[go: up one dir, main page]
More Web Proxy on the site http://driver.im/

WO2010003284A1 - Method, system and its security device for network interworking - Google Patents

Method, system and its security device for network interworking Download PDF

Info

Publication number
WO2010003284A1
WO2010003284A1 PCT/CN2008/071572 CN2008071572W WO2010003284A1 WO 2010003284 A1 WO2010003284 A1 WO 2010003284A1 CN 2008071572 W CN2008071572 W CN 2008071572W WO 2010003284 A1 WO2010003284 A1 WO 2010003284A1
Authority
WO
WIPO (PCT)
Prior art keywords
unit
client
encrypted ciphertext
operation content
security device
Prior art date
Application number
PCT/CN2008/071572
Other languages
French (fr)
Chinese (zh)
Inventor
许剑卓
陶佳
龚志杰
戴英侠
熊蜀吉
Original Assignee
Xu Jianzhuo
Tao Jia
Gong Zhijie
Dai Yingxia
Xiong Shuji
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Xu Jianzhuo, Tao Jia, Gong Zhijie, Dai Yingxia, Xiong Shuji filed Critical Xu Jianzhuo
Priority to PCT/CN2008/071572 priority Critical patent/WO2010003284A1/en
Publication of WO2010003284A1 publication Critical patent/WO2010003284A1/en

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/04Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic

Definitions

  • the invention relates to a network interaction technology between a client and a network server, in particular to a network interaction method, a system and a security device thereof for preventing a Trojan from attacking by means of tampering and forgery when a Trojan exists.
  • the security focus of network communication lies in the identity authentication and information encryption of the interaction process.
  • security technologies for example, fingerprint authentication technology for identity authentication, e-Certificate technology, and the like.
  • encryption algorithms such as AES, 3DES.
  • the application of these technologies creates a rigorous cryptosystem that protects the entire interaction process. Although it is easy to intercept this information over the network, it is difficult to know and tamper with its contents because it does not know the key. In general, directly cracking a cryptosystem is not worth the loss. Therefore, the attacker takes the vulnerability of finding the system and attacks.
  • the common attack method is to use Trojans to steal and tamper with sensitive information. This method of attack differs from direct cracking in that it steals authentication information or tampers with interactive content as an attack to bypass the protection of the password system.
  • the initial system login uses a static password, so the Trojan only needs to monitor the keyboard to steal the user login password.
  • the application of soft keyboard, random verification code, dynamic password authentication technology and e-Cert and other security technologies make this type of Trojan attack difficult to work, it is difficult to achieve the purpose of attack by simply intercepting information. . Therefore, the technology using the Trojan attack in the related art has gradually turned into tampering or falsifying communication content. The manner in which Trojans falsify or falsify communication contents will be described below with reference to the drawings.
  • Figure 1 is a flow chart of normal operation between the client and the server.
  • the client operating system receives the operation content input by the user through the mouse or the keyboard (see step 11), the operating system The operation content is delivered to the client software (see step 12), the client software encrypts the operation content (see step 13), and then passes the encrypted operation content to the server (see step 14).
  • step 12 the operating system transmits the user's operation content to the client software
  • the Trojans can attack this link, bypassing the protection of existing security technologies. That is, the Trojan can be used to host the client host, intercept the user operation, and tamper with the operation content; some Trojans even pretend that the client actively completes the operation scheduled by the attacker, so that the client host of the Trojan is implanted, and the user operates the content. It is difficult to pass to the client software safely.
  • Example 1 is a flow chart of the Trojan monitoring keyboard and mouse.
  • the Trojan When the Trojan is implanted on the client host, monitor the keyboard and mouse, you can get the operation content before the client software (some attackers will add a shell based on the real client software, and then trick the user into downloading.)
  • the design idea of the modified client software is the same as this example. The only difference is that the method of intercepting the mouse and keyboard is different.
  • the operation content received by the client software is tampering or forged operation content. No matter how advanced the security technology used in step 25 is, it cannot achieve a defense effect.
  • FIG. 3 is a flow chart of the Trojan forgery operation content, the virtual user operating the mouse and the keyboard. As shown in Figure 3, it is difficult for the client software to determine whether the real user is operating or whether the Trojan is operating.
  • Example 3 is a flow chart of the Trojan embedding client software intercepting the user's operation content.
  • the Trojan also uses the method of embedding the client software to intercept and tamper with the user's operation content, thereby achieving illegal purposes.
  • a soft keyboard is a technology that provides a password for entering with a mouse. Specifically, a random keyboard is formed on the screen, and then the keyboard is clicked to complete the password input. Because the password input is done by the mouse, it is difficult for the Trojan to steal the keyboard message and steal the password.
  • a verification code is a technique for preventing brute force.
  • a string of characters displayed by the picture is provided on the login interface, and then the user is required to input the characters.
  • the server When logging in, the server first verifies that these characters are correct (some systems are self-verified by the client software, and the defense effect is much worse). Because the characters displayed in the picture are generally distorted, and they are all set against the background of irregular lines. Therefore, these characters are difficult to be automatically recognized from the picture by the program. If used properly, the Trojan has a certain defense effect. . For example, if this technology is extended to critical business operations and supported by captcha technology, the spoofing behavior of the trojan will be greatly limited by forging the content of the operation.
  • the client software embedding Trojan scanning module actually integrates a Trojan killing tool into the client software. Its principle of killing Trojans is the same as anti-virus software, and can be seen as a streamlined version of its anti-virus software.
  • e-Cert technology and dynamic password technology can defend against the attacking behavior of Trojans that steal user passwords.
  • Figure 5 is a flow diagram of normal interaction between the client and the server.
  • Figure 6 is a flow chart of the Trojan implanted in the client preemptively obtaining the content of the operation by the client software, then tampering with the content of the operation and then sending it to the client software. As shown in Figure 6, during the entire interaction, the Trojan completely bypasses the protection of the cryptosystem formed by various security technologies.
  • Figure 7 is a flow chart of using a firewall to defend against Trojans.
  • the Trojan's theft of the username and password must be passed to the attacker, and then the attacker can use the stolen username and password to impersonate the legitimate user to log in to the system to complete the illegal purpose. Therefore, the stolen username password must be sent to the attacker via the network through the Trojan to complete the attack process completely.
  • the communication process between the Trojan and the outside world is blocked, thereby blocking the attack process and recovering the loss.
  • the object of the present invention is to provide a network interaction method, which uses a security device to process an operation content to prevent a Trojan from tampering or forging an operation content to achieve an attacking purpose, thereby providing a more secure solution and improving the solution.
  • the security level of the network application system expands the scope of network applications.
  • the solution has improved the security level of network application systems and expanded the scope of network applications.
  • Another object of the present invention is to provide a network interaction system, which uses a security device to confirm the correctness of operation content and process the operation content, so as to prevent the Trojan from tampering or forging the operation content to achieve the purpose of attack, thereby Provides a more secure solution, increases the security level of network application systems, and expands the scope of network applications.
  • the object of the present invention is also to provide a security device, which can display the operation content, so that the user can confirm whether the operation content is correct through the display, and if it is correct, the operation content is processed to prevent the Trojan from tampering or forging. The way the content is manipulated achieves the purpose of the attack.
  • the present invention provides a network interaction method, the method comprising: obtaining, by a security device, an operation content; the security device processing the operation content to generate an encrypted ciphertext for decrypting the content of the restoration operation, and Transmitting the encrypted ciphertext to the client; the client transmitting the encrypted ciphertext to a server.
  • the present invention also provides a network interaction system, which includes a client and a security device;
  • a security device configured to: input, by the client user, the operation content, process the operation content, to generate an encrypted ciphertext for decrypting the content of the restoration operation, and transmit the encrypted ciphertext to the client; And receiving the encrypted ciphertext transmitted by the security device, and sending the encrypted ciphertext to the server through a network.
  • the present invention further provides a security device, the security device comprising: an input unit, the input unit is configured to input the operation content by a client user; and the processing unit is configured to input the Encrypting the operation content to generate an encrypted ciphertext for decrypting the content of the restoration operation;
  • the present invention also provides a network interaction system, which includes a client and a security device;
  • a client configured to receive the operation content input by the user, and transmit the operation content to the security device, and receive the encrypted ciphertext transmitted by the security device, and send the encrypted ciphertext to the server;
  • a security device configured to receive the operation content transmitted by the client, display the operation content, and determine whether the client user confirms the operation content, and if the determination result is yes, the security device performs the operation
  • the content is processed to generate an encrypted ciphertext for decrypting the content of the restore operation, and the generated encrypted ciphertext is transmitted to the client.
  • the present invention further provides a security device, the security device comprising: a receiving unit, the receiving unit is configured to receive the operation content transmitted by a client, and a display unit, the display unit is configured to display the Operational content;
  • a determining unit configured to determine whether the client user confirms the operation content
  • a processing unit if the determination result of the determining unit is yes, the processing unit is configured to process the operation content, and generate an encrypted ciphertext for decrypting the content of the restoration operation;
  • the present invention further provides a network interaction system, the system including a server, and a client and a security device;
  • the security device is configured to receive an operation content input by a user, process the operation content, generate and display an encrypted ciphertext for decrypting the content of the restoration operation, and the client is configured to receive the encryption input by the user Ciphertext, and the encrypted ciphertext is sent to the server through the network.
  • the present invention further provides a security device, the security device comprising: an input unit, configured to input, by the client user, the operation content;
  • a processing unit configured to process the input operation content, and generate an encrypted ciphertext for decrypting the restored operation content
  • a conversion unit configured to convert the encrypted ciphertext into an inputtable character
  • a display unit configured to display the converted encrypted ciphertext
  • An advantageous effect of the present invention is that by using the security device to process the operation content, an encrypted ciphertext for decrypting the content of the restoration operation is generated, so that the Trojan cannot tamper with the encrypted ciphertext. Therefore, Trojans can only perform blocking attacks at most, and cannot attack with simple bypass. The blocking attack can cause the user to use the application system at most, without causing direct loss to the user, and there is no benefit to the attacker, thereby avoiding the user's loss, providing a more secure solution and improving the network application system.
  • the level of security has expanded the range of network applications.
  • Figure 1 is a flow chart of normal operation between the client and the server
  • FIG. 2 is a flow chart showing the operation of the Trojan tampering operation content implanted in the client host
  • 3 is a flow chart showing the operation of the Trojan forgery operation content implanted in the client host
  • Figure 4 is a flow chart showing the operation of the Trojan tampering operation content embedded in the client software
  • Figure 5 is a flow chart of normal interaction between the client and the server
  • Figure 6 is an interactive flow chart of tampering the content of the operation by the Trojan implanted in the client;
  • Figure 7 is a flow chart for defending a Trojan using a firewall;
  • FIG. 8 is a schematic structural diagram of a network interaction system according to Embodiment 1 of the present invention.
  • Figure 9 is a schematic view showing the structure of the security device of Figure 8.
  • Figure 10 is a schematic diagram of the structure of the client in Figure 8.
  • Figure 11 is a schematic view showing the structure of the server in Figure 8.
  • FIG. 12 is a schematic structural diagram of a network interaction system according to Embodiment 2 of the present invention.
  • Figure 13 is a schematic view showing the structure of the security device of Figure 12;
  • FIG. 14 is a schematic structural diagram of a network interaction system according to Embodiment 3 of the present invention.
  • Figure 15 is a schematic view showing the structure of the safety device of Figure 14;
  • Figure 16 is a schematic diagram of the structure of the client in Figure 14.
  • FIG. 17 is a flow chart of a network interaction according to Embodiment 4 of the present invention.
  • Figure 18 is a flow diagram of one embodiment of steps 1704 and 1705 of Figure 17;
  • Figure 19 is a flow diagram of another embodiment of steps 1704 and 1705 of Figure 17;
  • Figure 20 is a step 1709 of Figure 17.
  • FIG. 21 is a flow chart of another embodiment of steps 1709 and 1710 of FIG. 17;
  • FIG. 22 is a flow chart of network interaction according to Embodiment 5 of the present invention.
  • Figure 23 is a flow chart of the network interaction of Embodiment 6.
  • the invention provides a network interaction method, system and security device thereof.
  • the network interaction system of the present invention includes a server 803, a client 801, and a security device 802.
  • the security device 802 is configured to acquire operation content, and process the operation content to generate Encrypting the encrypted ciphertext of the restored operation content, and transmitting the encrypted ciphertext to the client 801; and the client 801 is configured to receive the transmission transmitted by the security device 802 The ciphertext is sent to the server 803 over the network.
  • the system can complete the input and processing of the operation content by using the security device 802, that is, the output of the security device is the encrypted ciphertext, which we call the full hardware input. Since the user does not input the operation content on the client, the Trojan can not invade the security device content. Therefore, the Trojan cannot intercept the operation content in the plaintext form, let alone tampering and forgery, thereby avoiding unnecessary loss to the user, thereby providing A more secure solution that increases the security level of network applications and expands the range of network applications.
  • Figure 9 is a schematic diagram showing the structure of the security device of Figure 8.
  • the security device 802 further includes an input unit 901, a processing unit 902, and a sending unit 903.
  • the input unit 901 is configured to input the operation content by the client user.
  • the processing unit 902 is configured to input the The operation content is processed to generate an encrypted ciphertext for decrypting the content of the restore operation; the transmitting unit 903 is configured to send the encrypted ciphertext to the client 801.
  • the security device 802 can also include a display unit (not shown) for displaying the input of the operational content.
  • the operations of the input unit 901, the processing unit 902, and the transmitting unit 903 are controlled by the CPU.
  • the processing unit 902 processes the operation content by adopting a method of processing the operation content according to a certain encryption protocol and an encryption algorithm to generate an encrypted ciphertext for decrypting the content of the restoration operation.
  • the security device 802 can be connected to the client 801 in a wired or wireless manner.
  • Figure 10 is a schematic diagram of the structure of the client in Figure 8.
  • the client 801 includes a first receiving unit 1001 and a first sending unit 1002.
  • the first receiving unit 1001 is configured to receive an encrypted ciphertext transmitted by the security device 802.
  • the first sending unit 1002 The encrypted ciphertext for transmitting the first receiving unit 1001 is transmitted to the server 803.
  • FIG. 11 is a block diagram showing the structure of the server of Figure 8.
  • the server 803 includes a second receiving unit 1101, a processing unit 1103, an operating unit 1104, and a second sending unit 1105.
  • the second receiving unit 1101 is configured to receive the encrypted ciphertext transmitted by the client 801.
  • the processing unit 1103 decrypts the encrypted ciphertext to obtain the operation content;
  • the operation unit 1104 is configured to perform a corresponding operation according to the acquired operation content;
  • the second sending unit 1105 is configured to transmit the operation result to the client 801. .
  • the first receiving unit 1001 of the client 801 is further configured to receive an operation result transmitted by the server 803; and the client 801 further includes a first display unit 1004, the first The display unit 1004 is for displaying the result of the operation.
  • the client 801 may further include a first encryption unit 1003, where the first encryption unit 1003 is configured to encrypt the encrypted ciphertext, and then the encrypted encryption key is encrypted by the first sending unit 1002.
  • the text is transmitted to the server 803, which further ensures the security of the transmitted data.
  • the server 803 further includes a second decryption unit 1102, and the second decryption unit 1102 is configured to decrypt the received encrypted encrypted ciphertext to obtain the operation content.
  • the server 803 can encrypt the operation result before returning the operation result to the client 801. After the client 801 receives the operation result, the operation result is decrypted and displayed. Therefore, the server 803 further includes a second encryption unit 1106, the second encryption unit 1106 is configured to encrypt the obtained operation result, and transmit the encrypted operation result to the second sending unit 1105;
  • the client further includes a first decryption unit 1005 for decrypting the encrypted operation result and then sending it to the second display unit 1004 for display.
  • the security device 802 can be used alone or integrated in an existing portable device, such as a USB encryption device for electronic certificate computing, or a mobile phone.
  • the system can complete the input and processing of the operation content by using the security device 802, that is, the output of the security device is the encrypted ciphertext, which we call the full hardware input. Since the user does not input the operation content on the client, the Trojan can not invade the security device content. Therefore, the Trojan cannot intercept the operation content in clear text, let alone tampering and forgery, avoiding unnecessary loss to the user and ensuring network interaction.
  • Security which provides a more secure solution, increases the security level of network application systems, and expands the scope of network applications.
  • the present invention further provides a network interaction system.
  • the system includes a server 1203, a client 1201, and a security device 1202.
  • the client 1201 is configured to receive operation content input by a user, and the operation content is And transmitting to the 1202 security device, and receiving the encrypted ciphertext sent by the security device 1202 for decrypting the content of the restoration operation, and sending the encrypted ciphertext to the server 1203;
  • the security device 1202 is configured to receive the operation content transmitted by the client 1201, Displaying the content of the operation, and determining whether the client user confirms the operation content. If the determination result is yes, the security device 1202 processes the operation content to generate the encrypted ciphertext, and transmits the generated encrypted ciphertext to the client. End 1201.
  • the Trojan modifies or falsifies the operation content before the security device 1202 obtains the operation content
  • the user can detect and block the operation content; the user confirms the operation content, and the operation content is already inside the security device 1202, and the Trojan cannot be modified. Therefore, it can avoid unnecessary loss to the user and ensure the security of the network interaction.
  • the operation content acquired by the security device 1202 is transmitted by the client 1201, is not input by the user, and can transmit information by wire or wirelessly.
  • FIG. 13 is a block diagram showing the construction of the security device of Figure 12.
  • the security device 1202 includes a receiving unit 1301, a display unit 1302, a determining unit 1303, a processing unit 1304, and a sending unit 1305.
  • the receiving unit 1301 is configured to receive the operation content transmitted by the client 1201.
  • the display unit 1302 is configured to display the operation content.
  • the determining unit 1303 is configured to determine whether the user of the client 1201 confirms the operation content. If the determination result of the determination unit 1303 is YES, the processing unit 1304 is configured to perform the operation content. Processing to generate an encrypted ciphertext for decrypting the content of the restore operation; the sending unit 1304 is configured to transmit the encrypted ciphertext to the client 1201.
  • the security device 1202 further includes an input unit 1306 that allows the user to input information confirming the content of the operation; or the user can also input the content of the operation, as described in Embodiment 1.
  • the security device 1202 receives the operation content transmitted by the client 1201, the operation content is displayed. At this time, the user can confirm whether the operation content is incorrect according to the display of the display unit 1302 of the security device 1202. If the error is determined, the confirmation unit 1306 of the security device 1202 can confirm the operation. If the determination unit 1303 determines that the user has confirmed the operation content, the processing unit 1304 of the security device 1202 processes the operation content. The processing result is transmitted to the client 1201. If the user confirms that the operation content is incorrect, the cancel button set in the input unit 1306 is passed. Therefore, if the Trojan modifies or falsifies the operation content before the security device 1202 obtains the operation content, the user can detect and block it.
  • the configuration of the client 1201 is similar to that of the embodiment 1, except that the client 1201 further includes a first input unit for the user to input the operation content; and the first sending unit further needs to send the operation content to the security device 1202.
  • the functions of the other components and their respective parts are similar to those of Embodiment 1, and are not described herein again.
  • the security device 1202 can be used alone or integrated in an existing portable device, such as a USB encryption device for electronic certificate computing or a human biometric authentication device, such as fingerprint authentication and iris authentication.
  • a human biometric authentication device such as fingerprint authentication and iris authentication.
  • the human biometric authentication unit can be used to confirm the operation content, such as using human biometrics such as fingerprints and irises for confirmation. Therefore, the input unit 1306 in the security device 1202 can be a key input unit and a human biometric authentication unit.
  • the Trojan modifies or falsifies the operation content before the security device 1202 obtains the operation content, the user can detect and block the content. Network interaction security is guaranteed.
  • the present invention also provides a network interaction system. As shown in FIG. 14, the system includes a server 1403, a client 1401, and a security device 1402.
  • the security device 1402 is configured to receive an operation content input by the user, process the operation content, generate an encrypted ciphertext for decrypting the content of the restoration operation, convert the encrypted ciphertext into an inputtable character, and display the converted the encryption
  • the cipher text is used by the client 1401 to receive the encrypted ciphertext input by the user, and the encrypted ciphertext is sent to the server 1403 through the network.
  • the system completes the input and processing of the operation contents by using the security device 1402. Since the user does not input the operation content on the client, the Trojan can not invade the security device content. Therefore, the Trojan can not intercept the operation content in the plaintext form, let alone tampering and forgery, avoiding unnecessary loss to the user, thus providing A more secure solution that increases the security level of network applications and expands the range of network applications.
  • FIG 15 is a block diagram showing the construction of the security device of Figure 14.
  • the security device includes an input unit 1501, a processing unit 1502, a conversion unit 1504, and a display unit 1503.
  • the input unit 1501 is configured to input the operation content by the client user.
  • the processing unit 1502 is configured to perform the input operation content. Processing, generating the encrypted ciphertext; converting unit 1504, configured to convert the encrypted ciphertext into an inputtable character; and displaying unit 1503, configured to display the converted encrypted ciphertext.
  • the operations of the input unit 1501, the processing unit 1502, the conversion unit 1504, and the display unit 1503 are controlled by the CPU.
  • the processing unit 1502 processes the operation content in the following manner: using an encryption key, performing operation processing on the operation content according to a certain encryption protocol and an encryption algorithm to generate an encrypted ciphertext.
  • the converting unit 1504 converts the encrypted ciphertext into a common inputtable character by using a certain character conversion rule, but is not limited thereto, and may be represented by other means.
  • the security device 1402 can be disconnected from the client 1401, the client user inputs the operation content by using the input unit 1501 of the security device 1402, and the user can also display the encrypted ciphertext displayed by the display unit 1503 of the security device 1402.
  • the client 1401 is input through an input unit of the client 1401.
  • Figure 16 is a block diagram showing the structure of the client in Figure 14.
  • the client includes a first input unit 1601 and a first sending unit 1602; wherein the first input unit 1601 is configured to input the encrypted ciphertext by a client user; the first sending unit 1602 is configured to: The encrypted ciphertext is transmitted to the server 1403.
  • the client further includes a first encryption unit 1603, the first encryption unit 1603 is configured to encrypt the encrypted ciphertext; and the first sending unit 1602 transmits the encrypted encrypted ciphertext to the Server 1403.
  • the client further includes a first receiving unit 1604, and a first display unit 1606.
  • the first receiving unit 1604 is configured to receive an operation result transmitted by the server 1403.
  • the first display unit 1606 Used to display the result of this operation.
  • the client further includes a first decryption unit 1605 for decrypting the encrypted operation result.
  • the system can complete the input and encryption processing of the operation content by using the security device 802. Since the user does not input the operation content on the client, the Trojan cannot invade the security device content. Therefore, the Trojan cannot intercept the operation content in the plaintext form. , let alone tampering and forgery, to avoid unnecessary losses to users.
  • the security device can be used alone or integrated into an existing portable device, such as the security device being implemented by using a mobile phone.
  • the present invention also provides a network interaction method, the method comprising: the security device acquiring the operation content; the security device processing the operation content to generate an encrypted ciphertext for decrypting the restoration operation content; the client acquiring the encryption password And send the encrypted ciphertext to the server.
  • the method uses the security device to process the operation content, so as to prevent the Trojan from tampering or forging the operation content to achieve the purpose of attack, thereby providing a more secure solution.
  • the case has improved the security level of the network application system and expanded the scope of network applications.
  • Step 1701 The user inputs the operation content through the input unit of the security device 802.
  • Step 1702 The security device 802 processes the operation content by using a certain encryption algorithm and an encryption protocol to generate an encrypted ciphertext for decrypting the content of the restoration operation;
  • Step 1703 the security device 802 transmits the generated encrypted ciphertext to the client 801;
  • Step 1704 the client 801 transmits the encrypted ciphertext to the server 803 through the network;
  • Step 1705 the server 803 receives the encrypted ciphertext;
  • Step 1706 the server 803 decrypts the received encrypted ciphertext to obtain the operation content.
  • Steps 1707, 1708, the server 803 performs corresponding operations according to the operation content, and generates an operation result
  • Step 1709 the server 803 sends the operation result to the client 801 through the network;
  • Step 1710 The client 801 receives the operation result.
  • step 1709 the client 801 displays the result of the operation.
  • the security device 802 and the client 801 can be connected by wire or wirelessly.
  • the system completes the input and processing of the operation content, thereby providing a more secure solution, improving the security level of the network application system, and expanding the scope of the network application.
  • Figure 18 is a flow diagram of one embodiment of steps 1704 and 1705 of the present invention. As shown in FIG. 18, the specific implementation is as follows:
  • Step 1801 the client 801 encapsulates the encrypted ciphertext into a communication packet according to a public and customized network protocol.
  • Step 1802 the client 801 transmits the communication packet to the server 803 through the network; Step 1803, after receiving the communication packet, the server 803 uses the same communication protocol as the client 801 to parse the communication packet to obtain The encrypted ciphertext.
  • the encrypted ciphertext may be encrypted, encrypted, and transmitted before being transmitted to the server 803 in step 1704.
  • the decryption is performed first, and then step 1706 is performed.
  • FIG. 19 The specific implementation manner is shown in FIG. 19:
  • Step 1901 the client 801 uses the encrypted ciphertext as input of one or more cryptosystems. Part of the information, participate in the operation of the cryptosystem, and obtain the encrypted ciphertext after the operation;
  • Step 1902 the client 801 encapsulates the encrypted ciphertext into a communication packet according to a public or customized network protocol.
  • Step 1903 the client 801 transmits the communication packet to the server 803 through the network.
  • Step 1904 after receiving the communication packet, the server 803 parses the received communication packet by using the same communication protocol as the client 801. The obtained encrypted ciphertext is obtained.
  • step 1905 the server 803 performs an inverse operation on the encrypted ciphertext corresponding to the client 801 to obtain the encrypted ciphertext.
  • Figure 20 is a flow diagram of one embodiment of steps 1709 and 1710 of the present invention. As shown in FIG. 20, the specific implementation is as follows:
  • Step 2001 the server 803 encapsulates the operation result into a communication packet according to a public and customized network protocol
  • Step 2002 the server 803 transmits the communication packet to the client 801 through the network; in step 2003, after receiving the communication packet, the client 801 uses the same communication protocol as the server 803 to parse the communication packet to obtain Operation result.
  • the operation result is encrypted first; correspondingly, after the client 801 receives the operation result, the operation result is decrypted and then displayed.
  • the specific implementation manner is as shown in FIG. 21:
  • Step 2101 The server 803 participates in the operation of the cryptosystem as part of the input information of one or more cryptosystems, and obtains the encrypted ciphertext after the operation;
  • Step 2102 the server 803 encapsulates the encrypted ciphertext into a communication packet according to a public or customized network protocol.
  • Step 2103 the server 803 transmits the communication packet to the client 801 through the network.
  • step 2104 after receiving the communication packet, the client 801 parses the received communication packet by using the same communication protocol as the server 803. , obtaining the encrypted ciphertext;
  • Step 2105 The client 801 performs an inverse operation on the encrypted ciphertext corresponding to the server 803 to obtain the operation operation content.
  • Step 2201 The user operates on the human-machine interface of the client 1201, and the operation content can be input through an input unit of the client 1201, such as a keyboard or a mouse;
  • Step 2202 the client 1201 receives the operation content of the user, and then transmits the operation content to the security device 1202;
  • Step 2203 the display unit of the security device 1202 displays the operation content.
  • Step 2204 the security device 1202 checks whether the operation content is incorrect according to the display, and if the determination is correct, the input unit of the security device 1202 confirms, after confirming
  • the security device 1202 processes the operation content with a certain encryption algorithm and an encryption protocol to generate an encrypted ciphertext for decrypting the content of the restoration operation, and transmits the encrypted ciphertext to the client 1201; Biometric features such as fingerprints, irises, etc. are confirmed;
  • Step 2205 the client 1201 transmits the encrypted ciphertext to the server 1203 through the network; the steps 2206 to 2212 are similar to the steps 1705 to 1711 in FIG. 17, and are not described herein again.
  • the client 1201 can transmit the encrypted ciphertext to the server 1203 in the manner shown in Figs. In the manner shown in Figures 20 and 21, the server 1203 transmits the result of the operation to the client 1202.
  • Step 2301 the user inputs the operation content through the input unit of the security device 1402.
  • Step 2302 the security device 1402 processes the operation content with a certain encryption algorithm and an encryption protocol to generate an encrypted ciphertext for decrypting the content of the restoration operation;
  • the security device converts the encrypted ciphertext into an inputtable character according to a certain character conversion rule;
  • Step 2303 the security device 802 displays the converted encrypted ciphertext
  • Step 2304 the user can input the displayed encrypted ciphertext to the client through the client input unit.
  • Step 2305 the client 1401 transmits the encrypted ciphertext to the server 1403 through the network; the steps 2306 to 2312 are similar to the steps 1705 to 1711 in FIG. 17, and are no longer ⁇ Said.
  • the client 1201 can transmit the encrypted ciphertext to the server 1203 in the manner shown in Figs. In the manner shown in Figures 20 and 21, the server 1203 transmits the result of the operation to the client 1202.
  • the input and encryption processing of the operation content can be completed, that is, the output of the security device is the encrypted ciphertext, which is referred to herein as the full hardware input.
  • the Trojan Since the user does not input the operation content on the client, the Trojan can not invade the security device content. Therefore, the Trojan cannot intercept the operation content in the plaintext form, let alone tampering and forgery, avoiding unnecessary loss to the user, thus providing A more secure solution that increases the security level of network applications and expands the range of network applications.
  • the above network interaction system and method are applicable to various application systems involving network interaction, such as online banking, securities trading, online game electronic equipment trading, enterprise key business systems, e-commerce and network payment, and other fields involving network interactive authentication.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Storage Device Security (AREA)

Abstract

A method, a system and its security device for network interworking are provided. The method comprises: the client terminal receiving the operation content inputted by the user; the security device obtaining the operation content; the security device processing the operation content to produce encrypted cryptograph used for recovering the operation content by decryption, and sending the encrypted cryptograph to the client terminal; the client terminal sending the encrypted cryptograph to the server. The method can prevent the operation content from being juggled or forged by Trojan Horse.

Description

网络交互方法、 系统及其安全设备 技术领域  Network interaction method, system and security device thereof
本发明关于客户端和网络服务器之间的网络交互技术,特别关于客户端 存在木马时防止木马用篡改和伪造的方式进行攻击的一种网络交互方法、系 统及其安全设备。 背景技术 由于网络的便捷性, 基于网络的应用系统, 如网络银行、证券、 网络游 戏等在生产生活中占据越来越重要的地位。但是也正因为网络的特性,使得 网络通讯的安全性成为重要课题。  The invention relates to a network interaction technology between a client and a network server, in particular to a network interaction method, a system and a security device thereof for preventing a Trojan from attacking by means of tampering and forgery when a Trojan exists. BACKGROUND OF THE INVENTION Due to the convenience of networks, network-based application systems, such as online banking, securities, and online games, are playing an increasingly important role in production and life. However, due to the characteristics of the network, the security of network communication has become an important issue.
网络通讯的安全焦点在于交互过程的身份鉴别和信息加密。在这一过程 中有各种安全技术可供选择。例如用于身份认证的指纹鉴别技术、 电子证书 技术等。有诸如 AES、 3DES之类的加密算法。这些技术的应用构筑了严密的 密码系统,保护了整个交互过程的安全。虽然可以很轻易地通过网络截获这 些信息, 但是因为不知道密钥, 因此难以知晓和篡改其内容。一般来说直接 破解一个密码系统, 都是得不偿失的, 因此, 攻击者都采取寻找系统的脆弱 点, 加以攻击。  The security focus of network communication lies in the identity authentication and information encryption of the interaction process. There are a variety of security technologies to choose from during this process. For example, fingerprint authentication technology for identity authentication, e-Certificate technology, and the like. There are encryption algorithms such as AES, 3DES. The application of these technologies creates a rigorous cryptosystem that protects the entire interaction process. Although it is easy to intercept this information over the network, it is difficult to know and tamper with its contents because it does not know the key. In general, directly cracking a cryptosystem is not worth the loss. Therefore, the attacker takes the vulnerability of finding the system and attacks.
目前,常用的攻击方法是采用木马窃取和篡改敏感信息。这种攻击方法 与直接破解有所不同, 以盗窃认证信息或篡改交互内容为攻击手段,绕过密 码系统的保护。  Currently, the common attack method is to use Trojans to steal and tamper with sensitive information. This method of attack differs from direct cracking in that it steals authentication information or tampers with interactive content as an attack to bypass the protection of the password system.
最初的系统登录采用静态口令, 因此,木马仅仅需要监控键盘即可盗窃 用户登录口令。在这种情况下, 为了防止木马的攻击, 应用软键盘、 随机验 证码、动态口令身份认证技术和电子证书等安全技术,使得这类木马攻击难 以奏效, 难以仅凭单纯的截获信息达到攻击目的。 因此, 在相关技术中采用 木马攻击的技术逐渐转变为篡改或伪造通讯内容。以下参照附图对木马篡改 或伪造通讯内容的方式进行说明。  The initial system login uses a static password, so the Trojan only needs to monitor the keyboard to steal the user login password. In this case, in order to prevent Trojan attacks, the application of soft keyboard, random verification code, dynamic password authentication technology and e-Cert and other security technologies make this type of Trojan attack difficult to work, it is difficult to achieve the purpose of attack by simply intercepting information. . Therefore, the technology using the Trojan attack in the related art has gradually turned into tampering or falsifying communication content. The manner in which Trojans falsify or falsify communication contents will be described below with reference to the drawings.
图 1为客户端和服务器之间正常操作的流程图。如图 1所示,客户端操 作系统接收用户通过鼠标或键盘输入的操作内容(见步骤 11 ), 该操作系统 将操作内容传递给客户端软件(见步骤 12), 该客户端软件对该操作内容进 行加密(见步骤 13), 然后将加密后的操作内容传递至服务器(见步骤 14)。 Figure 1 is a flow chart of normal operation between the client and the server. As shown in FIG. 1, the client operating system receives the operation content input by the user through the mouse or the keyboard (see step 11), the operating system The operation content is delivered to the client software (see step 12), the client software encrypts the operation content (see step 13), and then passes the encrypted operation content to the server (see step 14).
由上述可知, 步骤 12 "操作系统把用户的操作内容传给客户端软件" 是一个脆弱环节。 木马可以攻击这个环节, 从而绕开现有安全技术的保护。 即木马能左右被植入的客户端主机,截获用户操作, 并篡改操作内容; 有些 木马甚至伪装成客户端主动完成攻击者预定的操作,这样,植入木马的客户 端主机, 用户操作内容就难以安全的传给客户端软件。  It can be seen from the above that step 12 "the operating system transmits the user's operation content to the client software" is a vulnerable link. Trojans can attack this link, bypassing the protection of existing security technologies. That is, the Trojan can be used to host the client host, intercept the user operation, and tamper with the operation content; some Trojans even pretend that the client actively completes the operation scheduled by the attacker, so that the client host of the Trojan is implanted, and the user operates the content. It is difficult to pass to the client software safely.
例 1,图 2是木马监控键盘和鼠标的流程图。当木马植入客户端主机后, 监控键盘和鼠标,可以抢先于客户端软件之前获得操作内容(有的攻击者会 在真正的客户端软件基础上增加一个壳,然后诱骗用户下载使用。这种改装 后的客户端软件的设计思想与本例相同,区别的只是截获鼠标键盘的方法不 同)。 如图 2所示, 客户端软件接收的操作内容是篡改或伪造的操作内容, 无论步骤 25采用的安全技术有多先进, 都不能起到防御效果。  Example 1, Figure 2 is a flow chart of the Trojan monitoring keyboard and mouse. When the Trojan is implanted on the client host, monitor the keyboard and mouse, you can get the operation content before the client software (some attackers will add a shell based on the real client software, and then trick the user into downloading.) The design idea of the modified client software is the same as this example. The only difference is that the method of intercepting the mouse and keyboard is different. As shown in Figure 2, the operation content received by the client software is tampering or forged operation content. No matter how advanced the security technology used in step 25 is, it cannot achieve a defense effect.
例 2, 图 3是木马伪造操作内容、 虚拟用户操作鼠标和键盘的流程图。 如图 3所示, 客户端软件很难判断是真实用户在操作, 还是木马在操作。  Example 2, Figure 3 is a flow chart of the Trojan forgery operation content, the virtual user operating the mouse and the keyboard. As shown in Figure 3, it is difficult for the client software to determine whether the real user is operating or whether the Trojan is operating.
例 3, 图 4是木马嵌入客户端软件截获篡改用户的操作内容的流程图。 对于一些操作复杂的客户端软件(例如网络游戏客户端软件), 木马也会采 用嵌入客户端软件的方式来截获篡改用户的操作内容, 从而达到非法目的。  Example 3, Figure 4 is a flow chart of the Trojan embedding client software intercepting the user's operation content. For some complex client software (such as online game client software), the Trojan also uses the method of embedding the client software to intercept and tamper with the user's operation content, thereby achieving illegal purposes.
由上述可知, 为了清除木马、 保护系统, 通常采用的方案有以下几种: 第一种:使用杀毒软件来查杀木马。虽然使用杀毒软件是清除病毒和木 马的最有效的手段,但是其不能保证客户端上操作系统中完全没有木马。最 重要的原因就是目前新的木马出现和传播速度太快。例如,每天都有新木马 出现, 在病毒库升级前杀毒软件难以清除木马; 电子邮件、 MSN和 QQ类通 讯工具和 BBS论坛等网络应用使得木马散播速度极快;很多用户的主机上安 装了杀毒软件,但却忽视了病毒库的更新,杀毒软件自动更新病毒间隔时间 过长; 木马可以伪造用户操作, 主动关闭杀毒软件的保护, 甚至造成杀毒软 件丧失功能。  It can be seen from the above that in order to remove Trojans and protection systems, the following commonly used schemes are as follows: The first one: using anti-virus software to kill Trojans. Although the use of anti-virus software is the most effective means of removing viruses and Trojans, it does not guarantee that there is no Trojan in the operating system on the client. The most important reason is that the new Trojans are appearing and spreading too fast. For example, new Trojans appear every day, and it is difficult for anti-virus software to remove Trojans before the virus database is upgraded. Web applications such as e-mail, MSN and QQ communication tools and BBS forums make Trojans spread very fast; many users have anti-virus installed on their hosts. Software, but ignores the virus database update, anti-virus software automatically updates the virus interval is too long; Trojan can forge user operations, proactively turn off the protection of anti-virus software, and even cause anti-virus software to lose functionality.
并且对于敏感的、具有经济价值的攻击目标,木马只要得手一次, 就可 以造成极大损失。 因此我们需要另外寻找方法, 以彻底解决木马的威胁。 第二种: 采用各类认证、加密安全产品。针对客户端本地的安全, 目前 这些安全技术仅仅有软键盘、验证码或客户端软件内嵌木马扫描模块等不多 的几种技术。 其中, And for sensitive, economically valuable targets, the Trojan can cause great losses as long as it succeeds. Therefore, we need to find another way to completely solve the threat of Trojans. Second: Adopt various types of authentication and encryption security products. For the local security of the client, at present, these security technologies only have a few technologies such as a soft keyboard, a verification code or a client software embedding Trojan scanning module. among them,
软键盘是提供用鼠标进行输入口令的技术。具体的说,就是在屏幕上形 成一个顺序随机的键盘,然后用鼠标点击这个键盘, 完成口令的输入。 因为 口令输入由鼠标完成, 因此, 使得以截获键盘消息为手段、盗窃口令为目的 的木马难以发挥作用。  A soft keyboard is a technology that provides a password for entering with a mouse. Specifically, a random keyboard is formed on the screen, and then the keyboard is clicked to complete the password input. Because the password input is done by the mouse, it is difficult for the Trojan to steal the keyboard message and steal the password.
验证码是一种防止暴力破解的技术,在登录的界面上提供一个由图片显 示的一串字符,然后要求用户输入这些字符。在进行登录操作时,服务端首 先验证这些字符是否正确(有些系统是客户端软件自己验证, 防御效果就差 了很多)。 因为图片显示的字符一般会进行扭曲处理, 而且都在不规则的线 条组成的背景映衬下, 因此, 这些字符很难用程序自动从图片内识别出来, 若使用得当,对木马有一定的防御效果。例如这种技术如果扩展到关键业务 的操作也有验证码技术做支持, 以伪造操作内容,虚拟用户操作为手段的木 马的攻击行为就会受到很大限制。  A verification code is a technique for preventing brute force. A string of characters displayed by the picture is provided on the login interface, and then the user is required to input the characters. When logging in, the server first verifies that these characters are correct (some systems are self-verified by the client software, and the defense effect is much worse). Because the characters displayed in the picture are generally distorted, and they are all set against the background of irregular lines. Therefore, these characters are difficult to be automatically recognized from the picture by the program. If used properly, the Trojan has a certain defense effect. . For example, if this technology is extended to critical business operations and supported by captcha technology, the spoofing behavior of the trojan will be greatly limited by forging the content of the operation.
客户端软件内嵌木马扫描模块实际上是把一个木马专杀工具,集成到客 户端软件中。其查杀木马的原理与杀毒软件相同,可以把它看作一个具有针 对性的杀毒软件的精简版。  The client software embedding Trojan scanning module actually integrates a Trojan killing tool into the client software. Its principle of killing Trojans is the same as anti-virus software, and can be seen as a streamlined version of its anti-virus software.
另外, 电子证书技术、动态口令技术都可以防御以盗窃用户口令为主的 木马的攻击行为。  In addition, e-Cert technology and dynamic password technology can defend against the attacking behavior of Trojans that steal user passwords.
但是, 上述技术大都针对用户的登录过程, 具有一定的防御效果。对于 用户操作时的安全问题,则难以防御,尤其对于以截获篡改用户操作内容为 主要攻击手段的木马, 防御效果欠佳。 以下举例说明。  However, most of the above technologies are directed to the user's login process and have a certain defense effect. For the security problem when the user operates, it is difficult to defend, especially for the Trojan that intercepts the user's operation content as the main attack means, the defense effect is not good. The following examples are given.
图 5是客户端和服务器之间正常交互的流程图。图 6是植入客户端的木 马抢先于客户端软件获得操作内容,然后篡改该操作内容,再发送给客户端 软件的流程图。如图 6所示,在整个交互过程中,木马完全绕过了各种安全 技术所形成的密码系统的保护。  Figure 5 is a flow diagram of normal interaction between the client and the server. Figure 6 is a flow chart of the Trojan implanted in the client preemptively obtaining the content of the operation by the client software, then tampering with the content of the operation and then sending it to the client software. As shown in Figure 6, during the entire interaction, the Trojan completely bypasses the protection of the cryptosystem formed by various security technologies.
第三种:安装防火墙在客户端上,通过设置防火墙策略来阻止非授权的 网络访问。 图 7是采用防火墙对木马进行防御的流程图。其中,木马盗窃到用户名 和口令必须传递给攻击者,然后由攻击者利用盗窃到的用户名和口令冒充合 法用户登录系统, 才能完成非法目的。 因此, 盗窃到的用户名口令必须由木 马通过网络发送给攻击者,才能彻底完成攻击流程。在配置合理的防火墙策 略时, 木马与外界的通讯过程被阻挡, 从而阻断攻击流程, 挽回损失。 Third: Install the firewall on the client to prevent unauthorized network access by setting a firewall policy. Figure 7 is a flow chart of using a firewall to defend against Trojans. Among them, the Trojan's theft of the username and password must be passed to the attacker, and then the attacker can use the stolen username and password to impersonate the legitimate user to log in to the system to complete the illegal purpose. Therefore, the stolen username password must be sent to the attacker via the network through the Trojan to complete the attack process completely. When a reasonable firewall policy is configured, the communication process between the Trojan and the outside world is blocked, thereby blocking the attack process and recovering the loss.
但是, 用个人版防火墙防御木马攻击, 有很大的局限性,其主要缺点如 下: 完全无法防御以截获篡改或伪造用户操作内容为主要攻击手段的木马; 缺省的防火墙策略过于宽松、漏洞很多; 防火墙的配置需要专业知识, 非普 通用户可以完成;木马可以通过改变通讯端口、嵌入或冒用授权程序进行网 络通讯; 木马可以伪造用户操作, 主动关闭个人防火墙的保护, 甚至造成个 人版防火墙丧失功能。  However, using the personal version of the firewall to defend against Trojan attacks has many limitations. The main disadvantages are as follows: Trojans that are completely unable to defend against tampering or forgery of user operations are the main means of attack; The default firewall policy is too loose and has many loopholes. The configuration of the firewall requires professional knowledge, which can be completed by non-ordinary users; Trojans can communicate by changing the communication port, embedding or fraudulently using the authorized program; Trojans can forge user operations, proactively turn off the protection of personal firewalls, and even cause personal firewalls to be lost. Features.
申请号为 200610149618. X、 公开号为 CN 1965401A的发明专利申请, 揭示了一种互联网接入系统和接入方法, 现将其内容合并于此。 发明内容  An invention patent application having the application number of 200610149618. X, the disclosure of which is incorporated herein by reference. Summary of the invention
本发明的目的在于提供一种网络交互方法,该方法使用安全设备对操作 内容进行处理, 以阻止木马用篡改或伪造操作内容的方式达到攻击目的,从 而提供了更为安全的解决方案,提高了网络应用系统的安全等级,扩大了网 络应用范围。  The object of the present invention is to provide a network interaction method, which uses a security device to process an operation content to prevent a Trojan from tampering or forging an operation content to achieve an attacking purpose, thereby providing a more secure solution and improving the solution. The security level of the network application system expands the scope of network applications.
本发明的目的还在于提供一种网络交互系统,该系统通过使用安全设备 输入操作内容并对操作内容进行处理,以阻止木马用篡改或伪造操作内容的 方式达到攻击目的,从而提供了更为安全的解决方案,提高了网络应用系统 的安全等级, 扩大了网络应用范围。  It is also an object of the present invention to provide a network interaction system that provides security by inputting operational content and processing the operation content by using a security device to prevent the Trojan from tampering or forging the operation content to achieve an attacking purpose. The solution has improved the security level of network application systems and expanded the scope of network applications.
本发明的目的还在于提供一种安全设备,该安全设备可对输入的操作内 容进行处理,使得该操作内容不在客户端输入, 以阻止木马用篡改或伪造操 作内容的方式达到攻击目的。  It is also an object of the present invention to provide a security device that processes input operational content such that the operational content is not entered by the client to prevent the Trojan from tampering or falsifying the content of the operation for attack purposes.
本发明的目的还在于提供一种网络交互系统,该系统通过使用安全设备 对操作内容正确与否进行确认且对操作内容进行处理,以阻止木马用篡改或 伪造操作内容的方式达到攻击目的,从而提供了更为安全的解决方案,提高 了网络应用系统的安全等级, 扩大了网络应用范围。 本发明的目的还在于提供一种安全设备,该安全设备可对操作内容进行 显示,使得用户可通过该显示确认操作内容是否正确,若正确则对操作内容 进行处理, 以阻止木马用篡改或伪造操作内容的方式达到攻击目的。 Another object of the present invention is to provide a network interaction system, which uses a security device to confirm the correctness of operation content and process the operation content, so as to prevent the Trojan from tampering or forging the operation content to achieve the purpose of attack, thereby Provides a more secure solution, increases the security level of network application systems, and expands the scope of network applications. The object of the present invention is also to provide a security device, which can display the operation content, so that the user can confirm whether the operation content is correct through the display, and if it is correct, the operation content is processed to prevent the Trojan from tampering or forging. The way the content is manipulated achieves the purpose of the attack.
为实现上述目的, 本发明提供一种网络交互方法, 该方法包括: 安全设 备获取操作内容;所述安全设备对所述操作内容进行处理, 以产生用于解密 还原操作内容的加密密文,并将所述加密密文传送至所述客户端;所述客户 端将所述加密密文发送至服务器。  To achieve the above object, the present invention provides a network interaction method, the method comprising: obtaining, by a security device, an operation content; the security device processing the operation content to generate an encrypted ciphertext for decrypting the content of the restoration operation, and Transmitting the encrypted ciphertext to the client; the client transmitting the encrypted ciphertext to a server.
为实现上述目的,本发明还提供一种网络交互系统,该系统包括客户端 和安全设备; 其中,  To achieve the above object, the present invention also provides a network interaction system, which includes a client and a security device;
安全设备,用于供客户端用户输入操作内容,对所述操作内容进行处理, 以产生用于解密还原操作内容的加密密文,并将所述加密密文传送至所述客 户端; 客户端,用于接收所述安全设备传送的所述加密密文, 并将所述加密 密文通过网络发送至所述服务器。  a security device, configured to: input, by the client user, the operation content, process the operation content, to generate an encrypted ciphertext for decrypting the content of the restoration operation, and transmit the encrypted ciphertext to the client; And receiving the encrypted ciphertext transmitted by the security device, and sending the encrypted ciphertext to the server through a network.
为实现上述目的, 本发明还提供一种安全设备, 该安全设备包括: 输入单元, 所述输入单元用于供客户端用户输入所述操作内容; 处理单元,所述处理单元用于对输入的所述操作内容进行加密, 以产生 用于解密还原操作内容的加密密文;  To achieve the above object, the present invention further provides a security device, the security device comprising: an input unit, the input unit is configured to input the operation content by a client user; and the processing unit is configured to input the Encrypting the operation content to generate an encrypted ciphertext for decrypting the content of the restoration operation;
发送单元, 所述发送单元用于将所述加密密文发送至所述客户端。 为实现上述目的,本发明还提供一种网络交互系统,该系统包括客户端 和安全设备; 其中,  a sending unit, configured to send the encrypted ciphertext to the client. To achieve the above object, the present invention also provides a network interaction system, which includes a client and a security device;
客户端,用于接收用户输入的操作内容,并将所述操作内容传送至所述 安全设备,并且接收所述安全设备传送的加密密文,将所述加密密文发送至 所述服务器;  a client, configured to receive the operation content input by the user, and transmit the operation content to the security device, and receive the encrypted ciphertext transmitted by the security device, and send the encrypted ciphertext to the server;
安全设备,用于接收所述客户端传送的所述操作内容,显示所述操作内 容, 并判断客户端用户是否确认所述操作内容,若判断结果为是, 则所述安 全设备对所述操作内容进行处理, 以产生用于解密还原操作内容的加密密 文, 并将产生的所述加密密文传送至所述客户端。  a security device, configured to receive the operation content transmitted by the client, display the operation content, and determine whether the client user confirms the operation content, and if the determination result is yes, the security device performs the operation The content is processed to generate an encrypted ciphertext for decrypting the content of the restore operation, and the generated encrypted ciphertext is transmitted to the client.
为实现上述目的, 本发明还提供一种安全设备, 该安全设备包括: 接收单元, 所述接收单元用于接收客户端传送的所述操作内容; 显示单元, 所述显示单元用于显示所述操作内容;  In order to achieve the above object, the present invention further provides a security device, the security device comprising: a receiving unit, the receiving unit is configured to receive the operation content transmitted by a client, and a display unit, the display unit is configured to display the Operational content;
判断单元, 所述判断单元用于判断客户端用户是否确认所述操作内容; 处理单元,若所述判断单元的判断结果为是,则所述处理单元用于对所 述操作内容进行处理, 产生用于解密还原操作内容的加密密文; a determining unit, configured to determine whether the client user confirms the operation content; a processing unit, if the determination result of the determining unit is yes, the processing unit is configured to process the operation content, and generate an encrypted ciphertext for decrypting the content of the restoration operation;
发送单元, 所述发送单元用于将所述加密密文传送至所述客户端。 为实现上述目的,本发明还提供一种网络交互系统,所述系统包括服务 器, 还包括客户端和安全设备; 其中,  a sending unit, configured to transmit the encrypted ciphertext to the client. In order to achieve the above object, the present invention further provides a network interaction system, the system including a server, and a client and a security device;
所述安全设备,用于接收用户输入的操作内容,对所述操作内容进行处 理, 产生并显示用于解密还原操作内容的加密密文; 所述客户端,用于接收 用户输入的所述加密密文, 并将所述加密密文通过网络发送至所述服务器。  The security device is configured to receive an operation content input by a user, process the operation content, generate and display an encrypted ciphertext for decrypting the content of the restoration operation, and the client is configured to receive the encryption input by the user Ciphertext, and the encrypted ciphertext is sent to the server through the network.
为实现上述目的, 本发明还提供一种安全设备, 该安全设备包括: 输入单元, 用于供客户端用户输入所述操作内容;  In order to achieve the above object, the present invention further provides a security device, the security device comprising: an input unit, configured to input, by the client user, the operation content;
处理单元,用于对输入的所述操作内容进行处理,产生用于解密还原操 作内容的加密密文;  a processing unit, configured to process the input operation content, and generate an encrypted ciphertext for decrypting the restored operation content;
转换单元, 所述转换单元用于将所述加密密文转换为可输入字符; 显示单元, 用于显示转换后的所述加密密文。  a conversion unit, configured to convert the encrypted ciphertext into an inputtable character, and a display unit, configured to display the converted encrypted ciphertext.
本发明的有益效果在于,通过使用安全设备对操作内容进行处理,产生 用于解密还原操作内容的加密密文,使得木马不能对加密密文篡改,。因此, 木马最多只能进行阻断性攻击,而不能用简单绕过的方式攻击得手。而阻断 性攻击最多造成用户不能使用应用系统,不会造成用户直接的损失,对于攻 击者来说并没有收益, 从而避免用户的损失, 提供了更为安全的解决方案, 提高了网络应用系统的安全等级, 扩大了网络应用范围。 附图说明 此处所说明的附图用来提供对本发明的进一步理解,构成本申请的一部 分, 并不构成对本发明的限定。 在附图中  An advantageous effect of the present invention is that by using the security device to process the operation content, an encrypted ciphertext for decrypting the content of the restoration operation is generated, so that the Trojan cannot tamper with the encrypted ciphertext. Therefore, Trojans can only perform blocking attacks at most, and cannot attack with simple bypass. The blocking attack can cause the user to use the application system at most, without causing direct loss to the user, and there is no benefit to the attacker, thereby avoiding the user's loss, providing a more secure solution and improving the network application system. The level of security has expanded the range of network applications. BRIEF DESCRIPTION OF THE DRAWINGS The accompanying drawings, which are incorporated in the claims In the drawing
图 1是客户端和服务器之间正常操作的流程图;  Figure 1 is a flow chart of normal operation between the client and the server;
图 2是植入客户端主机的木马篡改操作内容的操作流程图;  2 is a flow chart showing the operation of the Trojan tampering operation content implanted in the client host;
图 3是植入客户端主机的木马伪造操作内容的操作流程图;  3 is a flow chart showing the operation of the Trojan forgery operation content implanted in the client host;
图 4是嵌入客户端软件的木马篡改操作内容的操作流程图;  Figure 4 is a flow chart showing the operation of the Trojan tampering operation content embedded in the client software;
图 5是客户端和服务器之间正常交互的流程图;  Figure 5 is a flow chart of normal interaction between the client and the server;
图 6是植入客户端的木马篡改该操作内容的交互流程图; 图 7是采用防火墙对木马进行防御的流程图; 6 is an interactive flow chart of tampering the content of the operation by the Trojan implanted in the client; Figure 7 is a flow chart for defending a Trojan using a firewall;
图 8是本发明实施例 1的网络交互系统构成示意图;  8 is a schematic structural diagram of a network interaction system according to Embodiment 1 of the present invention;
图 9是图 8中安全设备构成示意图;  Figure 9 is a schematic view showing the structure of the security device of Figure 8;
图 10是图 8中客户端构成示意图;  Figure 10 is a schematic diagram of the structure of the client in Figure 8;
图 11是图 8中服务器构成示意图;  Figure 11 is a schematic view showing the structure of the server in Figure 8;
图 12是本发明实施例 2的网络交互系统构成示意图;  12 is a schematic structural diagram of a network interaction system according to Embodiment 2 of the present invention;
图 13是图 12中安全设备构成示意图;  Figure 13 is a schematic view showing the structure of the security device of Figure 12;
图 14是本发明实施例 3的网络交互系统构成示意图;  14 is a schematic structural diagram of a network interaction system according to Embodiment 3 of the present invention;
图 15是图 14中安全设备构成示意图;  Figure 15 is a schematic view showing the structure of the safety device of Figure 14;
图 16是图 14中客户端构成示意图;  Figure 16 is a schematic diagram of the structure of the client in Figure 14;
图 17是本发明实施例 4的一个网络交互流程图;  17 is a flow chart of a network interaction according to Embodiment 4 of the present invention;
图 18是图 17中歩骤 1704和 1705的一个具体实施方式的流程图; 图 19是图 17中歩骤 1704和 1705的另一个具体实施方式的流程图; 图 20是图 17中歩骤 1709和 1710的一个具体实施方式的流程图; 图 21是图 17中歩骤 1709和 1710的另一个具体实施方式的流程图; 图 22是本发明实施例 5的网络交互流程图;  Figure 18 is a flow diagram of one embodiment of steps 1704 and 1705 of Figure 17; Figure 19 is a flow diagram of another embodiment of steps 1704 and 1705 of Figure 17; Figure 20 is a step 1709 of Figure 17. FIG. 21 is a flow chart of another embodiment of steps 1709 and 1710 of FIG. 17; FIG. 22 is a flow chart of network interaction according to Embodiment 5 of the present invention;
图 23是实施例 6的网络交互流程图。  Figure 23 is a flow chart of the network interaction of Embodiment 6.
具体实施方式 为使本发明的目的、技术方案和优点更加清楚明白,下面结合实施方式 和附图, 对本发明做进一步详细说明。在此, 本发明的示意性实施方式及其 说明用于解释本发明, 但并不作为对本发明的限定。 BEST MODE FOR CARRYING OUT THE INVENTION In order to make the objects, technical solutions and advantages of the present invention more comprehensible, the present invention will be further described in detail below with reference to the embodiments and drawings. The illustrative embodiments of the present invention and the description thereof are intended to explain the present invention, but are not intended to limit the invention.
本发明提供一种网络交互方法、系统及其安全设备。以下参照附图对本 发明的具体实施方式进行详细说明。  The invention provides a network interaction method, system and security device thereof. DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS Hereinafter, embodiments of the present invention will be described in detail with reference to the accompanying drawings.
实施例 1  Example 1
本发明一种网络交互系统, 如图 8所示, 该系统包括服务器 803、 客户 端 801和安全设备 802; 其中, 该安全设备 802用于获取操作内容, 对该操 作内容进行处理, 以产生用于解密还原操作内容的加密密文,并将该加密密 文传送至客户端 801 ; 并且该客户端 801用于接收该安全设备 802传送的加 密密文, 并将该加密密文通过网络发送至服务器 803。 The network interaction system of the present invention, as shown in FIG. 8, the system includes a server 803, a client 801, and a security device 802. The security device 802 is configured to acquire operation content, and process the operation content to generate Encrypting the encrypted ciphertext of the restored operation content, and transmitting the encrypted ciphertext to the client 801; and the client 801 is configured to receive the transmission transmitted by the security device 802 The ciphertext is sent to the server 803 over the network.
由上述可知, 该系统通过使用安全设备 802, 可完成操作内容的输入和 处理, 即该安全设备输出即是加密后的密文, 这里我们称之为全硬件输入。 由于用户不在客户端上输入操作内容,木马也无法入侵安全设备内容,因此, 木马不能截获明文形式的操作内容,更谈不上篡改和伪造,避免给用户带来 不必要的损失,从而提供了更为安全的解决方案,提高了网络应用系统的安 全等级, 扩大了网络应用范围。  It can be seen from the above that the system can complete the input and processing of the operation content by using the security device 802, that is, the output of the security device is the encrypted ciphertext, which we call the full hardware input. Since the user does not input the operation content on the client, the Trojan can not invade the security device content. Therefore, the Trojan cannot intercept the operation content in the plaintext form, let alone tampering and forgery, thereby avoiding unnecessary loss to the user, thereby providing A more secure solution that increases the security level of network applications and expands the range of network applications.
图 9是图 8中安全设备构成示意图。如图 9所示,该安全设备 802还包 括输入单元 901、 处理单元 902和发送单元 903; 其中, 该输入单元 901用 于供客户端用户输入该操作内容;该处理单元 902用于对输入的该操作内容 进行处理, 以产生用于解密还原操作内容的加密密文;该发送单元 903用于 将该加密密文发送至该客户端 801。 此外, 该安全设备 802还可包括显示单 元(未示出) , 用于显示输入的该操作内容。  Figure 9 is a schematic diagram showing the structure of the security device of Figure 8. As shown in FIG. 9, the security device 802 further includes an input unit 901, a processing unit 902, and a sending unit 903. The input unit 901 is configured to input the operation content by the client user. The processing unit 902 is configured to input the The operation content is processed to generate an encrypted ciphertext for decrypting the content of the restore operation; the transmitting unit 903 is configured to send the encrypted ciphertext to the client 801. In addition, the security device 802 can also include a display unit (not shown) for displaying the input of the operational content.
在本实施方式中, 通过中央处理器 CPU对输入单元 901、 处理单元 902 和发送单元 903的工作进行控制。其中,处理单元 902对操作内容进行处理 可采用如下方式:按照一定的加密协议和加密算法对操作内容进行处理,产 生用于解密还原操作内容的加密密文。  In the present embodiment, the operations of the input unit 901, the processing unit 902, and the transmitting unit 903 are controlled by the CPU. The processing unit 902 processes the operation content by adopting a method of processing the operation content according to a certain encryption protocol and an encryption algorithm to generate an encrypted ciphertext for decrypting the content of the restoration operation.
由上述可知,上述安全设备 802可与客户端 801以有线或无线方式连接。 图 10是图 8中客户端构成示意图。如图 10所示,该客户端 801包括第 一接收单元 1001和第一发送单元 1002; 其中, 该第一接收单元 1001用于 接收该安全设备 802传送的加密密文; 该第一发送单元 1002用于将第一接 收单元 1001传送的加密密文传送至服务器 803。  As can be seen from the above, the security device 802 can be connected to the client 801 in a wired or wireless manner. Figure 10 is a schematic diagram of the structure of the client in Figure 8. As shown in FIG. 10, the client 801 includes a first receiving unit 1001 and a first sending unit 1002. The first receiving unit 1001 is configured to receive an encrypted ciphertext transmitted by the security device 802. The first sending unit 1002 The encrypted ciphertext for transmitting the first receiving unit 1001 is transmitted to the server 803.
图 11是图 8中服务器构成示意图。如图 11所示,该服务器 803包括第 二接收单元 1101、 处理单元 1103、 操作单元 1104和第二发送单元 1105 ; 其中, 该第二接收单元 1101用于接收客户端 801传送的加密密文; 该处理 单元 1103对该加密密文进行解密, 以获取该操作内容; 该操作单元 1104用 于根据获取的操作内容进行相应的操作;该第二发送单元 1105用于将操作结 果传送至客户端 801。  Figure 11 is a block diagram showing the structure of the server of Figure 8. As shown in FIG. 11, the server 803 includes a second receiving unit 1101, a processing unit 1103, an operating unit 1104, and a second sending unit 1105. The second receiving unit 1101 is configured to receive the encrypted ciphertext transmitted by the client 801. The processing unit 1103 decrypts the encrypted ciphertext to obtain the operation content; the operation unit 1104 is configured to perform a corresponding operation according to the acquired operation content; the second sending unit 1105 is configured to transmit the operation result to the client 801. .
如图 10所示, 该客户端 801的第一接收单元 1001还用于接收该服务器 803传送的操作结果; 并且该客户端 801还包括第一显示单元 1004, 该第一 显示单元 1004用于显示该操作结果。 As shown in FIG. 10, the first receiving unit 1001 of the client 801 is further configured to receive an operation result transmitted by the server 803; and the client 801 further includes a first display unit 1004, the first The display unit 1004 is for displaying the result of the operation.
此外, 如图 10所示, 该客户端 801还可包括第一加密单元 1003, 该第 一加密单元 1003用于将该加密密文进行加密,然后通过第一发送单元 1002 将加密后的加密密文传送至服务器 803,这样可进一步保证传输数据的安全 性。 相应地, 如图 11所示, 该服务器 803还包括第二解密单元 1102, 该第 二解密单元 1102用于对接收的加密的加密密文进行解密, 以获取该操作内 容。  In addition, as shown in FIG. 10, the client 801 may further include a first encryption unit 1003, where the first encryption unit 1003 is configured to encrypt the encrypted ciphertext, and then the encrypted encryption key is encrypted by the first sending unit 1002. The text is transmitted to the server 803, which further ensures the security of the transmitted data. Accordingly, as shown in FIG. 11, the server 803 further includes a second decryption unit 1102, and the second decryption unit 1102 is configured to decrypt the received encrypted encrypted ciphertext to obtain the operation content.
此外,该服务器 803在将操作结果返回至客户端 801之前,还可对该操 作结果进行加密; 当客户端 801接收到该操作结果后,对该操作结果进行解 密后显示。 因此, 该服务器 803还包括第二加密单元 1106, 该第二加密单 元 1106用于对获得的操作结果进行加密, 并将加密后的操作结果传送至第 二发送单元 1105;  In addition, the server 803 can encrypt the operation result before returning the operation result to the client 801. After the client 801 receives the operation result, the operation result is decrypted and displayed. Therefore, the server 803 further includes a second encryption unit 1106, the second encryption unit 1106 is configured to encrypt the obtained operation result, and transmit the encrypted operation result to the second sending unit 1105;
相应地, 客户端还包括第一解密单元 1005, 该第一解密单元 1005用于 对加密后的操作结果进行解密, 然后送至第二显示单元 1004进行显示。  Correspondingly, the client further includes a first decryption unit 1005 for decrypting the encrypted operation result and then sending it to the second display unit 1004 for display.
上述实施方式中,安全设备 802可单独使用,也可集成在现有的便携设 备上使用, 如采用用于电子证书运算的 USB加密设备、 或者手机等实现。  In the above embodiment, the security device 802 can be used alone or integrated in an existing portable device, such as a USB encryption device for electronic certificate computing, or a mobile phone.
由上述可知, 该系统通过使用安全设备 802, 可完成操作内容的输入和 处理, 即该安全设备输出即是加密后的密文, 这里我们称之为全硬件输入。 由于用户不在客户端上输入操作内容,木马也无法入侵安全设备内容,因此, 木马不能截获明文形式的操作内容,更谈不上篡改和伪造,避免给用户带来 不必要的损失,保证网络交互安全性, 从而提供了更为安全的解决方案, 提 高了网络应用系统的安全等级, 扩大了网络应用范围。  It can be seen from the above that the system can complete the input and processing of the operation content by using the security device 802, that is, the output of the security device is the encrypted ciphertext, which we call the full hardware input. Since the user does not input the operation content on the client, the Trojan can not invade the security device content. Therefore, the Trojan cannot intercept the operation content in clear text, let alone tampering and forgery, avoiding unnecessary loss to the user and ensuring network interaction. Security, which provides a more secure solution, increases the security level of network application systems, and expands the scope of network applications.
实施例 2  Example 2
本发明还提供一种网络交互系统, 如图 12 所示, 该系统包括服务器 1203、 客户端 1201和安全设备 1202; 其中, 该客户端 1201用于接收用户 输入的操作内容, 并将该操作内容传送至 1202安全设备, 并且接收该安全 设备 1202传送的用于解密还原操作内容的加密密文, 将该加密密文发送至 服务器 1203 ; 该安全设备 1202用于接收客户端 1201传送的操作内容, 显 示该操作内容, 并判断客户端用户是否确认该操作内容, 若判断结果为是, 则安全设备 1202对操作内容进行处理, 以产生该加密密文, 并将产生的该 加密密文传送至客户端 1201。 由上述可知, 如果木马在安全设备 1202获取操作内容前修改或伪造操 作内容, 则用户可以发觉并加以阻止; 而用户加以确认的操作内容,这时操 作内容已经处于安全设备 1202内部, 木马无法修改, 因此, 可避免给用户 带来不必要的损失, 保证了网络交互的安全性。 The present invention further provides a network interaction system. As shown in FIG. 12, the system includes a server 1203, a client 1201, and a security device 1202. The client 1201 is configured to receive operation content input by a user, and the operation content is And transmitting to the 1202 security device, and receiving the encrypted ciphertext sent by the security device 1202 for decrypting the content of the restoration operation, and sending the encrypted ciphertext to the server 1203; the security device 1202 is configured to receive the operation content transmitted by the client 1201, Displaying the content of the operation, and determining whether the client user confirms the operation content. If the determination result is yes, the security device 1202 processes the operation content to generate the encrypted ciphertext, and transmits the generated encrypted ciphertext to the client. End 1201. It can be seen from the above that if the Trojan modifies or falsifies the operation content before the security device 1202 obtains the operation content, the user can detect and block the operation content; the user confirms the operation content, and the operation content is already inside the security device 1202, and the Trojan cannot be modified. Therefore, it can avoid unnecessary loss to the user and ensure the security of the network interaction.
与实施例 1不同, 在本实施方式中, 该安全设备 1202所获取的操作内 容是由客户端 1201传送过来的, 并非由用户输入, 并且可通过有线或无线 的方式传送信息。  Different from Embodiment 1, in the present embodiment, the operation content acquired by the security device 1202 is transmitted by the client 1201, is not input by the user, and can transmit information by wire or wirelessly.
图 13是图 12中安全设备的构成示意图。如图 13所示,该安全设备 1202 包括接收单元 1301、 显示单元 1302、 判断单元 1303、 处理单元 1304和发 送单元 1305 ; 其中, 该接收单元 1301用于接收客户端 1201传送的该操作 内容;该显示单元 1302用于显示该操作内容; 该判断单元 1303用于判断客 户端 1201用户是否确认该操作内容; 若该判断单元 1303的判断结果为是, 则该处理单元 1304用于对该操作内容进行处理, 以产生用于解密还原操作 内容的加密密文; 该发送单元 1304用于将该加密密文传送至客户端 1201。  Figure 13 is a block diagram showing the construction of the security device of Figure 12. As shown in FIG. 13, the security device 1202 includes a receiving unit 1301, a display unit 1302, a determining unit 1303, a processing unit 1304, and a sending unit 1305. The receiving unit 1301 is configured to receive the operation content transmitted by the client 1201. The display unit 1302 is configured to display the operation content. The determining unit 1303 is configured to determine whether the user of the client 1201 confirms the operation content. If the determination result of the determination unit 1303 is YES, the processing unit 1304 is configured to perform the operation content. Processing to generate an encrypted ciphertext for decrypting the content of the restore operation; the sending unit 1304 is configured to transmit the encrypted ciphertext to the client 1201.
此外, 该安全设备 1202还包括输入单元 1306, 该输入单元 1306可供 用户输入确认该操作内容的信息;或者也可供用户输入该操作内容,如实施 例 1所述。  In addition, the security device 1202 further includes an input unit 1306 that allows the user to input information confirming the content of the operation; or the user can also input the content of the operation, as described in Embodiment 1.
由上述可知, 当安全设备 1202接收到客户端 1201传送的操作内容后, 将该操作内容进行显示,此时用户可根据安全设备 1202显示单元 1302的显 示确认该操作内容是否有误, 若操作内容无误, 则可通过该安全设备 1202 的输入单元 1306中设置的确认按键进行确认,若判断单元 1303判断该用户 已经确认该操作内容,则该安全设备 1202的处理单元 1304对该操作内容进 行处理, 并将处理结果传送至客户端 1201。若用户确认该操作内容有误时, 则通过输入单元 1306中设置的取消按键。 因此, 如果木马在安全设备 1202 获取操作内容前修改或伪造操作内容, 则用户可以发觉并加以阻止。  It can be seen from the above that after the security device 1202 receives the operation content transmitted by the client 1201, the operation content is displayed. At this time, the user can confirm whether the operation content is incorrect according to the display of the display unit 1302 of the security device 1202. If the error is determined, the confirmation unit 1306 of the security device 1202 can confirm the operation. If the determination unit 1303 determines that the user has confirmed the operation content, the processing unit 1304 of the security device 1202 processes the operation content. The processing result is transmitted to the client 1201. If the user confirms that the operation content is incorrect, the cancel button set in the input unit 1306 is passed. Therefore, if the Trojan modifies or falsifies the operation content before the security device 1202 obtains the operation content, the user can detect and block it.
相应地,客户端 1201的构成与实施例 1类似,只是客户端 1201还包括 第一输入单元,该第一输入单元供用户输入操作内容;且第一发送单元还需 发送操作内容至安全装置 1202, 此外, 其它各个构成部分及其各部分的作 用与实施例 1类似, 此处不再赘述。  Correspondingly, the configuration of the client 1201 is similar to that of the embodiment 1, except that the client 1201 further includes a first input unit for the user to input the operation content; and the first sending unit further needs to send the operation content to the security device 1202. In addition, the functions of the other components and their respective parts are similar to those of Embodiment 1, and are not described herein again.
该服务器 1203的构成与实施例 1类似, 此处不再赘述。 上述实施方式中, 安全设备 1202可单独使用, 也可集成在现有的便携 设备上使用,如采用用于电子证书运算的 USB加密设备、或者采用人体生物 特征认证设备, 如指紋认证、虹膜认证的设备等实现, 在这种情况下, 安全 设备 1202显示操作内容后且用户进行确认时, 可使用人体生物特征认证单 元对操作内容进行确认,如使用指纹、虹膜等人体生物特征进行确认。因此, 安全设备 1202中的输入单元 1306可为键输入单元、人体生物特征认证单元 由上述可知, 如果木马在安全设备 1202获取操作内容前修改或伪造操 作内容, 则用户可以发觉并加以阻止, 从而保证了网络交互安全性。 The configuration of the server 1203 is similar to that of Embodiment 1, and details are not described herein again. In the above embodiment, the security device 1202 can be used alone or integrated in an existing portable device, such as a USB encryption device for electronic certificate computing or a human biometric authentication device, such as fingerprint authentication and iris authentication. The device or the like is implemented. In this case, after the security device 1202 displays the operation content and the user confirms, the human biometric authentication unit can be used to confirm the operation content, such as using human biometrics such as fingerprints and irises for confirmation. Therefore, the input unit 1306 in the security device 1202 can be a key input unit and a human biometric authentication unit. As can be seen from the above, if the Trojan modifies or falsifies the operation content before the security device 1202 obtains the operation content, the user can detect and block the content. Network interaction security is guaranteed.
实施例 3  Example 3
本发明还提供一种网络交互系统, 如图 14所示, 该系统包括服务器 1403、 客户端 1401和安全设备 1402; 其中,  The present invention also provides a network interaction system. As shown in FIG. 14, the system includes a server 1403, a client 1401, and a security device 1402.
该安全设备 1402用于接收用户输入的操作内容, 对该操作内容进行处 理,产生用于解密还原操作内容的加密密文,将该加密密文转换为可输入字 符, 并显示转换后的该加密密文; 该客户端 1401用于接收用户输入的该加 密密文, 并将该加密密文通过网络发送至该服务器 1403。  The security device 1402 is configured to receive an operation content input by the user, process the operation content, generate an encrypted ciphertext for decrypting the content of the restoration operation, convert the encrypted ciphertext into an inputtable character, and display the converted the encryption The cipher text is used by the client 1401 to receive the encrypted ciphertext input by the user, and the encrypted ciphertext is sent to the server 1403 through the network.
由上述可知, 该系统通过使用安全设备 1402完成操作内容的输入和处 理。 由于用户不在客户端上输入操作内容, 木马也无法入侵安全设备内容, 因此,木马不能截获明文形式的操作内容, 更谈不上篡改和伪造, 避免给用 户带来不必要的损失,从而提供了更为安全的解决方案,提高了网络应用系 统的安全等级, 扩大了网络应用范围。  As can be seen from the above, the system completes the input and processing of the operation contents by using the security device 1402. Since the user does not input the operation content on the client, the Trojan can not invade the security device content. Therefore, the Trojan can not intercept the operation content in the plaintext form, let alone tampering and forgery, avoiding unnecessary loss to the user, thus providing A more secure solution that increases the security level of network applications and expands the range of network applications.
图 15是图 14中安全设备构成示意图。该安全设备包括输入单元 1501、 处理单元 1502、 转换单元 1504和显示单元 1503; 其中, 该输入单元 1501 用于供客户端用户输入该操作内容; 该处理单元 1502用于对输入的该操作 内容进行处理, 产生该加密密文; 转换单元 1504, 用于将该加密密文转换 为可输入字符; 显示单元 1503用于显示转换后的该加密密文。  Figure 15 is a block diagram showing the construction of the security device of Figure 14. The security device includes an input unit 1501, a processing unit 1502, a conversion unit 1504, and a display unit 1503. The input unit 1501 is configured to input the operation content by the client user. The processing unit 1502 is configured to perform the input operation content. Processing, generating the encrypted ciphertext; converting unit 1504, configured to convert the encrypted ciphertext into an inputtable character; and displaying unit 1503, configured to display the converted encrypted ciphertext.
在本实施方式中,通过中央处理器 CPU对输入单元 1501、处理单元 1502、 转换单元 1504和显示单元 1503的工作进行控制。 其中, 处理单元 1502对 操作内容进行处理可采用如下方式:使用加密密钥,按照一定的加密协议和 加密算法对操作内容进行运算处理, 产生加密密文。 在本实施方式中, 转换单元 1504采用一定的字符变换规则将该加密密 文转换为普通可输入字符, 但不限于此, 还可采用其它方式表示。 In the present embodiment, the operations of the input unit 1501, the processing unit 1502, the conversion unit 1504, and the display unit 1503 are controlled by the CPU. The processing unit 1502 processes the operation content in the following manner: using an encryption key, performing operation processing on the operation content according to a certain encryption protocol and an encryption algorithm to generate an encrypted ciphertext. In this embodiment, the converting unit 1504 converts the encrypted ciphertext into a common inputtable character by using a certain character conversion rule, but is not limited thereto, and may be represented by other means.
由上述可知,上述安全设备 1402可与客户端 1401不连接,客户端用户 利用安全设备 1402的输入单元 1501输入操作内容,并且该用户还可将该安 全设备 1402的显示单元 1503显示的加密密文通过该客户端 1401的输入单 元输入该客户端 1401。  As can be seen from the above, the security device 1402 can be disconnected from the client 1401, the client user inputs the operation content by using the input unit 1501 of the security device 1402, and the user can also display the encrypted ciphertext displayed by the display unit 1503 of the security device 1402. The client 1401 is input through an input unit of the client 1401.
图 16是图 14中客户端构成示意图。 如图 16所示, 该客户端包括第一 输入单元 1601和第一发送单元 1602; 其中, 该第一输入单元 1601用于供 客户端用户输入该加密密文; 该第一发送单元 1602用于将该加密密文传送 至该服务器 1403。  Figure 16 is a block diagram showing the structure of the client in Figure 14. As shown in FIG. 16, the client includes a first input unit 1601 and a first sending unit 1602; wherein the first input unit 1601 is configured to input the encrypted ciphertext by a client user; the first sending unit 1602 is configured to: The encrypted ciphertext is transmitted to the server 1403.
如图 16所示,该客户端还包括第一加密单元 1603,该第一加密单元 1603 用于将该加密密文进行加密; 并且该第一发送单元 1602将加密后的该加密 密文传送至服务器 1403。  As shown in FIG. 16, the client further includes a first encryption unit 1603, the first encryption unit 1603 is configured to encrypt the encrypted ciphertext; and the first sending unit 1602 transmits the encrypted encrypted ciphertext to the Server 1403.
在本实施例中,该服务器 1403的构成如实施例 1所述,此处不再赘述。 因此, 如图 16所示, 该客户端还包括第一接收单元 1604、第一显示单 元 1606; 其中, 该第一接收单元 1604用于接收该服务器 1403传送的操作结 果; 该第一显示单元 1606用于显示该操作结果。  In this embodiment, the configuration of the server 1403 is as described in Embodiment 1, and details are not described herein again. Therefore, as shown in FIG. 16, the client further includes a first receiving unit 1604, and a first display unit 1606. The first receiving unit 1604 is configured to receive an operation result transmitted by the server 1403. The first display unit 1606 Used to display the result of this operation.
此外, 该客户端还包括第一解密单元 1605, 用于对加密后的操作结果 进行解密。  In addition, the client further includes a first decryption unit 1605 for decrypting the encrypted operation result.
由上述可知, 该系统通过使用安全设备 802, 可完成操作内容的输入和 加密处理, 由于用户不在客户端上输入操作内容,木马也无法入侵安全设备 内容, 因此, 木马不能截获明文形式的操作内容, 更谈不上篡改和伪造, 避 免给用户带来不必要的损失。  It can be seen from the above that the system can complete the input and encryption processing of the operation content by using the security device 802. Since the user does not input the operation content on the client, the Trojan cannot invade the security device content. Therefore, the Trojan cannot intercept the operation content in the plaintext form. , let alone tampering and forgery, to avoid unnecessary losses to users.
上述实施方式中,安全设备可单独使用,也可集成在现有的便携设备上 使用, 如该安全设备采用手机实现。  In the above embodiment, the security device can be used alone or integrated into an existing portable device, such as the security device being implemented by using a mobile phone.
实施例 4  Example 4
本发明还提供一种网络交互方法,该方法包括:安全设备获取操作内容; 该安全设备对该操作内容进行处理,以产生用于解密还原操作内容的加密密 文; 该客户端获取该加密密文, 并将该加密密文发送至服务器。  The present invention also provides a network interaction method, the method comprising: the security device acquiring the operation content; the security device processing the operation content to generate an encrypted ciphertext for decrypting the restoration operation content; the client acquiring the encryption password And send the encrypted ciphertext to the server.
由上述可知,该方法使用安全设备对操作内容进行处理, 以阻止木马用 篡改或伪造操作内容的方式达到攻击目的, 从而提供了更为安全的解决方 案, 提高了网络应用系统的安全等级, 扩大了网络应用范围。 It can be seen from the above that the method uses the security device to process the operation content, so as to prevent the Trojan from tampering or forging the operation content to achieve the purpose of attack, thereby providing a more secure solution. The case has improved the security level of the network application system and expanded the scope of network applications.
以下结合附图 8、 17对该方法进行详细说明。  The method will be described in detail below with reference to Figs.
步骤 1701, 用户通过安全设备 802的输入单元输入操作内容; 步骤 1702, 该安全设备 802用一定的加密算法和加密协议对操作内容 进行处理, 以产生用于解密还原操作内容的加密密文;  Step 1701: The user inputs the operation content through the input unit of the security device 802. Step 1702: The security device 802 processes the operation content by using a certain encryption algorithm and an encryption protocol to generate an encrypted ciphertext for decrypting the content of the restoration operation;
步骤 1703, 安全设备 802将产生的加密密文传送至客户端 801 ;  Step 1703, the security device 802 transmits the generated encrypted ciphertext to the client 801;
步骤 1704, 该客户端 801将该加密密文通过网络传送至服务器 803 ; 步骤 1705, 该服务器 803接收该加密密文;  Step 1704, the client 801 transmits the encrypted ciphertext to the server 803 through the network; Step 1705, the server 803 receives the encrypted ciphertext;
步骤 1706, 该服务器 803对接收的该加密密文进行解密以获取操作内 容;  Step 1706, the server 803 decrypts the received encrypted ciphertext to obtain the operation content.
步骤 1707、 1708, 该服务器 803根据操作内容进行相应的操作, 并产 生操作结果;  Steps 1707, 1708, the server 803 performs corresponding operations according to the operation content, and generates an operation result;
步骤 1709, 服务器 803将操作结果通过网络发送至客户端 801 ;  Step 1709, the server 803 sends the operation result to the client 801 through the network;
步骤 1710, 客户端 801接收该操作结果;  Step 1710: The client 801 receives the operation result.
步骤 1709, 客户端 801将操作结果进行显示。  In step 1709, the client 801 displays the result of the operation.
上述实施方式中,安全设备 802与客户端 801可通过有线或无线方式连 接。 该系统通过使用安全设备 802, 完成操作内容的输入和处理, 从而提供 了更为安全的解决方案,提高了网络应用系统的安全等级,扩大了网络应用 范围。  In the above embodiment, the security device 802 and the client 801 can be connected by wire or wirelessly. By using the security device 802, the system completes the input and processing of the operation content, thereby providing a more secure solution, improving the security level of the network application system, and expanding the scope of the network application.
图 18是本发明步骤 1704和 1705的一个实施方式流程图。如图 18所示, 具体实施方式如下:  Figure 18 is a flow diagram of one embodiment of steps 1704 and 1705 of the present invention. As shown in FIG. 18, the specific implementation is as follows:
步骤 1801, 该客户端 801按照公开和自定义的网络协议, 将该加密密 文封装成通讯包;  Step 1801, the client 801 encapsulates the encrypted ciphertext into a communication packet according to a public and customized network protocol.
步骤 1802, 该客户端 801将该通讯包通过网络传送至服务器 803; 步骤 1803, 该服务器 803接收到该通讯包后, 采用与客户端 801相同 的通讯协议, 将该通讯包进行解析, 以获得该加密密文。  Step 1802, the client 801 transmits the communication packet to the server 803 through the network; Step 1803, after receiving the communication packet, the server 803 uses the same communication protocol as the client 801 to parse the communication packet to obtain The encrypted ciphertext.
在本实施方式中,为了更进一歩提高网络数据传输的安全性,还可在歩 骤 1704将加密密文传送至服务器 803之前, 将该加密密文进行加密, 加密 后再进行传输。相应地, 在服务器 803接收该加密的加密密文后, 先进行解 密, 然后再执行步骤 1706。 其中, 具体实施方式如图 19所示:  In the present embodiment, in order to further improve the security of network data transmission, the encrypted ciphertext may be encrypted, encrypted, and transmitted before being transmitted to the server 803 in step 1704. Correspondingly, after the encrypted ciphertext is received by the server 803, the decryption is performed first, and then step 1706 is performed. The specific implementation manner is shown in FIG. 19:
步骤 1901, 客户端 801将该加密密文作为一个或多个密码系统的输入 信息的一部分, 参与密码系统的运算, 得到运算后的加密密文; Step 1901, the client 801 uses the encrypted ciphertext as input of one or more cryptosystems. Part of the information, participate in the operation of the cryptosystem, and obtain the encrypted ciphertext after the operation;
步骤 1902, 该客户端 801按照公开或自定义的网络协议, 将运算后的 该加密密文封装成通讯包;  Step 1902, the client 801 encapsulates the encrypted ciphertext into a communication packet according to a public or customized network protocol.
步骤 1903, 该客户端 801将该通讯包通过网络传送至该服务器 803 ; 步骤 1904, 该服务器 803接收到该通讯包之后, 采用与客户端 801相 同的通讯协议, 将接收到的通讯包进行解析, 得到运算后的该加密密文; 步骤 1905, 该服务器 803对运算后的该加密密文进行对应于该客户端 801的逆运算, 得到该加密密文。  Step 1903, the client 801 transmits the communication packet to the server 803 through the network. Step 1904, after receiving the communication packet, the server 803 parses the received communication packet by using the same communication protocol as the client 801. The obtained encrypted ciphertext is obtained. In step 1905, the server 803 performs an inverse operation on the encrypted ciphertext corresponding to the client 801 to obtain the encrypted ciphertext.
图 20是本发明步骤 1709和 1710的一个实施方式流程图。如图 20所示, 具体实施方式如下:  Figure 20 is a flow diagram of one embodiment of steps 1709 and 1710 of the present invention. As shown in FIG. 20, the specific implementation is as follows:
步骤 2001, 该服务器 803按照公开和自定义的网络协议, 将操作结果 封装成通讯包;  Step 2001, the server 803 encapsulates the operation result into a communication packet according to a public and customized network protocol;
步骤 2002, 该服务器 803将该通讯包通过网络传送至客户端 801 ; 步骤 2003, 该客户端 801接收到该通讯包后, 采用与服务器 803相同 的通讯协议, 将该通讯包进行解析, 以获得操作结果。  Step 2002, the server 803 transmits the communication packet to the client 801 through the network; in step 2003, after receiving the communication packet, the client 801 uses the same communication protocol as the server 803 to parse the communication packet to obtain Operation result.
在服务器 803在将操作结果传送至客户端 801之前,先对操作结果进行 加密; 相应地,在客户端 801接收该操作结果后, 对该操作结果进行解密后 再显示。 其中, 具体实施方式如图 21所示:  Before the server 803 transmits the operation result to the client 801, the operation result is encrypted first; correspondingly, after the client 801 receives the operation result, the operation result is decrypted and then displayed. Wherein, the specific implementation manner is as shown in FIG. 21:
步骤 2101, 服务器 803将操作结果作为一个或多个密码系统的输入信 息的一部分, 参与密码系统的运算, 得到运算后的加密密文;  Step 2101: The server 803 participates in the operation of the cryptosystem as part of the input information of one or more cryptosystems, and obtains the encrypted ciphertext after the operation;
步骤 2102, 该服务器 803按照公开或自定义的网络协议, 将该加密密 文封装成通讯包;  Step 2102, the server 803 encapsulates the encrypted ciphertext into a communication packet according to a public or customized network protocol.
步骤 2103, 该服务器 803将该通讯包通过网络传送至该客户端 801 ; 步骤 2104, 该客户端 801接收到该通讯包之后, 采用与服务器 803相 同的通讯协议, 将接收到的通讯包进行解析, 得到该加密密文;  Step 2103, the server 803 transmits the communication packet to the client 801 through the network. In step 2104, after receiving the communication packet, the client 801 parses the received communication packet by using the same communication protocol as the server 803. , obtaining the encrypted ciphertext;
步骤 2105, 该客户端 801对该加密密文进行对应于该服务器 803的逆 运算, 得到该操作操作内容。  Step 2105: The client 801 performs an inverse operation on the encrypted ciphertext corresponding to the server 803 to obtain the operation operation content.
由上述可知,通过使用安全设备对操作内容进行处理,使得木马不能在 篡改、伪造操作内容。 因此, 木马最多只能进行阻断性攻击, 而不能用简单 绕过的方式攻击得手。而阻断性攻击最多造成用户不能使用应用系统,不会 造成用户直接的损失, 对于攻击者来说并没有收益。 实施例 5 It can be seen from the above that by using the security device to process the operation content, the Trojan cannot tamper with and forge the operation content. Therefore, the Trojan can only perform blocking attacks at most, and cannot attack with a simple bypass. Blocking attacks can cause users to use the application system at the most, without causing direct loss to the user, and there is no benefit to the attacker. Example 5
以下结合附图 12、 22对本发明网络交互方法进行详细说明。  The network interaction method of the present invention will be described in detail below with reference to FIGS. 12 and 22.
步骤 2201, 用户在客户端 1201的人机界面上进行操作, 可通过该客户 端 1201的输入单元, 如键盘或鼠标输入操作内容;  Step 2201: The user operates on the human-machine interface of the client 1201, and the operation content can be input through an input unit of the client 1201, such as a keyboard or a mouse;
步骤 2202, 该客户端 1201接收该用户的操作内容, 然后将该操作内容 传送至安全设备 1202;  Step 2202, the client 1201 receives the operation content of the user, and then transmits the operation content to the security device 1202;
步骤 2203, 安全设备 1202的显示单元对该操作内容进行显示; 步骤 2204, 该安全设备 1202根据显示检查操作内容是否有误, 若判断 无误,则通过该安全设备 1202的输入单元进行确认,确认后该安全设备 1202 用一定的加密算法和加密协议对该操作内容进行处理,以产生用于解密还原 操作内容的加密密文, 并将该加密密文传送至客户端 1201 ; 此外, 还可通 过人体生物特征, 如指纹、 虹膜等方式进行确认;  Step 2203, the display unit of the security device 1202 displays the operation content. Step 2204, the security device 1202 checks whether the operation content is incorrect according to the display, and if the determination is correct, the input unit of the security device 1202 confirms, after confirming The security device 1202 processes the operation content with a certain encryption algorithm and an encryption protocol to generate an encrypted ciphertext for decrypting the content of the restoration operation, and transmits the encrypted ciphertext to the client 1201; Biometric features such as fingerprints, irises, etc. are confirmed;
步骤 2205, 客户端 1201将该加密密文通过网络传送至服务器 1203; 步骤 2206至步骤 2212与图 17中的步骤 1705〜1711类似,此处不再赘 述。  Step 2205, the client 1201 transmits the encrypted ciphertext to the server 1203 through the network; the steps 2206 to 2212 are similar to the steps 1705 to 1711 in FIG. 17, and are not described herein again.
此外, 可采用如图 18、 19所示的方式, 客户端 1201将加密密文传送至 服务器 1203。 可采用如图 20、 21所示的方式, 服务器 1203将操作结果传 送至客户端 1202。  In addition, the client 1201 can transmit the encrypted ciphertext to the server 1203 in the manner shown in Figs. In the manner shown in Figures 20 and 21, the server 1203 transmits the result of the operation to the client 1202.
由上述可知, 如果木马在安全设备 1202获取操作内容前修改或伪造操 作内容, 则用户可以发觉并加以阻止, 从而保证了网络认证的安全性。  It can be seen from the above that if the Trojan modifies or falsifies the operation content before the security device 1202 obtains the operation content, the user can detect and block it, thereby ensuring the security of the network authentication.
实施例 6  Example 6
以下结合附图 14、 23对本发明网络交互方法进行详细说明。  The network interaction method of the present invention will be described in detail below with reference to FIGS.
步骤 2301, 用户通过安全设备 1402的输入单元输入操作内容; 步骤 2302, 该安全设备 1402用一定的加密算法和加密协议对操作内容 进行处理, 以产生用于解密还原操作内容的加密密文;该安全设备按照一定 字符转换规则将该加密密文转换成可输入字符;  Step 2301, the user inputs the operation content through the input unit of the security device 1402. Step 2302, the security device 1402 processes the operation content with a certain encryption algorithm and an encryption protocol to generate an encrypted ciphertext for decrypting the content of the restoration operation; The security device converts the encrypted ciphertext into an inputtable character according to a certain character conversion rule;
步骤 2303, 安全设备 802将转换后的加密密文进行显示;  Step 2303, the security device 802 displays the converted encrypted ciphertext;
步骤 2304, 用户可通过客户端输入单元将显示的加密密文输入该客户 端;  Step 2304, the user can input the displayed encrypted ciphertext to the client through the client input unit.
步骤 2305, 该客户端 1401将该加密密文通过网络传送至服务器 1403 ; 步骤 2306至步骤 2312与图 17中的步骤 1705〜1711类似,此处不再赘 述。 Step 2305, the client 1401 transmits the encrypted ciphertext to the server 1403 through the network; the steps 2306 to 2312 are similar to the steps 1705 to 1711 in FIG. 17, and are no longer 此处 Said.
此外, 可采用如图 18、 19所示的方式, 客户端 1201将加密密文传送至 服务器 1203。 可采用如图 20、 21所示的方式, 服务器 1203将操作结果传 送至客户端 1202。  In addition, the client 1201 can transmit the encrypted ciphertext to the server 1203 in the manner shown in Figs. In the manner shown in Figures 20 and 21, the server 1203 transmits the result of the operation to the client 1202.
由上述可知, 通过使用安全设备 802, 可完成操作内容的输入和加密处 理, 即该安全设备输出即是加密后的密文,这里我们称之为全硬件输入。 由 于用户不在客户端上输入操作内容, 木马也无法入侵安全设备内容, 因此, 木马不能截获明文形式的操作内容,更谈不上篡改和伪造,避免给用户带来 不必要的损失,从而提供了更为安全的解决方案,提高了网络应用系统的安 全等级,扩大了网络应用范围。上述网络交互系统和方法适用于涉及到网络 交互的各种应用系统, 例如网上银行、证券交易、 网游电子装备交易、企业 的关键业务系统、 电子商务与网络支付等涉及网络交互认证的各个领域。  It can be seen from the above that by using the security device 802, the input and encryption processing of the operation content can be completed, that is, the output of the security device is the encrypted ciphertext, which is referred to herein as the full hardware input. Since the user does not input the operation content on the client, the Trojan can not invade the security device content. Therefore, the Trojan cannot intercept the operation content in the plaintext form, let alone tampering and forgery, avoiding unnecessary loss to the user, thus providing A more secure solution that increases the security level of network applications and expands the range of network applications. The above network interaction system and method are applicable to various application systems involving network interaction, such as online banking, securities trading, online game electronic equipment trading, enterprise key business systems, e-commerce and network payment, and other fields involving network interactive authentication.
以上所述的具体实施方式,对本发明的目的、技术方案和有益效果进行 了进一步详细说明,所应理解的是, 以上所述仅为本发明的具体实施方式而 已, 并不用于限定本发明的保护范围, 凡在本发明的精神和原则之内, 所做 的任何修改、 等同替换、 改进等, 均应包含在本发明的保护范围之内。  The specific embodiments of the present invention have been described in detail with reference to the preferred embodiments of the present invention. The scope of the protection, any modifications, equivalents, improvements, etc., made within the spirit and scope of the invention are intended to be included within the scope of the invention.

Claims

权 利 要 求 书 Claim
1.一种网络交互方法, 其特征在于, 所述方法包括:  A network interaction method, the method comprising:
安全设备获取操作内容;  The security device obtains the operation content;
所述安全设备对所述操作内容进行处理,以产生用于解密还原所述操作 内容的加密密文;  The security device processes the operation content to generate an encrypted ciphertext for decrypting and restoring the operation content;
客户端获取所述加密密文;  The client obtains the encrypted ciphertext;
所述客户端将所述加密密文传送至服务器。  The client transmits the encrypted ciphertext to the server.
2.根据权利要求 1所述的方法,其特征在于,所述安全设备获取所述操 作内容, 包括: 所述用户将所述操作内容输入所述安全设备。  The method according to claim 1, wherein the obtaining, by the security device, the operating content comprises: the user inputting the operating content into the security device.
3.根据权利要求 2所述的方法, 其特征在于, 在产生所述加密密文后, 还包括:  The method according to claim 2, further comprising: after generating the encrypted ciphertext, further comprising:
将所述加密密文转文为可输入字符;  Transmitting the encrypted ciphertext into an inputtable character;
显示转换后的所述加密密文。  The converted encrypted ciphertext is displayed.
4.根据权利要求 3所述的方法,其特征在于,所述客户端获取所述加密 密文, 包括: 所述用户将转换后的所述加密密文输入所述客户端。  The method according to claim 3, wherein the obtaining, by the client, the encrypted ciphertext comprises: the user inputting the converted encrypted ciphertext into the client.
5.根据权利要求 2所述的方法,其特征在于,所述客户端获取所述加密 密文, 包括: 所述安全设备将产生的加密密文传送至所述客户端。  The method according to claim 2, wherein the obtaining, by the client, the encrypted ciphertext comprises: transmitting, by the security device, the generated encrypted ciphertext to the client.
6.根据权利要求 1所述的方法,其特征在于,所述安全设备获取所述操 作内容, 包括:  The method according to claim 1, wherein the obtaining, by the security device, the operation content comprises:
所述客户端接收用户输入的操作内容;  The client receives the operation content input by the user;
所述客户端将所述操作内容传送至所述安全设备,以使所述安全设备获 取所述操作内容。  The client transmits the operational content to the security device to cause the security device to obtain the operational content.
7.根据权利要求 6所述的方法,其特征在于,所述安全设备获取所述操 作内容后, 还包括:  The method according to claim 6, wherein after the security device obtains the operation content, the method further includes:
显示所述操作内容;  Displaying the operation content;
判断所述用户是否确认所述操作内容,若判断结果为是,则所述安全设 备对所述操作内容进行处理。  Determining whether the user confirms the operation content, and if the determination result is yes, the security device processes the operation content.
8.根据权利要求 1所述的方法, 其特征在于, 所述方法还包括: 所述服务器接收所述加密密文;  The method according to claim 1, wherein the method further comprises: the server receiving the encrypted ciphertext;
所述服务器对接收所述加密密文进行解密, 以获取所述操作内容; 根据获取的所述操作内容进行相应的操作, 产生操作结果; The server decrypts the received encrypted ciphertext to obtain the operation content; Performing corresponding operations according to the obtained operation content, and generating an operation result;
将所述操作结果传送至所述客户端。  Transmitting the result of the operation to the client.
9.根据权利要求 8所述的方法,其特征在于,所述客户端将所述加密密 文发送至服务器之前, 还包括: 所述客户端对所述加密密文进行加密; 并且,在所述服务器接收加密的所述加密密文之后,还包括: 所述服务 器对加密的所述加密密文进行解密。  The method according to claim 8, wherein before the sending the encrypted ciphertext to the server, the client further comprises: the client encrypting the encrypted ciphertext; After the server receives the encrypted encrypted ciphertext, the method further includes: the server decrypting the encrypted encrypted ciphertext.
10.根据权利要求 8所述的方法, 其特征在于, 所述方法还包括: 所述客户端接收所述操作结果;  The method according to claim 8, wherein the method further comprises: the client receiving the operation result;
将所述操作结果进行显示。  The result of the operation is displayed.
11.根据权利要求 10所述的方法,其特征在于,所述服务器将操作结果 传送至所述客户端之前, 还包括: 对所述操作结果进行加密;  The method according to claim 10, wherein before the server transmits the operation result to the client, the method further comprises: encrypting the operation result;
则所述客户端在将所述操作结果进行显示之前,还包括:对所述加密后 的操作结果进行解密。  And before the displaying the operation result, the client further includes: decrypting the encrypted operation result.
12.—种网络交互系统, 所述系统包括服务器, 其特征在于, 所述系统 包括客户端和安全设备; 其中,  12. A network interaction system, the system comprising a server, wherein the system comprises a client and a security device;
安全设备,用于供客户端用户输入操作内容,对所述操作内容进行处理, 以产生用于解密还原操作内容的加密密文,并将所述加密密文传送至所述客 户端;  a security device, configured to input, by the client user, the operation content, process the operation content, to generate an encrypted ciphertext for decrypting the content of the restoration operation, and transmit the encrypted ciphertext to the client;
客户端,用于接收所述安全设备传送的所述加密密文,并将所述加密密 文通过网络发送至所述服务器。  And a client, configured to receive the encrypted ciphertext transmitted by the security device, and send the encrypted ciphertext to the server through a network.
13.根据权利要求 12所述的系统, 其特征在于, 所述安全设备包括: 输入单元, 所述输入单元用于供客户端用户输入所述操作内容; 处理单元,所述处理单元用于对输入的所述操作内容进行处理, 以产生 用于解密还原操作内容的加密密文;  The system according to claim 12, wherein the security device comprises: an input unit, wherein the input unit is configured to input the operation content by a client user; and the processing unit is configured to The input operation content is processed to generate an encrypted ciphertext for decrypting the content of the restore operation;
发送单元, 所述发送单元用于将所述加密密文发送至所述客户端。 a sending unit, configured to send the encrypted ciphertext to the client.
14.根据权利要求 12所述的系统, 其特征在于, 所述客户端包括: 第一接收单元,所述第一接收单元用于接收所述安全设备传送的加密密 文; The system according to claim 12, wherein the client comprises: a first receiving unit, wherein the first receiving unit is configured to receive an encrypted ciphertext transmitted by the security device;
第一发送单元,所述第一发送单元用于将所述加密密文传送至所述服务 器。  a first sending unit, wherein the first sending unit is configured to transmit the encrypted ciphertext to the server.
15.根据权利要求 14所述的系统,其特征在于,所述客户端还包括第一 加密单元, 所述第一加密单元用于将所述加密密文进行加密; 并且所述第一发送单元将加密后的所述加密密文传送至所述服务器。15. The system of claim 14, wherein the client further comprises a first An encryption unit, configured to encrypt the encrypted ciphertext; and the first sending unit transmits the encrypted encrypted ciphertext to the server.
16.根据权利要求 14所述的系统, 其特征在于, 所述服务器包括: 第二接收单元,所述第二接收单元用于接收所述客户端传送的所述加密 密文; The system according to claim 14, wherein the server comprises: a second receiving unit, wherein the second receiving unit is configured to receive the encrypted ciphertext transmitted by the client;
处理单元,所述处理单元对所述加密密文进行解密, 以获取所述操作内 容;  a processing unit, the processing unit decrypts the encrypted ciphertext to obtain the operation content;
操作单元, 所述操作单元用于根据获取的所述操作内容进行相应的操作; 第二发送单元, 所述第二发送单元用于将操作结果传送至所述客户端。  An operation unit, configured to perform a corresponding operation according to the acquired operation content; and a second sending unit, configured to transmit an operation result to the client.
17.根据权利要求 15所述的系统, 其特征在于, 所述服务器包括: 第二接收单元,所述第二接收单元用于接收所述客户端传送的加密的加 密密文; The system according to claim 15, wherein the server comprises: a second receiving unit, wherein the second receiving unit is configured to receive the encrypted encrypted ciphertext transmitted by the client;
第二解密单元,所述第二解密单元用于对加密的加密密文进行解密以获 取所述加密密文;  a second decryption unit, configured to decrypt the encrypted encrypted ciphertext to obtain the encrypted ciphertext;
处理单元,所述处理单元对所述加密密文进行解密, 以获取所述操作内 容;  a processing unit, the processing unit decrypts the encrypted ciphertext to obtain the operation content;
操作单元, 所述操作单元用于根据获取的所述操作内容进行相应的操作; 第二发送单元, 所述第二发送单元用于将操作结果传送至所述客户端。 An operation unit, configured to perform a corresponding operation according to the acquired operation content; and a second sending unit, configured to transmit an operation result to the client.
18.根据权利要求 16或 17所述的系统, 其特征在于, 所述第一接收单 元还用于接收所述服务器传送的操作结果; The system according to claim 16 or 17, wherein the first receiving unit is further configured to receive an operation result transmitted by the server;
并且所述客户端还包括第一显示单元,所述第一显示单元用于显示所述 操作结果。  And the client further includes a first display unit, the first display unit is configured to display the operation result.
19.根据权利要求 18所述的系统,其特征在于,所述服务器还包括第二 加密单元,所述第二加密单元用于对所述操作结果进行加密,并将加密后的 所述操作结果传送至所述第二发送单元;  The system according to claim 18, wherein the server further comprises a second encryption unit, the second encryption unit is configured to encrypt the operation result, and the encrypted operation result is Transmitting to the second transmitting unit;
所述客户端还包括第一解密单元,所述第一解密单元用于对加密后的操 作结果进行解密。  The client also includes a first decryption unit for decrypting the encrypted operation result.
20.—种安全设备, 其特征在于, 所述安全设备包括:  20. A security device, characterized in that the security device comprises:
输入单元, 所述输入单元用于供客户端用户输入操作内容;  An input unit, wherein the input unit is configured to input an operation content by a client user;
处理单元,所述处理单元用于对输入的所述操作内容进行处理, 以产生 用于解密还原操作内容的加密密文; 发送单元, 所述发送单元用于将所述加密密文发送至所述客户端。a processing unit, configured to process the input operation content to generate an encrypted ciphertext for decrypting the restored operation content; a sending unit, configured to send the encrypted ciphertext to the client.
21.—种网络交互系统,其特征在于,所述系统包括客户端和安全设备; 其中, 21. A network interaction system, the system comprising a client and a security device; wherein
客户端,用于接收用户输入的操作内容,并将所述操作内容传送至所述 安全设备,并且接收所述安全设备传送的加密密文,将所述加密密文发送至 所述服务器;  a client, configured to receive the operation content input by the user, and transmit the operation content to the security device, and receive the encrypted ciphertext transmitted by the security device, and send the encrypted ciphertext to the server;
安全设备,用于接收所述客户端传送的所述操作内容,显示所述操作内 容, 并判断客户端用户是否确认所述操作内容,若判断结果为是, 则所述安 全设备对所述操作内容进行加密, 以产生用于解密还原操作内容的加密密 文, 并将产生的所述加密密文传送至所述客户端。  a security device, configured to receive the operation content transmitted by the client, display the operation content, and determine whether the client user confirms the operation content, and if the determination result is yes, the security device performs the operation The content is encrypted to generate an encrypted ciphertext for decrypting the content of the restore operation, and the generated encrypted ciphertext is transmitted to the client.
22.根据权利要求 21所述的系统, 其特征在于, 所述安全设备包括: 接收单元, 所述接收单元用于接收所述客户端传送的所述操作内容; 显示单元, 所述显示单元用于显示所述操作内容;  The system according to claim 21, wherein the security device comprises: a receiving unit, the receiving unit is configured to receive the operation content transmitted by the client, and a display unit, where the display unit is used Displaying the operation content;
判断单元, 所述判断单元用于判断客户端用户是否确认所述操作内容; 处理单元,若所述判断单元的判断结果为是,则所述处理单元用于对所 述操作内容进行加密, 以产生所述加密密文;  a determining unit, configured to determine whether the client user confirms the operation content; and the processing unit, if the determining result of the determining unit is yes, the processing unit is configured to encrypt the operation content, Generating the encrypted ciphertext;
发送单元, 所述发送单元用于将所述加密密文传送至所述客户端。 a sending unit, configured to transmit the encrypted ciphertext to the client.
23.根据权利要求 21所述的系统, 其特征在于, 所述客户端包括: 第一输入单元, 所述第一输入单元用于供客户端用户输入所述操作内容; 第一发送单元,所述第一发送单元用于将所述操作内容发送至所述安全 设备; 还用于将所述加密密文传送至所述服务器; The system according to claim 21, wherein the client comprises: a first input unit, wherein the first input unit is configured to input, by the client user, the operation content; The first sending unit is configured to send the operation content to the security device; and is further configured to transmit the encrypted ciphertext to the server;
第一接收单元,所述第一接收单元用于接收所述安全设备传送加密密文。 a first receiving unit, configured to receive the encrypted ciphertext by the security device.
24.根据权利要求 23所述的系统,其特征在于,所述客户端还包括第一 加密单元, 所述第一加密单元用于将所述加密密文进行加密; The system according to claim 23, wherein the client further comprises a first encryption unit, and the first encryption unit is configured to encrypt the encrypted ciphertext;
并且所述第一发送单元将加密的所述加密密文传送至服务器。  And the first sending unit transmits the encrypted encrypted ciphertext to the server.
25.根据权利要求 23所述系统, 其特征在于, 所述服务器包括: 第二接收单元, 所述第二接收单元用于接收所述客户端传送的加密密 文;  The system according to claim 23, wherein the server comprises: a second receiving unit, wherein the second receiving unit is configured to receive an encrypted ciphertext transmitted by the client;
处理单元,所述处理单元对所述加密密文进行解密, 以获取所述操作内 容;  a processing unit, the processing unit decrypts the encrypted ciphertext to obtain the operation content;
操作单元, 所述操作单元用于根据获取的所述操作内容进行相应的操作; 第二发送单元, 所述第二发送单元用于将操作结果传送至所述客户端。An operation unit, configured to perform a corresponding operation according to the obtained operation content; a second sending unit, configured to transmit an operation result to the client.
26.根据权利要求 24所述系统, 其特征在于, 所述服务器包括: 第二接收单元,所述第二接收单元用于接收所述客户端传送的加密的加 密密文; The system according to claim 24, wherein the server comprises: a second receiving unit, wherein the second receiving unit is configured to receive the encrypted encrypted ciphertext transmitted by the client;
第二解密单元, 所述第二解密单元用于对加密的所述加密密文进行解 密, 以获取所述加密密文;  a second decryption unit, configured to decrypt the encrypted encrypted ciphertext to obtain the encrypted ciphertext;
处理单元,所述处理单元对所述加密密文进行解密, 以获取所述操作内 容;  a processing unit, the processing unit decrypts the encrypted ciphertext to obtain the operation content;
操作单元, 所述操作单元用于根据获取的所述操作内容进行相应的操作; 第二发送单元, 所述第二发送单元用于将操作结果传送至所述客户端。 An operation unit, configured to perform a corresponding operation according to the acquired operation content; and a second sending unit, configured to transmit an operation result to the client.
27.根据权利要求 25或 26所述的系统, 其特征在于, 所述第一接收单 元还用于接收所述服务器传送的操作结果; The system according to claim 25 or 26, wherein the first receiving unit is further configured to receive an operation result transmitted by the server;
并且所述客户端还包括第一显示单元,所述第一显示单元用于显示所述 操作结果。  And the client further includes a first display unit, the first display unit is configured to display the operation result.
28.根据权利要求 27所述的系统,其特征在于,所述服务器还包括第二 加密单元,所述第二加密单元用于对所述操作结果进行加密,并将加密后的 所述操作结果传送至所述第二发送单元;  The system according to claim 27, wherein the server further comprises a second encryption unit, the second encryption unit is configured to encrypt the operation result, and the encrypted operation result is obtained Transmitting to the second transmitting unit;
所述客户端还包括第一解密单元,所述第一解密单元用于对加密后的操 作结果进行解密。  The client also includes a first decryption unit for decrypting the encrypted operation result.
29.—种安全设备, 其特征在于, 所述安全设备包括:  29. A security device, characterized in that the security device comprises:
接收单元, 所述接收单元用于接收客户端传送的所述操作内容; 显示单元, 所述显示单元用于显示所述操作内容;  a receiving unit, configured to receive the operation content transmitted by the client; a display unit, the display unit is configured to display the operation content;
判断单元, 所述判断单元用于判断客户端用户是否确认所述操作内容; 处理单元,若所述判断单元的判断结果为是,则所述处理单元用于对所 述操作内容进行处理, 产生用于解密还原操作内容的加密密文;  a judging unit, configured to determine whether the client user confirms the operation content; and the processing unit, if the judgment result of the judging unit is yes, the processing unit is configured to process the operation content, generate An encrypted ciphertext for decrypting the contents of the restore operation;
发送单元, 所述发送单元用于将所述加密密文传送至所述客户端。 a sending unit, configured to transmit the encrypted ciphertext to the client.
30.根据权利要求 29所述的安全设备,其特征在于,所述安全设备还包 括输入单元, 所述输入单元用于供用户输入确认该操作内容的信息。 30. The security device of claim 29, wherein the security device further comprises an input unit for the user to input information confirming the content of the operation.
31.—种网络交互系统, 所述系统包括服务器, 其特征在于, 所述系统 还包括客户端和安全设备; 其中,  31. A network interaction system, the system includes a server, wherein the system further includes a client and a security device;
所述安全设备,用于接收用户输入的操作内容,对所述操作内容进行处 理, 产生并显示用于解密还原操作内容的加密密文; The security device is configured to receive an operation content input by a user, and perform the operation content And generate and display an encrypted ciphertext for decrypting the content of the restore operation;
所述客户端,用于接收用户输入的所述加密密文,并将所述加密密文通 过网络发送至所述服务器。  The client is configured to receive the encrypted ciphertext input by a user, and send the encrypted ciphertext to the server through a network.
32.根据权利要求 31所述的系统, 其特征在于, 所述安全设备包括: 输入单元, 所述输入单元用于供客户端用户输入所述操作内容; 处理单元,所述处理单元用于对输入的所述操作内容进行处理,产生所 述加密密文;  The system according to claim 31, wherein the security device comprises: an input unit, the input unit is configured to input the operation content by a client user; and the processing unit is configured to use The input operation content is processed to generate the encrypted ciphertext;
转换单元, 所述转换单元用于将所述加密密文转换为可输入字符; 显示单元, 所述显示单元用于显示转换后的所述加密密文。  a conversion unit, configured to convert the encrypted ciphertext into an inputtable character; a display unit, wherein the display unit is configured to display the converted encrypted ciphertext.
33.根据权利要求 31所述的系统, 其特征在于, 所述客户端包括: 第一输入单元, 所述第一输入单元用于供客户端用户输入所述加密密 文;  The system according to claim 31, wherein the client comprises: a first input unit, wherein the first input unit is configured to input, by the client user, the encrypted ciphertext;
第一发送单元,所述第一发送单元用于将所述加密密文传送至所述服务 器。  a first sending unit, wherein the first sending unit is configured to transmit the encrypted ciphertext to the server.
34.根据权利要求 33所述的系统,其特征在于,所述客户端还包括第一 加密单元, 所述第一加密单元用于将所述加密密文进行加密;  The system according to claim 33, wherein the client further comprises a first encryption unit, and the first encryption unit is configured to encrypt the encrypted ciphertext;
并且所述第一发送单元将加密后的所述加密密文传送至所述服务器。 And the first sending unit transmits the encrypted encrypted ciphertext to the server.
35.根据权利要求 33所述系统, 其特征在于, 所述服务器包括: 第二接收单元, 所述第二接收单元用于接收所述客户端传送的加密密 文; The system according to claim 33, wherein the server comprises: a second receiving unit, wherein the second receiving unit is configured to receive an encrypted ciphertext transmitted by the client;
处理单元,所述处理单元对所述加密密文进行解密, 以获取所述操作内 容;  a processing unit, the processing unit decrypts the encrypted ciphertext to obtain the operation content;
操作单元, 所述操作单元用于根据获取的所述操作内容进行相应的操作; 第二发送单元, 所述第二发送单元用于将操作结果传送至所述客户端。  An operation unit, configured to perform a corresponding operation according to the acquired operation content; and a second sending unit, configured to transmit an operation result to the client.
36.根据权利要求 34所述的系统, 其特征在于, 所述服务器包括: 第二接收单元,所述第二接收单元用于接收所述客户端传送的加密的加 密密文; The system according to claim 34, wherein the server comprises: a second receiving unit, wherein the second receiving unit is configured to receive the encrypted encrypted ciphertext transmitted by the client;
第二解密单元, 所述第二解密单元用于对加密的所述加密密文进行解 密, 以获取所述加密密文;  a second decryption unit, configured to decrypt the encrypted encrypted ciphertext to obtain the encrypted ciphertext;
处理单元,所述处理单元对所述加密密文进行解密, 以获取所述操作内 容; 操作单元, 所述操作单元用于根据获取的所述操作内容进行相应的操作; 第二发送单元, 所述第二发送单元用于将操作结果传送至所述客户端。a processing unit, the processing unit decrypts the encrypted ciphertext to obtain the operation content; An operation unit, configured to perform a corresponding operation according to the acquired operation content; and a second sending unit, configured to transmit an operation result to the client.
37.根据权利要求 35或 36所述的系统, 其特征在于, 所述客户端还包 括: The system according to claim 35 or 36, wherein the client further comprises:
第一接收单元, 所述第一接收单元用于接收所述服务器传送的操作结果; 第一显示单元, 所述第一显示单元用于显示所述操作结果。  a first receiving unit, configured to receive an operation result transmitted by the server; and a first display unit, where the first display unit is configured to display the operation result.
38.根据权利要求 37所述的系统,其特征在于,所述服务器还包括第二 加密单元,所述第二加密单元用于对所述操作结果进行加密,并将加密后的 所述操作结果传送至所述第二发送单元;  The system according to claim 37, wherein the server further comprises a second encryption unit, the second encryption unit is configured to encrypt the operation result, and the encrypted operation result Transmitting to the second transmitting unit;
所述客户端还包括第一解密单元,所述第一解密单元用于对加密后的操 作结果进行解密。  The client also includes a first decryption unit for decrypting the encrypted operation result.
39.—种安全设备, 其特征在于, 所述安全设备包括:  39. A security device, characterized in that: the security device comprises:
输入单元, 所述输入单元用于供客户端用户输入所述操作内容; 处理单元,所述处理单元用于对输入的所述操作内容进行处理,产生用 于解密还原操作内容的加密密文;  An input unit, configured to: input, by the client user, the operation content; the processing unit, configured to process the input operation content, and generate an encrypted ciphertext for decrypting the content of the restoration operation;
转换单元, 所述转换单元用于将所述加密密文转换为可输入字符; 显示单元, 所述显示单元用于显示转换后的所述加密密文。  a conversion unit, configured to convert the encrypted ciphertext into an inputtable character; a display unit, wherein the display unit is configured to display the converted encrypted ciphertext.
PCT/CN2008/071572 2008-07-07 2008-07-07 Method, system and its security device for network interworking WO2010003284A1 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
PCT/CN2008/071572 WO2010003284A1 (en) 2008-07-07 2008-07-07 Method, system and its security device for network interworking

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/CN2008/071572 WO2010003284A1 (en) 2008-07-07 2008-07-07 Method, system and its security device for network interworking

Publications (1)

Publication Number Publication Date
WO2010003284A1 true WO2010003284A1 (en) 2010-01-14

Family

ID=41506652

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2008/071572 WO2010003284A1 (en) 2008-07-07 2008-07-07 Method, system and its security device for network interworking

Country Status (1)

Country Link
WO (1) WO2010003284A1 (en)

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1747379A (en) * 2004-09-09 2006-03-15 村田机械株式会社 Encryption device
US20070300062A1 (en) * 2006-06-27 2007-12-27 Osmond Roger F Identifying and enforcing strict file confidentiality in the presence of system and storage administrators in a nas system
CN101159054A (en) * 2007-11-14 2008-04-09 范传东 Method for realizing currency money payment through mobile communication appliance channel

Patent Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1747379A (en) * 2004-09-09 2006-03-15 村田机械株式会社 Encryption device
US20070300062A1 (en) * 2006-06-27 2007-12-27 Osmond Roger F Identifying and enforcing strict file confidentiality in the presence of system and storage administrators in a nas system
CN101159054A (en) * 2007-11-14 2008-04-09 范传东 Method for realizing currency money payment through mobile communication appliance channel

Similar Documents

Publication Publication Date Title
Claessens et al. On the security of today’s online electronic banking systems
US8037295B2 (en) Hardware-bonded credential manager method and system
JP5981610B2 (en) Network authentication method for electronic transactions
EP2332089B1 (en) Authorization of server operations
US9590978B2 (en) Verification of password using a keyboard with a secure password entry mode
CN101005361B (en) Server and software protection method and system
Jesudoss et al. A survey on authentication attacks and countermeasures in a distributed environment
Mannan et al. Leveraging personal devices for stronger password authentication from untrusted computers
US20090055642A1 (en) Method, system and computer program for protecting user credentials against security attacks
US20190238334A1 (en) Communication system, communication client, communication server, communication method, and program
US20040230807A1 (en) Apparatus and method for authenticating access to a network resource
US20110202772A1 (en) Networked computer identity encryption and verification
WO2009065154A2 (en) Method of and apparatus for protecting private data entry within secure web sessions
CN101808077B (en) Information security input processing system and method and smart card
CN111464532A (en) Information encryption method and system
US20220407693A1 (en) Method and device for secure communication
Raddum et al. Security analysis of mobile phones used as OTP generators
Latze Stronger Authentication in E-Commerce-How to protect even naıve Users against Phishing, Pharming, and MITM attacks
CN114885326B (en) A bank mobile operation security protection method, device and storage medium
Sidheeq et al. Utilizing trusted platform module to mitigate botnet attacks
KR101754519B1 (en) Keyboard secure system and method for protecting data input via keyboard using one time key
Karthiga et al. Enhancing performance of user authentication protocol with resist to password reuse attacks
CN201286106Y (en) Safety equipment
CN201286107Y (en) Safety equipment
Bavendiek A zero trust security approach with FIDO2

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 08773126

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 08773126

Country of ref document: EP

Kind code of ref document: A1