CN106169990A - Method, apparatus and system for monitoring encrypted traffic data - Google Patents


Info

Publication number: CN106169990A
Application number: CN201610460472.4A
Authority: CN (China)
Prior art keywords: client, certificate, encrypted, random key, gateway
Legal status: Pending
Other languages: Chinese (zh)
Inventors: 李云龙, 马勇
Current assignee: Beijing Qihoo Technology Co Ltd; Beijing Qianxin Technology Co Ltd
Original assignee: Beijing Qihoo Technology Co Ltd; Beijing Qianxin Technology Co Ltd
Application filed by Beijing Qihoo Technology Co Ltd and Beijing Qianxin Technology Co Ltd
Priority to CN201610460472.4A
Publication of CN106169990A

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/08: Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0823: Network architectures or network communication protocols for network security for authentication of entities using certificates
    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/04: Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428: Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/0457: Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload, wherein the sending and receiving network entities apply dynamic encryption, e.g. stream encryption
    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/10: Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/14: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441: Countermeasures against malicious traffic
    • H04L63/1466: Active attacks involving interception, injection, modification, spoofing of data unit addresses, e.g. hijacking, packet injection or TCP sequence number attacks

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Small-Scale Networks (AREA)

Abstract

The invention discloses a method, apparatus and system for monitoring encrypted traffic data. It belongs to the field of Internet technology and addresses the problem that, in the prior art, encrypted traffic data inside a local area network cannot be effectively monitored. The method comprises: intercepting, at the gateway side, a secure access request sent by a client; sending the client a fake certificate corresponding to the secure access request, so that the client verifies the fake certificate against its own preset fake certificate store; receiving from the client the random key used to encrypt the traffic data; and decrypting the encrypted traffic data sent by the client with that random key and then monitoring it. The invention can recover and monitor HTTPS-encrypted traffic data inside a local area network and is mainly intended for effective management of local area network security.

Description

A method, apparatus and system for monitoring encrypted traffic data

Technical field

The invention relates to the field of Internet technology, and in particular to a method, apparatus and system for monitoring encrypted traffic data.

Background

When existing browsers access websites, the Hypertext Transfer Protocol (HTTP) defines how the browser requests web content from a web server and how the web server delivers that content to the browser. HTTP is an application-layer protocol and is the essential basis for reliably exchanging files (text, audio, images and other multimedia files) on the World Wide Web. As Internet technology has developed, people carry out all kinds of activities over the network, such as online gaming, online shopping, watching video online and transferring money online. Since daily life and the network are ever more closely connected, protecting the information people exchange when accessing the network has become ever more important. For online shopping, online transfers and similar cases in particular, the user's access information must be protected by encryption.

To make HTTP more secure, the prior art builds the HTTPS protocol by adding the Secure Sockets Layer (SSL) protocol on top of the original HTTP. SSL is the security basis of HTTPS: it encrypts the details of the access so as to achieve secure transmission of HTTP data. However, in existing local area network management, the HTTPS traffic inside the LAN is encrypted, so the details of that traffic cannot be obtained, which makes monitoring and managing the LAN inconvenient.

Summary of the invention

In view of this, the present invention proposes a method, apparatus and system for monitoring encrypted traffic data, the main purpose of which is to solve the prior-art problem that encrypted traffic data inside a local area network cannot be effectively monitored.

According to a first aspect, the present invention provides a method for monitoring encrypted traffic data, applied mainly at the gateway side, comprising:

intercepting, at the gateway side, a secure access request sent by a client;

sending the client a fake certificate corresponding to the secure access request, so that the client verifies the fake certificate against its own preset fake certificate store;

receiving from the client the random key used to encrypt the traffic data;

decrypting the encrypted traffic data sent by the client with the random key and then monitoring it.

According to a second aspect, the present invention provides a method for monitoring encrypted traffic data, applied mainly at the client side, comprising:

receiving from the gateway a fake certificate corresponding to the client's secure access request;

verifying the received fake certificate against a preset fake certificate store;

when the received fake certificate passes verification, generating a random key for encrypting the traffic data;

sending the random key to the gateway, so that the gateway decrypts the encrypted traffic data with the random key and then monitors it.

According to a third aspect, the present invention provides an apparatus for monitoring encrypted traffic data, located mainly in the gateway or in a data exchange relationship with the gateway, comprising:

an interception unit, configured to intercept, at the gateway side, a secure access request sent by a client;

a sending unit, configured to send the client a fake certificate corresponding to the secure access request, so that the client verifies the fake certificate against its own preset fake certificate store;

a receiving unit, configured to receive from the client the random key used to encrypt the traffic data;

a processing unit, configured to decrypt the encrypted traffic data sent by the client with the random key and then monitor it.

According to a fourth aspect, the present invention provides an apparatus for monitoring encrypted traffic data, located mainly in the client or in a data exchange relationship with the client, comprising:

a receiving unit, configured to receive from the gateway a fake certificate corresponding to the client's secure access request;

a verification unit, configured to verify the received fake certificate against a preset fake certificate store;

a generation unit, configured to generate a random key for encrypting the traffic data when the received fake certificate passes verification;

a sending unit, configured to send the random key to the gateway, so that the gateway decrypts the encrypted traffic data with the random key and then monitors it.

According to a fifth aspect, the present invention provides a system for monitoring encrypted traffic data, comprising:

a gateway, a client and a server, wherein the gateway contains the apparatus of the third aspect and the client contains the apparatus of the fourth aspect.

By means of the above technical solution, the method, apparatus and system for monitoring encrypted traffic data provided by embodiments of the present invention can intercept, at the gateway side, the secure access request sent by a client and construct a fake certificate corresponding to that request. After the fake certificate is returned to the client, the client verifies it against its preset fake certificate store; once the fake certificate passes verification, the client and the gateway agree on the key used to encrypt the traffic data, so that the encrypted traffic data the client subsequently sends can be intercepted and decrypted at the gateway side. In the prior art, when HTTPS is used for access requests inside a local area network, the specific content of the request traffic cannot be learned, so the day-to-day operations of clients in the LAN cannot be monitored. By contrast, the present invention can recover the encrypted traffic data entering and leaving the LAN, which facilitates effective monitoring and management of the LAN.

The above is only an overview of the technical solution of the present invention. So that the technical means of the present invention can be understood more clearly and implemented according to the contents of this specification, and so that the above and other objects, features and advantages of the present invention become more readily apparent, specific embodiments of the present invention are set out below.

Description of the drawings

Various other advantages and benefits will become apparent to those of ordinary skill in the art on reading the following detailed description of the preferred embodiments. The drawings serve only to illustrate the preferred embodiments and are not to be considered as limiting the invention. Throughout the drawings, the same reference numerals denote the same components. In the drawings:

FIG. 1 is a flow chart of a method for monitoring encrypted traffic data provided by an embodiment of the present invention;

FIG. 2 is a flow chart of another method for monitoring encrypted traffic data provided by an embodiment of the present invention;

FIG. 3 is a block diagram of an apparatus for monitoring encrypted traffic data provided by an embodiment of the present invention;

FIG. 4 is a block diagram of an apparatus for monitoring encrypted traffic data provided by an embodiment of the present invention;

FIG. 5 is a block diagram of an apparatus for monitoring encrypted traffic data provided by an embodiment of the present invention;

FIG. 6 is a block diagram of an apparatus for monitoring encrypted traffic data provided by an embodiment of the present invention;

FIG. 7 is a schematic diagram of a system for monitoring encrypted traffic data provided by an embodiment of the present invention.

Detailed description

Exemplary embodiments of the present disclosure are described in more detail below with reference to the accompanying drawings. Although the drawings show exemplary embodiments of the present disclosure, it should be understood that the present disclosure may be embodied in various forms and should not be limited by the embodiments set out here. Rather, these embodiments are provided so that the present disclosure is understood more thoroughly and its scope is fully conveyed to those skilled in the art.

The existing HTTPS protocol is a network protocol built from SSL and HTTP that provides encrypted transmission and identity authentication; all traffic data carried over HTTPS is transmitted encrypted. When the traffic entering and leaving a local area network is all HTTPS traffic, the encrypted content of that traffic cannot be learned, which makes effective management of the LAN inconvenient.

To solve the above problem, an embodiment of the present invention provides a method for monitoring encrypted traffic data that can recover and monitor HTTPS-encrypted traffic data inside a local area network and thereby manage the LAN's network security effectively. The method is applied mainly at the gateway side and, as shown in FIG. 1, comprises:

101. Intercept, at the gateway side, the secure access request sent by the client.

When a user visits certain websites, such as shopping sites or the sites of banks and financial institutions, the site usually communicates with the user's client over HTTPS so that the user's access information cannot be maliciously intercepted and exploited. A web server that uses HTTPS must obtain from a Certificate Authority (CA) a certificate attesting to the server's purpose; only after the client has verified the web server's certificate can the site the client is visiting be considered safe. Since HTTPS is a network protocol built from HTTP and SSL that provides encrypted transmission and identity authentication, a client connecting to a site via an HTTPS URL must verify the site's certificate, and only once that verification passes does it exchange encrypted traffic data with the site. In a local area network that must be supervised, however, if the secure access request sent by the client, that is, the HTTPS URL the client sends to the site, passes through this series of steps undisturbed, the administrator cannot obtain the plaintext of the traffic data and therefore cannot supervise the operations of clients in the LAN. Hence, to monitor the encrypted traffic data entering and leaving the LAN, the present invention first performs step 101 and intercepts the secure access request sent by the client at the gateway side.

102. Send the client a fake certificate corresponding to the secure access request, so that the client verifies the fake certificate against its own preset fake certificate store.

When a client and a website exchange data securely, that is, when they transmit data over HTTPS, the site must send the client a certificate for the client to verify; only after that certificate passes verification does the client negotiate with the site a key for encrypting the traffic data and use that key to encrypt the data exchanged between them. Therefore, to supervise the operations of clients in the LAN, the encrypted traffic data sent by the client must be recovered, and recovering it requires obtaining the key used for encryption. Since the client negotiates that key with the site only after it has authenticated the site's certificate, obtaining the key requires setting up a separate certificate authentication process with the client. Because the embodiment has already intercepted the client's secure access request at the gateway side in step 101, the site never receives that request and so never sends the client its own certificate. After step 101, therefore, the embodiment performs step 102 and sends the client a fake certificate corresponding to the secure access request, so that the client verifies the fake certificate against its own preset fake certificate store.

103. Receive from the client the random key used to encrypt the traffic data.

After the fake certificate corresponding to the secure access request has been sent to the client in step 102, the client verifies it. The verification is done against a fake certificate store installed in the client in advance: when the fake certificate sent by the gateway is present in the client's fake certificate store, the client regards the holder of the fake certificate as safe and negotiates with that holder a key for encrypting the data transmitted between them. Because the fake certificate store preset in the client in this embodiment is installed specifically for this purpose, the fake certificate the gateway sends in step 102 is certain to pass the client's authentication. After step 102, step 103 is therefore performed to receive from the client the random key used to encrypt the traffic data.

104. Decrypt the encrypted traffic data sent by the client with the random key and then monitor it.

Once the random key used to encrypt the traffic data has been received from the client in step 103, step 104 can be performed: the encrypted traffic data sent by the client is decrypted with the random key and then monitored.

Further, an embodiment of the present invention also provides a method for monitoring encrypted traffic data that is applied mainly at the client side and, as shown in FIG. 2, comprises:

201. Receive from the gateway the fake certificate corresponding to the client's secure access request.

When a client accesses a website it sends the site an access request, in this embodiment a secure access request, and then receives and verifies the certificate the site returns. In this embodiment, however, in order to monitor the encrypted traffic data entering and leaving the LAN, the secure access request sent by the client is intercepted at the gateway side, and a fake certificate is constructed from the information in that request and sent to the client. A client inside the LAN does not know that its secure access request has been intercepted; as soon as it receives the returned certificate it verifies it. On the client side, therefore, step 201 is performed to receive from the gateway the fake certificate corresponding to the client's secure access request.

202. Verify the received fake certificate against the preset fake certificate store.

Because this embodiment monitors the encrypted traffic data entering and leaving the LAN, a fake certificate store is preset in the clients inside the LAN beforehand. When the client receives the fake certificate sent by the gateway, it must verify it; specifically, it looks up whether the fake certificate sent by the gateway exists in the preset fake certificate store. If it does, the client considers communication with the holder of that fake certificate to be safe.

203. When the received fake certificate passes verification, generate a random key for encrypting the traffic data.

Once the client has verified the fake certificate sent by the gateway in step 202, it generates a random key and uses it to encrypt the traffic data exchanged with the website.

204. Send the random key to the gateway, so that the gateway decrypts the encrypted traffic data with the random key and then monitors it.

After generating the random key for encrypting the traffic data, the client sends it to the holder of the fake certificate that passed verification and uses it to encrypt the data it transmits in the subsequent communication. Having received the random key from the client, the holder of the fake certificate can use it to obtain the plaintext of the encrypted traffic data and so monitor that traffic.

The method for monitoring encrypted traffic data provided by the embodiment of the present invention can intercept, at the gateway side, the secure access request sent by a client and construct a fake certificate corresponding to that request. After the fake certificate is returned to the client, the client verifies it against its preset fake certificate store; once it passes verification, the client and the gateway agree on the key used to encrypt the traffic data, so that the encrypted traffic data the client subsequently sends can be intercepted and decrypted at the gateway side. In the prior art, when HTTPS is used for access requests inside a local area network, the specific content of the request traffic cannot be learned, so the day-to-day operations of clients in the LAN cannot be monitored. By contrast, the present invention can recover the encrypted traffic data entering and leaving the LAN, which facilitates effective monitoring and management of the LAN.

To aid understanding of the methods shown in FIG. 1 and FIG. 2, and as a refinement and extension of the above embodiments, the embodiment of the present invention is described in detail below with reference to the steps of FIG. 1 and FIG. 2.

To monitor the encrypted traffic data entering and leaving the LAN, this embodiment intercepts, at the gateway side, the traffic the client sends to the website and blocks the normal communication between client and site; that is, a proxy layer is set up at the gateway side which relays the messages exchanged between client and site and, while relaying them, can recover the encrypted traffic data passing between them. Specifically, under normal communication between a client and a web server, when the client sends the site an HTTPS secure access request, the client's browser transmits to the server its SSL protocol version, the kinds of encryption algorithm it supports, a generated random number and the other information needed for communication between server and client; in the normal case the server likewise transmits to the client the SSL protocol version, the kind of encryption algorithm, a random number and other related information, and at the same time sends the client its own certificate. Accordingly, once the secure access request sent by the client has been intercepted at the gateway side, this embodiment captures the information needed for communication between the web server and the client and uses it to construct a fake certificate for the server the client wants to access, that is, a fake certificate corresponding to the client's secure access request. Having constructed the fake certificate, the proxy layer in the gateway sends it to the client in place of the web server, for the client to verify.

具体的在执行上述过程时,可以在网关侧的代理层建立一个伪的证书颁发机构,用于给网站颁发自签名证书,例如当局域网内客户端访问淘宝网站时,其访问请求会经过网关侧进行传递,此时,网关会根据访问请求中有关淘宝网站的信息,抽取TLS协议(TLS建立在SSL3.0协议规范之上,是SSL3.0的后续版本)数据包,由于TLS协议中的记录协议可能包含长度、描述和内容等字段,并且记录协议也可以不加密使用,因此可以对抽取的TLS协议数据包进行拆解,根据拆解后得到的信息伪造一个淘宝证书,将伪造的证书返回给客户端,以便客户端对该伪证书进行验证。Specifically, when performing the above process, a fake certificate authority can be established at the proxy layer on the gateway side to issue a self-signed certificate to the website. For example, when a client in the local area network accesses the Taobao website, its access request will pass through the gateway side. At this time, the gateway will extract the TLS protocol (TLS is built on the SSL3.0 protocol specification, which is a subsequent version of SSL3.0) data packet according to the information about the Taobao website in the access request. Due to the records in the TLS protocol The protocol may contain fields such as length, description, and content, and the record protocol can also be used without encryption. Therefore, the extracted TLS protocol data packet can be disassembled, and a Taobao certificate can be forged according to the information obtained after disassembly, and the forged certificate can be returned. to the client so that the client can verify the fake certificate.

当客户端收到网关发送的伪证书后,就需要对伪证书进行验证。由于本发明实施例为了监控局域网内进出的加密流量数据,必须要确保客户端能够将网关发送的伪证书验证通过,因此就需要提前在客户端中预置伪证书库,并通过预置的伪证书库对网关发送的伪证书进行验证。客户端只有在验证伪证书正确后,才能确定该伪证书的发送者也就是伪证书拥有者是可信的,可以与其协商密钥并进行后续的数据传输。具体的,客户端对伪证书的验证包括:伪证书是否过期,伪证书的发行者是否可靠,发行者证书的公钥能否正确解开伪证书的“发行者数字签名”等。如果合法性没有通过验证,则通信将断开;如果合法性通过验证,则会与伪证书的发送者协商密钥用于对流量数据进行加密。After the client receives the fake certificate sent by the gateway, it needs to verify the fake certificate. Since the embodiment of the present invention is to monitor the encrypted flow data entering and leaving the local area network, it is necessary to ensure that the client can pass the verification of the false certificate sent by the gateway. Validate the fake certificate sent by the gateway. Only after verifying that the fake certificate is correct, the client can determine that the sender of the fake certificate, that is, the owner of the fake certificate, is trustworthy, and can negotiate a key with it and perform subsequent data transmission. Specifically, the client's verification of the fake certificate includes: whether the fake certificate has expired, whether the issuer of the fake certificate is reliable, whether the public key of the issuer's certificate can correctly unlock the "issuer's digital signature" of the fake certificate, etc. If the legality is not verified, the communication will be disconnected; if the legality is verified, a key will be negotiated with the sender of the fake certificate to encrypt the traffic data.

Because the embodiment of the present invention sets up a proxy layer with a fake certificate authority on the gateway side and presets a fake certificate store in the client, and both of these are deliberately configured so that the fake certificate sent by the gateway passes the client's verification, the above step of checking whether the fake certificate has expired can already be avoided when the fake certificate store is set up. Therefore, when the client in the embodiment of the present invention verifies the fake certificate sent by the gateway, it mainly verifies whether the issuer of the fake certificate (the fake certificate authority in the proxy layer) is reliable and whether the public key of the issuer's certificate (the root certificate on the gateway side) can correctly unlock the "issuer digital signature" on the fake certificate. A root certificate is a certificate that a CA issues to itself and is the starting point of the chain of trust. The root certificate is a special certificate whose issuer is itself; downloading the root certificate means trusting every certificate issued under that root. In the embodiment of the present invention, when the fake certificate authority in the proxy layer constructs a fake certificate, it signs the fake certificate with the root certificate on the gateway side. Therefore the client must first install the gateway-side root certificate; having installed the root certificate, the client demonstrably trusts the issuer of the fake certificate (the fake certificate authority in the proxy layer). Once the client has installed the gateway-side root certificate, it can use the public key of the root certificate to verify the signature on the fake certificate sent by the gateway; after that verification passes, it checks the fake certificate against the preset fake certificate store, and when it determines that the fake certificate is present in the preset fake certificate store, the client regards the owner of the fake certificate as safe and may communicate with it.
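The client-side checks described in the two preceding paragraphs (validity period, issuer trust via the installed root, signature verification with the root's public key, and membership in the preset certificate store) can be demonstrated in Go's standard library. The following is an added example written for this page, not code from the patent or its applicants. It constructs an in-memory root (standing in for the gateway-side root certificate), issues leaf certificates from it the way the proxy-layer certificate authority would, and then runs the client's verification against four cases; the host name, the root names and the use of P-256 keys are assumptions chosen for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

// NewRoot builds a self-signed root certificate: the trust anchor the client installs.
// All keys in this example are generated in memory; nothing is written to disk.
func NewRoot(cn string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// IssueLeaf signs a server certificate for host with the given root, as the page's
// proxy-layer CA does. The validity window is a parameter so the expiry check can be exercised.
func IssueLeaf(host string, root *x509.Certificate, rootKey *ecdsa.PrivateKey,
	serial int64, notBefore, notAfter time.Time) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    notBefore,
		NotAfter:     notAfter,
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, root, &key.PublicKey, rootKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// Fingerprint is the SHA-256 of the DER encoding; the preset store is keyed by it.
func Fingerprint(c *x509.Certificate) string {
	sum := sha256.Sum256(c.Raw)
	return hex.EncodeToString(sum[:])
}

// VerifyPresented runs the client-side checks the page lists: validity period, issuer
// trust and signature (all performed by x509.Verify against the installed root), then
// membership in the preset store. Any failure means the connection must be dropped.
func VerifyPresented(leaf *x509.Certificate, host string, roots *x509.CertPool, store map[string]bool) error {
	opts := x509.VerifyOptions{Roots: roots, DNSName: host, CurrentTime: time.Now()}
	if _, err := leaf.Verify(opts); err != nil {
		return fmt.Errorf("chain verification failed: %w", err)
	}
	if !store[Fingerprint(leaf)] {
		return fmt.Errorf("certificate for %s is not in the preset store", leaf.Subject.CommonName)
	}
	return nil
}

// Scenario exercises four outcomes: accepted, expired, signed by the trusted root but
// absent from the store, and signed by an unrelated root. The host name is an assumption.
func Scenario() (map[string]error, error) {
	const host = "shop.example.test"
	root, rootKey, err := NewRoot("Gateway Proxy Root (example)")
	if err != nil {
		return nil, err
	}
	other, otherKey, err := NewRoot("Unrelated Root (example)")
	if err != nil {
		return nil, err
	}
	now := time.Now()
	leaf := func(r *x509.Certificate, k *ecdsa.PrivateKey, serial int64, nb, na time.Time) *x509.Certificate {
		c, e := IssueLeaf(host, r, k, serial, nb, na)
		if e != nil && err == nil {
			err = e
		}
		return c
	}
	good := leaf(root, rootKey, 2, now.Add(-time.Hour), now.Add(time.Hour))
	expired := leaf(root, rootKey, 3, now.Add(-2*time.Hour), now.Add(-time.Minute))
	unlisted := leaf(root, rootKey, 4, now.Add(-time.Hour), now.Add(time.Hour))
	foreign := leaf(other, otherKey, 5, now.Add(-time.Hour), now.Add(time.Hour))
	if err != nil {
		return nil, err
	}
	roots := x509.NewCertPool()
	roots.AddCert(root)
	store := map[string]bool{Fingerprint(good): true, Fingerprint(expired): true}
	return map[string]error{
		"trusted":        VerifyPresented(good, host, roots, store),
		"expired":        VerifyPresented(expired, host, roots, store),
		"not-in-store":   VerifyPresented(unlisted, host, roots, store),
		"unknown-issuer": VerifyPresented(foreign, host, roots, store),
	}, nil
}

func main() {
	res, err := Scenario()
	if err != nil {
		panic(err)
	}
	for name, e := range res {
		fmt.Printf("%-15s %v\n", name, e)
	}
}
```

The store check is the step that distinguishes this scheme from ordinary root trust: once a root is installed, x509.Verify accepts anything that root signs, so the preset store is what limits acceptance to the certificates the gateway actually pre-agreed with the client. The `expired` case shows why the page treats expiry as something to manage when the store is set up rather than at verification time, since the chain check rejects it before the store is consulted.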

After the client's verification of the fake certificate sent by the gateway passes, the client randomly generates a random key for subsequent communication with the server; this random key is used to encrypt the traffic data of the communication. Because this random key must also be transmitted to the server so that the server can use it to encrypt the data returned to the client, the client must encrypt the random key before transmitting it to the server in order to protect its security. Because the client in the embodiment of the present invention does not know that the fake certificate it received was sent by the gateway, the client still transmits the encrypted random key to the gateway. Specifically, when encrypting the random key, the client uses the public key contained in the fake certificate sent by the gateway. Because the fake certificate is sent by the proxy layer on the gateway side, the gateway side alone holds the private key corresponding to the public key in the fake certificate.

When the gateway receives the random key returned by the client, encrypted with the public key in the fake certificate, it uses the private key corresponding to that public key to decrypt the encrypted random key. Data encrypted with the public key can only be decrypted with the corresponding private key, and the private key is kept only on the side of the gateway that sent the fake certificate. Once the gateway has obtained the random key, it can use that key to decrypt and restore the encrypted traffic data sent by the client, and can thereby monitor the encrypted traffic data entering and leaving the local area network. It should be noted that in the embodiment of the present invention the random key used to encrypt the traffic data may be a randomly generated symmetric key.
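The key transport described in the two preceding paragraphs (client draws a random symmetric key, seals it to the public key from the certificate, the gateway unseals it with the private key it alone holds, and then opens the client's encrypted records) is shown below as an added example written for this page; it is not code from the patent or its applicants. The page only says "public key" and "symmetric key", so RSA-OAEP for key wrapping and AES-256-GCM for the traffic records are modelling choices made here, and the simplified flow (one key sent directly, no key derivation) follows the page's description rather than the actual TLS handshake.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// oaepLabel binds the wrapped key to its purpose; an arbitrary constant for the example.
var oaepLabel = []byte("traffic-key")

// GatewayKeys models the key pair whose public half is carried in the proxy-layer
// certificate and whose private half never leaves the gateway (generated in memory).
func GatewayKeys() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// ClientWrapKey is the client step: draw a 32-byte random symmetric key and seal it
// to the public key taken from the presented certificate.
func ClientWrapKey(pub *rsa.PublicKey) (symKey, wrapped []byte, err error) {
	symKey = make([]byte, 32)
	if _, err = rand.Read(symKey); err != nil {
		return nil, nil, err
	}
	wrapped, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, symKey, oaepLabel)
	return symKey, wrapped, err
}

// GatewayUnwrapKey is the gateway step: recover the symmetric key with the private key.
// Any other private key fails here, which is the property the page relies on.
func GatewayUnwrapKey(priv *rsa.PrivateKey, wrapped []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, wrapped, oaepLabel)
}

// EncryptTraffic seals one record with AES-256-GCM; output is nonce || ciphertext || tag.
func EncryptTraffic(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// DecryptTraffic opens a record produced by EncryptTraffic; a wrong key or any
// modification of the record fails the authentication tag check.
func DecryptTraffic(key, record []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(record) < gcm.NonceSize() {
		return nil, errors.New("record too short")
	}
	nonce, ct := record[:gcm.NonceSize()], record[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, nil)
}

// Exchange runs the whole flow and returns what the gateway recovers from the
// client's first encrypted record.
func Exchange(plaintext []byte) ([]byte, error) {
	gw, err := GatewayKeys()
	if err != nil {
		return nil, err
	}
	// Client side: wrap a fresh traffic key, then encrypt a record under it.
	clientKey, wrapped, err := ClientWrapKey(&gw.PublicKey)
	if err != nil {
		return nil, err
	}
	record, err := EncryptTraffic(clientKey, plaintext)
	if err != nil {
		return nil, err
	}
	// Gateway side: unwrap the key with the private key, then open the record.
	gwKey, err := GatewayUnwrapKey(gw, wrapped)
	if err != nil {
		return nil, err
	}
	if !bytes.Equal(gwKey, clientKey) {
		return nil, errors.New("unwrapped key does not match the client's key")
	}
	return DecryptTraffic(gwKey, record)
}

// WrongKeyRejected shows that a party holding a different private key cannot
// recover the wrapped traffic key. Returns true when the unwrap fails as expected.
func WrongKeyRejected() (bool, error) {
	gw, err := GatewayKeys()
	if err != nil {
		return false, err
	}
	_, wrapped, err := ClientWrapKey(&gw.PublicKey)
	if err != nil {
		return false, err
	}
	other, err := GatewayKeys()
	if err != nil {
		return false, err
	}
	_, err = GatewayUnwrapKey(other, wrapped)
	return err != nil, nil
}

func main() {
	out, err := Exchange([]byte("GET /cart HTTP/1.1\r\nHost: shop.example.test\r\n\r\n"))
	fmt.Printf("gateway recovered: %q (err=%v)\n", out, err)
}
```

The point the example makes concrete is the one the page states in prose: whoever holds the private key matching the certificate's public key recovers the traffic key and therefore every record, and a holder of any other key gets nothing, so the security of the whole scheme rests on where that private key lives.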

Because the embodiment of the present invention intercepts the secure access request sent by the client on the gateway side and, through the proxy layer on the gateway side, covertly returns to the client a fake certificate signed by the root certificate, the client mistakenly believes the fake certificate was sent by the website server and therefore verifies it. Because the fake certificate store is preset in the client and the gateway-side root certificate is pre-installed, the client's verification of the fake certificate sent by the gateway against the root certificate passes; when the client then checks the verified fake certificate and finds it in the fake certificate store, it negotiates with the gateway a random key for encrypting the traffic data, encrypts that random key with the public key in the fake certificate and sends it to the gateway. After receiving the encrypted random key, the gateway decrypts it with the private key corresponding to the public key to obtain the random key, and then uses the random key to decrypt and restore the encrypted traffic data subsequently sent by the client, achieving effective monitoring of the encrypted traffic data entering and leaving the local area network.

Further, as an implementation of the method shown in FIG. 1 above, an embodiment of the present invention provides a device for monitoring encrypted traffic data. The device is mainly located in the gateway or has a data interaction relationship with the gateway. As shown in FIG. 3, the device includes an interception unit 31, a sending unit 32, a receiving unit 33 and a processing unit 34, wherein:

the interception unit 31 is configured to intercept, on the gateway side, the secure access request sent by the client;

the sending unit 32 is configured to send to the client a fake certificate corresponding to the secure access request, so that the client verifies the fake certificate against its own preset fake certificate store;

the receiving unit 33 is configured to receive the random key, used to encrypt traffic data, returned by the client;

the processing unit 34 is configured to decrypt, using the random key, the encrypted traffic data sent by the client and then monitor it.

Further, as shown in FIG. 4, the sending unit 32 includes:

an extraction module 321, configured to extract the protocol data packet of the secure access request;

a construction module 322, configured to construct the fake certificate corresponding to the secure access request from the data information in the protocol data packet;

a sending module 323, configured to send the constructed fake certificate to the client.

Further, the receiving unit 33 is configured to receive the encrypted random key returned by the client after the client has verified the fake certificate.

Further, the receiving unit 33 is configured to receive the random key returned by the client that has been encrypted with the public key contained in the fake certificate.

Further, as shown in FIG. 4, the processing unit 34 includes:

a first decryption module 341, configured to decrypt the encrypted random key with the private key corresponding to the public key contained in the fake certificate, the private key being held only on the gateway side;

a second decryption module 342, configured to decrypt the encrypted traffic data sent by the client with the random key obtained by decryption and then monitor it.

Further, as an implementation of the method shown in FIG. 2 above, an embodiment of the present invention provides a device for monitoring encrypted traffic data. The device is mainly located in the client or has a data interaction relationship with the client. As shown in FIG. 5, the device includes a receiving unit 51, a verification unit 52, a generating unit 53 and a sending unit 54, wherein:

the receiving unit 51 is configured to receive the fake certificate sent by the gateway that corresponds to the client's secure access request;

the verification unit 52 is configured to verify the received fake certificate against a preset fake certificate store;

the generating unit 53 is configured to generate a random key for encrypting the traffic data after the received fake certificate has been verified;

the sending unit 54 is configured to send the random key to the gateway, so that the gateway decrypts the encrypted traffic data with the random key and then monitors it.

Further, as shown in FIG. 6, the verification unit 52 includes:

an installation module 521, configured to install the gateway-side root certificate;

a verification module 522, configured to verify, with the root certificate, the signature on the fake certificate sent by the gateway;

a checking module 523, configured to check the verified fake certificate against the preset fake certificate store and determine whether the fake certificate is present in the preset fake certificate store.

Further, as shown in FIG. 6, the generating unit 53 includes:

a generating module 531, configured to generate the random key for encrypting the traffic data;

an encryption module 532, configured to encrypt the random key.

Further, the encryption module 532 encrypts the random key with the public key contained in the fake certificate.

Further, the sending unit 54 is configured to send the random key encrypted with the public key to the gateway, so that the gateway decrypts the encrypted random key with the private key corresponding to the public key and uses the random key obtained by decryption to decrypt the encrypted traffic data and then monitor it, the private key being held only on the gateway side.

The device for monitoring encrypted traffic data provided by the embodiment of the present invention can intercept, on the gateway side, the secure access request sent by the client, construct a fake certificate corresponding to the secure access request and return it to the client; the client then verifies the fake certificate against its preset fake certificate store, and once the fake certificate passes verification the client and the gateway agree on the key used to encrypt the traffic data, so that the encrypted traffic data the client subsequently sends can be intercepted and decrypted on the gateway side. Compared with the prior art, in which access requests made over HTTPS within a local area network cannot be monitored because the specific content of their traffic data cannot be learned, so that the daily operations of clients within the LAN cannot be monitored, the present invention can restore the encrypted traffic data entering and leaving the LAN, which facilitates effective monitoring and management of the LAN.

In addition, because the device provided by the embodiment of the present invention intercepts the secure access request sent by the client on the gateway side and, through the proxy layer on the gateway side, covertly returns to the client a fake certificate signed by the root certificate, the client mistakenly believes the fake certificate was sent by the website server and therefore verifies it. Because the fake certificate store is preset in the client and the gateway-side root certificate is pre-installed, the client's verification of the fake certificate sent by the gateway against the root certificate passes; when the client then checks the verified fake certificate and finds it in the fake certificate store, it negotiates with the gateway a random key for encrypting the traffic data, encrypts that random key with the public key in the fake certificate and sends it to the gateway. After receiving the encrypted random key, the gateway decrypts it with the private key corresponding to the public key to obtain the random key, and then uses the random key to decrypt and restore the encrypted traffic data subsequently sent by the client, achieving effective monitoring of the encrypted traffic data entering and leaving the local area network.

Further, as an implementation of the methods shown in FIG. 1 and FIG. 2 above and an application of FIG. 3, FIG. 4, FIG. 5 and FIG. 6 above, an embodiment of the present invention provides a system for monitoring encrypted traffic data. As shown in FIG. 7, the system includes a gateway 71, a client 72 and a server 73, wherein the gateway 71 includes the device shown in FIG. 3 or FIG. 4 above, and the client 72 includes the device shown in FIG. 5 or FIG. 6 above.

The system for monitoring encrypted traffic data provided by the embodiment of the present invention can intercept, on the gateway side, the secure access request sent by the client, construct a fake certificate corresponding to the secure access request and return it to the client; the client then verifies the fake certificate against its preset fake certificate store, and once the fake certificate passes verification the client and the gateway agree on the key used to encrypt the traffic data, so that the encrypted traffic data the client subsequently sends can be intercepted and decrypted on the gateway side. Compared with the prior art, in which access requests made over HTTPS within a local area network cannot be monitored because the specific content of their traffic data cannot be learned, so that the daily operations of clients within the LAN cannot be monitored, the present invention can restore the encrypted traffic data entering and leaving the LAN, which facilitates effective monitoring and management of the LAN.

In addition, because the system provided by the embodiment of the present invention intercepts the secure access request sent by the client on the gateway side and, through the proxy layer on the gateway side, covertly returns to the client a fake certificate signed by the root certificate, the client mistakenly believes the fake certificate was sent by the website server and therefore verifies it. Because the fake certificate store is preset in the client and the gateway-side root certificate is pre-installed, the client's verification of the fake certificate sent by the gateway against the root certificate passes; when the client then checks the verified fake certificate and finds it in the fake certificate store, it negotiates with the gateway a random key for encrypting the traffic data, encrypts that random key with the public key in the fake certificate and sends it to the gateway. After receiving the encrypted random key, the gateway decrypts it with the private key corresponding to the public key to obtain the random key, and then uses the random key to decrypt and restore the encrypted traffic data subsequently sent by the client, achieving effective monitoring of the encrypted traffic data entering and leaving the local area network.

Embodiments of the present invention disclose:

A1. A method for monitoring encrypted traffic data, characterized in that the method includes:

intercepting, on the gateway side, a secure access request sent by a client;

sending to the client a fake certificate corresponding to the secure access request, so that the client verifies the fake certificate against its own preset fake certificate store;

receiving a random key, used to encrypt traffic data, returned by the client;

decrypting, using the random key, the encrypted traffic data sent by the client and then monitoring it.

A2. The method according to A1, characterized in that sending to the client the fake certificate corresponding to the secure access request includes:

extracting the protocol data packet of the secure access request;

constructing the fake certificate corresponding to the secure access request from the data information in the protocol data packet;

sending the constructed fake certificate to the client.

A3. The method according to A1, characterized in that receiving the random key, used to encrypt traffic data, returned by the client includes:

after the fake certificate has been verified by the client, receiving the encrypted random key returned by the client.

A4. The method according to A3, characterized in that receiving the encrypted random key returned by the client includes:

receiving the random key returned by the client that has been encrypted with the public key contained in the fake certificate.

A5. The method according to A4, characterized in that decrypting, using the random key, the encrypted traffic data sent by the client and then monitoring it includes:

decrypting the encrypted random key with the private key corresponding to the public key contained in the fake certificate, the private key being held only on the gateway side;

decrypting the encrypted traffic data sent by the client with the random key obtained by decryption and then monitoring it.

A6. The method according to any one of A1 to A5, characterized in that the random key used to encrypt the traffic data is a random symmetric key.

B7. A method for monitoring encrypted traffic data, characterized in that the method includes:

receiving a fake certificate, sent by a gateway, corresponding to the client's secure access request;

verifying the received fake certificate against a preset fake certificate store;

after the received fake certificate has been verified, generating a random key for encrypting traffic data;

sending the random key to the gateway, so that the gateway decrypts the encrypted traffic data with the random key and then monitors it.

B8. The method according to B7, characterized in that verifying the received fake certificate against the preset fake certificate store includes:

installing the gateway-side root certificate;

verifying, with the root certificate, the signature on the fake certificate sent by the gateway;

checking the verified fake certificate against the preset fake certificate store to determine whether the fake certificate is present in the preset fake certificate store.

B9. The method according to B7, characterized in that generating the random key for encrypting traffic data includes:

generating a random key for encrypting traffic data and encrypting the random key.

B10. The method according to B9, characterized in that encrypting the random key includes:

encrypting the random key with the public key contained in the fake certificate.

B11. The method according to B10, characterized in that sending the random key to the gateway so that the gateway decrypts the encrypted traffic data with the random key and then monitors it includes:

sending the random key encrypted with the public key to the gateway, so that the gateway decrypts the encrypted random key with the private key corresponding to the public key and uses the random key obtained by decryption to decrypt the encrypted traffic data and then monitor it, the private key being held only on the gateway side.

B12. The method according to any one of B7 to B11, characterized in that the random key used to encrypt the traffic data is a random symmetric key.

C13. A device for monitoring encrypted traffic data, characterized in that the device includes:

an interception unit, configured to intercept, on the gateway side, a secure access request sent by a client;

a sending unit, configured to send to the client a fake certificate corresponding to the secure access request, so that the client verifies the fake certificate against its own preset fake certificate store;

a receiving unit, configured to receive a random key, used to encrypt traffic data, returned by the client;

a processing unit, configured to decrypt, using the random key, the encrypted traffic data sent by the client and then monitor it.

C14. The device according to C13, characterized in that the sending unit includes:

an extraction module, configured to extract the protocol data packet of the secure access request;

a construction module, configured to construct the fake certificate corresponding to the secure access request from the data information in the protocol data packet;

a sending module, configured to send the constructed fake certificate to the client.

C15. The device according to C13, characterized in that the receiving unit is configured to receive the encrypted random key returned by the client after the client has verified the fake certificate.

C16. The device according to C15, characterized in that the receiving unit is configured to receive the random key returned by the client that has been encrypted with the public key contained in the fake certificate.

C17. The device according to C16, characterized in that the processing unit includes:

a first decryption module, configured to decrypt the encrypted random key with the private key corresponding to the public key contained in the fake certificate, the private key being held only on the gateway side;

a second decryption module, configured to decrypt the encrypted traffic data sent by the client with the random key obtained by decryption and then monitor it.

D18. A device for monitoring encrypted traffic data, characterized in that the device comprises:

a receiving unit, configured to receive the pseudo certificate that the gateway sends in response to the client's secure access request;

a verification unit, configured to verify the received pseudo certificate against a preset pseudo certificate library;

a generating unit, configured to generate, once the received pseudo certificate has passed verification, a random key for encrypting traffic data;

a sending unit, configured to send the random key to the gateway, so that the gateway can decrypt the encrypted traffic data with the random key and then monitor it.

D19. The device according to D18, characterized in that the verification unit comprises:

an installation module, configured to install the gateway-side root certificate;

a verification module, configured to verify, with the root certificate, the signature on the pseudo certificate sent by the gateway;

a checking module, configured to check the pseudo certificate that has passed signature verification against the preset pseudo certificate library and determine whether the pseudo certificate is present in that library.

D20. The device according to D18, characterized in that the generating unit comprises:

a generating module, configured to generate a random key for encrypting traffic data;

an encryption module, configured to encrypt the random key.

D21. The device according to D20, characterized in that the encryption module encrypts the random key with the public key contained in the pseudo certificate.

D22. The device according to D21, characterized in that the sending unit is configured to send the random key encrypted with the public key to the gateway, so that the gateway decrypts the encrypted random key with the private key corresponding to that public key and then uses the decrypted random key to decrypt the encrypted traffic data for monitoring; the private key is kept solely on the gateway side.

E23. A system for monitoring encrypted traffic data, characterized in that the system comprises:

a gateway, a client and a server; wherein

the gateway comprises the device according to any one of C13 to C17 above;

the client comprises the device according to any one of D18 to D22 above.
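The client-side flow of D19 to D22 (install the gateway root, verify the pseudo certificate's signature with it, check the certificate against the preset library, then return a random key encrypted under the certificate's public key, which only the private key held at the gateway can unwrap), as an added Go example that is not part of the patent. The self-signed test root, the host name, the representation of the library as a map keyed by DER encoding, RSA-OAEP as the public-key encryption scheme and the additional host-name check in the client are all assumptions, since the patent specifies none of them.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// Gateway holds a constructed test root CA (not the patent's CA) and the pseudo certificate's private key (D22).
type Gateway struct {
	Root             *x509.Certificate
	rootKey, leafKey *rsa.PrivateKey
}

// NewGateway generates both key pairs and a self-signed root; setup errors are ignored because the template is fixed.
func NewGateway() *Gateway {
	rootKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	leafKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "test-gateway-root"}, IsCA: true,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &rootKey.PublicKey, rootKey)
	root, _ := x509.ParseCertificate(der)
	return &Gateway{Root: root, rootKey: rootKey, leafKey: leafKey}
}

// PseudoCert signs a pseudo certificate for the host named in the intercepted access request (claim 2).
func (g *Gateway) PseudoCert(host string) ([]byte, error) {
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: host}, DNSNames: []string{host},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour), ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
	return x509.CreateCertificate(rand.Reader, tmpl, g.Root, &g.leafKey.PublicKey, g.rootKey)
}

// UnwrapKey recovers the client's random key with the private key that is kept only at the gateway (D22).
func (g *Gateway) UnwrapKey(wrapped []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, g.leafKey, wrapped, nil)
}

// VerifyAndWrapKey is the client side (D19-D21): root is the installed gateway root certificate and library the
// preset pseudo certificate library, keyed by DER encoding. The certificate must chain to the root, match the
// requested host (an added check) and be present in the library; only then is a random 32-byte symmetric key
// generated and RSA-OAEP-encrypted under the certificate's public key for return to the gateway.
func VerifyAndWrapKey(root *x509.Certificate, library map[string]bool, certDER []byte, host string) (key, wrapped []byte, err error) {
	cert, err := x509.ParseCertificate(certDER)
	if err != nil {
		return nil, nil, err
	}
	roots := x509.NewCertPool()
	roots.AddCert(root)
	if _, err = cert.Verify(x509.VerifyOptions{Roots: roots, DNSName: host}); err != nil {
		return nil, nil, err
	}
	if !library[string(certDER)] { // a root-signed certificate that is missing from the library is still rejected
		return nil, nil, errors.New("pseudo certificate not in preset library")
	}
	key = make([]byte, 32)
	rand.Read(key) // crypto/rand never returns an error on supported platforms
	wrapped, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, cert.PublicKey.(*rsa.PublicKey), key, nil)
	return key, wrapped, err
}
```

The library check is what the patent's verification unit adds over ordinary chain validation: a certificate that the gateway root signed but that was never provisioned into the client's preset library is still refused, so no key is released for it.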

In the embodiments above, each embodiment is described with its own emphasis; for parts not described in detail in one embodiment, refer to the related descriptions of the other embodiments.

It will be understood that the related features of the methods and devices above may be referred to one another. In addition, "first", "second" and the like in the embodiments above serve to distinguish the embodiments and do not indicate that one embodiment is better or worse than another.

Those skilled in the art will clearly understand that, for convenience and brevity of description, the specific working processes of the systems, devices and units described above may be understood by reference to the corresponding processes in the foregoing method embodiments, and are not repeated here.

The algorithms and displays provided herein are not inherently related to any particular computer, virtual system or other device. Various general-purpose systems may also be used with the teachings herein. The structure required to construct such systems is apparent from the description above. Furthermore, the present invention is not directed to any particular programming language. It should be understood that the content of the present invention described herein may be implemented in a variety of programming languages, and that the description above of a specific language is given in order to disclose the best mode of the invention.

In the specification provided here, numerous specific details are set forth. It will be understood, however, that embodiments of the invention may be practised without these specific details. In some instances, well-known methods, structures and techniques have not been shown in detail so as not to obscure the understanding of this specification.

Similarly, it should be understood that, in the description above of exemplary embodiments of the invention, various features of the invention are sometimes grouped together in a single embodiment, figure or description thereof in order to streamline this disclosure and to aid understanding of one or more of the various inventive aspects. This method of disclosure, however, is not to be interpreted as reflecting an intention that the claimed invention requires more features than are expressly recited in each claim. Rather, as the following claims reflect, the inventive aspects lie in fewer than all the features of a single embodiment disclosed above. The claims following the detailed description are therefore expressly incorporated into that detailed description, with each claim standing on its own as a separate embodiment of the invention.

Those skilled in the art will understand that the modules in the device of an embodiment may be adaptively changed and placed in one or more devices different from that embodiment. The modules, units or components of an embodiment may be combined into one module, unit or component, and may furthermore be divided into a plurality of sub-modules, sub-units or sub-components. Except where at least some of such features and/or processes or units are mutually exclusive, all features disclosed in this specification (including the accompanying claims, abstract and drawings) and all processes or units of any method or device so disclosed may be combined in any combination. Unless expressly stated otherwise, each feature disclosed in this specification (including the accompanying claims, abstract and drawings) may be replaced by an alternative feature serving the same, equivalent or similar purpose.

Furthermore, those skilled in the art will understand that, although some embodiments described herein include certain features that are included in other embodiments but not others, combinations of features of different embodiments are meant to be within the scope of the invention and to form different embodiments. For example, in the claims below, any of the claimed embodiments may be used in any combination.

The component embodiments of the invention may be implemented in hardware, in software modules running on one or more processors, or in a combination of the two. Those skilled in the art will understand that a microprocessor or digital signal processor (DSP) may be used in practice to implement some or all of the functions of some or all of the components of the invention name (such as a device for determining the rank of links within a website) according to embodiments of the invention. The invention may also be implemented as a device or apparatus program (for example, a computer program or computer program product) for performing part or all of the methods described here. Such a program implementing the invention may be stored on a computer-readable medium or may take the form of one or more signals. Such signals may be downloaded from an Internet website, provided on a carrier signal, or provided in any other form.

It should be noted that the embodiments above illustrate rather than limit the invention, and that those skilled in the art can design alternative embodiments without departing from the scope of the appended claims. In the claims, any reference signs placed between parentheses shall not be construed as limiting the claim. The word "comprising" does not exclude the presence of elements or steps not listed in a claim. The word "a" or "an" preceding an element does not exclude the presence of a plurality of such elements. The invention may be implemented by means of hardware comprising several distinct elements and by means of a suitably programmed computer. In a unit claim enumerating several means, several of these means may be embodied by one and the same item of hardware. The use of the words first, second, third and so on does not indicate any order; these words may be interpreted as names.

Claims (10)

1. A method for monitoring encrypted traffic data, the method comprising:
intercepting, at the gateway side, a secure access request sent by a client;
sending a pseudo certificate corresponding to the secure access request to the client, so that the client can verify the pseudo certificate against a preset pseudo certificate library;
receiving a random key, returned by the client, for encrypting traffic data;
decrypting the encrypted traffic data sent by the client with the random key, and then monitoring it.
2. The method according to claim 1, wherein sending the pseudo certificate corresponding to the secure access request to the client comprises:
extracting the protocol data packet of the secure access request;
constructing a pseudo certificate corresponding to the secure access request from the data in the protocol data packet;
sending the constructed pseudo certificate to the client.
3. The method according to claim 1, wherein receiving the random key returned by the client for encrypting traffic data comprises:
after the client has verified the pseudo certificate, receiving an encrypted random key returned by the client.
4. The method according to claim 3, wherein receiving the encrypted random key returned by the client comprises:
receiving a random key, returned by the client, that has been encrypted with the public key contained in the pseudo certificate.
5. The method according to claim 4, wherein decrypting the encrypted traffic data sent by the client with the random key and then monitoring it comprises:
decrypting the encrypted random key with the private key corresponding to the public key contained in the pseudo certificate, the private key being kept solely on the gateway side;
decrypting the encrypted traffic data sent by the client with the random key obtained by that decryption, and then monitoring it.
6. The method according to any one of claims 1 to 5, wherein the random key used to encrypt traffic data is a random symmetric key.
7. A method for monitoring encrypted traffic data, the method comprising:
receiving a pseudo certificate, sent by a gateway, that corresponds to a client's secure access request;
verifying the received pseudo certificate against a preset pseudo certificate library;
after the received pseudo certificate has passed verification, generating a random key for encrypting traffic data;
sending the random key to the gateway, so that the gateway can decrypt the encrypted traffic data with the random key and then monitor it.
8. An apparatus for monitoring encrypted traffic data, the apparatus comprising:
an intercepting unit, configured to intercept, at the gateway side, a secure access request sent by a client;
a sending unit, configured to send a pseudo certificate corresponding to the secure access request to the client, so that the client can verify the pseudo certificate against the pseudo certificate library preset on the client;
a receiving unit, configured to receive a random key, returned by the client, for encrypting traffic data;
a processing unit, configured to decrypt the encrypted traffic data sent by the client with the random key and then monitor it.
9. An apparatus for monitoring encrypted traffic data, the apparatus comprising:
a receiving unit, configured to receive a pseudo certificate, sent by the gateway, that corresponds to the client's secure access request;
a verification unit, configured to verify the received pseudo certificate against a preset pseudo certificate library;
a generating unit, configured to generate, after the received pseudo certificate has passed verification, a random key for encrypting traffic data;
a sending unit, configured to send the random key to the gateway, so that the gateway can decrypt the encrypted traffic data with the random key and then monitor it.
10. A system for monitoring encrypted traffic data, the system comprising:
a gateway, a client and a server; wherein
the gateway comprises the apparatus of claim 8 above;
the client comprises the apparatus of claim 9 above.
Priority Applications (1)

Application Number | Priority Date | Filing Date | Title
CN201610460472.4A | 2016-06-22 | 2016-06-22 | A kind of encrypt data on flows monitoring method, Apparatus and system

Publications (1)

Publication Number | Publication Date
CN106169990A (en) | 2016-11-30

Family ID: 58064664

Country Status (1)

Country | Link
CN | CN106169990A (en)


Legal Events

Code | Title | Description
C06 | Publication |
PB01 | Publication |
C10 | Entry into substantive examination |
SE01 | Entry into force of request for substantive examination |
RJ01 | Rejection of invention patent application after publication | Application publication date: 20161130