. After verification passes, the server decrypts the ticket to obtain the Session-key, decrypts n1' with the Session-key to obtain n1, encrypts a randomly generated n2 using n1 to obtain n2', and sends n2' to the client.
The client decrypts n2' using n1 to obtain n2, then uses the hash function agreed with the server to generate the session key for the next session, and subsequently uses that session key to exchange business data with the server.
It should be noted that, when negotiating the session key using the session ticket, either the 0-RTT communication mode or the 1-RTT communication mode can be used; Fig. 4 above illustrates only the 1-RTT mode as an example.
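The ticket-based renegotiation of Fig. 5, including the validity-period check, as an added example that is not code from the patent. The ticket layout, the SHA-256 derivation label, the server-side expiry check and the HMAC-based `seal`/`unseal` helpers (a stand-in for a real AEAD, because the Python standard library has no block cipher) are assumptions of this example.

```python
import hashlib
import hmac
import secrets
import struct


def _keystream(key, nonce, length):
    # HMAC-SHA256 in counter mode, used as a PRF-based keystream.
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, b"ks" + nonce + struct.pack(">I", counter), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(key, plaintext):
    """Encrypt-then-MAC stand-in for a real AEAD such as AES-GCM."""
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, b"tag" + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key, blob):
    """Check the tag in constant time, then decrypt; ValueError on any tampering."""
    if len(blob) < 48:
        raise ValueError("truncated ciphertext")
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, b"tag" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


def derive_next_key(n1, n2):
    # The hash function both sides agreed on; labelled SHA-256 is this example's choice.
    return hashlib.sha256(b"next-session-key" + n1 + n2).digest()


class Server:
    def __init__(self):
        # Ticket key groups; a ticket names its group by index (the key subscript of Fig. 5).
        self.key_groups = [secrets.token_bytes(32) for _ in range(2)]
        self.active = 1
        self.last_key = None

    def issue_ticket(self, session_key, lifetime_s, now):
        expires = now + lifetime_s
        body = seal(self.key_groups[self.active], struct.pack(">Q", expires) + session_key)
        return bytes([self.active]) + body, expires

    def resume(self, ticket, n1_ct, now):
        if not ticket or ticket[0] >= len(self.key_groups):
            raise ValueError("unknown ticket key group")
        plain = unseal(self.key_groups[ticket[0]], ticket[1:])  # verify, then decrypt
        expires, session_key = struct.unpack(">Q", plain[:8])[0], plain[8:]
        if now >= expires:  # server-side expiry check: an addition of this example
            raise ValueError("ticket expired")
        n1 = unseal(session_key, n1_ct)
        n2 = secrets.token_bytes(32)
        self.last_key = derive_next_key(n1, n2)
        return seal(n1, n2)  # n2' = n2 encrypted under n1


class Client:
    def __init__(self):
        self.saved = None  # (ticket, session_key, expires)

    def save_ticket(self, ticket, session_key, expires):
        self.saved = (ticket, session_key, expires)

    def negotiate(self, server, now):
        # Outside the validity period: fall back to the asymmetric negotiation (not shown).
        if self.saved is None or now >= self.saved[2]:
            return "full", None
        ticket, session_key, _ = self.saved
        n1 = secrets.token_bytes(32)
        n2_ct = server.resume(ticket, seal(session_key, n1), now)
        n2 = unseal(n1, n2_ct)
        return "resumed", derive_next_key(n1, n2)


def run_demo():
    t0 = 1_700_000_000  # constructed timestamp
    server, client = Server(), Client()
    session_key = secrets.token_bytes(32)  # stands in for the key from the first negotiation
    ticket, expires = server.issue_ticket(session_key, 3600, t0)
    client.save_ticket(ticket, session_key, expires)
    mode, key = client.negotiate(server, t0 + 10)
    keys_match = key == server.last_key
    late_mode, _ = client.negotiate(server, t0 + 3600)  # validity period over
    forged = ticket[:-1] + bytes([ticket[-1] ^ 1])  # one flipped bit in the ticket
    try:
        server.resume(forged, seal(session_key, b"x" * 32), t0 + 10)
        forged_rejected = False
    except ValueError:
        forged_rejected = True
    return mode, keys_match, late_mode, forged_rejected


if __name__ == "__main__":
    print(run_demo())
```

The time is passed in explicitly so the validity-period branch can be exercised deterministically; a deployment would read the clock on each side.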
The above explains the technical solution provided by the present invention from the perspective of the client.
The following explains the technical solution provided by the present invention from the perspective of the server.
Referring to Fig. 6, Fig. 6 is a flowchart of another method for negotiating a session key provided by an embodiment of the present invention. The method is applied to the server and includes:
Step 601: the server receives the message sent by the client. The client produces this message by generating first private information using an asymmetric encryption algorithm, encrypting the business data in a data message with the first private information, and then merging the data message with a negotiation packet.
Step 602: the server parses the message to obtain the client public key, calculates the first private information from the client public key and the server private key based on the asymmetric encryption algorithm, and decrypts the data message with the first private information to obtain the business data.
Step 603: the server sends a response message to the client. The response message carries the response packet of the data message and the response packet of the negotiation packet. The response packet of the negotiation packet carries the second private information ciphertext, which the server obtains by encrypting randomly generated second private information with the first private information.
Step 604: the server generates the session key from the first private information and the second private information, using the same algorithm as agreed with the client.
Optionally, the method further includes:
The server receives a negotiation packet sent by the client and returns a response message for the negotiation packet to the client; the response message of the negotiation packet carries the second private information ciphertext generated by the server based on the asymmetric encryption algorithm.
Optionally, the method further includes:
When sending the response message to the client, the server also sends a session ticket, so that the client, when negotiating the next session key, uses the session ticket to negotiate the session key with the server based on a symmetric encryption algorithm.
Optionally, the session ticket carries a validity period, so that the client, when negotiating the next session, decides according to the validity period whether to use the session ticket to negotiate the session key based on the symmetric encryption algorithm.
In addition, the present invention also provides two devices for negotiating a session key: one applied to the client and the other applied to the server.
The device applied to the client is explained with reference to Fig. 7. Referring to Fig. 7, the device includes:
A first sending unit 701, configured to send a message to the server. The client produces this message by generating first private information using an asymmetric encryption algorithm, encrypting the business data in a data message with the first private information, and then merging the data message with a negotiation packet;
A first receiving unit 702, configured to receive the response message sent by the server. The response message carries the response packet of the data message and the response packet of the negotiation packet; the response packet of the negotiation packet carries the second private information ciphertext generated by the server based on the asymmetric encryption algorithm;
A session key generation unit 703, configured to decrypt the second private information ciphertext with the first private information to obtain the second private information, and to generate the session key from the first private information and the second private information, using the same algorithm as agreed with the server.
Optionally, the device further includes:
A first judging unit, configured to judge, according to the session service type, whether the service carries a replay attack risk; if not, it triggers the first sending unit; if so, it triggers the second sending unit;
The second sending unit, configured to send the negotiation packet to the server, so that the server receives the negotiation packet and returns a response message for the negotiation packet to the client; the response message of the negotiation packet carries the second private information ciphertext generated by the server based on the asymmetric encryption algorithm.
Optionally, the device further includes:
A third sending unit, configured to, before the first receiving unit has received the response message, encrypt the business data in the next data message with the first private information and send the encrypted data message to the server, so that the server receives and parses the encrypted data message to obtain the business data.
Optionally, the device further includes:
A first private information computing unit, configured to calculate the first private information based on the asymmetric encryption algorithm, from the server public key preset in the client and a private key randomly generated by the client.
Optionally, the device further includes:
An updating unit, configured to update the server public key preset in the application program synchronously with the application program.
Optionally, the device further includes:
A second receiving unit, configured to receive and save the session ticket sent by the server, so that the client triggers the symmetric encryption negotiation unit when negotiating the next session key;
The symmetric encryption negotiation unit, configured to use the session ticket to negotiate the session key with the server based on a symmetric encryption algorithm.
Optionally, the session ticket carries a validity period; the device then further includes:
A second judging unit, configured to judge whether the current time is within the validity period; if so, it triggers the symmetric encryption negotiation unit; otherwise, it triggers the first sending unit.
The device applied to the server is explained with reference to Fig. 8. Referring to Fig. 8, the device includes:
A first receiving unit 801, configured to receive the message sent by the client. The client produces this message by generating first private information using an asymmetric encryption algorithm, encrypting the business data in a data message with the first private information, and then merging the data message with a negotiation packet;
A first parsing unit 802, configured to parse the message to obtain the client public key, calculate the first private information from the client public key and the server private key based on the asymmetric encryption algorithm, and decrypt the data message with the first private information to obtain the business data;
A first response unit 803, configured to send a response message to the client. The response message carries the response packet of the data message and the response packet of the negotiation packet; the response packet of the negotiation packet carries the second private information ciphertext, which the server obtains by encrypting randomly generated second private information with the first private information;
A session key generation unit 804, configured to generate the session key from the first private information and the second private information, using the same algorithm as agreed with the client.
Optionally, the device further includes: a second receiving unit, configured to receive a negotiation packet sent by the client and return a response message for the negotiation packet to the client; the response message of the negotiation packet carries the second private information ciphertext generated by the server based on the asymmetric encryption algorithm.
Optionally, the first response unit is further configured to also send a session ticket when sending the response message to the client, so that the client, when negotiating the next session key, uses the session ticket to negotiate the session key with the server based on a symmetric encryption algorithm.
Optionally, the session ticket carries a validity period, so that the client, when negotiating the next session, decides according to the validity period whether to use the session ticket to negotiate the session key based on the symmetric encryption algorithm.
As can be seen from the above description of the embodiments, those skilled in the art can clearly understand that all or part of the steps in the above method embodiments can be implemented by software plus a general-purpose hardware platform. Based on this understanding, the technical solution of the present invention, in essence or in the part that contributes to the prior art, can be embodied in the form of a software product. The computer software product can be stored in a storage medium, such as ROM/RAM, a magnetic disk or an optical disc, and includes several instructions that cause a computer device (which may be a personal computer, a server, or a network communication device such as a media gateway) to perform the methods described in the embodiments of the present invention or in certain parts of the embodiments.
It should be noted that the embodiments in this specification are described in a progressive manner; for identical or similar parts the embodiments may refer to one another, and each embodiment focuses on its differences from the other embodiments. In particular, the device and system embodiments are described relatively briefly because they are substantially similar to the method embodiments; for the relevant details, see the corresponding description of the method embodiments. The device and system embodiments described above are merely illustrative: units described as separate components may or may not be physically separate, and components shown as units may or may not be physical units, that is, they may be located in one place or distributed across multiple network elements. Some or all of the modules can be selected according to actual needs to achieve the purpose of the solution of the embodiment. Those of ordinary skill in the art can understand and implement it without creative effort.
The above is only the preferred embodiment of the present invention and is not intended to limit the scope of protection of the present invention. It should be pointed out that those of ordinary skill in the art can make several improvements and modifications without departing from the principle of the present invention, and these improvements and modifications should also be regarded as falling within the scope of protection of the present invention.
Claims (22)
1. A method for negotiating a session key, characterized in that it is applied to a client, the method comprising:
the client sends a message to the server; the client produces the message by generating first private information using an asymmetric encryption algorithm, encrypting the business data in a data message with the first private information, and then merging the data message with a negotiation packet;
the client receives the response message sent by the server, the response message carrying the response packet of the data message and the response packet of the negotiation packet; the response packet of the negotiation packet carries the second private information ciphertext generated by the server based on the asymmetric encryption algorithm;
the client decrypts the second private information ciphertext with the first private information to obtain the second private information, and generates the session key from the first private information and the second private information, using the same algorithm as agreed with the server.
2. The method according to claim 1, characterized in that, before the step in which the client sends the message to the server, the method further comprises:
the client judges, according to the session service type, whether the service carries a replay attack risk; if not, the step in which the client sends the message to the server is performed;
if so, the client sends the negotiation packet to the server and receives the response message of the negotiation packet returned by the server, the response message of the negotiation packet carrying the second private information ciphertext generated by the server based on the asymmetric encryption algorithm; the client then decrypts the second private information ciphertext with the first private information to obtain the second private information, and generates the session key from the first private information and the second private information, using the same algorithm as agreed with the server.
3. The method according to claim 1, characterized in that, before the client receives the response message sent by the server, the method further comprises:
the client encrypts the business data in the next data message with the first private information and sends the encrypted data message to the server, so that the server receives and parses the encrypted data message to obtain the business data.
4. The method according to claim 1, characterized in that the client generates the first private information in the following manner:
the client calculates the first private information based on the asymmetric encryption algorithm, from the server public key preset in the client and a private key randomly generated by the client.
5. The method according to claim 4, characterized in that
the server public key is preset in the application program of the client and is updated synchronously with the application program.
6. The method according to claim 1, characterized in that the method further comprises:
the client receives and saves the session ticket sent by the server;
when negotiating the next session key, the client then uses the session ticket to negotiate the session key with the server based on a symmetric encryption algorithm.
7. The method according to claim 6, characterized in that
the session ticket carries a validity period;
when negotiating the next session, the client first judges whether the current time is within the validity period; if so, it performs the step of negotiating the session key with the server using the session ticket based on the symmetric encryption algorithm; otherwise, it performs the step in which the client sends the message to the server.
8. A method for negotiating a session key, characterized in that it is applied to a server, the method comprising:
the server receives the message sent by the client; the client produces the message by generating first private information using an asymmetric encryption algorithm, encrypting the business data in a data message with the first private information, and then merging the data message with a negotiation packet;
the server parses the message to obtain the client public key, calculates the first private information from the client public key and the server private key based on the asymmetric encryption algorithm, and decrypts the data message with the first private information to obtain the business data;
the server sends a response message to the client, the response message carrying the response packet of the data message and the response packet of the negotiation packet; the response packet of the negotiation packet carries the second private information ciphertext, which the server obtains by encrypting randomly generated second private information with the first private information;
the server generates the session key from the first private information and the second private information, using the same algorithm as agreed with the client.
9. The method according to claim 8, characterized in that the method further comprises:
the server receives a negotiation packet sent by the client and returns a response message for the negotiation packet to the client, the response message of the negotiation packet carrying the second private information ciphertext generated by the server based on the asymmetric encryption algorithm.
10. The method according to claim 8, characterized in that the method further comprises:
when sending the response message to the client, the server also sends a session ticket, so that the client, when negotiating the next session key, uses the session ticket to negotiate the session key with the server based on a symmetric encryption algorithm.
11. The method according to claim 10, characterized in that
the session ticket carries a validity period, so that the client, when negotiating the next session, decides according to the validity period whether to use the session ticket to negotiate the session key based on the symmetric encryption algorithm.
12. A device for negotiating a session key, characterized in that it is applied to a client, the device comprising:
a first sending unit, configured to send a message to the server; the client produces the message by generating first private information using an asymmetric encryption algorithm, encrypting the business data in a data message with the first private information, and then merging the data message with a negotiation packet;
a first receiving unit, configured to receive the response message sent by the server, the response message carrying the response packet of the data message and the response packet of the negotiation packet; the response packet of the negotiation packet carries the second private information ciphertext generated by the server based on the asymmetric encryption algorithm;
a session key generation unit, configured to decrypt the second private information ciphertext with the first private information to obtain the second private information, and to generate the session key from the first private information and the second private information, using the same algorithm as agreed with the server.
13. The device according to claim 12, characterized in that the device further comprises:
a first judging unit, configured to judge, according to the session service type, whether the service carries a replay attack risk; if not, it triggers the first sending unit;
if so, it triggers a second sending unit;
the second sending unit, configured to send the negotiation packet to the server, so that the server receives the negotiation packet and returns a response message for the negotiation packet to the client, the response message of the negotiation packet carrying the second private information ciphertext generated by the server based on the asymmetric encryption algorithm.
14. The device according to claim 12, characterized in that the device further comprises:
a third sending unit, configured to, before the first receiving unit has received the response message, encrypt the business data in the next data message with the first private information and send the encrypted data message to the server, so that the server receives and parses the encrypted data message to obtain the business data.
15. The device according to claim 12, characterized in that the device further comprises:
a first private information computing unit, configured to calculate the first private information based on the asymmetric encryption algorithm, from the server public key preset in the client and a private key randomly generated by the client.
16. The device according to claim 15, characterized in that the device further comprises:
an updating unit, configured to update the server public key preset in the application program synchronously with the application program.
17. The device according to claim 12, characterized in that the device further comprises:
a second receiving unit, configured to receive and save the session ticket sent by the server, so that the client triggers a symmetric encryption negotiation unit when negotiating the next session key;
the symmetric encryption negotiation unit, configured to use the session ticket to negotiate the session key with the server based on a symmetric encryption algorithm.
18. The device according to claim 17, characterized in that
the session ticket carries a validity period; the device then further comprises:
a second judging unit, configured to judge whether the current time is within the validity period; if so, it triggers the symmetric encryption negotiation unit; otherwise, it triggers the first sending unit.
19. A device for negotiating a session key, characterized in that it is applied to a server, the device comprising:
a first receiving unit, configured to receive the message sent by the client; the client produces the message by generating first private information using an asymmetric encryption algorithm, encrypting the business data in a data message with the first private information, and then merging the data message with a negotiation packet;
a first parsing unit, configured to parse the message to obtain the client public key, calculate the first private information from the client public key and the server private key based on the asymmetric encryption algorithm, and decrypt the data message with the first private information to obtain the business data;
a first response unit, configured to send a response message to the client, the response message carrying the response packet of the data message and the response packet of the negotiation packet; the response packet of the negotiation packet carries the second private information ciphertext, which the server obtains by encrypting randomly generated second private information with the first private information;
a session key generation unit, configured to generate the session key from the first private information and the second private information, using the same algorithm as agreed with the client.
20. The device according to claim 19, characterized in that the device further comprises:
a second receiving unit, configured to receive a negotiation packet sent by the client and return a response message for the negotiation packet to the client, the response message of the negotiation packet carrying the second private information ciphertext generated by the server based on the asymmetric encryption algorithm.
21. The device according to claim 19, characterized in that
the first response unit is further configured to also send a session ticket when sending the response message to the client, so that the client, when negotiating the next session key, uses the session ticket to negotiate the session key with the server based on a symmetric encryption algorithm.
22. The device according to claim 21, characterized in that
the session ticket carries a validity period, so that the client, when negotiating the next session, decides according to the validity period whether to use the session ticket to negotiate the session key based on the symmetric encryption algorithm.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201510867354.0A CN106817219B (en) | 2015-12-01 | 2015-12-01 | Method and device for negotiating session key |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN106817219A (en) | 2017-06-09 |
| CN106817219B (en) | 2020-11-03 |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| | PB01 | Publication | |
| | SE01 | Entry into force of request for substantive examination | |
| | GR01 | Patent grant | |