[go: up one dir, main page]
More Web Proxy on the site http://driver.im/

CN117459265A - National encryption communication method and system - Google Patents

National encryption communication method and system Download PDF

Info

Publication number
CN117459265A
CN117459265A CN202311386000.5A CN202311386000A CN117459265A CN 117459265 A CN117459265 A CN 117459265A CN 202311386000 A CN202311386000 A CN 202311386000A CN 117459265 A CN117459265 A CN 117459265A
Authority
CN
China
Prior art keywords
encryption
browser
algorithm
national
suite
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202311386000.5A
Other languages
Chinese (zh)
Inventor
应玉龙
王元涛
李孙长
张虎
韩丹
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Postal Savings Bank of China Ltd
Original Assignee
Postal Savings Bank of China Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Postal Savings Bank of China Ltd filed Critical Postal Savings Bank of China Ltd
Priority to CN202311386000.5A priority Critical patent/CN117459265A/en
Publication of CN117459265A publication Critical patent/CN117459265A/en
Pending legal-status Critical Current

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/40Network security protocols
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/04Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00Network arrangements or protocols for supporting network services or applications
    • H04L67/01Protocols
    • H04L67/02Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Information Transfer Between Computers (AREA)

Abstract

The application discloses a national encryption communication method and system. The method comprises the following steps: after the browser is started, the browser communicates with the operation and maintenance server to acquire library file information related to encrypted communication, wherein the library file is formed by modularly designing control management functions related to national secret communication and various algorithm libraries by operation and maintenance personnel and is independent into a library file capable of being dynamically loaded; the browser dynamically loads the library files, adds all standard national encryption code suite list information into the encryption request message and sends the information to the web site server; after receiving the encryption request message, the web site server analyzes the list information of the national encryption key suite, selects a proper national encryption key suite from the list information, adds the selected proper national encryption key suite into the encryption response message and returns the encryption response message to the browser; the browser calls an algorithm library interface to load a corresponding complete encryption communication flow and algorithm combination according to the encryption response message Wen Dongtai, and establishes a national encryption communication link with the web site server. The method and the device realize dynamic updating of the cipher algorithm library.

Description

National encryption communication method and system
Technical Field
The application relates to the technical field of communication, in particular to a national encryption communication method and system.
Background
With the progress of society, people pay more and more attention to data confidentiality, so that more and more network data interaction adopts an HTTPS encryption mode. According to Google transparency reports, over 90% of web sites communicate network data in an encrypted manner. HTTPS encrypted communication is based on a B/S architecture, i.e. web page data is transferred in an encrypted manner between a browser and a web server. The encryption communication mode needs to be based on an encryption communication system, and comprises the following steps: encryption and decryption algorithm, password suite and password certificate; the encryption and decryption algorithm is used for encrypting and decrypting data, the cipher suite is used for defining the combination of algorithms used in the encryption communication process, and the cipher certificate is used for guaranteeing an encryption communication trust system. There are currently two types of cryptographic communication systems: one is an international general password standard system, the other is an autonomous national password standard system in China, comprising: a national encryption algorithm, a national encryption code suite and a national encryption certificate.
At present, only a few domestic browsers supporting national secret communication only support one or two national secret code sets in national secret standards, and the browser is limited to be provided for a website background service to select the secret code set when establishing encrypted communication with a website server. As shown in fig. 1, in the prior art scheme, the browser only selects one or two secret key sets (ecc_sm4_sm3 or ecdhe_sm4_sm3) to be added to the request message of the secret communication; in the browser kernel, a complete encrypted communication flow and related algorithm combination can be customized for each cipher suite, and further expansion of the use of the national cipher suite is not provided. After receiving a national encryption communication request of a browser, if the national encryption code suite is supported, the web site server can continue to adopt national encryption communication to web page data; otherwise, the error is reported and the encrypted communication cannot be performed. In addition, the existing national encryption scheme is customized in advance in the browser kernel and cannot be dynamically expanded, so that the web site server and web front-end web pages cannot select the national encryption suite, and the national encryption suite cannot be customized according to the requirements of application scenes.
Disclosure of Invention
The present application is directed to a method and system for cryptographic communication that address one or more of the problems set forth above.
According to a first aspect of the present application, a cryptographic communication method is provided, including:
the browser operation and maintenance server side manages and issues library files related to encrypted communication; the library file is formed by modularly designing a control management function related to national cryptographic communication and various algorithm libraries by operation and maintenance personnel according to a cryptographic suite format in a national cryptographic standard and independently forming a library file capable of being dynamically loaded;
after the browser is started, the browser communicates with the browser operation and maintenance server to acquire library file information related to encrypted communication, and the library files are dynamically loaded;
creating an encryption request message by a browser, adding all standard national encryption code suite list information into a CipherSuite field of the encryption request message, and sending the created encryption request message to a web site server;
after receiving the encryption request message, the web site server analyzes the list information of the ciphered cipher suite of the ciphered suite field in the message, selects a proper ciphered cipher suite from the list information according to the encryption and decryption capability of the client and the encryption performance requirement of an application scene, adds the ciphered cipher suite into the ciphered suite field of the encryption response message, and returns the established encryption response message to the browser;
and the browser dynamically calls an algorithm library interface to load a corresponding complete encryption communication flow and algorithm combination according to the received encryption response message, and establishes a national encryption communication link with the web site server.
According to some embodiments of the present application, the method further comprises:
according to the request and the encryption response message format in the national encryption standard, the browser adds extension fields at the end of the encryption response message in the encryption request message and the web site server, wherein the extension fields comprise subfields corresponding to the encryption algorithms of all types.
According to some embodiments of the present application, the method further comprises:
when creating an encryption request message, the browser adds an algorithm list supported by a client into each subfield under an Extensions field of the encryption request message, wherein the algorithm list comprises a national encryption algorithm and an international universal encryption algorithm;
after receiving the encryption request message, the web site server analyzes a cryptographic algorithm list of each sub-field under the Extensions field in the encryption request message; and when all the national encryption and decryption suite lists in the parsed CipherSuite field cannot be matched with the encryption and decryption capability of the self and the encryption performance requirement of an application scene, further selecting an algorithm from the encryption algorithm list of each sub-field under the parsed Extension field, and correspondingly adding the algorithm into each sub-field under the Extension field of the encryption response message.
According to some embodiments of the present application, the method further comprises:
when the browser analyzes that the webpage data contains the webpage node containing the cryptographic algorithm combination attribute, negotiating with the website server, and carrying out encrypted communication transmission on the part of webpage node data by using the analyzed cryptographic algorithm combination.
According to some embodiments of the present application, the method further comprises:
after the operation and maintenance server of the browser updates the cryptographic algorithm in the library files by the operation and maintenance personnel, the latest version of each library file is released in time;
after each time of starting, the browser automatically acquires the latest version information of each library file from the browser operation and maintenance server, downloads and updates the library file to be updated, and acquires a new cryptographic algorithm online.
According to a second aspect of the present application, a cryptographic communication system is provided, including a browser operation server, a browser, and a web site server, wherein:
the browser operation and maintenance server is used for issuing and managing library files related to encrypted communication; the library file is formed by modularly designing a control management function related to national cryptographic communication and various algorithm libraries by operation and maintenance personnel according to a cryptographic suite format in a national cryptographic standard and independently forming a library file capable of being dynamically loaded;
the browser is used for communicating with the browser operation and maintenance server after being started, acquiring library file information related to encrypted communication and dynamically loading the library files; creating an encryption request message, adding all standard national encryption code suite list information into a ciphersuite field of the encryption request message, and sending the created encryption request message to a web site server;
the website server is used for analyzing the national encryption suite list information of the cipherer suite fields in the message after receiving the encryption request message, selecting a proper national encryption suite from the information according to the encryption and decryption capability of the information and the encryption performance requirement of an application scene, adding the proper national encryption suite into the cipherer suite fields of the encryption response message, and returning the established encryption response message to the browser;
the browser is also used for dynamically calling an algorithm library interface to load a corresponding complete encryption communication flow and algorithm combination according to the received encryption response message, and establishing a national encryption communication link with the web site server.
According to some embodiments of the present application, the browser and the web site server are further configured to append Extensions fields at the end of the encrypted response message and the browser and the web site server according to the request and the encrypted response message formats in the national cryptographic standard, where the Extensions fields include subfields corresponding to each type of cryptographic algorithm.
According to some embodiments of the present application, the browser is further configured to, when creating the encryption request packet, add, to each subfield under the Extensions field of the encryption request packet, an algorithm list supported by the client, where the algorithm list includes not only a cryptographic algorithm but also an international general cryptographic algorithm;
the web site server is further configured to parse a cryptographic algorithm list of each subfield under the Extensions field in the encryption request packet after receiving the encryption request packet; and when all the national encryption and decryption suite lists in the parsed CipherSuite field cannot be matched with the encryption and decryption capability of the self and the encryption performance requirement of an application scene, further selecting an algorithm from the encryption algorithm list of each sub-field under the parsed Extension field, and correspondingly adding the algorithm into each sub-field under the Extension field of the encryption response message.
According to some embodiments of the present application, when the parsed web page data includes a web page node including a combination attribute of a cryptographic algorithm, the browser is further configured to negotiate with a web site server, and perform encrypted communication transmission on the portion of web page node data using the parsed combination of the cryptographic algorithm.
According to some embodiments of the present application, the browser operation and maintenance server is further configured to timely issue the latest version of each library file after the operation and maintenance personnel updates the cryptographic algorithm in the library file; the browser is also used for automatically acquiring the latest version information of each library file from the browser operation and maintenance server after each start, downloading and updating the library file to be updated, and acquiring a new cryptographic algorithm on line. .
The technical scheme of the embodiment of the application can achieve the following beneficial effects:
(1) The method realizes an expansibility management mechanism of the national secret code suite, not only supports the cryptographic algorithms of all national secret communication standards, but also is compatible with various cryptographic algorithms in an international general encryption system, and greatly increases the number of the cryptographic algorithms in the national secret encryption communication.
(2) The function of flexibly combining and expanding the national encryption code suite by the web site server is realized, and the expandable national encryption communication is adopted for the data transmission of the whole web page resource; the web site server is supported to randomly combine a new national encryption code suite according to the actual application scene, so that the selectivity of the national encryption code suite is enlarged.
(3) The function of flexibly combining and expanding the national encryption code suite by the web front-end web page is realized, and expandable national encryption communication is adopted for transmitting some resource data in the web page, so that more web application requirements can be met, and the application range of the national encryption communication standard in a web system is greatly expanded.
(4) By means of updating various algorithm libraries, other advanced cryptographic algorithms can be compatible and absorbed at any time, a browser can update online to acquire a new cryptographic algorithm, and a web site server and a web front-end webpage can use the new cryptographic suite in a combined expansion cryptographic suite mode.
Drawings
The accompanying drawings, which are included to provide a further understanding of the application and are incorporated in and constitute a part of this application, illustrate embodiments of the application and together with the description serve to explain the application and do not constitute an undue limitation to the application. In the drawings:
FIG. 1 is a flow diagram of a prior art cryptographic communication method;
FIG. 2 is a schematic flow chart of a cryptographic communication method according to an embodiment of the present application;
FIG. 3 is a schematic flow chart of another method for encrypting communication according to an embodiment of the present application;
fig. 4 is a schematic diagram showing a constitution of a cryptographic communication system according to an embodiment of the present application.
Detailed Description
In order to make the present application solution better understood by those skilled in the art, the following description will be made in detail and with reference to the accompanying drawings in the embodiments of the present application, it is apparent that the described embodiments are only some embodiments of the present application, not all embodiments. All other embodiments, which can be made by one of ordinary skill in the art based on the embodiments herein without making any inventive effort, shall fall within the scope of the present application.
It should be noted that the terms "comprises" and "comprising," along with any variations thereof, in the description and claims of the present application are intended to cover non-exclusive inclusion, such that a process, method, system, article, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed or inherent to such process, method, article, or apparatus, but may include other steps or elements not expressly listed.
Example 1
According to a first aspect of the present application, an embodiment of the present application proposes a cryptographic communication method, as shown in fig. 2 and 3, including steps S21 to S25:
s21, the browser operation and maintenance server manages and issues library files related to encrypted communication; the library file is a library file which is formed by modularly designing control management functions related to national cryptographic communication and various algorithm libraries by operation and maintenance personnel according to a cipher suite format in the national cryptographic standard and can be dynamically loaded.
In order to well meet the requirements of communication safety and encryption performance, operation and maintenance personnel combine the composition format of the existing national encryption code suite to carry out modularized design on the control management functions and various encryption and decryption algorithms related to national encryption communication, and develop relatively independent 5 libraries: (1) an encrypted transport control library: the method is used for controlling the establishment of encryption handshake link, password certificate analysis and verification, data encryption communication control and the like; (2) a key exchange algorithm library: including national keys (SM 2, SM 9), general cryptographic standard (RSA, DH, ECDH, DHE, ECDHE, SRP, PSK) key exchange algorithms; (3) digital signature algorithm library: including national secret (SM 2, SM 9), general cryptographic standard (RSA, ECDSA, DSA) digital signature algorithm; (4) a batch encryption algorithm library: including the national cipher (SM 1, SM 4), the universal cryptographic standard (AES, DES, 3DES, IDEA, CHACHA20, camellia, ARIA, RC 4) bulk encryption algorithm; (5) message authentication algorithm library: including national security (SM 3, SHA 1), general cryptographic standard (SHA 256, POLY1305, MD 5) message authentication algorithms. In the 5 independent library files, the encryption transmission control library mainly controls and manages the encryption communication flow, and algorithm interfaces in other 4 algorithm libraries are called as required in different stages of encryption communication.
Because the control management function and various algorithm libraries related to the national cryptographic communication are designed and developed into library files which can be dynamically loaded, a background operation and maintenance server of a browser is required to firstly release the library files related to the cryptographic communication as follows: an encryption transmission control library, a key exchange algorithm library, a digital signature algorithm library, a batch encryption algorithm library and a message verification algorithm library. The operation and maintenance personnel can add the developed encryption and decryption algorithm into the algorithm library of the corresponding category, compile and generate the corresponding library file, and then release the corresponding library file on the operation and maintenance server of the browser, so that each browser client can automatically update and download on line.
S22, after the browser is started, the browser communicates with the browser operation and maintenance server side, library file information related to encrypted communication is obtained, and the library files are dynamically loaded.
After the user starts the browser, the browser immediately communicates with the background operation and maintenance server thereof, acquires the information of the library files related to the encrypted communication, and starts to dynamically load the library files. If the library file in DLL format needs to be loaded in windows system, the LoadLibrary ("dllDemo. DLL") direct dynamic loading can be called; if a library file in the SO format needs to be loaded in the linux operating system, dlepen ("/tmp/libtest. SO", RTLD_LAZY ") direct dynamic loading can be invoked.
S23, the browser creates an encryption request message, adds all standard national encryption code suite list information in the CipherSuites field of the encryption request message, and sends the created encryption request message to the web site server.
The user operates the browser to begin accessing the web site. The browser needs to first create an encryption request message, and adds all standard national encryption code suite list information into the ciphersuite field in the message, and the number of the standard national encryption code suites is 12 at present. And after the browser completes the creation of the encryption request message, the browser immediately sends the encryption request message to the web site server.
S24, after receiving the encryption request message, the web site server analyzes the national encryption suite list information of the Ciphersuites field in the message, selects a proper national encryption suite from the information according to the encryption and decryption capability and the encryption performance requirement of an application scene, adds the proper national encryption suite into the Ciphersuites field of the encryption response message, and returns the created encryption response message to the browser.
After receiving the encryption request message, the web site server firstly analyzes the list information of the CipherSuite suite of the CipherSuites field in the message, and then selects a proper CipherSuite suite from the analyzed list information of the CipherSuite suite of the CipherSuite according to the encryption and decryption capability of the web site server and the encryption performance requirement of an application scene, and adds the proper CipherSuite suite of the CipherSuite to the CipherSuite field of the encryption response message. And the web server immediately sends the encrypted response message of the encrypted communication to the browser after the establishment of the encrypted response message of the encrypted communication is completed.
If all standard national encryption and decryption suite lists can not match encryption and decryption capability of the encryption and decryption capability requirements of application scenes, the connection request is terminated, and the encryption session negotiation is ended.
S25, the browser dynamically calls an algorithm library interface to load a corresponding complete encryption communication flow and algorithm combination according to the received encryption response message, and establishes a national encryption communication link with the web site server.
Compared with the prior art that the complete algorithm flow corresponding to each password suite of the browser is solidified in the browser kernel, the browser of the embodiment of the application loads the corresponding complete encryption communication flow and algorithm combination by dynamically calling the modularly designed algorithm library interface according to the national password suite selected by the web site server, so that the free combination of various password algorithms can be realized, and the flexible expansion function of the national password suite is realized.
Of course, after the browser and the website server establish the national cryptographic communication link, the two parties can continue to perform subsequent handshake flow for establishing the cryptographic link, and the negotiation calculates the cryptographic key for encrypting the webpage data in batches, and performs cryptographic communication on the webpage data according to the cryptographic key. And rendering and displaying the webpage data content which should be displayed by the browser for the decrypted webpage data until the encrypted communication session is ended.
Compared with the prior browser encryption and decryption algorithm module integrated in the browser kernel, various cryptographic algorithms are solidified in the browser kernel and are issued together with a browser installation package, the embodiment of the application realizes dynamic updating of the cryptographic algorithm library by carrying out modularized design on various algorithm libraries and independently forming library files capable of being dynamically loaded, and the browser can compatibly support the internationally newer advanced cryptographic algorithm by dynamically loading the library files after starting; compared with the prior browser, the complete algorithm flow corresponding to each cipher suite is solidified in the browser kernel, and the browser of the embodiment of the application loads the corresponding complete encryption communication flow and algorithm combination through dynamically calling the algorithm library interface according to the national cipher suite selected by the web site server, so that the free combination of various cipher algorithms can be realized, and the flexible expansion function of the national cipher suite is realized. In addition, the browser in the embodiment of the application adds all standard national encryption suite list information in the Ciphersuites field in the encryption request message to be selected by the web site server, is not limited to the existing few national encryption suites only supported, and can well meet the communication security and the national encryption requirements of the web site.
According to some embodiments of the present application, the cryptographic communication method of the embodiment of the present application further includes:
according to the request and the encryption response message format in the national encryption standard, the browser adds extension fields at the end of the encryption response message in the encryption request message and the web site server, wherein the extension fields comprise subfields corresponding to the encryption algorithms of all types.
The embodiment of the application expands the encryption request message and the encryption response message as follows:
the message format of the encryption request (ClientHello) sent by the browser to the web site server is as follows:
the message format of the web site server encrypted response (ServerHello) is as follows:
based on the above expansion of the encryption request message and the encryption response message, referring to fig. 3, the method for encrypting and communicating the national encryption in the embodiment of the application further includes:
when creating an encryption request message, the browser adds an algorithm list supported by a client into each subfield under an Extensions field of the encryption request message, wherein the algorithm list comprises a national encryption algorithm and an international universal encryption algorithm;
after receiving the encryption request message, the web site server analyzes a cryptographic algorithm list of each sub-field under the Extensions field in the encryption request message; and when all the national encryption and decryption suite lists in the parsed CipherSuite field cannot be matched with the encryption and decryption capability of the self and the encryption performance requirement of an application scene, further selecting an algorithm from the encryption algorithm list of each subfield under the parsed Extensions field, and correspondingly adding the algorithm to each subfield under the Extensions field of the encryption response message so as to combine and expand a new set of encryption suite.
The browser adds various cryptographic algorithm lists which are convenient for the free combination of web site servers into the Extensions field in the encryption request message, wherein the algorithm lists are obtained by dynamically calling an algorithm list obtaining interface of various algorithm library files, and the (1) Key exchange Algorithm field, the key exchange algorithm list comprises: SM2, SM9, RSA, DH, ECDH, DHE, ECDHE, SRP, PSK; (2) the Signature Algorithm field, the digital signature algorithm list includes: SM2, SM9, RSA, ECDSA, DSA; (3) the encryptionalgorithm list includes: SM1, SM4, AES, DES, 3DES, IDEA, CHACHA, camellia, ARIA, RC4; (4) the ValidationAlgorithms field, the list of message authentication algorithms includes: SM3, SHA1, SHA256, POLY1305, MD5. It can be seen that the algorithm list not only includes the national cryptographic algorithm but also includes the international general cryptographic algorithm.
After receiving the encryption request message, the web site server first analyzes the list information of the national encryption suite of the cipherersuites field in the message, and analyzes the list of the encryption algorithm in each subfield under the Extensions field in the message. And then selecting a proper national encryption and decryption suite according to the encryption and decryption capability of the self and the encryption performance requirement of an application scene, or respectively selecting an algorithm combination from various cipher algorithm lists to expand a new cipher suite. In particular, the method comprises the steps of,
if the standard national encryption suite can meet the performance requirement of the web application scene and the web site server can support, only one most suitable encryption suite is selected from the national encryption suite list to be added into the CipherSuite field of the encryption response message; otherwise, according to the performance requirement of the web application scene and the encryption and decryption algorithm condition supported by the web site server, selecting an algorithm from various cryptographic algorithm lists of the Extensions field, and adding the algorithm into each sub-field under the Extensions field of the encrypted response message.
According to the national encryption communication method, the messages are expanded by adding the Extensions field at the tail ends of the encryption request messages and the encryption response messages, the function of flexibly combining and expanding the national encryption code suite by the web site server is achieved, the web site server can randomly combine a new national encryption code suite according to specific application scenes, the selectivity of the national encryption code suite is improved, and the encryption performance requirement of the web site server in the corresponding application scenes can be well met.
Therefore, the browser of the embodiment of the application not only supports all standard national secret code kits, but also supports the new password kits flexibly and freely combined by the web site server, and the newly expanded password kits not only can use the national secret algorithm, but also can expand and be compatible with various password algorithms in the international general encryption system, so that the number of the password algorithms in the national secret encryption communication is greatly increased.
Still referring to fig. 3, according to some embodiments of the present application, the cryptographic communication method according to the embodiment of the present application further includes: when the browser analyzes that the webpage data contains the webpage node containing the cryptographic algorithm combination attribute, negotiating with the website server, and carrying out encrypted communication transmission on the part of webpage node data by using the analyzed cryptographic algorithm combination.
After the browser downloads the webpage data in an encrypted communication mode, analyzing the webpage data to obtain node information and webpage dynamic script information of the whole webpage, negotiating with a website server if a webpage node containing a cryptographic algorithm combination attribute exists, and carrying out encrypted communication transmission on the webpage node data of the part according to the analyzed cryptographic algorithm combination. And in the encryption communication transmission process, the browser loads the complete encryption communication flow corresponding to the cryptographic algorithm combination through dynamically calling an algorithm library interface.
For example, if the browser analyzes the following dynamic script information from the downloaded web page data, it determines that the web page data has a web page node including a combination attribute of the cryptographic algorithm:
<input type="text"
name="validateCode"
placement holder= "verification code"
KeyExchangeAlgorithm="SM2"
SignatureAlgorithm="SM2"
EncryptionAlgorithm="SM4"
ValidationAlgorithm="SM3"/>
In this case, the browser negotiates with the web site server, and the encrypted communication transmission is performed on the web page node data of the portion by adopting the parsed combination of the cryptographic algorithms.
By adopting the embodiment, the browser of the embodiment of the application can provide the flexible expansion function of the national secret code suite for the web front-end web page, support the requirement that a certain part of data content web front-end web page of the web page needs to adopt specific national secret code suite communication, realize that the web front-end web page can flexibly combine and expand the national secret code suite according to actual use scenes and network conditions, and adopt the national secret code communication for transmitting a certain part of resource data in the web page in an attribute mode, thereby meeting more web application requirements.
For example: for text box content encryption of user names and passwords in web pages, a national encryption code suite combination with high security requirements but low encryption efficiency requirements is needed, but for web page data encryption of online live video, a national encryption code suite combination with high encryption efficiency requirements but low security performance is needed, and for this purpose, a web front-end web page can meet more web application requirements by expanding the national encryption code suite through flexible combination: the content of a text box of a user name and a password in the webpage is communicated by adopting national standard, and only pictures of the identification verification code are communicated by adopting national standard; the functions of obtaining evidence for users by video recordings in the webpage adopt an extended national secret code suite with higher speed performance, and the like. The scheme of the embodiment of the application greatly expands the application range of the national secret communication standard in the web system.
According to some embodiments of the present application, the cryptographic communication method of the embodiment of the present application further includes:
after the operation and maintenance server of the browser updates the cryptographic algorithm in the library files by the operation and maintenance personnel, the latest version of each library file is released in time; after each time of starting, the browser automatically acquires the latest version information of each library file from the browser operation and maintenance server, downloads and updates the library file to be updated, and acquires a new cryptographic algorithm online.
The new cryptographic algorithm is continuously added into various algorithm library update library files by operation and maintenance personnel, and other advanced cryptographic algorithms are compatible and absorbed at any time in a manner that the browser operation and maintenance server timely releases the latest version of each library file. After each time of starting, the browser immediately communicates with a background operation server thereof to acquire the latest version information of each library file and judges whether the relevant library file needs to be updated and downloaded; if the library file needs to be updated, the update is immediately downloaded, so that the browser can update online to acquire a new cryptographic algorithm, and the web site server and the web front-end web page can use the newer cryptographic suite in a combined expansion cryptographic suite mode, thereby realizing the expansion use of the cryptographic suite in various modes and better meeting the requirements of various web application scenes.
In summary, the cryptographic communication method of the embodiment of the present application has the following innovative points and advantages:
(1) The method realizes an expansibility management mechanism of the national secret code suite, not only supports the cryptographic algorithms of all national secret communication standards, but also is compatible with various cryptographic algorithms in an international general encryption system, and greatly increases the number of the cryptographic algorithms in the national secret encryption communication.
(2) The function of flexibly combining and expanding the national encryption code suite by the web site server is realized, and the expandable national encryption communication is adopted for the data transmission of the whole web page resource; the web site server is supported to randomly combine a new national encryption code suite according to the actual application scene, so that the selectivity of the national encryption code suite is enlarged.
(3) The function of flexibly combining and expanding the national encryption code suite by the web front-end web page is realized, and expandable national encryption communication is adopted for transmitting some resource data in the web page, so that more web application requirements can be met, and the application range of the national encryption communication standard in a web system is greatly expanded.
(4) By means of updating various algorithm libraries, other advanced cryptographic algorithms can be compatible and absorbed at any time, a browser can update online to acquire a new cryptographic algorithm, and a web site server and a web front-end webpage can use the new cryptographic suite in a combined expansion cryptographic suite mode.
In a word, the national encryption communication method of the embodiment of the application can completely support the national encryption communication standard and encryption and decryption algorithm, expand and compatible with the international general encryption and decryption cryptographic algorithm, support the web site server to carry out national encryption communication on the whole web page resources in an expansibility cryptographic suite combination mode, and also support the web front-end web page to carry out national encryption communication on certain resources in the web page in an expansibility cryptographic suite combination mode; the password suite of various forms is well expanded and used, and the requirements of various web application scenes are better met.
Example 2
According to a second aspect of the present application, as shown in fig. 4, an embodiment of the present application further provides a cryptographic communication system, including a browser operation and maintenance server 41, a browser 42, and a web site server 43, where:
the browser operation and maintenance server 41 is configured to issue and manage a library file related to encrypted communication; the library file is formed by modularly designing a control management function related to national cryptographic communication and various algorithm libraries by operation and maintenance personnel according to a cryptographic suite format in a national cryptographic standard and independently forming a library file capable of being dynamically loaded;
the browser 42 is configured to communicate with the browser operation and maintenance server 41 after being started, obtain information of library files related to encrypted communication, and dynamically load the library files; creating an encryption request message, adding all standard national encryption code suite list information into the ciphersuite field of the encryption request message, and sending the created encryption request message to the web site server 43;
the website server 43 is configured to parse out the ciphered cipher suite list information of ciphered suites field in the message after receiving the encryption request message, select a proper ciphered cipher suite from the ciphered cipher suite according to its encryption and decryption capability and the encryption performance requirement of the application scenario, add the ciphered suite to ciphered suite field of the encrypted response message, and return the created encrypted response message to the browser 42;
the browser 42 is further configured to dynamically invoke an algorithm library interface to load a corresponding complete encrypted communication flow and algorithm combination according to the received encrypted response message, and establish a national cryptographic communication link with the web site server 43.
According to some embodiments of the present application, the browser 42 and the web site server 43 are further configured to append Extensions fields at the end of the encrypted response message and the web site server according to the request and the encrypted response message formats in the national cryptographic standard, where the Extensions fields include subfields corresponding to cryptographic algorithms of each type.
According to some embodiments of the present application, the browser 42 is further configured to, when creating the encryption request packet, add, to each sub-field under the Extensions field of the encryption request packet, an algorithm list supported by the client, where the algorithm list includes not only a cryptographic algorithm but also an international general cryptographic algorithm;
the web site server 43 is further configured to parse a cryptographic algorithm list of each subfield under the Extensions field in the encrypted request packet after receiving the encrypted request packet; and when all the national encryption and decryption suite lists in the parsed CipherSuite field cannot be matched with the encryption and decryption capability of the self and the encryption performance requirement of an application scene, further selecting an algorithm from the encryption algorithm list of each sub-field under the parsed Extension field, and correspondingly adding the algorithm into each sub-field under the Extension field of the encryption response message.
According to some embodiments of the present application, the browser 42 is further configured to negotiate with the website server 43 when the parsed web page data includes a web page node including a combination attribute of the cryptographic algorithm, and perform encrypted communication transmission on the web page node data of the portion using the parsed combination of the cryptographic algorithm.
According to some embodiments of the present application, the browser operation and maintenance server 41 is further configured to, after an operation and maintenance person updates a cryptographic algorithm in a library file, issue the latest version of each library file in time;
the browser 42 is further configured to automatically obtain, after each startup, the latest version information of each library file from the browser operation and maintenance server, download and update the library file to be updated, and obtain a new cryptographic algorithm online.
It can be understood that the cryptographic communication system shown in fig. 4 can implement the steps in the method of the foregoing embodiment 1, and the explanation about the method of embodiment 1 is applicable to the cryptographic communication system, which is not repeated herein.
Finally, it should be noted that:
the embodiment numbers are merely for the purpose of description and do not represent the advantages or disadvantages of the embodiments. In the foregoing embodiments of the present application, the descriptions of the embodiments are emphasized, and for a portion of this disclosure that is not described in detail in this embodiment, reference is made to the related descriptions of other embodiments. Embodiments of the present application may be implemented in hardware, software, firmware, or a combination thereof. In the several embodiments provided in the present application, it should be understood that the disclosed technology content may be implemented in other manners.
The flowcharts and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of methods and systems according to various embodiments of the present application. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams and/or flowchart illustration, and combinations of blocks in the block diagrams and/or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.

Claims (10)

1. A method of cryptographically communicating comprising:
the browser operation and maintenance server side manages and issues library files related to encrypted communication; the library file is formed by modularly designing a control management function related to national cryptographic communication and various algorithm libraries by operation and maintenance personnel according to a cryptographic suite format in a national cryptographic standard and independently forming a library file capable of being dynamically loaded;
after the browser is started, the browser communicates with the browser operation and maintenance server to acquire library file information related to encrypted communication, and the library files are dynamically loaded;
creating an encryption request message by a browser, adding all standard national encryption code suite list information into a CipherSuite field of the encryption request message, and sending the created encryption request message to a web site server;
after receiving the encryption request message, the web site server analyzes the list information of the ciphered cipher suite of the ciphered suite field in the message, selects a proper ciphered cipher suite from the list information according to the encryption and decryption capability of the client and the encryption performance requirement of an application scene, adds the ciphered cipher suite into the ciphered suite field of the encryption response message, and returns the established encryption response message to the browser;
and the browser dynamically calls an algorithm library interface to load a corresponding complete encryption communication flow and algorithm combination according to the received encryption response message, and establishes a national encryption communication link with the web site server.
2. The method according to claim 1, wherein the method further comprises:
according to the request and the encryption response message format in the national encryption standard, the browser adds extension fields at the end of the encryption response message in the encryption request message and the web site server, wherein the extension fields comprise subfields corresponding to the encryption algorithms of all types.
3. The method according to claim 2, wherein the method further comprises:
when creating an encryption request message, the browser adds an algorithm list supported by a client into each subfield under an Extensions field of the encryption request message, wherein the algorithm list comprises a national encryption algorithm and an international universal encryption algorithm;
after receiving the encryption request message, the web site server analyzes a cryptographic algorithm list of each sub-field under the Extensions field in the encryption request message; and when all the national encryption and decryption suite lists in the parsed CipherSuite field cannot be matched with the encryption and decryption capability of the self and the encryption performance requirement of an application scene, further selecting an algorithm from the encryption algorithm list of each sub-field under the parsed Extension field, and correspondingly adding the algorithm into each sub-field under the Extension field of the encryption response message.
4. A method according to claim 3, characterized in that the method further comprises:
when the browser analyzes that the webpage data contains the webpage node containing the cryptographic algorithm combination attribute, negotiating with the website server, and carrying out encrypted communication transmission on the part of webpage node data by using the analyzed cryptographic algorithm combination.
5. The method according to any one of claims 1 to 4, further comprising:
after the operation and maintenance server of the browser updates the cryptographic algorithm in the library files by the operation and maintenance personnel, the latest version of each library file is released in time;
after each time of starting, the browser automatically acquires the latest version information of each library file from the browser operation and maintenance server, downloads and updates the library file to be updated, and acquires a new cryptographic algorithm online.
6. The system is characterized by comprising a browser operation and maintenance server, a browser and a website server, wherein:
the browser operation and maintenance server is used for issuing and managing library files related to encrypted communication; the library file is formed by modularly designing a control management function related to national cryptographic communication and various algorithm libraries by operation and maintenance personnel according to a cryptographic suite format in a national cryptographic standard and independently forming a library file capable of being dynamically loaded;
the browser is used for communicating with the browser operation and maintenance server after being started, acquiring library file information related to encrypted communication and dynamically loading the library files; creating an encryption request message, adding all standard national encryption code suite list information into a ciphersuite field of the encryption request message, and sending the created encryption request message to a web site server;
the website server is used for analyzing the national encryption suite list information of the cipherer suite fields in the message after receiving the encryption request message, selecting a proper national encryption suite from the information according to the encryption and decryption capability of the information and the encryption performance requirement of an application scene, adding the proper national encryption suite into the cipherer suite fields of the encryption response message, and returning the established encryption response message to the browser;
the browser is also used for dynamically calling an algorithm library interface to load a corresponding complete encryption communication flow and algorithm combination according to the received encryption response message, and establishing a national encryption communication link with the web site server.
7. The system of claim 6, wherein the browser and the web site server are further configured to append Extensions fields at the end of the encrypted response message, according to the request and the encrypted response message formats in the national cryptographic standard, where the Extensions fields include subfields corresponding to respective types of cryptographic algorithms.
8. The system of claim 7, wherein the system further comprises a controller configured to control the controller,
the browser is further used for respectively adding an algorithm list supported by the client into each subfield under the Extensions field of the encryption request message when the encryption request message is created, wherein the algorithm list comprises a national encryption algorithm and an international universal encryption algorithm;
the web site server is further configured to parse a cryptographic algorithm list of each subfield under the Extensions field in the encryption request packet after receiving the encryption request packet; and when all the national encryption and decryption suite lists in the parsed CipherSuite field cannot be matched with the encryption and decryption capability of the self and the encryption performance requirement of an application scene, further selecting an algorithm from the encryption algorithm list of each sub-field under the parsed Extension field, and correspondingly adding the algorithm into each sub-field under the Extension field of the encryption response message.
9. The system of claim 8, wherein the system further comprises a controller configured to control the controller,
the browser is further configured to negotiate with a website server when the analyzed web page data contains a web page node containing a combination attribute of the cryptographic algorithm, and perform encrypted communication transmission on the web page node data of the portion by using the analyzed combination of the cryptographic algorithm.
10. The system according to any one of claims 6 to 9, wherein,
the browser operation and maintenance server is also used for timely issuing the latest version of each library file after the operation and maintenance personnel update the cryptographic algorithm in the library file;
the browser is also used for automatically acquiring the latest version information of each library file from the browser operation and maintenance server after each start, downloading and updating the library file to be updated, and acquiring a new cryptographic algorithm on line.
CN202311386000.5A 2023-10-24 2023-10-24 National encryption communication method and system Pending CN117459265A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202311386000.5A CN117459265A (en) 2023-10-24 2023-10-24 National encryption communication method and system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202311386000.5A CN117459265A (en) 2023-10-24 2023-10-24 National encryption communication method and system

Publications (1)

Publication Number Publication Date
CN117459265A true CN117459265A (en) 2024-01-26

Family

ID=89586699

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202311386000.5A Pending CN117459265A (en) 2023-10-24 2023-10-24 National encryption communication method and system

Country Status (1)

Country Link
CN (1) CN117459265A (en)

Similar Documents

Publication Publication Date Title
US6996817B2 (en) Method and system for upgrading and rolling back versions
US7373406B2 (en) Method and system for effectively communicating file properties and directory structures in a distributed file system
JP4863777B2 (en) Communication processing method and computer system
US10951595B2 (en) Method, system and apparatus for storing website private key plaintext
US8156318B2 (en) Storing a device management encryption key in a network interface controller
CN106788989B (en) Method and equipment for establishing secure encrypted channel
CN108282467B (en) Application method and system of digital certificate
CN112788012B (en) Log file encryption method and device, storage medium and electronic equipment
CZ2001163A3 (en) Method of transmitting information data from a sender to a receiver via a transcoder, method of transcoding information data, method for receiving transcoded information data, transmitter, transcoder and receiver
CN113992346B (en) Implementation method of security cloud desktop based on national security reinforcement
KR20140095523A (en) Security mechanism for external code
Itani et al. J2ME application-layer end-to-end security for m-commerce
CN114221950A (en) Method for uploading configuration file, method and device for downloading configuration file
CN103401931A (en) Method and system for downloading file
CN111884810A (en) Transaction signature method, device, mobile terminal and system
CN107087004A (en) Source file processing method and device, source file acquisition method and device
CN111857891B (en) Data processing methods, terminals and media for Android native and H5
CN114499836A (en) Key management method, key management device, computer equipment and readable storage medium
US20090157823A1 (en) Apparatus and method for facilitating secure email services using multiple protocols
JP2001282649A (en) Method and system for providing profile information of client for server
CN117459265A (en) National encryption communication method and system
CN116800499A (en) Encrypted data transmission methods and devices, equipment and storage media
JP4222132B2 (en) Software providing method and system
Itani et al. SPECSA: a scalable, policy-driven, extensible, and customizable security architecture for wireless enterprise applications
JP2006039794A (en) File management system

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination