WO2022111102A1 - Method, system and apparatus for establishing secure connection, electronic device, and machine-readable storage medium - Google Patents


Info

Publication number
WO2022111102A1
Authority
WO
WIPO (PCT)
Prior art keywords
private key
management server
security certificate
client
target website
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Ceased
Application number
PCT/CN2021/123636
Other languages
French (fr)
Chinese (zh)
Inventor
刘华
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing Kingsoft Cloud Network Technology Co Ltd
Original Assignee
Beijing Kingsoft Cloud Network Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Beijing Kingsoft Cloud Network Technology Co Ltd
Publication of WO2022111102A1

Classifications

    • H: Electricity
    • H04: Electric communication technique
    • H04L: Transmission of digital information, e.g. telegraphic communication
    • H04L9/00: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; network security protocols
    • H04L9/08: Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816: Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/085: Secret sharing or secret splitting, e.g. threshold schemes
    • H04L9/0861: Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • H04L9/32: including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3247: involving digital signatures
    • H04L9/3263: involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; public key infrastructure [PKI] arrangements
    • H04L9/3268: using certificate validation, registration, distribution or revocation, e.g. certificate revocation list [CRL]
    • H04L67/00: Network arrangements or protocols for supporting network services or applications
    • H04L67/14: Session management
    • H04L67/141: Setup of application sessions

Definitions

  • The present application relates to the technical field of data security, and in particular to a method, system, apparatus, electronic device and machine-readable storage medium for establishing a secure connection.
  • HTTPS: Hypertext Transfer Protocol over Secure Socket Layer
  • PKI: Public Key Infrastructure
  • The origin site uses a CDN (Content Delivery Network).
  • CDN: Content Delivery Network
  • The HTTPS connection that the client establishes with the origin site is transferred from the origin site to the CDN node, that is, the CDN node performs the handshake on behalf of the origin site. The certificate and private key of the origin site therefore have to be deployed on the CDN node. Because there are many CDN nodes, the overall number of servers is huge, and storing the certificate and private key on the cache server of every CDN node makes it easy for the private key and certificate to be disclosed, which in turn threatens user data security.
  • The purpose of this application is to provide a method, system, apparatus, electronic device and machine-readable storage medium for establishing a secure connection, so as to reduce the risk of leakage of private keys and certificates and thereby ensure user data security.
  • An embodiment of the present application provides a method for establishing a secure connection. The method includes: if an access request for a target website sent by a client is received, obtaining the security certificate of the target website from a management server, where the security certificate of the target website and the private key corresponding to the security certificate are stored in the management server; sending the security certificate to the client; when the private key corresponding to the security certificate needs to be used for signing or decryption, sending a private key use request to the management server, so that the management server signs or decrypts the private key use request using the private key corresponding to the security certificate and returns the processing result; and receiving the processing result returned by the management server, and establishing a secure connection with the client based on the processing result.
  • The access request for the target website carries the domain name of the target website. The step of obtaining the security certificate of the target website from the management server when the access request sent by the client is received includes: extracting the domain name of the target website carried in the access request; sending the domain name of the target website to the management server; and receiving the security certificate of the target website returned by the management server according to that domain name.
  • The method further includes receiving an encrypted pre-master key, obtained by the client by encrypting the client's pre-master key with the security certificate.
  • In this case, sending the private key use request to the management server so that the management server signs or decrypts it with the private key corresponding to the security certificate includes: sending the encrypted pre-master key to the management server, so that the management server decrypts the encrypted pre-master key with the private key corresponding to the security certificate.
  • The step of receiving the processing result returned by the management server and establishing a secure connection with the client based on it then includes: receiving the decrypted pre-master key returned by the management server, and establishing a secure connection with the client based on the pre-master key.
  • The private key use request carries specified parameters. Sending the private key use request to the management server so that the management server signs or decrypts it with the private key corresponding to the security certificate includes: sending a private key use request carrying the specified parameters to the management server, so that the management server signs the specified parameters with the private key corresponding to the security certificate and returns the signature information.
  • The step of receiving the processing result returned by the management server and establishing a secure connection with the client based on it then includes: receiving the signature information returned by the management server and sending it to the client, so that the client verifies the signature information using the security certificate and obtains the specified parameters; and establishing a secure connection with the client based on the specified parameters.
  • The private key use request carries the target parameter contained in the access request. Sending the private key use request to the management server so that the management server signs or decrypts it with the private key corresponding to the security certificate includes: sending the private key use request to the management server, so that the management server signs the private key use request with the private key corresponding to the security certificate and generates a temporary public key based on the target parameter.
  • The step of receiving the processing result returned by the management server and establishing a secure connection with the client based on it then includes: receiving the signature information, the temporary public key and the shared key returned by the management server; sending the signature information and the temporary public key to the client, so that the client verifies the signature information using the security certificate and generates the shared key from the target parameter; and establishing a secure connection with the client based on the shared key.
  • Before the step of obtaining the security certificate of the target website from the management server when an access request for the target website sent by the client is received, the method further includes: authenticating the stored first certificate and the private key corresponding to the first certificate against the second certificate stored by the management server and the private key corresponding to the second certificate, and establishing a secure connection with the management server.
  • An embodiment of the present application provides a method for establishing a secure connection, including: if an access request for a target website sent by a web server is received, sending the stored security certificate of the target website to the web server, where the access request is sent by the client to the web server; receiving the private key use request sent by the web server, signing or decrypting the private key use request with the private key corresponding to the stored security certificate, and obtaining the processing result; and sending the processing result to the web server, so that the web server establishes a secure connection with the client based on the processing result.
  • The access request for the target website carries the domain name of the target website. The step of sending the stored security certificate of the target website to the web server when the access request sent by the web server is received includes: searching the stored security certificates and their corresponding private keys for the security certificate of the target website according to the domain name carried in the received access request; and sending the found security certificate to the web server.
  • An embodiment of the present application provides a system for establishing a secure connection. The system comprises a management server and a web server connected in communication. The management server is configured to store the security certificate of a website and the private key corresponding to the security certificate. The web server is configured to obtain the security certificate of the target website from the management server when it receives the access request for the target website sent by the client, and to send the obtained security certificate to the client. The web server is further configured to send a private key use request to the management server when the private key corresponding to the security certificate needs to be used for signing or decryption. The management server is configured to receive the private key use request, sign or decrypt it with the private key corresponding to the security certificate, and send the processing result to the web server. The web server is further configured to establish a secure connection with the client based on the received processing result.
  • An embodiment of the present application provides an apparatus for establishing a secure connection, comprising: a certificate obtaining module, configured to obtain the security certificate of the target website from a management server if an access request for a target website sent by a client is received, where the management server stores the security certificate of the target website and the private key corresponding to the security certificate; a certificate sending module, configured to send the security certificate to the client, so that the client can use the security certificate to encrypt the client's pre-master key; a private key use module, configured to send a private key use request to the management server when the private key corresponding to the security certificate needs to be used for signing or decryption, so that the management server signs or decrypts the private key use request with the private key corresponding to the security certificate and returns the processing result; and a connection establishment module, configured to receive the processing result returned by the management server and establish a secure connection with the client based on the processing result.
  • An embodiment of the present application provides an apparatus for establishing a secure connection, comprising: a certificate determination module, configured to send the stored security certificate of the target website to the web server if an access request for the target website sent by the web server is received, where the access request is sent by the client to the web server; a private key processing module, configured to receive the private key use request sent by the web server and sign or decrypt the private key use request with the private key corresponding to the stored security certificate to obtain a processing result; and a result returning module, configured to send the processing result to the web server, so that the web server establishes a secure connection with the client based on the processing result.
  • An embodiment of the present application provides an electronic device, including a processor and a memory, where the memory stores machine-executable instructions that can be executed by the processor, and the processor executes the machine-executable instructions to implement the method of the first aspect above.
  • Embodiments of the present application provide a machine-readable storage medium storing machine-executable instructions. When the machine-executable instructions are invoked and executed by a processor, they cause the processor to implement the method of the first aspect above.
  • FIG. 1 is a flowchart of a method for establishing a secure connection provided by an embodiment of the present application
  • FIG. 2 is a flowchart of another method for establishing a secure connection provided by an embodiment of the present application
  • FIG. 3 is a flowchart of another method for establishing a secure connection provided by an embodiment of the present application.
  • FIG. 4 is a flowchart of another method for establishing a secure connection provided by an embodiment of the present application.
  • FIG. 5 is a flowchart of another method for establishing a secure connection provided by an embodiment of the present application.
  • FIG. 6 is a schematic structural diagram of a system for establishing a secure connection according to an embodiment of the present application.
  • FIG. 7 is a schematic structural diagram of an apparatus for establishing a secure connection according to an embodiment of the present application.
  • FIG. 8 is a schematic structural diagram of another apparatus for establishing a secure connection provided by an embodiment of the present application.
  • FIG. 9 is a schematic structural diagram of an electronic device according to an embodiment of the present application.
  • HTTPS can encrypt HTTP requests and responses to ensure data integrity, privacy and authentication.
  • The use of HTTPS complies with the requirements of PKI.
  • The service provider needs to provide a certificate and the private key corresponding to the certificate, and then establishes a secure connection with the client.
  • The HTTPS connection established between the client and the website is transferred from the origin site to the CDN node, that is, the CDN node performs the handshake on behalf of the origin site. The website certificate and private key therefore need to be deployed on the CDN node so that the CDN node can complete the SSL (Secure Sockets Layer)/TLS (Transport Layer Security) handshake.
  • SSL Secure Sockets Layer
  • TLS Transport Layer Security
  • The origin site needs to send both the certificate and the private key to the server (equivalent to the CDN node above), so that the server can perform the SSL/TLS handshake with the client using the certificate and private key.
  • The SSL/TLS handshake process when RSA is the negotiated encryption algorithm is:
  • Client greeting, which can be called "client hello": the client sends a domain name access request to the server; the access request contains SNI (Server Name Indication) information, the encryption algorithms supported by the client, and so on.
  • SNI: Server Name Indication
  • Server greeting, which can be called "server hello": after the server receives the access request, it returns handshake response information to the client, including the matching negotiated encryption algorithm and the digital certificate.
  • The digital certificate is essentially the public key, together with a lot of additional information such as the issuer of the certificate, the expiration time, the public key of the server, the signature of the third-party certificate authority, and the domain name of the server.
  • When the client parses the digital certificate, it first verifies whether the public key in the digital certificate is valid, checking, for example, the issuing authority and the expiration time; if an abnormality is found, a warning box pops up indicating that there is a problem with the certificate. If there is no problem with the certificate, the client randomly generates a pre-master key, encrypts it with the public key in the digital certificate, and sends the encrypted pre-master key to the server.
  • The server decrypts the received encrypted pre-master key with the private key corresponding to the digital certificate and obtains the decrypted pre-master key. At this point both the client and the server have the pre-master key and can jointly derive a session key.
  • The client encrypts a message with the session key and sends it to the server, mainly to verify whether the server can correctly receive messages encrypted by the client.
  • The server also encrypts a message with the session key and sends it back to the client. If the client can receive it correctly, the SSL/TLS layer connection is established.
  • In the handshake process based on the other key exchange algorithm, the first two steps are the same as in the handshake process based on the RSA algorithm.
  • The third step is that the server signs the specified parameters with the private key corresponding to the digital certificate.
  • The signature information is sent to the client, so that the client can verify it using the digital certificate. After the verification succeeds, the client obtains the specified parameters, and the session key between the client and the server is established from those parameters.
  • In a further handshake process, the client first sends a client hello message.
  • The client hello message mainly includes the protocol version, session identifier, cipher suites, compression algorithms and extension messages supported by the client (key sharing, pre-shared key, pre-shared key mode, and so on), together with the parameters to be encrypted. The server then replies with a server hello message that includes the selected cipher suite and sends the certificate to the client; it signs the handshake message with the private key corresponding to the certificate and sends the result to the client; it selects the parameters provided by the client to generate a temporary public key and calculates, in combination with the selected parameters, the shared key used to encrypt the HTTP messages; and the temporary public key generated by the server is sent to the client in the KeyShare message.
  • When the client receives the KeyShare message, it verifies the signature with the certificate's public key, obtains the server's temporary public key, and generates the shared key required for the session. Both parties then use the generated shared key to encrypt the messages they transmit, ensuring message security.
  • Customers with more stringent security requirements do not want to expose the private key to CDN nodes. If the security requirements are higher still or the deployment conditions are more stringent, the customer wants to expose neither the certificate nor the private key to CDN nodes.
  • The embodiments of the present application provide a method, system, apparatus, electronic device and machine-readable storage medium for establishing a secure connection.
  • The technology can be applied to an HTTPS access scenario, especially an SSL/TLS handshake scenario.
  • A method for establishing a secure connection disclosed in this embodiment of the present application is first introduced in detail. The method is applied to a web server; the web server is equivalent to the CDN node mentioned above and is connected to both the client and the management server.
  • The client can be a mobile terminal, for example a mobile phone, a tablet computer or a smart bracelet, or a computer.
  • The management server can be a separate physical server that stores the security certificate (equivalent to the digital certificate above) of at least one website and the private key corresponding to each security certificate.
  • The above method for establishing a secure connection includes the following steps:
  • Step S102: if an access request for the target website sent by the client is received, obtain the security certificate of the target website from the management server.
  • The target website is usually the website that the customer wants to visit, and it can provide the customer with corresponding services.
  • The specific service provided can be set according to the research and development requirements of the developers of the target website.
  • When the web server receives the access request for the target website sent by the client, it forwards the access request to the management server, or sends a certificate acquisition request to the management server based on the access request, so that the management server finds the security certificate of the target website among the stored security certificates and returns it to the web server.
  • An HTTPS GET request (equivalent to the access request above) is initiated to the web server.
  • According to the SSL/TLS protocol, a "handshake" is performed first for the HTTPS GET request.
  • The specific format of the access request for the target website can be a client hello message.
  • Step S104: send the security certificate to the client.
  • After the web server receives the security certificate of the target website, it sends the security certificate to the client.
  • The specific format of the security certificate sent by the web server to the client may be a server hello message.
  • Step S106: when the private key corresponding to the security certificate needs to be used for signing or decryption, send a private key use request to the management server, so that the management server signs or decrypts the private key use request with the private key corresponding to the security certificate and returns the processing result.
  • When the web server establishes a secure connection with the client, it needs to use the private key corresponding to the security certificate for signing or decryption, so the web server sends a private key use request to the management server. The private key use request can carry the information that needs to be signed or the information that needs to be decrypted, so that the management server signs the information that needs to be signed, or decrypts the information that needs to be decrypted, with the private key corresponding to the security certificate, and returns the processing result to the web server.
  • Step S108: receive the processing result returned by the management server, and establish a secure connection with the client based on the processing result.
  • After receiving the processing result returned by the management server, the web server generates a session key based on the processing result, so as to establish a secure connection with the client through the session key.
  • In the above method for establishing a secure connection, if an access request for a target website sent by a client is received, the security certificate of the target website is obtained from a management server that stores the security certificate of the target website and the private key corresponding to it, and the obtained security certificate is then sent to the client; when the private key corresponding to the security certificate needs to be used for signing or decryption, a private key use request is sent to the management server so that the management server signs or decrypts the private key use request with the private key corresponding to the security certificate and returns the processing result; the processing result returned by the management server is then received, and a secure connection with the client is established based on it.
  • In this way, the security certificate of the website and its private key are stored in the management server, and there is no need to distribute the security certificate and private key in advance.
  • The certificate and private key are still used to establish the connection with the client, while leakage of the private key and the certificate is avoided and the security of user data is improved.
  • the embodiment of the present application also provides another method for establishing a secure connection, which is implemented on the basis of the method in the above-mentioned embodiment; the method focuses on describing that if an access request for the target website sent by the client is received, the The specific process of obtaining the security certificate of the target website (implemented through the following steps S204-S208), when the private key corresponding to the security certificate needs to be used for signing or decryption, a private key use request is sent to the management server to use the management server.
  • the private key corresponding to the security certificate signs or decrypts the private key use request, returns the processing result (implemented by the following step S212), and receives the processing result returned by the management server, and establishes a secure connection with the client based on the processing result.
  • process (implemented through the following step S214); as shown in Figure 2, the method includes the following steps:
  • Step S202 Establish a secure connection with the management server by authenticating the stored first certificate and the private key corresponding to the first certificate with the second certificate stored by the management server and the private key corresponding to the second certificate.
  • the private key corresponding to the first certificate and the first certificate is set to certify the identity of the web server, and is stored in the web server in advance; in the management server.
  • the web server needs to send the first certificate to the management server, and the management server sends the second certificate to the web server for mutual authentication.
  • the private key of the second certificate encrypts the session information, so that the management server can decrypt the session information through the public key in the first certificate; the management server can also encrypt the session information through the private key corresponding to the second certificate, so that the web server can pass the public key in the second certificate. to decrypt.
  • Step S204: If an access request for the target website sent by the client is received, extract the domain name of the target website carried in the access request.
  • The access request for the target website may carry information such as the domain name of the target website, for example as the SNI information of the TLS ClientHello.
  • Step S206: Send the domain name of the target website to the management server.
  • Step S208: Receive the security certificate of the target website returned by the management server according to the domain name of the target website.
  • When the management server receives the domain name of the target website, it searches the security certificates and corresponding private keys it holds for the certificate matching that domain name, that is, the security certificate of the target website, and sends the security certificate found to the web server.
  • Step S210: Send the above security certificate to the client, so that the client can use it to encrypt the client's pre-master key.
  • When the client receives the security certificate, it verifies whether the certificate and the public key it contains are valid, checking for example the issuing authority and the expiration time. If an anomaly is found, a warning box pops up indicating that there is a problem with the security certificate; if the certificate has no problem, the client randomly generates a pre-master key, encrypts it with the public key in the security certificate, and sends the encrypted pre-master key to the web server.
  • The pre-master key (the pre-master secret of TLS) is a 48-byte value; the client and the web server combine it with the random values they exchanged during the handshake and feed them through a pseudo-random function to derive the session key, so that both sides obtain the same session key without it ever being transmitted.
  • After sending the security certificate to the client, the web server may also cache the received security certificate of the target website for a specified time so that other clients can use it: if another client sends an access request for the target website within the specified time, the cached certificate is returned to that client directly.
  • Step S212: Receive the encrypted pre-master key sent by the client and send it to the management server, so that the management server decrypts the encrypted pre-master key using the private key corresponding to the security certificate.
  • When the web server receives the encrypted pre-master key sent by the client, it sends it to the management server, and the management server uses the private key corresponding to the security certificate of the target website to decrypt the encrypted pre-master key, obtaining the decrypted pre-master key.
  • Step S214: Receive the decrypted pre-master key returned by the management server, and establish a secure connection with the client based on the pre-master key.
  • After the web server receives the decrypted pre-master key returned by the management server, it saves it. At this point the client and the web server hold the same pre-master key and can jointly derive a session key. The client then encrypts a message with the session key and sends it to the web server to verify that the server can receive the client's encrypted messages; the web server likewise encrypts a message with the session key and sends it back to the client. If the client receives it normally, the SSL/TLS handshake is complete, that is, a secure connection between the web server and the client is established.
  • The SSL/TLS handshake phase is essentially the computation of a symmetric key, and the security certificate serves to prove the legitimacy of the target website to the client.
  • The private key corresponding to the certificate is what is used in the final calculation of the symmetric key.
  • The client initiates an HTTPS request to the web server (equivalent to the access request for the target website mentioned above), and the goal of the web server, as the server side, throughout the handshake is to agree on a symmetric key with the client. In this process, some key information must be computed by private key signature or private key decryption in order to produce the final symmetric key.
  • The process is: after the client receives the security certificate, it encrypts the randomly generated pre-master key with the public key in the certificate and sends the encrypted pre-master key to the web server.
  • The web server forwards it to the management server, which completes the calculation (that is, decrypts the encrypted pre-master key with the private key corresponding to the security certificate to obtain the pre-master key) and returns the result to the web server.
  • The web server receives the decrypted pre-master key and establishes a secure connection with the client based on it.
  • The private protocol mentioned above is usually a set of protocol standards defined within the enterprise, applicable only to the equipment and products produced by that enterprise.
  • Because the security certificate and private key are stored on the management server rather than being issued to and stored on the web server, customers keep full control over the management of their security certificates and private keys; on the other hand, it also removes the possibility of a web server leaking the security certificate and private key.
  • The management server stores and manages the security certificate and private key of the website without providing them to the web server.
  • The web server obtains what it needs from the management server, which avoids disclosure of security certificates and private keys and lets customers fully control their management; at the same time, the deployment of web servers is also quicker and more secure.
  • In the above method, both the website's security certificate and the private key of the security certificate are stored in the management server and do not need to be issued to the web server in advance.
  • When the client accesses the target website, the web server communicates with the management server in real time to use the security certificate and private key to establish a secure connection with the client, thus avoiding disclosure of the private key and certificate and improving the security of user data.
  • The embodiment of the present application also provides another method for establishing a secure connection, implemented on the basis of the method in the above embodiment; it focuses on the process of establishing a secure connection with the client based on the processing result (implemented by the following step S308). As shown in FIG. 3, the method includes the following steps:
  • Step S302: If an access request for the target website sent by the client is received, obtain the security certificate of the target website from the management server.
  • Step S304: Send the above security certificate to the client.
  • Step S306: Send a private key use request carrying the specified parameters to the management server, so that the management server signs the specified parameters with the private key corresponding to the security certificate and returns the signature information.
  • After the web server sends the security certificate to the client, it sends a private key use request carrying the specified parameters to the management server; after receiving the request, the management server signs the specified parameters with the private key corresponding to the security certificate, obtains the signature information, and returns it to the web server.
  • The specified parameters may be Diffie-Hellman parameters.
  • Step S308: Receive the signature information returned by the management server and send it to the client, so that the client verifies the signature information through the security certificate and obtains the specified parameters; establish a secure connection with the client based on the specified parameters.
  • The web server sends the signature information received from the management server to the client, and the client verifies it with the security certificate it received. After the verification succeeds, the client obtains the specified parameters, so that both the web server and the client hold them and can each derive the session key from them, that is, a secure connection between the web server and the client is established.
  • In this method, the security certificate of the website and its private key are both stored in the management server and do not need to be delivered to the web server in advance.
  • When the client accesses the target website, the web server communicates with the management server in real time; in this way the security certificate and private key are used to establish a secure connection with the client, avoiding leakage of the private key and certificate and improving the security of user data.
  • The embodiment of the present application also provides another method for establishing a secure connection, implemented on the basis of the method in the above embodiment; it focuses on the process of establishing a secure connection with the client based on the processing result (implemented by the following step S406). As shown in FIG. 4, the method includes the following steps:
  • Step S402: If an access request for the target website sent by the client is received, obtain the security certificate of the target website from the management server; the access request carries a target parameter.
  • The target parameter is a parameter provided by the client, intended for generating the session key between the client and the web server.
  • Step S404: Send the above security certificate to the client, and send a private key use request carrying the target parameter to the management server, so that the management server signs the private key use request with the private key corresponding to the security certificate, generates a temporary public key based on the target parameter, calculates the shared key by combining the temporary public key and the target parameter, and returns the signature information, the temporary public key and the shared key.
  • Step S406: Receive the signature information, the temporary public key and the shared key returned by the management server, and send the signature information and the temporary public key to the client, so that the client verifies the signature information through the security certificate and generates the shared key from the temporary public key and the target parameter; based on the shared key, establish a secure connection with the client.
  • At this point both the client and the web server hold the shared key, and they can communicate using it.
  • In this method, the security certificate of the website and its private key are stored in the management server, and there is no need to issue them to the web server in advance.
  • When the client accesses the target website, the web server communicates with the management server in real time and uses the security certificate and private key to establish a connection with the client, thereby avoiding leakage of the private key and the certificate and improving the security of user data.
  • the embodiment of the present application also provides another method for establishing a secure connection.
  • the method is applied to the management server. As shown in FIG. 5 , the method includes the following steps:
  • Step S502: If an access request for the target website sent by the web server is received, send the stored security certificate of the target website to the web server.
  • The access request is forwarded by the web server to the management server after the client sends it to the web server.
  • Step S504: Receive the private key use request sent by the web server, and use the stored private key corresponding to the security certificate to sign or decrypt the private key use request, obtaining a processing result.
  • Step S506: Send the processing result to the web server, so that the web server establishes a secure connection with the client based on it.
  • the access request of the above-mentioned target website carries the domain name of the target website; the above-mentioned step S502 can be realized by the following steps 10-11:
  • Step 10 according to the domain name of the target website carried in the received access request, in the stored security certificate and the private key corresponding to the security certificate, search for the security certificate of the target website.
  • Step 11 sending the found security certificate to the web server.
  • In the above method for establishing a secure connection, if an access request for the target website sent by the web server is received, the stored security certificate of the target website is sent to the web server, which in turn sends it to the client; then a private key use request sent by the web server is received, the stored private key corresponding to the security certificate is used to sign or decrypt the private key use request to obtain a processing result, and the processing result is sent to the web server so that the web server establishes a secure connection with the client based on it.
  • In this method, the security certificate of the website and its private key are stored in the management server, and there is no need to issue them to the web server in advance.
  • When the client accesses the target website, the web server communicates with the management server in real time and uses the security certificate and private key to establish a connection with the client, thereby avoiding leakage of the private key and the certificate and improving the security of user data.
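  • The following is an added, runnable illustration of the delegation described in the steps above; it is not code from the patent or from the assignee. It plays the web server side of Figure 2 (steps S210-S214, including the certificate cache mentioned under step S210) and of Figure 3 (steps S306-S308) against a management server implementing steps S502-S506, in Python. Everything cryptographic is a deliberately trivial stand-in chosen so the script needs only the standard library and no key generation: textbook RSA on Mersenne-prime factors (unpadded and trivially factorable), a toy Diffie-Hellman group, and an HMAC in place of the TLS PRF. The class and function names (ManagementServer, WebServer, Client, demo), the in-memory certificate dictionary and the "decrypt"/"sign" request operations are assumptions of this example, not the patent's. The Figure 4 variant, in which the management server also computes and returns the shared key, is not implemented; in that variant the session secret itself crosses the web-management link, whereas in the Figure 3 path only a signature does.

```python
"""Added illustration of the split handshake in the steps above; not the patent's code.
The web server runs the client handshake, the management server holds each site's key and
answers private key use requests. Toy primitives (assumptions) stand in for TLS ones."""
import hashlib
import hmac
import secrets
import time

P, Q = (1 << 127) - 1, (1 << 521) - 1        # Mersenne primes: toy RSA factors (assumption)
RSA_N, RSA_E = P * Q, 65537
RSA_D = pow(RSA_E, -1, (P - 1) * (Q - 1))
DH_P, DH_G = (1 << 521) - 1, 3               # toy DH group (assumption), not an RFC group
DH_BYTES = (DH_P.bit_length() + 7) // 8

def derive_session_key(pre_master, client_random, server_random):   # stand-in for the TLS PRF
    return hmac.new(pre_master, b"master secret" + client_random + server_random,
                    hashlib.sha256).digest()

class ManagementServer:   # holds every site's certificate and private key; keys never leave it
    def __init__(self):
        self._store = {}  # domain -> (certificate, private key)

    def provision(self, domain, public_key=(RSA_N, RSA_E), private_key=(RSA_N, RSA_D)):
        self._store[domain] = ({"subject": domain, "public_key": public_key}, private_key)

    def get_certificate(self, domain):   # step S502: look up by domain, KeyError if unknown
        return self._store[domain][0]

    def use_private_key(self, domain, op, payload):   # step S504
        n, d = self._store[domain][1]
        if op == "decrypt":   # RSA key exchange (Fig. 2): recover the 48-byte pre-master key
            return pow(payload, d, n).to_bytes(48, "big")
        if op == "sign":      # DHE (Fig. 3): sign the server's key-exchange parameters
            return pow(int.from_bytes(hashlib.sha256(payload).digest(), "big"), d, n)
        raise ValueError("unsupported private key operation: " + op)

class Client:
    def __init__(self, sni):
        self.sni, self.random = sni, secrets.token_bytes(32)

    def _public_key(self, cert):   # a real client also checks issuer, chain and expiry here
        if cert["subject"] != self.sni:
            raise ValueError("certificate subject does not match the requested host")
        return cert["public_key"]

    def encrypt_premaster(self, cert):   # client side of step S210
        n, e = self._public_key(cert)
        self.pre_master = secrets.token_bytes(48)
        return pow(int.from_bytes(self.pre_master, "big"), e, n)

    def verify_and_reply(self, cert, params, sig, server_pub):   # client side of step S308
        n, e = self._public_key(cert)
        if pow(sig, e, n) != int.from_bytes(hashlib.sha256(params).digest(), "big"):
            raise ValueError("bad signature on server key-exchange parameters")
        y = secrets.randbelow(DH_P - 2) + 1
        self.pre_master = pow(server_pub, y, DH_P).to_bytes(DH_BYTES, "big")
        return pow(DH_G, y, DH_P)

class WebServer:   # terminates the client handshake without ever holding a site private key
    def __init__(self, mgmt, cache_ttl=300):
        self.mgmt, self.cache_ttl, self._cache = mgmt, cache_ttl, {}

    def certificate_for(self, domain):   # steps S204-S208, plus the cache the text mentions
        hit = self._cache.get(domain)
        if hit and hit[1] > time.monotonic():
            return hit[0]
        cert = self.mgmt.get_certificate(domain)
        self._cache[domain] = (cert, time.monotonic() + self.cache_ttl)
        return cert

    def handshake(self, client, mode):   # mode "rsa" = Fig. 2 path, "dhe" = Fig. 3 path
        cert = self.certificate_for(client.sni)
        server_random = secrets.token_bytes(32)
        if mode == "rsa":   # the management server decrypts; the pre-master key comes back
            enc = client.encrypt_premaster(cert)                                   # S210
            pre_master = self.mgmt.use_private_key(client.sni, "decrypt", enc)     # S212
        else:               # the management server only signs; the DH secret stays here
            x = secrets.randbelow(DH_P - 2) + 1
            server_pub = pow(DH_G, x, DH_P)
            params = client.random + server_random + server_pub.to_bytes(DH_BYTES, "big")
            sig = self.mgmt.use_private_key(client.sni, "sign", params)            # S306
            client_pub = client.verify_and_reply(cert, params, sig, server_pub)    # S308
            pre_master = pow(client_pub, x, DH_P).to_bytes(DH_BYTES, "big")
        return derive_session_key(pre_master, client.random, server_random), server_random

def demo(mode, domain="www.example.com"):   # provision one site, handshake, compare both ends
    mgmt = ManagementServer()
    mgmt.provision(domain)
    client = Client(domain)
    server_key, server_random = WebServer(mgmt).handshake(client, mode)
    client_key = derive_session_key(client.pre_master, client.random, server_random)
    return hmac.compare_digest(server_key, client_key)

if __name__ == "__main__":
    print("RSA key exchange, session keys agree:", demo("rsa"))
    print("signed DHE, session keys agree:", demo("dhe"))
```

  • Two things the example makes visible that the prose does not. First, the web server holds only public data and the derived session key, so compromising it yields no long-term key; but for as long as it is compromised it can still ask the management server to decrypt or sign on the site's behalf, so the mutually authenticated channel of step S202 should be paired with per-domain authorisation, logging and rate limiting on the management side. Second, the web server still terminates TLS and sees plaintext: the design protects the private key, not the session data.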
  • the embodiments of the present application also provide a system for establishing a secure connection.
  • The system includes a management server 60 and a web server 61 connected in communication, and the web server 61 is also connected in communication with the client; the management server 60 is configured to store the security certificate of the website and the private key corresponding to the security certificate.
  • the above-mentioned web server 61 is configured to obtain the security certificate of the target website from the management server 60 when receiving an access request for the target website sent by the client, and send the obtained security certificate to the client.
  • the web server 61 is further configured to send a private key use request to the management server 60 when the private key corresponding to the security certificate needs to be used for signature or decryption.
  • the management server 60 is configured to receive the private key use request, use the private key corresponding to the security certificate to sign or decrypt the private key use request, and send the processing result to the web server 61 .
  • the web server 61 is also configured to establish a secure connection with the client based on the received processing result. After receiving the processing result returned by the management server 60, the web server 61 generates a session key based on the processing result, so as to establish a secure connection with the client through the session key.
  • the embodiment of the present application provides an apparatus for establishing a secure connection.
  • the apparatus is set on a web server. As shown in FIG. 7 , the apparatus includes:
  • The certificate obtaining module 70 is configured to obtain the security certificate of the target website from the management server if an access request for the target website sent by the client is received; the management server stores the security certificate of the target website and the corresponding private key.
  • the certificate sending module 71 is configured to send the security certificate to the client.
  • The private key use module 72 is configured to send a private key use request to the management server when the private key corresponding to the security certificate is needed for signing or decryption, so that the management server signs or decrypts the private key use request with that private key and returns the processing result.
  • the connection establishment module 73 is configured to receive the processing result returned by the management server, and establish a secure connection with the client based on the processing result.
  • In the above apparatus for establishing a secure connection, if an access request for the target website sent by the client is received, the security certificate of the target website is obtained from the management server, which stores the security certificate of the target website and the private key corresponding to it; the obtained security certificate is then sent to the client; when the private key corresponding to the security certificate is needed for signing or decryption, a private key use request is sent to the management server so that it signs or decrypts the request with that private key and returns the processing result; the processing result returned by the management server is then received, and a secure connection with the client is established based on it.
  • In this apparatus, both the security certificate of the website and its private key are stored in the management server, and there is no need to issue them to the web server in advance.
  • When the client accesses the target website, the web server communicates with the management server in real time and uses the security certificate and private key to establish a connection with the client, thus avoiding leakage of the private key and certificate and improving the security of user data.
  • The access request for the target website carries the domain name of the target website; the certificate obtaining module 70 is configured to: if an access request for the target website sent by the client is received, extract the domain name of the target website carried in the access request; send the domain name to the management server; and receive the security certificate of the target website returned by the management server according to that domain name.
  • The apparatus further includes a key receiving module 74, configured to receive the encrypted pre-master key obtained by the client encrypting its pre-master key with the security certificate.
  • The private key use module 72 is configured to send the encrypted pre-master key to the management server, so that the management server decrypts it using the private key corresponding to the security certificate; the above-mentioned connection establishment module 73.
  • The private key use request carries specified parameters; the private key use module 72 is configured to send a private key use request carrying the specified parameters to the management server, so that the management server signs the specified parameters with the private key corresponding to the security certificate and returns the signature information.
  • The connection establishment module 73 is configured to receive the signature information returned by the management server and send it to the client, so that the client verifies the signature information through the security certificate and obtains the specified parameters, and to establish a secure connection with the client based on the specified parameters.
  • The private key use request carries the target parameter contained in the access request; the private key use module 72 is configured to send a private key use request to the management server, so that the management server signs the private key use request with the private key corresponding to the security certificate, generates a temporary public key based on the target parameter, calculates the shared key by combining the temporary public key and the target parameter, and returns the signature information, the temporary public key and the shared key; the connection establishment module 73 is configured to receive the signature information, the temporary public key and the shared key returned by the management server and send the signature information and the temporary public key to the client, so that the client verifies the signature information through the security certificate and generates the shared key from the temporary public key and the target parameter, and to establish a secure connection with the client based on the shared key.
  • The apparatus further includes an authentication module 75, configured to: before the security certificate of the target website is obtained from the management server, authenticate, using the stored first certificate and the private key corresponding to it, against the second certificate and corresponding private key stored by the management server, and establish a secure connection with the management server.
  • the embodiment of the present application provides another apparatus for establishing a secure connection.
  • the apparatus is set on a management server. As shown in FIG. 8 , the apparatus includes:
  • the certificate determining module 80 is configured to send the saved security certificate of the target website to the web server if an access request for the target website sent by the web server is received; wherein, the access request is sent by the client to the web server.
  • the private key processing module 81 is configured to receive the private key usage request sent by the web server, and use the private key corresponding to the stored security certificate to sign or decrypt the private key usage request to obtain a processing result.
  • the result returning module 82 is configured to send the processing result to the web server, so that the web server establishes a secure connection with the client based on the processing result.
  • The management server stores and manages the security certificate and private key of the website and does not need to provide them to the web server.
  • The web server obtains what it needs from the management server, thus avoiding disclosure of security certificates and private keys; customers can fully control their management, and the deployment of web servers is also quicker and more secure.
  • In this apparatus, the security certificate of the website and its private key are stored in the management server, and there is no need to issue them to the web server in advance.
  • When the client accesses the target website, the web server communicates with the management server in real time and uses the security certificate and private key to establish a connection with the client, thereby avoiding leakage of the private key and the certificate and improving the security of user data.
  • The access request for the target website carries the domain name of the target website; the certificate determination module 80 is configured to search, according to the domain name carried in the received access request, the stored security certificates and corresponding private keys for the security certificate of the target website, and to send the security certificate found to the web server.
  • The apparatus for establishing a secure connection provided by the embodiment of the present application has the same implementation principle and technical effects as the foregoing method for establishing a secure connection; for details, refer to the corresponding content in the method embodiment.
  • The embodiment of the present application further provides an electronic device, as shown in FIG. 9. The electronic device includes a processor 101 and a memory 100, where the memory 100 stores machine-executable instructions that can be executed by the processor 101, and the processor 101 executes the machine-executable instructions to implement the above method of establishing a secure connection.
  • the electronic device shown in FIG. 9 further includes a bus 102 and a communication interface 103 , and the processor 101 , the communication interface 103 and the memory 100 are connected through the bus 102 .
  • The memory 100 may include a high-speed random access memory (RAM) and may also include a non-volatile memory, such as at least one disk memory.
  • The communication connection between this network element of the system and at least one other network element is realized through at least one communication interface 103 (wired or wireless), which may use the Internet, a wide area network, a local area network, a metropolitan area network, and the like.
  • the bus 102 may be an ISA bus, a PCI bus, an EISA bus, or the like.
  • the bus can be divided into an address bus, a data bus, a control bus, and the like. For ease of presentation, only one bidirectional arrow is used in FIG. 9, but it does not mean that there is only one bus or one type of bus.
  • the processor 101 may be an integrated circuit chip with signal processing capability. In the implementation process, each step of the above-mentioned method may be completed by an integrated logic circuit of hardware in the processor 101 or an instruction in the form of software.
  • The above-mentioned processor 101 may be a general-purpose processor, including a central processing unit (CPU), a network processor (NP), etc.; it may also be a digital signal processor (DSP), an application specific integrated circuit (ASIC), a field-programmable gate array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, or a discrete hardware component.
  • a general purpose processor may be a microprocessor or the processor may be any conventional processor or the like.
  • the steps of the method disclosed in conjunction with the embodiments of the present application may be directly embodied as executed by a hardware decoding processor, or executed by a combination of hardware and software modules in the decoding processor.
  • the software modules may be located in random access memory, flash memory, read-only memory, programmable read-only memory or electrically erasable programmable memory, registers and other storage media mature in the art.
  • the storage medium is located in the memory 100, and the processor 101 reads the information in the memory 100, and completes the steps of the methods in the foregoing embodiments in combination with its hardware.
  • Embodiments of the present application further provide a machine-readable storage medium, where the machine-readable storage medium stores machine-executable instructions, and when the machine-executable instructions are invoked and executed by a processor, the machine-executable instructions cause the processor to implement
  • The method, system, apparatus, electronic device and computer program product for establishing a secure connection provided by the embodiments of the present application include a machine-readable storage medium storing program code, and the instructions included in the program code can be configured to execute the foregoing method.
  • the functions, if implemented in the form of software functional units and sold or used as separate products, may be stored in a machine-readable storage medium.
  • In the method, system, apparatus, electronic device and machine-readable storage medium for establishing a secure connection provided by this application, if an access request for a target website sent by a client is received, the security certificate of the target website is obtained from the management server that stores the security certificate of the target website and the corresponding private key; the obtained security certificate is then sent to the client; when the private key corresponding to the security certificate is needed for signing or decryption, a private key use request is sent to the management server, which signs or decrypts the request with that private key and returns the processing result; the processing result returned by the management server is then received, and a secure connection with the client is established based on it.
  • In this way, the security certificate of the website and its private key are stored in the management server, and there is no need to issue them in advance; when the client accesses the target website, the web server communicates with the management server in real time and uses the security certificate and private key to establish a connection with the client, thus avoiding leakage of the private key and certificate and improving the security of user data.
  • The technical solution of the present application, in essence or in the part that contributes to the prior art, can be embodied in the form of a software product.
  • The computer software product is stored in a storage medium and includes several instructions for causing a computer device (which may be a personal computer, an electronic device, a network device, etc.) to execute all or part of the steps of the methods described in the embodiments of the present application.
  • The aforementioned storage medium includes a USB flash drive, a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk, an optical disk, or other media that can store program code.
  • This application can be applied to the technical field of data security, and provides a method, system, apparatus, electronic device and machine-readable storage medium for establishing a secure connection.
  • In this application, the security certificate of the website and its private key are stored only in the management server, and there is no need to issue them in advance.
  • When the client accesses the target website, a connection is established with the client by means of the management server using the security certificate and private key, thereby avoiding leakage of the private key and the certificate and improving data security.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer And Data Communications (AREA)

Abstract

The present application provides a method, system and apparatus for establishing a secure connection, an electronic device, and a machine-readable storage medium. The method comprises: upon receipt of an access request to a target website sent by a client, obtaining a security certificate from a management server storing the security certificate of the target website and a private key of the security certificate; sending the security certificate to the client; when the private key of the security certificate needs to be used to sign or decrypt, sending a private key usage request to the management server, so that the management server uses the private key of the security certificate to sign or decrypt the private key usage request; and receiving a processing result returned by the management server, and establishing a secure connection with the client on the basis of the processing result. In this method, the security certificate of the website and the private key of the security certificate are only stored in the management server; it is unnecessary to deliver the security certificate and the private key in advance; when the client accesses a target website, a connection is established with the client by means of the management server using the security certificate and the private key, thereby avoiding leakage of the private key and the certificate, and improving the data security.

Description

Method, system, apparatus, electronic device, and machine-readable storage medium for establishing a secure connection

Cross-reference to related applications

This application claims priority to Chinese Patent Application No. 202011341971.4, entitled "Method, System, Apparatus and Electronic Device for Establishing a Secure Connection", filed with the China Patent Office on November 24, 2020, the entire contents of which are incorporated herein by reference.

Technical field

The present application relates to the technical field of data security, and in particular to a method, system, apparatus, electronic device, and machine-readable storage medium for establishing a secure connection.

Background

HTTPS (Hypertext Transfer Protocol over Secure Socket Layer) is a security-oriented HTTP (Hypertext Transfer Protocol) channel: on top of HTTP it adds transport encryption and identity authentication to protect the data in transit. Using HTTPS follows the requirements of PKI (Public Key Infrastructure): the service provider must supply a certificate and the corresponding private key, and then establishes a secure connection with the client. In practice, once an origin site uses a CDN (Content Delivery Network), the HTTPS connection that the client used to establish with the origin is instead established with the CDN node, which performs the handshake on behalf of the origin. The origin's certificate and private key therefore have to be deployed on the CDN nodes. Because there are many CDN nodes and a very large number of servers overall, the certificate and private key end up stored on the cache server of every node, which makes leakage of the private key and certificate likely and in turn threatens user data security.

Summary of the invention

The purpose of the present application is to provide a method, system, apparatus, electronic device and machine-readable storage medium for establishing a secure connection, so as to reduce the risk of private key and certificate leakage and thereby protect user data security.

In a first aspect, an embodiment of the present application provides a method for establishing a secure connection. The method includes: if an access request for a target website sent by a client is received, obtaining the security certificate of the target website from a management server, where the management server stores the security certificate of the target website and the private key corresponding to that certificate; sending the security certificate to the client; when the private key corresponding to the security certificate is needed for signing or decryption, sending a private key use request to the management server so that the management server signs or decrypts the private key use request with the private key corresponding to the security certificate and returns the processing result; and receiving the processing result returned by the management server and establishing a secure connection with the client on the basis of the processing result.

In one embodiment, the access request for the target website carries the domain name of the target website, and the step of obtaining the security certificate of the target website from the management server when the access request is received includes: extracting the domain name of the target website carried in the access request; sending the domain name to the management server; and receiving the security certificate of the target website that the management server returns for that domain name.

In one embodiment, after the step of sending the security certificate to the client, the method further includes receiving an encrypted pre-master secret that the client produced by encrypting its pre-master secret with the security certificate. The step of sending a private key use request to the management server then includes sending the encrypted pre-master secret to the management server so that the management server decrypts it with the private key corresponding to the security certificate, and the step of establishing the secure connection includes receiving the decrypted pre-master secret from the management server and establishing the secure connection with the client on the basis of that pre-master secret.

In one embodiment, the private key use request carries specified parameters. The step of sending the private key use request to the management server includes sending a request carrying the specified parameters so that the management server signs the specified parameters with the private key corresponding to the security certificate and returns the signature. The step of establishing the secure connection includes receiving the signature from the management server and forwarding it to the client so that the client verifies it against the security certificate and obtains the specified parameters, and establishing the secure connection with the client on the basis of those parameters.

In one embodiment, the private key use request carries the target parameters contained in the access request. The step of sending the private key use request includes sending it to the management server so that the management server signs the request with the private key corresponding to the security certificate, generates an ephemeral public key on the basis of the target parameters, computes a shared secret from the ephemeral key and the target parameters, and returns the signature, the ephemeral public key and the shared secret. The step of establishing the secure connection includes receiving the signature, the ephemeral public key and the shared secret from the management server and sending the signature and the ephemeral public key to the client, so that the client verifies the signature against the security certificate and, on success, derives the shared secret from the ephemeral public key and the target parameters; the secure connection with the client is then established on the basis of the shared secret.

In one embodiment, before the step of obtaining the security certificate of the target website from the management server, the method further includes authenticating with the management server using a stored first certificate and the private key corresponding to it against a second certificate and corresponding private key stored on the management server (that is, mutual certificate authentication between the web server and the management server), and establishing a secure connection with the management server.

In a second aspect, an embodiment of the present application provides a method for establishing a secure connection that includes: if an access request for a target website sent by a web server is received, sending the stored security certificate of the target website to the web server, the access request having been sent to the web server by a client; receiving a private key use request sent by the web server, and signing or decrypting the request with the stored private key corresponding to the security certificate to obtain a processing result; and sending the processing result to the web server so that the web server establishes a secure connection with the client on the basis of it.

In one embodiment, the access request for the target website carries the domain name of the target website, and the step of sending the stored security certificate of the target website to the web server includes: looking up the security certificate of the target website among the stored security certificates and corresponding private keys according to the domain name carried in the received access request; and sending the certificate found to the web server.

In a third aspect, an embodiment of the present application provides a system for establishing a secure connection. The system includes a management server and a web server that are communicatively connected. The management server is configured to store websites' security certificates and the corresponding private keys. The web server is configured, on receiving an access request for a target website from a client, to obtain the target website's security certificate from the management server and send it to the client, and, when the private key corresponding to the security certificate is needed for signing or decryption, to send a private key use request to the management server. The management server is configured to receive the private key use request, sign or decrypt it with the private key corresponding to the security certificate, and send the processing result to the web server. The web server is further configured to establish a secure connection with the client on the basis of the received processing result.

In a fourth aspect, an embodiment of the present application provides an apparatus for establishing a secure connection, including: a certificate obtaining module configured, when an access request for a target website is received from a client, to obtain the target website's security certificate from a management server that stores the certificate and the corresponding private key; a certificate sending module configured to send the security certificate to the client so that the client encrypts its pre-master secret with it; a private key use module configured, when the private key corresponding to the certificate is needed for signing or decryption, to send a private key use request to the management server so that the management server signs or decrypts the request with that private key and returns the processing result; and a connection establishing module configured to receive the processing result from the management server and establish a secure connection with the client on the basis of it.

In a fifth aspect, an embodiment of the present application provides an apparatus for establishing a secure connection, including: a certificate determining module configured, when an access request for a target website is received from a web server (the access request having been sent to the web server by a client), to send the stored security certificate of the target website to the web server; a private key processing module configured to receive a private key use request from the web server and sign or decrypt it with the stored private key corresponding to the security certificate to obtain a processing result; and a result returning module configured to send the processing result to the web server so that the web server establishes a secure connection with the client on the basis of it.

In a sixth aspect, an embodiment of the present application provides an electronic device including a processor and a memory. The memory stores machine-executable instructions that the processor can execute, and the processor executes them to implement the method of the first aspect or the method of the second aspect.

In a seventh aspect, an embodiment of the present application provides a machine-readable storage medium storing machine-executable instructions which, when invoked and executed by a processor, cause the processor to implement the method of the first aspect or the method of the second aspect.

Other features and advantages of the present application are set out in the description that follows; some may be inferred or unambiguously determined from the description, or learned by practising the techniques described above.

To make the above objects, features and advantages of the present application clearer and easier to understand, preferred embodiments are described in detail below with reference to the accompanying drawings.

Brief description of the drawings

To describe the specific embodiments of the present application or the technical solutions in the prior art more clearly, the drawings needed for their description are briefly introduced below. The drawings described below show some embodiments of the present application; those of ordinary skill in the art can obtain other drawings from them without creative effort.

FIG. 1 is a flowchart of a method for establishing a secure connection provided by an embodiment of the present application;

FIG. 2 is a flowchart of another method for establishing a secure connection provided by an embodiment of the present application;

FIG. 3 is a flowchart of another method for establishing a secure connection provided by an embodiment of the present application;

FIG. 4 is a flowchart of another method for establishing a secure connection provided by an embodiment of the present application;

FIG. 5 is a flowchart of another method for establishing a secure connection provided by an embodiment of the present application;

FIG. 6 is a schematic structural diagram of a system for establishing a secure connection provided by an embodiment of the present application;

FIG. 7 is a schematic structural diagram of an apparatus for establishing a secure connection provided by an embodiment of the present application;

FIG. 8 is a schematic structural diagram of another apparatus for establishing a secure connection provided by an embodiment of the present application;

FIG. 9 is a schematic structural diagram of an electronic device provided by an embodiment of the present application.

Detailed description of embodiments

To make the purposes, technical solutions and advantages of the embodiments of the present application clearer, the technical solutions in the embodiments are described below clearly and completely with reference to the accompanying drawings. The described embodiments are some, not all, of the embodiments of the present application. The components of the embodiments, as generally described and illustrated in the drawings herein, may be arranged and designed in a variety of different configurations.

The following detailed description of the embodiments of the present application provided in the drawings is therefore not intended to limit the scope of the application as claimed, but merely represents selected embodiments. All other embodiments obtained by those of ordinary skill in the art on the basis of the embodiments herein without creative effort fall within the scope of protection of the present application.

HTTPS encrypts HTTP requests and responses and thereby provides data integrity, confidentiality and authentication. Its use follows the requirements of PKI: the service provider supplies a certificate and the corresponding private key and then establishes a secure connection with the client. In practice, once a website uses a CDN, the HTTPS connection that the client used to establish with the origin is established with the CDN node instead, i.e. the CDN node performs the handshake on behalf of the origin, so the website's certificate and private key must be deployed on the CDN node for it to complete the SSL (Secure Sockets Layer)/TLS (Transport Layer Security) handshake. Because there are many CDN nodes and a huge number of servers overall, the certificate and private key are stored on the cache server of every node; this enlarges the attack surface of the private key and certificate, creates a risk of leakage, and in turn threatens user data security.

In the related art, the origin must send both the certificate and the private key to the server side (corresponding to the CDN node above) so that the server side can perform the SSL/TLS handshake with the client using them. The handshake based on the RSA (Rivest-Shamir-Adleman) algorithm proceeds as follows:

1. Client hello: the client sends the server a domain-name access request containing, among other things, the SNI (Server Name Indication) and the encryption algorithms (cipher suites) the client supports.

2. Server hello: after receiving the access request, the server responds with its handshake information, including the negotiated cipher suite and the digital certificate. The digital certificate is essentially the server's public key together with additional information: the issuing authority, the expiry time, the server's public key itself, the signature of the third-party certificate authority, the server's domain name, and so on.

3. The client parses the digital certificate and first checks that it is valid (issuing authority, expiry time and so on). If anything is wrong, a warning dialog reports a problem with the certificate; otherwise the client generates a random pre-master secret, encrypts it with the public key from the certificate, and sends the encrypted pre-master secret to the server.

4. The server decrypts the received encrypted pre-master secret with the private key corresponding to the certificate. Both client and server now hold the pre-master secret, from which they can jointly derive a session key.

5. The client encrypts a message with the session key and sends it to the server, mainly to verify that the server can correctly receive messages encrypted by the client.

6. The server likewise encrypts a message with the session key and returns it to the client; if the client can decrypt it, the SSL/TLS connection is established.
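The six steps above, with the decryption of step 4 moved to a separate management server as in the pre-master secret embodiment of the first aspect, written out as a Go program. This is an added illustration, not code from the patent or from Kingsoft Cloud; the names ManagementServer, Handshake and DecryptPremaster, the domain www.example.com, the DER public key that stands in for the X.509 certificate, and the SHA-256 hash that stands in for the TLS 1.2 PRF are all assumptions made for the example.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"errors"
	"fmt"
)

// ManagementServer keeps each site's RSA private key and only answers
// private-key use requests; the key material itself is never returned.
type ManagementServer struct{ keys map[string]*rsa.PrivateKey }

func NewManagementServer(domain string) (*ManagementServer, error) {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &ManagementServer{keys: map[string]*rsa.PrivateKey{domain: k}}, nil
}

// Certificate answers the edge's lookup by domain (step S102); a DER public
// key stands in for the X.509 certificate in this illustration (assumption).
func (m *ManagementServer) Certificate(domain string) ([]byte, error) {
	k, ok := m.keys[domain]
	if !ok {
		return nil, errors.New("no certificate for " + domain)
	}
	return x509.MarshalPKCS1PublicKey(&k.PublicKey), nil
}

// DecryptPremaster is the private-key use request of the RSA key exchange.
func (m *ManagementServer) DecryptPremaster(domain string, ct []byte) ([]byte, error) {
	k, ok := m.keys[domain]
	if !ok {
		return nil, errors.New("no private key for " + domain)
	}
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, k, ct, []byte("premaster"))
}

func random(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// sessionKey is a deliberately simplified stand-in for the TLS 1.2 PRF.
func sessionKey(premaster, clientRandom, serverRandom []byte) []byte {
	h := sha256.New()
	h.Write(premaster)
	h.Write(clientRandom)
	h.Write(serverRandom)
	return h.Sum(nil)
}

// Handshake plays client, edge node and management server in-process and
// returns the session keys that the client and the edge each derived.
func Handshake(ms *ManagementServer, domain string) (clientKey, edgeKey []byte, err error) {
	clientRandom, serverRandom := random(32), random(32)
	// 1-2. The client hello names the site; the edge, which holds no key,
	// fetches the certificate from the management server and forwards it.
	certDER, err := ms.Certificate(domain)
	if err != nil {
		return nil, nil, err
	}
	// 3. The client encrypts a fresh pre-master secret to the certificate's key.
	pub, err := x509.ParsePKCS1PublicKey(certDER)
	if err != nil {
		return nil, nil, err
	}
	premaster := random(48)
	encrypted, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, premaster, []byte("premaster"))
	if err != nil {
		return nil, nil, err
	}
	clientKey = sessionKey(premaster, clientRandom, serverRandom)
	// 4. The edge cannot decrypt: it forwards the ciphertext as a private-key
	// use request and gets back only the pre-master secret, never the key.
	edgePremaster, err := ms.DecryptPremaster(domain, encrypted)
	if err != nil {
		return nil, nil, err
	}
	edgeKey = sessionKey(edgePremaster, clientRandom, serverRandom)
	// 5-6. With equal keys both sides can now exchange the encrypted finished messages.
	return clientKey, edgeKey, nil
}

func main() {
	ms, err := NewManagementServer("www.example.com")
	if err != nil {
		panic(err)
	}
	ck, ek, err := Handshake(ms, "www.example.com")
	fmt.Println("error:", err, "session keys match:", string(ck) == string(ek))
}
```

The edge side of Handshake (steps 1, 2 and 4) holds only the certificate bytes and the ciphertext; the only value it ever learns from the management server is the per-connection pre-master secret. That is also the caveat a practitioner should keep in mind: a compromised CDN node can still ask the management server to decrypt any ClientKeyExchange it has captured for as long as the node stays authorised, so the edge-to-management channel needs the mutual certificate authentication the summary describes, plus per-node authorisation and audit logging on the management side, and forward secrecy argues for the signed-ECDHE flow rather than RSA key exchange.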

In a handshake based on the DH (Diffie-Hellman) key exchange algorithm, the first two steps are the same as in the RSA-based handshake. In the third step the server signs the specified key exchange parameters with the private key corresponding to the digital certificate and sends the signature to the client; the client verifies the signature against the digital certificate and, on success, obtains the specified parameters, from which the session key between client and server is established.

In a TLS 1.3 handshake, the client first sends a client hello, which mainly contains the protocol versions, session identifier, cipher suites and (legacy) compression methods it supports, extensions (key share, pre-shared key, pre-shared key modes and so on) and the parameters to be used for key agreement. The server then replies with a server hello containing the selected cipher suite and sends the certificate to the client; it signs the handshake messages with the private key corresponding to the certificate and sends the result to the client; it generates an ephemeral public key using the parameters the client provided and, combined with the selected parameters, computes the shared secret that will encrypt the HTTP messages; the server's ephemeral public key is sent to the client in a key_share message. After receiving the key share, the client verifies the signature with the certificate's public key, obtains the server's ephemeral public key and derives the shared secret needed for the session; both sides then encrypt their messages with the shared secret.
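The DH and TLS 1.3 descriptions above, and the signing embodiments in the summary, map directly onto Go's crypto/tls, which only requires the server key to implement crypto.Signer. The following added example is not code from the patent or from any CDN vendor: it runs a real loopback TLS 1.3 handshake in which the edge's tls.Certificate carries the certificate and a remoteSigner instead of a key, so the CertificateVerify signature becomes a private-key use request to an in-process ManagementServer. The type and function names, the host www.example.com and the self-signed certificate are assumptions made for the example.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"io"
	"math/big"
	"net"
	"time"
)

// ManagementServer owns the site's ECDSA key and hands out only the certificate.
type ManagementServer struct {
	key     *ecdsa.PrivateKey
	CertDER []byte // the one thing the edge is allowed to fetch
	signs   int64  // private-key use requests served
}

func NewManagementServer(host string) (*ManagementServer, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{ // self-signed for the demo (assumption); a CA-issued cert works the same way
		SerialNumber: big.NewInt(1),
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return &ManagementServer{key: key, CertDER: der}, nil
}

// Sign is the private-key use request: the edge sends a transcript digest and
// gets back only the signature (in production an RPC over the mutually authenticated channel).
func (m *ManagementServer) Sign(digest []byte) ([]byte, error) {
	m.signs++
	return ecdsa.SignASN1(rand.Reader, m.key, digest)
}

// remoteSigner replaces the key in tls.Certificate: crypto/tls needs only a crypto.Signer,
// so CertificateVerify (TLS 1.3) or ServerKeyExchange (TLS 1.2 ECDHE) is signed remotely.
type remoteSigner struct {
	pub crypto.PublicKey
	ms  *ManagementServer
}

func (r remoteSigner) Public() crypto.PublicKey { return r.pub }
func (r remoteSigner) Sign(_ io.Reader, digest []byte, _ crypto.SignerOpts) ([]byte, error) {
	return r.ms.Sign(digest)
}

// EdgeHandshake runs a loopback TLS 1.3 handshake between a client and an edge that holds
// the certificate but no key; it returns the negotiated version and the signature count.
func EdgeHandshake(ms *ManagementServer, host string) (uint16, int64, error) {
	leaf, err := x509.ParseCertificate(ms.CertDER)
	if err != nil {
		return 0, 0, err
	}
	edgeCfg := &tls.Config{
		Certificates:           []tls.Certificate{{Certificate: [][]byte{ms.CertDER}, PrivateKey: remoteSigner{leaf.PublicKey, ms}}},
		MinVersion:             tls.VersionTLS13,
		SessionTicketsDisabled: true, // keeps post-handshake records off the loopback pipe
	}
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	clientCfg := &tls.Config{RootCAs: pool, ServerName: host, MinVersion: tls.VersionTLS13}
	before := ms.signs
	clientSide, edgeSide := net.Pipe()
	defer clientSide.Close() // also unblocks the edge goroutine if the client side fails
	edgeErr := make(chan error, 1)
	go func() { edgeErr <- tls.Server(edgeSide, edgeCfg).Handshake() }()
	client := tls.Client(clientSide, clientCfg)
	if err := client.Handshake(); err != nil {
		return 0, 0, err
	}
	if err := <-edgeErr; err != nil {
		return 0, 0, err
	}
	return client.ConnectionState().Version, ms.signs - before, nil
}

func main() {
	ms, err := NewManagementServer("www.example.com")
	if err != nil {
		panic(err)
	}
	ver, n, err := EdgeHandshake(ms, "www.example.com")
	fmt.Printf("version=%#x signatures=%d err=%v\n", ver, n, err)
}
```

Two points differ from the embodiment in which the management server also returns the shared secret: here only the signature is delegated, and the ECDHE key share and shared secret are computed on the edge, which is the natural split because the ephemeral key never needs the long-term private key (an RSA certificate used with TLS 1.2 RSA key exchange would additionally need remoteSigner to implement crypto.Decrypter). Note also that Sign is a raw signing oracle: the management server cannot tell a genuine transcript digest from an attacker-chosen one, so a compromised node can obtain valid signatures for as long as it stays authorised. That is why the first-certificate/second-certificate authentication between web server and management server described in the summary, together with per-node authorisation and audit logging on the management side, is essential.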

一般来讲,对于安全要求更为严苛的客户,不希望将私钥暴露给CDN节点,如果对于安全要求更高或者部署条件更为苛刻的情况下,客户希望将证书和私钥都不暴露给CDN节点。Generally speaking, for customers with more stringent security requirements, they do not want to expose the private key to CDN nodes. If the security requirements are higher or the deployment conditions are more stringent, the customer wants to expose neither the certificate nor the private key. to CDN nodes.

基于上述问题,本申请实施例提供了一种建立安全连接的方法、系统、装置、电子设备和机器可读存储介质,该技术可以应用于HTTPS接入场景中,尤其是SSL/TSL握手场景。为便于对本实施例进行理解,首先对本申请实施例所公开的一种建立安全连接的方法进行详细介绍,该方法应用于网页服务器,该网页服务器相当于上述CDN节点,该网页服务器分别与客户端和管理服务器通信,该客户端可以是移动终端,例如,手机、平板电脑、智能手环等,也可以是计算机;管理服务器可以是一台单独的物理服务器,该管理服务器中预先保存有至少一个网站的安全证书(相当于上述数字证书),以及该安全证书对应的私钥。Based on the above problems, the embodiments of the present application provide a method, system, apparatus, electronic device, and machine-readable storage medium for establishing a secure connection. The technology can be applied to an HTTPS access scenario, especially an SSL/TSL handshake scenario. In order to facilitate the understanding of this embodiment, a method for establishing a secure connection disclosed in this embodiment of the present application is first introduced in detail. The method is applied to a web server, and the web server is equivalent to the above-mentioned CDN node, and the web server is connected to the client respectively. Communicate with the management server, the client can be a mobile terminal, for example, a mobile phone, a tablet computer, a smart bracelet, etc., or a computer; the management server can be a separate physical server, and at least one The security certificate of the website (equivalent to the above digital certificate), and the private key corresponding to the security certificate.

如图1所示,上述建立安全连接的方法包括如下步骤:As shown in Figure 1, the above method for establishing a secure connection includes the following steps:

步骤S102,如果接收到客户端发送的针对目标网站的访问请求,从管理服务器中获取目标网站的安全证书。Step S102, if an access request for the target website sent by the client is received, obtain the security certificate of the target website from the management server.

The target website is usually the website the customer wants to access; it provides the customer with corresponding services, and which services it provides can be set according to the development requirements of the developers of the target website. In implementation, when the web server receives the access request for the target website sent by the client, it forwards the access request to the management server, or sends a certificate acquisition request to the management server based on the access request, so that the management server looks up the security certificate of the target website among the security certificates it stores and returns the security certificate found to the web server.

In implementation, when a user accesses the target website through the client, the client sends an HTTPS GET request (corresponding to the access request described above) to the web server. In the course of an HTTPS GET request, according to the SSL/TLS protocol, a "handshake" is performed first; during the SSL/TLS handshake, the specific form of the access request for the target website may be a client hello message.

Step S104: send the above security certificate to the client.

After the web server receives the security certificate of the target website, it sends the security certificate to the client. During the SSL/TLS handshake, the specific form in which the web server sends the security certificate to the client may be a server hello message.

Step S106: when the private key corresponding to the security certificate needs to be used for signing or decryption, send a private key use request to the management server, so that the management server signs or decrypts the private key use request using the private key corresponding to the security certificate and returns the processing result.

Because the private key corresponding to the security certificate is needed for signing or decryption when the web server establishes a secure connection with the client, the web server needs to send a private key use request to the management server. The private key use request may carry the information to be signed or the information to be decrypted, so that the management server uses the private key corresponding to the security certificate to sign the information to be signed, or to decrypt the information to be decrypted, and returns the processing result to the web server.

Step S108: receive the processing result returned by the management server, and establish a secure connection with the client based on the processing result.

After receiving the processing result returned by the management server, the web server generates a session key based on the processing result, and establishes a secure connection with the client by means of that session key.

In the method for establishing a secure connection provided by the embodiments of the present application, if an access request for a target website sent by the client is received, the security certificate of the target website is obtained from a management server that stores the security certificate of the target website and the private key corresponding to the security certificate; the obtained security certificate is then sent to the client; when the private key corresponding to the security certificate needs to be used for signing or decryption, a private key use request is sent to the management server so that the management server signs or decrypts the private key use request using the private key corresponding to the security certificate and returns the processing result; the processing result returned by the management server is then received, and a secure connection with the client is established based on it. In this approach, both the security certificate of the website and the private key of that security certificate are stored in the management server, and there is no need to issue the security certificate and private key in advance; when the client accesses the target website, the security certificate and private key are used by communicating with the management server in real time to establish the connection with the client, which avoids leakage of the private key and certificate and improves the security of user data.

The embodiments of the present application further provide another method for establishing a secure connection, implemented on the basis of the method of the embodiment above. This method focuses on the specific process of obtaining the security certificate of the target website from the management server when an access request for the target website sent by the client is received (implemented through steps S204-S208 below); on the process of sending a private key use request to the management server when the private key corresponding to the security certificate needs to be used for signing or decryption, so that the management server signs or decrypts the private key use request using the private key corresponding to the security certificate and returns the processing result (implemented through step S212 below); and on the process of receiving the processing result returned by the management server and establishing a secure connection with the client based on it (implemented through step S214 below). As shown in Figure 2, the method includes the following steps:

Step S202: authenticate, using the stored first certificate and the private key corresponding to the first certificate, against the second certificate stored by the management server and the private key corresponding to the second certificate, and establish a secure connection with the management server.

The first certificate and its corresponding private key serve to prove the identity of the web server and are stored in the web server in advance; the second certificate and its corresponding private key serve to prove the identity of the management server and are stored in the management server in advance. To establish the secure connection between the web server and the management server, the web server sends the first certificate to the management server and the management server sends the second certificate to the web server, so that the two authenticate each other. After authentication succeeds, the web server can encrypt session information with the private key corresponding to the first certificate so that the management server decrypts it with the public key in the first certificate, and the management server can likewise encrypt session information with the private key corresponding to the second certificate so that the web server decrypts it with the public key in the second certificate.

Step S204: if an access request for the target website sent by the client is received, extract the domain name of the target website carried in the access request.

In implementation, the access request for the target website may carry information such as the domain name of the target website and SNI information.

Step S206: send the domain name of the target website to the management server.

Step S208: receive the security certificate of the target website returned by the management server according to the domain name of the target website.

When the management server receives the domain name of the target website, it can look up, among the security certificates and corresponding private keys it stores, the security certificate corresponding to that domain name, that is, the security certificate of the target website, and send the security certificate found to the web server.

Step S210: send the above security certificate to the client, so that the client uses the security certificate to encrypt the client's pre-master key.

When the client receives the security certificate, it verifies whether the public key in the security certificate is valid, for example by checking the issuing authority and the expiry time. If an anomaly is found, a warning dialog is shown indicating that there is a problem with the security certificate; if the certificate is fine, a pre-master key is randomly generated and encrypted with the public key in the security certificate, and the encrypted pre-master key is sent to the web server. The pre-master key is usually a 48-bit data block; it randomly combines the client and the web server, and a session key is randomly created in the web server with a pseudo-random function.

In implementation, when the web server receives the security certificate of the target website sent by the management server, it sends the security certificate to the client; it may also cache the received security certificate of the target website for a specified time, so that when another client sends an access request for the target website within that specified time, the certificate is returned to that client directly.

Step S212: receive the encrypted pre-master key sent by the client, and send the encrypted pre-master key to the management server, so that the management server decrypts the encrypted pre-master key using the private key corresponding to the security certificate.

When the web server receives the encrypted pre-master key sent by the client, it sends the encrypted pre-master key to the management server, and the management server decrypts the encrypted pre-master key using the private key corresponding to the security certificate of the target website, obtaining the decrypted pre-master key.

Step S214: receive the decrypted pre-master key returned by the management server, and establish a secure connection with the client based on the pre-master key.

After the web server receives the decrypted pre-master key returned by the management server, it stores the pre-master key. At this point the client and the web server hold the same pre-master key, from which they can jointly obtain a session key. The client then encrypts a message with the session key and sends it to the web server to verify that the server can correctly receive encrypted messages sent by the client; the web server likewise encrypts a message with the session key and sends it back to the client. If the client can receive it correctly, the SSL/TLS handshake is complete, that is, a secure connection between the web server and the client has been established.

In implementation, steps S204-S214 above are logic inserted into the SSL/TLS handshake phase. The SSL/TLS handshake phase is essentially for computing a symmetric key: the security certificate serves to confirm to the client the legitimacy of the target website, and the private key corresponding to the security certificate serves to compute the final symmetric key. In the handshake phase, the client sends an HTTPS request (corresponding to the access request for the target website described above) to the web server; the web server, acting as the server side, aims throughout the handshake to agree a symmetric key with the client. In the course of computing the symmetric key, certain key information must be computed from related information by private key signing or private key decryption in order to generate the final symmetric key. The process is as follows: after receiving the security certificate, the client encrypts the randomly generated pre-master key with the public key in the security certificate and sends the encrypted pre-master key to the web server; the web server encodes the encrypted pre-master key together with the unique identifier of the relevant key using a private protocol and passes them to the management server; the management server completes the computation (that is, decrypts the encrypted pre-master key using the private key corresponding to the security certificate to obtain the decrypted pre-master key) and returns the result to the web server. The web server receives the decrypted pre-master key and establishes a secure connection with the client based on it. The private protocol is usually a set of protocol standards defined internally by the enterprise, applicable only to the enterprise's own device products.

Throughout the handshake, the security certificate and private key are held by the management server rather than issued to and stored in the web server. On one hand, this hands management authority over the security certificate and private key to the management server, which is convenient for management and lets the customer keep full control over the management of the security certificate and private key; on the other hand, it also eliminates the possibility of the web server leaking the security certificate and private key.

In the above method for establishing a secure connection, the management server stores and manages the security certificate and private key of the website, and the security certificate and private key need not be provided to the web server; when they are to be used, the web server obtains them from the management server. This avoids leakage of the security certificate and private key, and the customer has full control over their management; at the same time, deployment of the web server is simpler and more secure. In this approach, both the security certificate of the website and the private key of that security certificate are stored in the management server and need not be issued to the web server in advance; when the client accesses the target website, the web server uses the security certificate and private key by communicating with the management server in real time to establish a secure connection with the client, which avoids leakage of the private key and certificate and improves the security of user data.
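The Figure 2 flow above, with the private key decryption split out of the web server, as an added example in Go; this is not code from the patent or from its assignee. The management server, web server and client run in one process here, and the type and function names (ManagementServer, RelayHandshake, clientEncryptPreMaster), the domain example.com and the self-signed certificate are this example's own assumptions; the step S202 mutual-TLS channel and the private protocol of step S212 are not modelled. The pre-master secret is the 48-byte TLS 1.2 pre_master_secret, and the session key derivation is an HMAC stand-in for the TLS PRF.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"fmt"
	"math/big"
	"time"
)

// ManagementServer keeps every site's certificate and private key; the web server only ever sees certificates and private key operation outputs.
type ManagementServer struct {
	certs map[string][]byte          // domain -> certificate (DER)
	keys  map[string]*rsa.PrivateKey // domain -> private key, never leaves here
}

func NewManagementServer() *ManagementServer {
	return &ManagementServer{certs: map[string][]byte{}, keys: map[string]*rsa.PrivateKey{}}
}

// Provision creates a self-signed certificate and key for domain (a stand-in for the customer uploading real ones).
func (m *ManagementServer) Provision(domain string) error {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), DNSNames: []string{domain},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(24 * time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return err
	}
	m.certs[domain], m.keys[domain] = der, key
	return nil
}

// Certificate answers the domain-name lookup of steps S206-S208 (nil if the domain is unknown).
func (m *ManagementServer) Certificate(domain string) []byte { return m.certs[domain] }

// DecryptPreMaster answers the private key use request of step S212: ciphertext in, 48-byte pre_master_secret out, key stays here.
func (m *ManagementServer) DecryptPreMaster(domain string, ct []byte) ([]byte, error) {
	key, ok := m.keys[domain]
	if !ok {
		return nil, fmt.Errorf("no private key for %q", domain)
	}
	pm, err := rsa.DecryptPKCS1v15(rand.Reader, key, ct)
	if err != nil || len(pm) != 48 {
		return nil, fmt.Errorf("pre-master decryption failed (err=%v, len=%d)", err, len(pm))
	}
	return pm, nil
}

// deriveSessionKey stands in for the TLS PRF: both sides run it over the same inputs and must agree.
func deriveSessionKey(preMaster, transcript []byte) []byte {
	mac := hmac.New(sha256.New, preMaster)
	mac.Write(transcript)
	return mac.Sum(nil)
}

// clientEncryptPreMaster is the client side of step S210: check the certificate, then encrypt a fresh pre-master secret to its public key.
func clientEncryptPreMaster(certDER []byte, domain string) (preMaster, encrypted []byte, err error) {
	cert, err := x509.ParseCertificate(certDER)
	if err != nil {
		return nil, nil, err
	}
	if err := cert.VerifyHostname(domain); err != nil { // a real client also checks the chain and validity period
		return nil, nil, err
	}
	pub, ok := cert.PublicKey.(*rsa.PublicKey)
	if !ok {
		return nil, nil, fmt.Errorf("certificate does not carry an RSA key")
	}
	preMaster = make([]byte, 48)
	if _, err := rand.Read(preMaster); err != nil {
		return nil, nil, err
	}
	encrypted, err = rsa.EncryptPKCS1v15(rand.Reader, pub, preMaster)
	return preMaster, encrypted, err
}

// RelayHandshake is the web server's part of steps S204-S214: it holds no site key and only relays; it returns both derived keys.
func RelayHandshake(mgmt *ManagementServer, domain string) (serverKey, clientKey []byte, err error) {
	certDER := mgmt.Certificate(domain) // S204-S208: ask by the domain name the client sent
	if certDER == nil {
		return nil, nil, fmt.Errorf("no certificate for %q", domain)
	}
	clientPM, encPM, err := clientEncryptPreMaster(certDER, domain) // S210
	if err != nil {
		return nil, nil, err
	}
	preMaster, err := mgmt.DecryptPreMaster(domain, encPM) // S212
	if err != nil {
		return nil, nil, err
	}
	return deriveSessionKey(preMaster, certDER), deriveSessionKey(clientPM, certDER), nil // S214, certificate bytes stand in for the transcript
}
```

Two points the split makes visible: the management server hands the decrypted pre-master secret back in the clear, so the step S202 channel between web server and management server is what protects it in transit; and the decryption request is keyed by domain, so the management server can refuse to apply one site's key to a request made for another.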

The embodiments of the present application further provide another method for establishing a secure connection, implemented on the basis of the method of the embodiments above. This method focuses on the process of sending a private key use request to the management server when the private key corresponding to the security certificate needs to be used for signing or decryption, so that the management server signs or decrypts the private key use request using the private key corresponding to the security certificate and returns the processing result (implemented through step S306 below), and on the process of receiving the processing result returned by the management server and establishing a secure connection with the client based on it (implemented through step S308 below). As shown in Figure 3, the method includes the following steps:

Step S302: if an access request for the target website sent by the client is received, obtain the security certificate of the target website from the management server.

Step S304: send the above security certificate to the client.

Step S306: send a private key use request carrying a specified parameter to the management server, so that the management server signs the specified parameter using the private key corresponding to the security certificate and returns the signature information.

After the web server sends the security certificate to the client, it sends a private key use request carrying the specified parameter to the management server; on receiving the private key use request, the management server signs the specified parameter using the private key corresponding to the security certificate, obtains the signature information, and returns the signature information to the web server. The specified parameter may be a Hellman parameter, i.e. a Diffie-Hellman parameter.

Step S308: receive the signature information returned by the management server and send the signature information to the client, so that the client verifies the signature information against the security certificate and obtains the specified parameter; establish a secure connection with the client based on the specified parameter.

The web server sends the signature information received from the management server to the client, and the client verifies the signature information using the security certificate it received; after successful verification it obtains the specified parameter. Both the web server and the client then hold the specified parameter, so both can establish a session key from it, that is, a secure connection between the web server and the client is established.

In the above method for establishing a secure connection, both the security certificate of the website and the private key of that security certificate are stored in the management server and need not be issued to the web server in advance; when the client accesses the target website, the web server uses the security certificate and private key by communicating with the management server in real time to establish a secure connection with the client, which avoids leakage of the private key and certificate and improves the security of user data.

The embodiments of the present application further provide another method for establishing a secure connection, implemented on the basis of the method of the embodiments above. This method focuses on the process of sending a private key use request to the management server when the private key corresponding to the security certificate needs to be used for signing or decryption, so that the management server signs or decrypts the private key use request using the private key corresponding to the security certificate and returns the processing result (implemented through step S404 below), and on the process of receiving the processing result returned by the management server and establishing a secure connection with the client based on it (implemented through step S406 below). As shown in Figure 4, the method includes the following steps:

Step S402: if an access request for the target website sent by the client is received, obtain the security certificate of the target website from the management server; the access request carries a target parameter.

The target parameter is a parameter provided by the client and intended for generating the session key between the client and the web server.

Step S404: send the above security certificate to the client, and send a private key use request carrying the target parameter to the management server, so that the management server signs the private key use request using the private key corresponding to the security certificate, generates a temporary public key based on the target parameter, computes a shared key by combining the temporary public key and the target parameter, and returns the signature information, the temporary public key and the shared key.

Step S406: receive the signature information, temporary public key and shared key returned by the management server, and send the signature information and temporary public key to the client, so that the client verifies the signature information against the security certificate and, after successful verification, generates the shared key based on the temporary public key and the target parameter; establish a secure connection with the client based on the shared key.

Once the client has generated the shared key, both the client and the web server hold the shared key, and they can conduct the session according to that shared key.

In the above method for establishing a secure connection, both the security certificate of the website and the private key of that security certificate are stored in the management server, and there is no need to issue the security certificate and private key in advance; when the client accesses the target website, the security certificate and private key are used by communicating with the management server in real time to establish the connection with the client, which avoids leakage of the private key and certificate and improves the security of user data.
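The signing embodiments of Figures 3 and 4 (steps S306-S308 and S404-S406), as an added example in Go that is not code from the patent or from its assignee. It assumes the site key is an ECDSA P-256 key, that the "target parameter" is the client's ephemeral ECDH public key and the "temporary public key" the management server's, and that the signature covers both; the names (SigningServer, SignAndAgree, EdgeClient, RelayKeyExchange) and the domain example.com are this example's own. It shows the Figure 4 form, where the management server both signs and computes the shared key; the Figure 3 form is the same exchange with the agreement done on the web server instead, and the client side is identical for both.

```go
package main

import (
	"crypto/ecdh"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// SigningServer holds each site's private key; the web server only ever sees its outputs.
type SigningServer struct{ keys map[string]*ecdsa.PrivateKey }

// Provision generates a site key and returns the public key the client would read from the certificate.
func (s *SigningServer) Provision(domain string) (*ecdsa.PublicKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	if s.keys == nil {
		s.keys = map[string]*ecdsa.PrivateKey{}
	}
	s.keys[domain] = key
	return &key.PublicKey, nil
}

// transcriptHash binds the signature to this session through the client's fresh parameter.
func transcriptHash(clientParam, ephPub []byte) []byte {
	h := sha256.New()
	h.Write([]byte("site key exchange v1")) // domain-separation label, this example's own
	h.Write(clientParam)
	h.Write(ephPub)
	return h.Sum(nil)
}

// SignAndAgree is the management server side of step S404: it returns the signature, the
// ephemeral ("temporary") public key for the client, and the shared secret for the web server.
func (s *SigningServer) SignAndAgree(domain string, clientParam []byte) (sig, ephPub, shared []byte, err error) {
	key, ok := s.keys[domain]
	if !ok {
		return nil, nil, nil, fmt.Errorf("no private key for %q", domain)
	}
	peer, err := ecdh.P256().NewPublicKey(clientParam) // rejects malformed or off-curve points
	if err != nil {
		return nil, nil, nil, fmt.Errorf("bad client parameter: %w", err)
	}
	eph, err := ecdh.P256().GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, nil, err
	}
	if shared, err = eph.ECDH(peer); err != nil {
		return nil, nil, nil, err
	}
	ephPub = eph.PublicKey().Bytes()
	if sig, err = ecdsa.SignASN1(rand.Reader, key, transcriptHash(clientParam, ephPub)); err != nil {
		return nil, nil, nil, err
	}
	return sig, ephPub, shared, nil
}

// EdgeClient supplies the "target parameter" (its ephemeral public key) and derives the
// shared secret only after the signature verifies under the site's public key.
type EdgeClient struct{ eph *ecdh.PrivateKey }

func NewEdgeClient() (*EdgeClient, error) {
	eph, err := ecdh.P256().GenerateKey(rand.Reader)
	return &EdgeClient{eph: eph}, err
}

func (c *EdgeClient) TargetParameter() []byte { return c.eph.PublicKey().Bytes() }

// Finish is the client side of step S406.
func (c *EdgeClient) Finish(sitePub *ecdsa.PublicKey, sig, ephPub []byte) ([]byte, error) {
	if !ecdsa.VerifyASN1(sitePub, transcriptHash(c.TargetParameter(), ephPub), sig) {
		return nil, fmt.Errorf("signature does not verify under the site public key")
	}
	peer, err := ecdh.P256().NewPublicKey(ephPub)
	if err != nil {
		return nil, err
	}
	return c.eph.ECDH(peer)
}

// RelayKeyExchange is the web server's relay role in steps S404-S406; it returns the secret it
// was handed and the one the client derived so a caller can confirm they agree.
func RelayKeyExchange(mgmt *SigningServer, sitePub *ecdsa.PublicKey, domain string) (serverSecret, clientSecret []byte, err error) {
	client, err := NewEdgeClient()
	if err != nil {
		return nil, nil, err
	}
	sig, ephPub, serverSecret, err := mgmt.SignAndAgree(domain, client.TargetParameter()) // S404
	if err != nil {
		return nil, nil, err
	}
	clientSecret, err = client.Finish(sitePub, sig, ephPub) // S406
	return serverSecret, clientSecret, err
}
```

The signature covers the client's own parameter as well as the temporary public key, so a signature obtained for one session cannot be replayed to a different client, and the management server parses the client's parameter as a curve point before using it, which is the check that protects the site key's operation from a malformed target parameter relayed by the web server.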

With regard to the above embodiments, the embodiments of the present application further provide another method for establishing a secure connection, applied to the management server. As shown in Figure 5, the method includes the following steps:

Step S502: if an access request for a target website sent by the web server is received, send the stored security certificate of the target website to the web server.

The access request is one that the client sent to the web server and that the web server then forwarded to the management server.

Step S504: receive the private key use request sent by the web server, and sign or decrypt the private key use request using the stored private key corresponding to the security certificate, obtaining a processing result.

Step S506: send the above processing result to the web server, so that the web server establishes a secure connection with the client based on the processing result.

In implementation, the access request for the target website carries the domain name of the target website, and step S502 above can be implemented through steps 10-11 below:

Step 10: according to the domain name of the target website carried in the received access request, look up the security certificate of the target website among the stored security certificates and corresponding private keys.

Step 11: send the security certificate found to the web server.

In the above method for establishing a secure connection, if an access request for a target website sent by the web server is received, the stored security certificate of the target website is sent to the web server, and the web server then sends the received security certificate to the client; the private key use request sent by the web server is then received, the private key use request is signed or decrypted using the stored private key corresponding to the security certificate to obtain a processing result, and the processing result is sent to the web server so that the web server establishes a secure connection with the client based on it. In this approach, both the security certificate of the website and the private key of that security certificate are stored in the management server and need not be issued to the web server in advance; when the client accesses the target website, the web server uses the security certificate and private key by communicating with the management server in real time to establish the connection with the client, which avoids leakage of the private key and certificate and improves the security of user data.

Corresponding to the above method embodiments, the embodiments of the present application further provide a system for establishing a secure connection. As shown in Figure 6, the system includes a management server 60 and a web server 61 that are communicatively connected; the web server 61 is also communicatively connected to the client. The management server 60 is configured to store the security certificate of a website and the private key corresponding to the security certificate.

The web server 61 is configured to obtain, on receiving an access request for a target website sent by the client, the security certificate of the target website from the management server 60, and to send the obtained security certificate to the client.

The web server 61 is further configured to send a private key use request to the management server 60 when the private key corresponding to the security certificate needs to be used for signing or decryption.

The management server 60 is configured to receive the private key use request, sign or decrypt the private key use request using the private key corresponding to the security certificate, and send the processing result to the web server 61.

The web server 61 is further configured to establish a secure connection with the client based on the received processing result. After receiving the processing result returned by the management server 60, the web server 61 generates a session key based on the processing result and establishes a secure connection with the client by means of that session key.

The implementation principle and technical effects of the system for establishing a secure connection provided by the embodiments of the present application are the same as those of the foregoing method embodiments; for brevity, where the system embodiment does not mention a point, reference may be made to the corresponding content of the foregoing method embodiments.

Corresponding to the method embodiments described in Figures 1 to 4, the embodiments of the present application provide an apparatus for establishing a secure connection, which is arranged in a web server. As shown in Figure 7, the apparatus includes:

a certificate obtaining module 70, configured to obtain the security certificate of a target website from the management server if an access request for the target website sent by the client is received, where the management server stores the security certificate of the target website and the private key corresponding to the security certificate;

a certificate sending module 71, configured to send the security certificate to the client;

a private key use module 72, configured to send a private key use request to the management server when the private key corresponding to the security certificate needs to be used for signing or decryption, so that the management server signs or decrypts the private key use request using the private key corresponding to the security certificate and returns the processing result; and

a connection establishment module 73, configured to receive the processing result returned by the management server and establish a secure connection with the client based on the processing result.

With the above apparatus for establishing a secure connection, when an access request for a target website is received from a client, the security certificate of the target website is obtained from the management server that stores the security certificate and its corresponding private key; the obtained security certificate is then sent to the client; whenever a signing or decryption operation with the private key corresponding to the security certificate is required, a private key use request is sent to the management server, so that the management server signs or decrypts the private key use request with that private key and returns the processing result; the processing result returned by the management server is then received, and a secure connection with the client is established based on it. In this manner, both the website's security certificate and the private key of that certificate are kept on the management server and neither needs to be distributed in advance. When a client accesses the target website, the certificate and private key are used through real-time communication with the management server to establish the connection with the client, so that the private key and certificate are never exposed on the web server, and the security of user data is improved.

In one embodiment, the access request for the target website carries the domain name of the target website, and the certificate obtaining module 70 is configured to: when an access request for the target website is received from the client, extract the domain name of the target website carried in the access request; send that domain name to the management server; and receive the security certificate of the target website that the management server returns according to the domain name.

In one embodiment, the apparatus further includes a key receiving module 74, configured to receive from the client the encrypted pre-master secret that the client obtained by encrypting its pre-master secret with the security certificate. In this embodiment the private key use module 72 is configured to send the encrypted pre-master secret to the management server, so that the management server decrypts it with the private key corresponding to the security certificate, and the connection establishment module 73 is configured to receive the decrypted pre-master secret returned by the management server and establish a secure connection with the client based on that pre-master secret.

In one embodiment, the private key use request carries specified parameters, and the private key use module 72 is configured to send a private key use request carrying the specified parameters to the management server, so that the management server signs the specified parameters with the private key corresponding to the security certificate and returns the signature; the connection establishment module 73 is configured to receive the signature returned by the management server and send it to the client, so that the client verifies the signature against the security certificate and obtains the specified parameters, and a secure connection is then established with the client based on those parameters.

In one embodiment, the private key use request carries target parameters contained in the access request, and the private key use module 72 is configured to send the private key use request to the management server, so that the management server signs the private key use request with the private key corresponding to the security certificate, generates an ephemeral public key based on the target parameters, computes a shared secret from the ephemeral public key and the target parameters, and returns the signature, the ephemeral public key and the shared secret; the connection establishment module 73 is configured to receive the signature, the ephemeral public key and the shared secret returned by the management server, and to send the signature and the ephemeral public key to the client, so that the client verifies the signature against the security certificate and, if verification succeeds, generates the same shared secret from the ephemeral public key and the target parameters; a secure connection is then established with the client based on the shared secret.

In one embodiment, the apparatus further includes an authentication module 75, configured to authenticate with the management server before the security certificate of the target website is obtained from it, using a stored first certificate and the private key corresponding to the first certificate against a second certificate stored by the management server and the private key corresponding to the second certificate, and thereby to establish a secure connection with the management server.

The apparatus for establishing a secure connection provided by the embodiments of the present application has the same implementation principle and technical effects as the foregoing method embodiments; for brevity, for anything not mentioned in the apparatus embodiment, reference may be made to the corresponding content of the foregoing method embodiments.

Corresponding to the method embodiment described in FIG. 5, an embodiment of the present application provides another apparatus for establishing a secure connection. The apparatus is deployed on a management server and, as shown in FIG. 8, includes:

a certificate determining module 80, configured to send the stored security certificate of a target website to a web server when an access request for the target website is received from the web server, the access request having been sent by a client to the web server;

a private key processing module 81, configured to receive a private key use request sent by the web server and to sign or decrypt the private key use request with the stored private key corresponding to the security certificate, obtaining a processing result; and

a result returning module 82, configured to send the processing result to the web server, so that the web server establishes a secure connection with the client based on the processing result.

With the above apparatus, the management server stores and manages the website's security certificate and private key, and there is no need to provision the security certificate and private key to the web server: when they are needed, the web server obtains the certificate from the management server and has the private-key operations performed there. The certificate and private key are thus not exposed, the customer retains full control over their management, deployment of the web server is simpler, and security is higher. In this manner, the website's security certificate and the private key of that certificate are both kept on the management server and need not be distributed to the web server in advance; when a client accesses the target website, the web server uses the certificate and private key through real-time communication with the management server to establish the connection with the client, so that the private key and certificate are not leaked and the security of user data is improved.

In one embodiment, the access request for the target website carries the domain name of the target website, and the certificate determining module 80 is configured to look up the security certificate of the target website, according to the domain name carried in the received access request, among the stored security certificates and their corresponding private keys, and to send the found security certificate to the web server.

The apparatus for establishing a secure connection provided by the embodiments of the present application has the same implementation principle and technical effects as the foregoing embodiments of the method for establishing a secure connection; for brevity, for anything not mentioned in the apparatus embodiment, reference may be made to the corresponding content of the foregoing method embodiments.

An embodiment of the present application further provides an electronic device. As shown in FIG. 9, the electronic device includes a processor 101 and a memory 100; the memory 100 stores machine-executable instructions that can be executed by the processor 101, and the processor 101 executes the machine-executable instructions to implement the above method for establishing a secure connection.

In one embodiment, the electronic device shown in FIG. 9 further includes a bus 102 and a communication interface 103, and the processor 101, the communication interface 103 and the memory 100 are connected through the bus 102.

The memory 100 may include high-speed random access memory (RAM) and may also include non-volatile memory, for example at least one disk memory. The communication connection between this network element of the system and at least one other network element is implemented through at least one communication interface 103 (wired or wireless), which may use the Internet, a wide area network, a local area network, a metropolitan area network and the like. The bus 102 may be an ISA bus, a PCI bus, an EISA bus or the like, and may be divided into an address bus, a data bus, a control bus and so on. For ease of illustration only one bidirectional arrow is drawn in FIG. 9, but this does not mean that there is only one bus or one type of bus.

The processor 101 may be an integrated circuit chip with signal processing capability. During implementation, each step of the above method may be completed by an integrated logic circuit of hardware in the processor 101 or by instructions in the form of software. The processor 101 may be a general-purpose processor, including a central processing unit (CPU), a network processor (NP) and the like; it may also be a digital signal processor (DSP), an application specific integrated circuit (ASIC), a field-programmable gate array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, or a discrete hardware component, and may implement or execute the methods, steps and logic block diagrams disclosed in the embodiments of the present application. A general-purpose processor may be a microprocessor, or the processor may be any conventional processor. The steps of the methods disclosed in conjunction with the embodiments of the present application may be embodied directly as execution by a hardware decoding processor, or as execution by a combination of hardware and software modules in the decoding processor. The software modules may reside in random access memory, flash memory, read-only memory, programmable read-only memory or electrically erasable programmable memory, registers, or any other storage medium well established in the art. The storage medium is located in the memory 100; the processor 101 reads the information in the memory 100 and, in combination with its hardware, completes the steps of the methods of the foregoing embodiments.

An embodiment of the present application further provides a machine-readable storage medium storing machine-executable instructions which, when invoked and executed by a processor, cause the processor to implement the above method for establishing a secure connection; for its implementation, reference may be made to the method embodiments, which are not repeated here.

The computer program product of the method, system, apparatus and electronic device for establishing a secure connection provided by the embodiments of the present application includes a machine-readable storage medium storing program code, and the instructions included in the program code may be configured to execute the methods described in the foregoing method embodiments; for the specific implementation, reference may be made to the method embodiments, which are not repeated here. If the functions are implemented in the form of software functional units and sold or used as independent products, they may be stored in a machine-readable storage medium.

In the method, system, apparatus, electronic device and machine-readable storage medium for establishing a secure connection provided by the present application, when an access request for a target website is received from a client, the security certificate of the target website is obtained from the management server that stores the security certificate and its corresponding private key; the obtained security certificate is then sent to the client; whenever a signing or decryption operation with the private key corresponding to the security certificate is required, a private key use request is sent to the management server, so that the management server signs or decrypts the private key use request with that private key and returns the processing result; the processing result returned by the management server is then received, and a secure connection with the client is established based on it. In this manner, both the website's security certificate and the private key of that certificate are kept on the management server and neither needs to be distributed in advance; when a client accesses the target website, the certificate and private key are used through real-time communication with the management server to establish the connection with the client, so that the private key and certificate are not leaked and the security of user data is improved.

Based on such an understanding, the technical solution of the present application, in essence, or the part that contributes to the prior art, or part of the technical solution, may be embodied in the form of a software product. The computer software product is stored in a storage medium and includes several instructions for causing a computer device (which may be a personal computer, an electronic device, a network device or the like) to execute all or some of the steps of the methods described in the embodiments of the present application. The aforementioned storage medium includes a USB flash drive, a removable hard disk, read-only memory (ROM), random access memory (RAM), a magnetic disk, an optical disc, or any other medium that can store program code.

Finally, it should be noted that the above embodiments are only specific implementations of the present application, used to illustrate its technical solutions rather than to limit them, and the scope of protection of the present application is not limited thereto. Although the present application has been described in detail with reference to the foregoing embodiments, those of ordinary skill in the art should understand that anyone familiar with the art may still, within the technical scope disclosed in the present application, modify the technical solutions described in the foregoing embodiments, readily conceive of variations, or make equivalent substitutions for some of the technical features; such modifications, variations or substitutions do not cause the essence of the corresponding technical solution to depart from the spirit and scope of the technical solutions of the embodiments of the present application, and shall all fall within the scope of protection of the present application. Therefore, the scope of protection of the present application shall be that of the claims.

Industrial Applicability

The present application is applicable to the technical field of data security and provides a method, system, apparatus, electronic device and machine-readable storage medium for establishing a secure connection. The website's security certificate and the private key of that certificate are stored only on the management server and need not be distributed in advance; when a client accesses the target website, the connection with the client is established by using the security certificate and private key through the management server, so that the private key and certificate are not leaked and data security is improved.

Claims (13)

一种建立安全连接的方法,包括:A method of establishing a secure connection comprising: 如果接收到客户端发送的针对目标网站的访问请求,从管理服务器中获取所述目标网站的安全证书;其中,所述管理服务器中保存有所述目标网站的安全证书和所述安全证书对应的私钥;If receiving the access request for the target website sent by the client, obtain the security certificate of the target website from the management server; wherein, the management server saves the security certificate of the target website and the corresponding security certificate private key; 将所述安全证书发送至所述客户端;sending the security certificate to the client; 在需要使用所述安全证书对应的私钥进行签名或者解密时,向所述管理服务器发送私钥使用请求,以通过所述管理服务器使用所述安全证书对应的私钥对所述私钥使用请求进行签名或者解密处理,返回处理结果;以及When the private key corresponding to the security certificate needs to be used for signature or decryption, a private key use request is sent to the management server, so that the management server uses the private key corresponding to the security certificate to use the private key Perform signature or decryption processing and return the processing result; and 接收所述管理服务器返回的处理结果,基于所述处理结果与所述客户端建立安全连接。Receive the processing result returned by the management server, and establish a secure connection with the client based on the processing result. 
根据权利要求1所述的方法,其中,所述目标网站的访问请求中携带有所述目标网站的域名;The method according to claim 1, wherein the access request of the target website carries the domain name of the target website; 所述如果接收到客户端发送的针对目标网站的访问请求,从管理服务器中获取所述目标网站的安全证书的步骤,包括:The step of obtaining the security certificate of the target website from the management server if an access request for the target website sent by the client is received, including: 如果接收到所述客户端发送的针对目标网站的访问请求,提取所述访问请求携带的目标网站的域名;If an access request for the target website sent by the client is received, extract the domain name of the target website carried in the access request; 将所述目标网站的域名发送至所述管理服务器;以及sending the domain name of the target website to the management server; and 接收所述管理服务器根据所述目标网站的域名返回的所述目标网站的安全证书。The security certificate of the target website returned by the management server according to the domain name of the target website is received. 根据权利要求1所述的方法,其中,所述将所述安全证书发送至所述客户端的步骤之后,所述方法还包括:The method of claim 1, wherein after the step of sending the security certificate to the client, the method further comprises: 接收所述客户端使用所述安全证书对所述客户端的预主密钥加密后得到的加密后的预主密钥;receiving the encrypted pre-master key obtained by the client using the security certificate to encrypt the pre-master key of the client; 所述在需要使用所述安全证书对应的私钥进行签名或者解密时,向所述管理服务器发送私钥使用请求,以通过所述管理服务器使用所述安全证书对应的私钥对所述私钥使用请求进行签名或者解密处理的步骤,包括:When the private key corresponding to the security certificate needs to be used for signing or decryption, sending a private key use request to the management server, so that the management server uses the private key corresponding to the security certificate to pair the private key with the private key. 
The steps for signing or decrypting a request, including: 将加密后的所述预主密钥发送至所述管理服务器,以通过所述管理服务器使用所述安全证书对应的私钥对加密后的所述预主密钥进行解密;sending the encrypted pre-master key to the management server, so that the encrypted pre-master key is decrypted by the management server using the private key corresponding to the security certificate; 所述接收所述管理服务器返回的处理结果,基于所述处理结果与所述客户端建立安全连接的步骤,包括:The step of receiving the processing result returned by the management server and establishing a secure connection with the client based on the processing result includes: 接收所述管理服务器返回的解密后的所述预主密钥,基于所述预主密钥与所述客户端建立安全连接。Receive the decrypted pre-master key returned by the management server, and establish a secure connection with the client based on the pre-master key. 根据权利要求1所述的方法,其中,所述私钥使用请求中携带有指定参数;所述向 所述管理服务器发送私钥使用请求,以通过所述管理服务器使用所述安全证书对应的私钥对所述私钥使用请求进行签名或者解密处理的步骤,包括:The method according to claim 1, wherein the private key use request carries specified parameters; and the private key use request is sent to the management server, so as to use the private key corresponding to the security certificate through the management server The steps of signing or decrypting the request for using the private key with the key include: 向所述管理服务器发送携带有所述指定参数的私钥使用请求,以通过所述管理服务器使用所述安全证书对应的私钥对所述指定参数进行签名,返回签名信息;sending a private key use request carrying the specified parameter to the management server, so that the specified parameter is signed by the management server using the private key corresponding to the security certificate, and signature information is returned; 所述接收所述管理服务器返回的处理结果,基于所述处理结果与所述客户端建立安全连接的步骤,包括:The step of receiving the processing result returned by the management server and establishing a secure connection with the client based on the processing result includes: 接收所述管理服务器返回的签名信息,并将所述签名信息发送至所述客户端,以使所述客户端通过所述安全证书验签所述签名信息,得到所述指定参数;以及receiving the signature information returned by the management server, and sending the signature information to the client, so that the client verifies the signature information 
through the security certificate to obtain the specified parameters; and 基于所述指定参数与所述客户端建立安全连接。A secure connection is established with the client based on the specified parameters. 根据权利要求1所述的方法,其中,所述私钥使用请求中携带有所述访问请求中包含的目标参数;The method according to claim 1, wherein the private key use request carries the target parameter contained in the access request; 所述向所述管理服务器发送私钥使用请求,以通过所述管理服务器使用所述安全证书对应的私钥对所述私钥使用请求进行签名或者解密处理的步骤,包括:The step of sending a private key use request to the management server to sign or decrypt the private key use request by using the private key corresponding to the security certificate by the management server includes: 向所述管理服务器发送所述私钥使用请求,以通过所述管理服务器使用所述安全证书对应的私钥对所述私钥使用请求进行签名,基于所述目标参数生成临时公钥,并结合所述临时公钥和所述目标参数计算出共享密钥,返回签名信息、所述临时公钥和所述共享密钥;Send the private key use request to the management server, so that the management server uses the private key corresponding to the security certificate to sign the private key use request, generates a temporary public key based on the target parameter, and combines with Calculate the shared key from the temporary public key and the target parameter, and return signature information, the temporary public key and the shared key; 所述接收所述管理服务器返回的处理结果,基于所述处理结果与所述客户端建立安全连接的步骤,包括:The step of receiving the processing result returned by the management server and establishing a secure connection with the client based on the processing result includes: 接收所述管理服务器返回的签名信息、所述临时公钥和所述共享密钥,将所述签名信息和所述临时公钥发送至所述客户端,以使所述客户端通过所述安全证书验签所述签名信息,验签成功后,基于所述临时公钥和所述目标参数生成所述共享密钥;以及Receive the signature information, the temporary public key and the shared key returned by the management server, and send the signature information and the temporary public key to the client, so that the client can pass the security The certificate verifies the signature information, and after the verification is successful, the shared key is generated based on the temporary public key and the target parameter; and 基于所述共享密钥与所述客户端建立安全连接。A secure connection is established with 
the client based on the shared key. 根据权利要求1至5中任一项所述的方法,其中,所述如果接收到客户端发送的针对目标网站的访问请求,从管理服务器中获取所述目标网站的安全证书的步骤之前,所述方法还包括:The method according to any one of claims 1 to 5, wherein, before the step of acquiring the security certificate of the target website from the management server if an access request for the target website sent by the client is received, the The method also includes: 通过保存的第一证书和所述第一证书对应的私钥,与所述管理服务器保存的第二证书和所述第二证书对应的私钥进行认证,建立与所述管理服务器的安全连接。A secure connection with the management server is established by authenticating the stored first certificate and the private key corresponding to the first certificate with the second certificate stored by the management server and the private key corresponding to the second certificate. 一种建立安全连接的方法,包括:A method of establishing a secure connection comprising: 如果接收到网页服务器发送的针对目标网站的访问请求,将保存的所述目标网站的安全证书发送至所述网页服务器;其中,所述访问请求为客户端发送至所述网页服务器的;If an access request for the target website sent by the web server is received, the saved security certificate of the target website is sent to the web server; wherein, the access request is sent by the client to the web server; 接收所述网页服务器发送的私钥使用请求,使用保存的所述安全证书对应的私钥,对所述私钥使用请求进行签名或者解密处理,得到处理结果;以及Receive the private key usage request sent by the web server, and use the stored private key corresponding to the security certificate to sign or decrypt the private key usage request to obtain a processing result; and 将所述处理结果发送至所述网页服务器,以使所述网页服务器基于所述处理结果与所述客户端建立安全连接。The processing result is sent to the web server, so that the web server establishes a secure connection with the client based on the processing result. 
The method according to claim 7, wherein the access request for the target website carries the domain name of the target website; and the step of, if an access request for the target website sent by the web server is received, sending the saved security certificate of the target website to the web server comprises: looking up the security certificate of the target website, according to the domain name of the target website carried in the received access request, among the saved security certificates and the private keys corresponding to those security certificates; and sending the found security certificate to the web server.

A system for establishing a secure connection, comprising a management server and a web server that are communicatively connected; the management server is configured to save a website's security certificate and the private key corresponding to the security certificate; the web server is configured to, upon receiving an access request for a target website sent by a client, obtain the security certificate of the target website from the management server and send the obtained security certificate to the client; the web server is further configured to send a private key use request to the management server when the private key corresponding to the security certificate needs to be used for signing or decryption; the management server is configured to receive the private key use request, perform signing or decryption processing on the private key use request using the private key corresponding to the security certificate, and send the processing result to the web server; and the web server is further configured to establish a secure connection with the client based on the received processing result.

An apparatus for establishing a secure connection, comprising: a certificate obtaining module, configured to obtain the security certificate of a target website from a management server if an access request for the target website sent by a client is received, wherein the management server stores the security certificate of the target website and the private key corresponding to the security certificate; a certificate sending module, configured to send the security certificate to the client; a private key use module, configured to send a private key use request to the management server when the private key corresponding to the security certificate needs to be used for signing or decryption, so that the management server performs signing or decryption processing on the private key use request using the private key corresponding to the security certificate and returns a processing result; and a connection establishment module, configured to receive the processing result returned by the management server and establish a secure connection with the client based on the processing result.

An apparatus for establishing a secure connection, comprising: a certificate determination module, configured to send the saved security certificate of a target website to a web server if an access request for the target website sent by the web server is received, wherein the access request was sent by a client to the web server; a private key processing module, configured to receive a private key use request sent by the web server and perform signing or decryption processing on the private key use request using the saved private key corresponding to the security certificate, obtaining a processing result; and a result returning module, configured to send the processing result to the web server so that the web server establishes a secure connection with the client based on the processing result.

An electronic device, comprising a processor and a memory, the memory storing machine-executable instructions executable by the processor, the processor executing the machine-executable instructions to implement the method for establishing a secure connection according to any one of claims 1 to 6, or the method for establishing a secure connection according to any one of claims 7-8.

A machine-readable storage medium storing machine-executable instructions which, when invoked and executed by a processor, cause the processor to implement the method for establishing a secure connection according to any one of claims 1 to 6, or the method for establishing a secure connection according to any one of claims 7-8.
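The split the claims describe, a web server that serves the certificate and a management server that alone performs private key operations, sketched in Go as an added example; this is not the patent's or the applicant's code, and every type and function name (ManagementServer, RemoteSigner, ServeHandshake) is my own. It assumes Ed25519 keys, lets a bare public key stand in for the X.509 certificate, covers only the signing path (the decryption path for RSA key exchange is omitted), and simulates the management server in-process rather than over the network.

```go
package main

import (
	"crypto"
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"io"
)

// ManagementServer keeps each website's private key (its public key stands in for the X.509
// certificate); it answers domain lookups (claim 8) and private-key-use requests, never releasing a key.
type ManagementServer struct{ keys map[string]ed25519.PrivateKey }
// NewManagementServer generates a constructed sample key pair for each domain.
func NewManagementServer(domains ...string) *ManagementServer {
	ms := &ManagementServer{keys: map[string]ed25519.PrivateKey{}}
	for _, d := range domains {
		_, ms.keys[d], _ = ed25519.GenerateKey(rand.Reader)
	}
	return ms
}
// Certificate looks the website up by the domain carried in the access request.
func (m *ManagementServer) Certificate(domain string) (ed25519.PublicKey, error) {
	if k, ok := m.keys[domain]; ok {
		return k.Public().(ed25519.PublicKey), nil
	}
	return nil, errors.New("no certificate stored for " + domain)
}
// UsePrivateKey services a private-key-use request sent by the web server.
func (m *ManagementServer) UsePrivateKey(domain string, msg []byte) ([]byte, error) {
	if k, ok := m.keys[domain]; ok {
		return ed25519.Sign(k, msg), nil
	}
	return nil, errors.New("no private key stored for " + domain)
}
// RemoteSigner is the web server's handle on the key: a crypto.Signer (usable as a
// tls.Certificate's PrivateKey) whose every Sign call is forwarded to the management server.
type RemoteSigner struct{ ms *ManagementServer; domain string; pub ed25519.PublicKey }
func (r RemoteSigner) Public() crypto.PublicKey { return r.pub }
func (r RemoteSigner) Sign(_ io.Reader, msg []byte, _ crypto.SignerOpts) ([]byte, error) {
	return r.ms.UsePrivateKey(r.domain, msg)
}
// ServeHandshake plays the web server: fetch the certificate, get the transcript signed remotely, client verifies.
func ServeHandshake(ms *ManagementServer, domain string, transcript []byte) (bool, error) {
	pub, err := ms.Certificate(domain)
	if err != nil { return false, err }
	sig, err := RemoteSigner{ms, domain, pub}.Sign(rand.Reader, transcript, crypto.Hash(0))
	if err != nil { return false, err }
	return ed25519.Verify(pub, transcript, sig), nil
}
```

The security property to check is that the web server process never holds key material: only the signature crosses the boundary, and an unknown domain yields neither a certificate nor a signature.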
PCT/CN2021/123636 2020-11-24 2021-10-13 Method, system and apparatus for establishing secure connection, electronic device, and machine-readable storage medium Ceased WO2022111102A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN202011341971.4 2020-11-24
CN202011341971.4A CN112564912B (en) 2020-11-24 2020-11-24 Method, system and device for establishing secure connection and electronic equipment

Publications (1)

Publication Number Publication Date
WO2022111102A1 true WO2022111102A1 (en) 2022-06-02

Family

ID=75043803

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2021/123636 Ceased WO2022111102A1 (en) 2020-11-24 2021-10-13 Method, system and apparatus for establishing secure connection, electronic device, and machine-readable storage medium

Country Status (2)

Country Link
CN (1) CN112564912B (en)
WO (1) WO2022111102A1 (en)

Cited By (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115333748A (en) * 2022-07-26 2022-11-11 深圳市明源云科技有限公司 Anti-counterfeiting communication method, system, electronic device and computer readable storage medium
CN116015961A (en) * 2023-01-05 2023-04-25 中国联合网络通信集团有限公司 Control and processing method, security CPE, system and medium of downlink terminal equipment
CN116546523A (en) * 2023-05-09 2023-08-04 深圳开鸿数字产业发展有限公司 Network configuration method, system and storage medium
CN116647379A (en) * 2023-05-26 2023-08-25 支付宝(杭州)信息技术有限公司 Service providing method and device for third-party applet
CN116707974A (en) * 2023-07-05 2023-09-05 中国电信股份有限公司技术创新中心 A secure socket layer SSL communication method and related equipment
CN117375863A (en) * 2022-06-30 2024-01-09 中国移动通信集团广东有限公司 A data encryption method, data decryption method and device
WO2024212846A1 (en) * 2023-04-11 2024-10-17 支付宝(杭州)信息技术有限公司 Security environment identity verification method and system based on wireless signal
CN119051989A (en) * 2024-10-30 2024-11-29 天津中远海运散运数字科技有限公司 User identity-based secure certificate communication method, device, equipment and medium

Families Citing this family (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112564912B (en) * 2020-11-24 2023-03-24 北京金山云网络技术有限公司 Method, system and device for establishing secure connection and electronic equipment
CN113346990B (en) * 2021-05-11 2022-12-23 科大讯飞股份有限公司 Secure communication method and system, and related equipment and device
CN115460083B (en) * 2021-06-09 2024-04-19 贵州白山云科技股份有限公司 Security acceleration service deployment method, device, medium and equipment
CN113381855B (en) * 2021-06-11 2022-12-27 上海哔哩哔哩科技有限公司 Communication method and system
CN115622719B (en) * 2021-07-13 2024-07-02 中移物联网有限公司 A method, device and system for processing data of Internet of Things
CN114090981B (en) * 2021-11-29 2023-04-07 深圳前海微众银行股份有限公司 Access method and device for remote host
CN115643248B (en) * 2022-09-30 2025-11-07 厦门安胜网络科技有限公司 A method and system for accelerating HTTPS
CN116800499A (en) * 2023-06-26 2023-09-22 奇安信科技集团股份有限公司 Encrypted data transmission methods and devices, equipment and storage media

Citations (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105871797A (en) * 2015-11-19 2016-08-17 乐视云计算有限公司 Handshake method, device and system of client and server
CN105993146A (en) * 2013-03-07 2016-10-05 云耀公司 Secure session capability using public-key cryptography without access to the private key
CN105991622A (en) * 2015-03-05 2016-10-05 阿里巴巴集团控股有限公司 Message authentication method and device
US9531691B2 (en) * 2011-12-16 2016-12-27 Akamai Technologies, Inc. Providing forward secrecy in a terminating TLS connection proxy
CN107707517A (en) * 2017-05-09 2018-02-16 贵州白山云科技有限公司 A kind of HTTPs handshake methods, device and system
CN108200104A (en) * 2018-03-23 2018-06-22 网宿科技股份有限公司 The method and system that a kind of progress SSL shakes hands
CN109417536A (en) * 2016-04-15 2019-03-01 高通股份有限公司 Techniques for managing secure content delivery in a content delivery network
CN112564912A (en) * 2020-11-24 2021-03-26 北京金山云网络技术有限公司 Method, system and device for establishing secure connection and electronic equipment

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
DE60307652T2 (en) * 2003-11-24 2007-08-09 Akamai Technologies, Inc., Cambridge Method and system for secure content delivery
CN108234114A (en) * 2016-12-22 2018-06-29 中标软件有限公司 A kind of implementation method of the SSL based on hardware encryption algorithm


Cited By (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN117375863A (en) * 2022-06-30 2024-01-09 中国移动通信集团广东有限公司 A data encryption method, data decryption method and device
CN115333748A (en) * 2022-07-26 2022-11-11 深圳市明源云科技有限公司 Anti-counterfeiting communication method, system, electronic device and computer readable storage medium
CN115333748B (en) * 2022-07-26 2023-10-10 深圳市明源云科技有限公司 Anti-counterfeiting communication method, system, electronic equipment and computer readable storage medium
CN116015961A (en) * 2023-01-05 2023-04-25 中国联合网络通信集团有限公司 Control and processing method, security CPE, system and medium of downlink terminal equipment
CN116015961B (en) * 2023-01-05 2024-05-28 中国联合网络通信集团有限公司 Control processing method for downstream terminal equipment, secure CPE, system and medium
WO2024212846A1 (en) * 2023-04-11 2024-10-17 支付宝(杭州)信息技术有限公司 Security environment identity verification method and system based on wireless signal
CN116546523A (en) * 2023-05-09 2023-08-04 深圳开鸿数字产业发展有限公司 Network configuration method, system and storage medium
CN116647379A (en) * 2023-05-26 2023-08-25 支付宝(杭州)信息技术有限公司 Service providing method and device for third-party applet
CN116707974A (en) * 2023-07-05 2023-09-05 中国电信股份有限公司技术创新中心 A secure socket layer SSL communication method and related equipment
CN119051989A (en) * 2024-10-30 2024-11-29 天津中远海运散运数字科技有限公司 User identity-based secure certificate communication method, device, equipment and medium

Also Published As

Publication number Publication date
CN112564912A (en) 2021-03-26
CN112564912B (en) 2023-03-24


Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 21896604

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 21896604

Country of ref document: EP

Kind code of ref document: A1