[go: up one dir, main page]

CN116318943A - Communication method, device and storage medium based on transport layer security protocol - Google Patents

Communication method, device and storage medium based on transport layer security protocol Download PDF

Info

Publication number
CN116318943A
CN116318943A CN202310222447.2A CN202310222447A CN116318943A CN 116318943 A CN116318943 A CN 116318943A CN 202310222447 A CN202310222447 A CN 202310222447A CN 116318943 A CN116318943 A CN 116318943A
Authority
CN
China
Prior art keywords
client
server
key
certificate
public key
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202310222447.2A
Other languages
Chinese (zh)
Inventor
王首媛
张晓辉
孙宁宁
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
China United Network Communications Group Co Ltd
China Information Technology Designing and Consulting Institute Co Ltd
Original Assignee
China United Network Communications Group Co Ltd
China Information Technology Designing and Consulting Institute Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by China United Network Communications Group Co Ltd, China Information Technology Designing and Consulting Institute Co Ltd filed Critical China United Network Communications Group Co Ltd
Priority to CN202310222447.2A priority Critical patent/CN116318943A/en
Publication of CN116318943A publication Critical patent/CN116318943A/en
Pending legal-status Critical Current

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/16Implementing security features at a particular protocol layer
    • H04L63/166Implementing security features at a particular protocol layer at the transport layer
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/20Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0861Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • H04L9/0863Generation of secret information including derivation or calculation of cryptographic keys or passwords involving passwords or one-time passwords
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/088Usage controlling of secret information, e.g. techniques for restricting cryptographic keys to pre-authorized uses, different access levels, validity of crypto-period, different key- or password length, or different strong and weak cryptographic algorithms
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/30Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3263Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computing Systems (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Computer And Data Communications (AREA)

Abstract

The application provides a communication method, a device and a storage medium based on a transmission layer security protocol, which relate to the technical field of communication and can use certificate-free key information to replace a traditional certificate in the communication process of the transmission layer security protocol, so that bandwidth resources occupied by processes such as certificate transmission and the like are reduced in the communication process. The method comprises the following steps: in a second handshake process based on a transport layer security protocol, receiving certificate-free key information of a server sent by the server, wherein the certificate-free key information of the server comprises an identifier of a first signature public key and an identifier of a first encryption public key; in a third handshake process based on a transport layer security protocol, verifying certificate-free key information of a server based on an identifier of the server; and after the verification is passed, sending the client-side certificateless key information to the server-side, wherein the client-side certificateless key information comprises the identification of the second signature public key and the identification of the second encryption public key.

Description

一种基于传输层安全性协议的通信方法、装置及存储介质Communication method, device and storage medium based on transport layer security protocol

技术领域technical field

本申请涉及通信技术领域,尤其涉及一种基于传输层安全性协议的通信方法、装置及存储介质。The present application relates to the technical field of communication, and in particular to a communication method, device and storage medium based on a transport layer security protocol.

背景技术Background technique

传输层安全协议及其前身安全套接层是一种安全协议,目的是为互联网通信提供安全及数据完整性保障。在传统的传输层安全协议的通信过程中,为了保障通信的安全性,需要由证书的签发机构(Cert ificate Author i ty,CA)为用户签发公钥证书,用于验证用户的真实身份,保障通信的安全性。TLS and its predecessor, Secure Sockets Layer, are security protocols designed to provide security and data integrity guarantees for Internet communications. In the communication process of the traditional transport layer security protocol, in order to ensure the security of the communication, it is necessary for the certificate issuing authority (Certificate Authority, CA) to issue a public key certificate for the user to verify the real identity of the user and ensure the security of the communication. Communication Security.

用户证书虽然保障了通信的安全性,但是在通信连接建立过程中,对于低功耗物联网设备而言,证书的传输将占据大量的带宽的资源。在服务端带宽固定的情况下,设备的接入数量将被证书的大小限制。证书的管理方式也比较复杂,对于海量物联网设备的证书存储、颁发、撤销等过程消耗较大。因此,如何保障通信连接轻量性,是亟待解决的问题。Although user certificates guarantee the security of communication, during the establishment of communication connections, for low-power IoT devices, the transmission of certificates will occupy a large amount of bandwidth resources. In the case of fixed server bandwidth, the number of devices connected will be limited by the size of the certificate. The certificate management method is also relatively complicated, and the process of certificate storage, issuance, and revocation for massive IoT devices consumes a lot. Therefore, how to ensure the lightness of the communication connection is an urgent problem to be solved.

发明内容Contents of the invention

本申请实施例提供一种基于传输层安全性协议的通信方法、装置及存储介质,用于降低基于传输层安全性协议的通信过程中因传输过程等操作消耗的带宽资源,且顾及通信连接过程中的安全性。The embodiment of the present application provides a communication method, device, and storage medium based on the transport layer security protocol, which are used to reduce the bandwidth resources consumed by operations such as the transmission process in the communication process based on the transport layer security protocol, and take into account the communication connection process security in .

第一方面,提供一种基于传输层安全性协议的通信方法,应用于客户端,该方法包括:在基于传输层安全性协议的第二次握手过程中,接收服务端发送的服务端的无证书密钥信息,服务端的无证书密钥信息包括第一签名公钥的标识和第一加密公钥的标识;在基于传输层安全性协议的第三次握手过程中,基于服务端的标识,对服务端的无证书密钥信息进行验证;在验证通过之后,向服务端发送客户端的无证书密钥信息,客户端的无证书密钥信息包括第二签名公钥的标识和第二加密公钥的标识。In the first aspect, a communication method based on the transport layer security protocol is provided, which is applied to the client, and the method includes: in the second handshake process based on the transport layer security protocol, receiving the certificateless certificate of the server sent by the server Key information, the non-certificate key information of the server includes the identification of the first signature public key and the identification of the first encryption public key; in the third handshake process based on the transport layer security protocol, based on the identification of the server, the service The non-certificate key information of the terminal is verified; after the verification is passed, the non-certificate key information of the client is sent to the server, and the non-certificate key information of the client includes the identification of the second signature public key and the identification of the second encryption public key.

本申请实施例提供的技术方案至少带来以下有益效果:可以看出,本申请通过在基于传输层安全性协议的第二次握手以及第三次握手过程中接收并验证由服务端发送的无证书密钥信息,在验证成功后,向服务端发送客户端的无证书密钥信息。在上述过程中使用无证书密钥信息取代传统通信过程中的证书,降低了基于传输层安全性协议的通信过程中因传出过程等操作消耗的带宽资源,且顾及通信连接过程中的安全性。The technical solutions provided by the embodiments of the present application bring at least the following beneficial effects: It can be seen that the present application receives and verifies the wireless data sent by the server during the second handshake and the third handshake based on the transport layer security protocol. Certificate key information, after the verification is successful, send the client's non-certificate key information to the server. In the above process, certificateless key information is used to replace the certificate in the traditional communication process, which reduces the bandwidth resources consumed by operations such as the outgoing process in the communication process based on the transport layer security protocol, and takes into account the security of the communication connection process .

作为一种可能的实现方式,在基于传输层安全性协议的第三次握手过程中,向服务端发送密钥交换报文,密钥交换报文包括由第二加密公钥加密的随机数。As a possible implementation, during the third handshake process based on the transport layer security protocol, a key exchange message is sent to the server, and the key exchange message includes a random number encrypted by the second encrypted public key.

作为一种可能的实现方式,在基于传输层安全性协议的第一次握手过程中,向服务端发送握手请求报文,握手请求报文用于指示采用无证书密钥的认证方式。As a possible implementation, in the first handshake process based on the transport layer security protocol, a handshake request message is sent to the server, and the handshake request message is used to indicate the use of an authentication method without a certificate key.

第二方面,提供一种基于传输层安全性协议的通信方法,应用于服务端,该方法包括:在基于传输层安全性协议的第二次握手过程中,向客户端发送服务端的无证书密钥信息,服务端的无证书密钥信息包括第一签名公钥的标识和第一加密公钥的标识;在基于传输层安全性协议的第三次握手过程中,接收客户端发送的客户端的无证书密钥信息,客户端的无证书密钥信息包括第二签名公钥的标识和第二加密公钥的标识;基于客户端的标识,对客户端的无证书密钥信息进行验证。In the second aspect, a communication method based on the transport layer security protocol is provided, which is applied to the server, and the method includes: in the second handshake process based on the transport layer security protocol, sending the certificateless encryption key of the server to the client. Key information, the non-certificate key information of the server includes the identification of the first signature public key and the identification of the first encryption public key; in the third handshake process based on the transport layer security The certificate key information, the certificate-free key information of the client includes the identification of the second signature public key and the identification of the second encryption public key; based on the identification of the client, the certificate-free key information of the client is verified.

本申请实施例提供的技术方案至少带来以下有益效果:可以看出,本申请通过在基于传输层安全性协议的第二次握手以及第三次握手过程中向客户端发送服务端的无证书密钥信息,以及接收并验证由客户端发送的客户端的无证书密钥信息。在上述过程中使用无证书密钥信息取代传统通信过程中的证书,降低了基于传输层安全性协议的通信过程中因传出过程等操作消耗的带宽资源,且顾及通信连接过程中的安全性。The technical solution provided by the embodiment of the application brings at least the following beneficial effects: It can be seen that the application sends the server's certificateless encryption key to the client during the second handshake and the third handshake based on the key information, and receive and verify the client's non-certificate key information sent by the client. In the above process, certificateless key information is used to replace the certificate in the traditional communication process, which reduces the bandwidth resources consumed by operations such as the outgoing process in the communication process based on the transport layer security protocol, and takes into account the security of the communication connection process .

作为一种可能的实现方式,在基于传输层安全性协议的第三次握手过程中,接收客户端发送的客户端密钥交换报文,客户端密钥交换报文包括由第二加密公钥加密的随机数;根据第二加密公钥的标识,生成第二加密公钥;以第二加密公钥,对由第二加密公钥加密的随机数进行解密。As a possible implementation, in the third handshake process based on the transport layer security protocol, the client key exchange message sent by the client is received, and the client key exchange message includes the key encrypted by the second encrypted public key An encrypted random number; according to the identification of the second encrypted public key, generate a second encrypted public key; use the second encrypted public key to decrypt the random number encrypted by the second encrypted public key.

作为一种可能的实现方式,在基于传输层安全性协议的第一次握手过程中,接收客户端发送的握手请求报文,握手请求报文用于指示采用无证书密钥的认证方式。As a possible implementation, in the first handshake process based on the transport layer security protocol, the handshake request message sent by the client is received, and the handshake request message is used to indicate the authentication mode without a certificate key.

第三方面,提供一种客户端装置,上述装置包括:接收模块,用于在基于传输层安全性协议的第二次握手过程中,接收服务端发送的服务端的无证书密钥信息,服务端的无证书密钥信息包括第一签名公钥的标识和第一加密公钥的标识;验证模块,用于在基于传输层安全性协议的第三次握手过程中,基于服务端的标识,对服务端的无证书密钥信息进行验证;发送模块,用于在验证通过之后,向服务端发送客户端的无证书密钥信息,客户端的无证书密钥信息包括第二签名公钥的标识和第二加密公钥的标识。In a third aspect, a client device is provided, and the device includes: a receiving module, configured to receive the certificate-less key information of the server sent by the server during the second handshake process based on the transport layer security protocol, and the server's The non-certificate key information includes the identification of the first signature public key and the identification of the first encryption public key; the verification module is used to verify the identity of the server based on the identification of the server during the third handshake process based on the transport layer security protocol. The non-certificate key information is verified; the sending module is used to send the client's non-certificate key information to the server after the verification is passed. The client's non-certificate key information includes the identity of the second signature public key and the second encryption public key Key ID.

作为一种可能的实现方式,发送模块还用于在基于传输层安全性协议的第三次握手过程中,向服务端发送密钥交换报文,密钥交换报文包括由第二加密公钥加密的随机数。As a possible implementation, the sending module is also used to send a key exchange message to the server during the third handshake process based on the transport layer security protocol. The key exchange message includes the key exchange message encrypted by the second encrypted public key Encrypted random number.

作为一种可能的实现方式,发送模块还用于在基于传输层安全性协议的第一次握手过程中,向所述服务端发送握手请求报文,所述握手请求报文用于指示采用无证书密钥的认证方式。As a possible implementation, the sending module is further configured to send a handshake request message to the server during the first handshake process based on the transport layer security protocol, and the handshake request message is used to indicate the use of wireless The authentication method of the certificate key.

第四方面,提供一种服务端装置,上述装置包括:发送模块,用于在基于传输层安全性协议的第二次握手过程中,向客户端发送的服务端的无证书密钥信息,服务端的无证书密钥信息包括第一签名公钥的标识和第一加密公钥的标识;接收模块,用于在基于传输层安全性协议的第三次握手过程中,接收客户端发送的所述客户端的无证书密钥信息,客户端的无证书密钥信息包括第二签名公钥的标识和第二加密公钥的标识;验证模块,用于基于客户端的标识,对客户端的无证书密钥信息进行验证。In a fourth aspect, a server device is provided, the device includes: a sending module, configured to send the certificate-less key information of the server to the client during the second handshake process based on the transport layer security protocol, and the certificate-free key information of the server. The non-certificate key information includes the identification of the first signature public key and the identification of the first encryption public key; the receiving module is used to receive the client's client-side message sent by the client during the third handshake process based on the transport layer security protocol. The non-certificate key information of the terminal, the non-certificate key information of the client includes the identification of the second signature public key and the identification of the second encrypted public key; verify.

作为一种可能的实现方式,接收模块还用于在基于传输层安全性协议的第三次握手过程中,接收客户端发送的客户端密钥交换报文,客户端密钥交换报文包括由第二加密公钥加密的随机数;上述装置还包括:生成模块,用于根据第二加密公钥的标识,生成第二加密公钥;解密模块,用于以第二加密公钥,对由第二加密公钥加密的随机数进行解密。As a possible implementation, the receiving module is also configured to receive the client key exchange message sent by the client during the third handshake process based on the transport layer security protocol, the client key exchange message includes the The random number encrypted by the second encryption public key; the above-mentioned device also includes: a generating module, which is used to generate a second encryption public key according to the identification of the second encryption public key; a decryption module, which is used to use the second encryption public key to generate The random number encrypted with the second encrypted public key is decrypted.

作为一种可能的实现方式,接收模块还用于在基于传输层安全性协议的第一次握手过程中,接收客户端发送的握手请求报文,握手请求报文用于指示采用无证书密钥的认证方式。As a possible implementation, the receiving module is also used to receive the handshake request message sent by the client during the first handshake process based on the transport layer security protocol. The handshake request message is used to indicate the use of a certificateless key authentication method.

第五方面,提供一种客户端装置,上述装置包括处理器,所述处理器执行计算机程序时实现如第一方面所述的基于传输层安全性协议的通信方法。According to a fifth aspect, there is provided a client device, the above-mentioned device includes a processor, and when the processor executes a computer program, the communication method based on the transport layer security protocol as described in the first aspect is implemented.

第六方面,提供一种服务端装置,上述装置包括处理器,所述处理器执行计算机程序时实现如第二方面所述的基于传输层安全性协议的通信方法。In a sixth aspect, there is provided a server device, the above-mentioned device includes a processor, and when the processor executes a computer program, the communication method based on the transport layer security protocol as described in the second aspect is implemented.

第七方面,提供一种计算机可读存储介质,上述计算机可读存储介质包括计算机指令;其中,当计算机指令被执行时,实现如第一方面或第二方面的基于传输层安全性协议的通信方法。In a seventh aspect, a computer-readable storage medium is provided, the above-mentioned computer-readable storage medium includes computer instructions; wherein, when the computer instructions are executed, the communication based on the transport layer security protocol as in the first aspect or the second aspect is realized method.

本申请中,第三方面至第七方面的描述的有益效果,可以参考第一方面或第二方面的有益效果分析,此处不再赘述。In this application, the beneficial effects described in the third aspect to the seventh aspect can refer to the beneficial effect analysis of the first aspect or the second aspect, and will not be repeated here.

附图说明Description of drawings

图1为本申请实施例提供的一种传统的基于传输层安全性协议的通信流程图;Fig. 1 is a kind of traditional communication flowchart based on transport layer security protocol provided by the embodiment of the present application;

图2为本申请实施例提供的一种通信系统的结构示意图;FIG. 2 is a schematic structural diagram of a communication system provided by an embodiment of the present application;

图3为本申请实施例提供的一种基于传输层安全性协议的通信方法的流程示意图;FIG. 3 is a schematic flowchart of a communication method based on a transport layer security protocol provided in an embodiment of the present application;

图4为本申请实施例提供的另一种基于传输层安全性协议的通信方法的流程示意图;FIG. 4 is a schematic flowchart of another communication method based on a transport layer security protocol provided in an embodiment of the present application;

图5为本申请实施例提供的一种基于传输层安全性协议的通信方法的完整流程示意图;FIG. 5 is a schematic diagram of a complete flow of a communication method based on a transport layer security protocol provided in an embodiment of the present application;

图6为本申请实施例提供的一种基于传输层安全性协议的通信方法的交互流程图;FIG. 6 is an interaction flowchart of a communication method based on a transport layer security protocol provided in an embodiment of the present application;

图7为本申请实施例提供的又一种基于传输层安全性协议的通信方法的交互流程图;FIG. 7 is an interactive flowchart of another communication method based on the transport layer security protocol provided by the embodiment of the present application;

图8为本申请实施例提供的又一种基于传输层安全性协议的通信方法的交互流程图;FIG. 8 is an interactive flowchart of another communication method based on the transport layer security protocol provided by the embodiment of the present application;

图9为本申请实施例提供的又一种基于传输层安全性协议的通信方法的交互流程图;FIG. 9 is an interactive flowchart of another communication method based on the transport layer security protocol provided by the embodiment of the present application;

图10为本申请实施例提供的一种客户端装置的结构示意图;FIG. 10 is a schematic structural diagram of a client device provided by an embodiment of the present application;

图11为本申请实施例提供的一种服务端装置的结构示意图;FIG. 11 is a schematic structural diagram of a server device provided in an embodiment of the present application;

图12为本申请实施例提供的一种通信装置的结构示意图。FIG. 12 is a schematic structural diagram of a communication device provided by an embodiment of the present application.

具体实施方式Detailed ways

下面将结合本申请实施例中的附图,对本申请实施例的技术方案进行清楚、完整地描述,显然,所描述的实施例仅仅是本申请一部分实施例,而不是全部的实施例,基于本申请中的实施例,本领域普通技术人员在没有做出创造性劳动前提下所获得的所有其他实施例,都属于本申请保护的范围。The following will clearly and completely describe the technical solutions of the embodiments of the present application in conjunction with the accompanying drawings in the embodiments of the present application. Obviously, the described embodiments are only some of the embodiments of the present application, not all of them. Based on this The embodiments in the application, and all other embodiments obtained by persons of ordinary skill in the art without creative efforts, all belong to the scope of protection of the present application.

在本申请的描述中,除非另有说明,“/”表示“或”的意思,例如,A/B可以表示A或B。本文中的“和/或”仅仅是一种描述关联对象的关联关系,表示可以存在三种关系,例如,A和/或B,可以表示:单独存在A,同时存在A和B,单独存在B这三种情况。此外,“至少一个”是指一个或多个,“多个”是指两个或两个以上。“第一”、“第二”等字样并不对数量和执行次序进行限定,并且“第一”、“第二”等字样也并不限定一定不同。需要说明的是,本申请中,“示例性的”或者“例如”等词用于表示作例子、例证或说明。本申请中被描述为“示例性的”或者“例如”的任何实施例或设计方案不应被解释为比其他实施例或设计方案更优选或更具优势。确切而言,使用“示例性的”或者“例如”等词旨在以具体方式呈现相关概念。在本申请实施例中,“指示”可以包括直接指示和间接指示。例如,以下文中第一控制信息为例,第一控制信息可以直接携带信息A的本身或者其索引,以实现直接指示信息A的目的。或者,第一控制信息也可以携带与信息A存在关联关系的信息B,从而在指示信息B的同时实现间接指示信息A的目的。In the description of the present application, unless otherwise specified, "/" means "or", for example, A/B may mean A or B. The "and/or" in this article is just an association relationship describing associated objects, which means that there can be three relationships, for example, A and/or B, which can mean: A exists alone, A and B exist at the same time, and B exists alone These three situations. In addition, "at least one" means one or more, and "plurality" means two or more. Words such as "first" and "second" do not limit the number and order of execution, and words such as "first" and "second" do not necessarily limit the difference. It should be noted that, in this application, words such as "exemplary" or "for example" are used as examples, illustrations or illustrations. Any embodiment or design described herein as "exemplary" or "for example" is not to be construed as preferred or advantageous over other embodiments or designs. Rather, the use of words such as "exemplary" or "such as" is intended to present related concepts in a concrete manner. In this embodiment of the application, "instruction" may include direct instruction and indirect instruction. For example, taking the first control information hereinafter as an example, the first control information may directly carry the information A itself or its index, so as to achieve the purpose of directly indicating the information A. Alternatively, the first control information may also carry information B that is associated with information A, so as to indirectly indicate information A while indicating information B.

如背景技术所述,当前基于传输层安全性协议TLS通信大多都是采用传统的公开密钥基础设施PKI/可信的证书权威机构CA证书体质。基于数字证书的PKI/CA是目前广泛使用的公钥密码体质,由CA为每个用户签发一个公钥证书。公钥证书包括用户的身份信息、用户的公钥和CA的签名。在PKI/CA过程中,证书的格式一般采用X.509格式,这种格式的证书一般具有1K-2K的数据长度。As mentioned in the background art, most of the current communication based on the transport layer security protocol TLS adopts the traditional public key infrastructure PKI/trusted certificate authority CA certificate structure. PKI/CA based on digital certificates is a public key cryptosystem widely used at present, and CA issues a public key certificate for each user. The public key certificate includes the user's identity information, the user's public key and the signature of the CA. In the PKI/CA process, the format of the certificate generally adopts the X.509 format, and the certificate in this format generally has a data length of 1K-2K.

其中,如图1所示,TLS建立安全连接需要经过四次握手的过程。Wherein, as shown in FIG. 1 , establishing a secure connection with TLS requires a four-way handshake process.

第一次握手过程包括:The first handshake process includes:

S1、客户端向服务端发送握手请求报文Cl ient Hel lo报文;相应地,服务端接收由客户端发送的Cl ient Hel lo报文。其中,Cl ient Hel lo报文包括客户端支持的TLS协议版本、客户端生成的随机数、会话ID、客户端支持的加密套件、客户端支持的压缩算法列表、扩展内容。S1. The client sends a handshake request message, a Cl ient Hello message, to the server; correspondingly, the server receives the Client Hello message sent by the client. Among them, the Client Hello message includes the TLS protocol version supported by the client, the random number generated by the client, the session ID, the encryption suite supported by the client, the list of compression algorithms supported by the client, and the extended content.

第二次握手过程包括:The second handshake process includes:

S2、服务端解析由客户端发送的Cl ient Hel lo报文,并向客户端发送握手应答报文Server Hel lo报文;相应地,客户端接收由服务端发送的Server Hel lo报文。其中,Server Hel lo报文包括服务端选定的TLS版本、服务端生成的随机数、会话ID、服务端选定的加密套件、服务端选定的压缩算法、扩展内容。S2. The server parses the Client Hello message sent by the client, and sends a handshake response message, a Server Hello message, to the client; correspondingly, the client receives the Server Hello message sent by the server. Among them, the Server Hello message includes the TLS version selected by the server, the random number generated by the server, the session ID, the encryption suite selected by the server, the compression algorithm selected by the server, and the extended content.

S3、服务端向客户端发送Cert if icate报文;相应地,客户端接收由服务端发送的密钥信息报文Cert ificate报文。其中,Cert ificate报文包括服务端的证书,证书为X.509标准格式,证书内容包括服务端的公钥、服务端的域名、签发方的信息、有效期信息。S3. The server sends a Cert ificate message to the client; correspondingly, the client receives the key information message Certificate message sent by the server. The Certificate message includes the certificate of the server, which is in the X.509 standard format, and the content of the certificate includes the public key of the server, the domain name of the server, the information of the issuer, and the information of the validity period.

S4、服务端向客户端发送服务端随机数报文Server Key Exchange报文;相应地,客户端接收由服务端发送的Server Key Exchange报文。其中,Server Key Exchange报文包括客户端用于生成随机数的安全参数。S4. The server sends a server random number message, a Server Key Exchange message, to the client; correspondingly, the client receives the Server Key Exchange message sent by the server. Wherein, the Server Key Exchange message includes security parameters used by the client to generate random numbers.

S5、服务端向客户端发送密钥请求报文Cer t if icate Reques t报文;相应地,客户端接收由服务端发送的Cert if icate Reques t报文。其中,Cert i f icate Request报文用于请求客户端发送客户端的证书。S5. The server sends a key request message Cert if icate Request t message to the client; correspondingly, the client receives the Cert if icate Request t message sent by the server. Wherein, the Certif icate Request message is used to request the client to send the certificate of the client.

S6、服务端向客户端发送密钥完成报文Server He l lo Done报文;相应地,客户端接收由服务端发送的Server Hel lo Done报文。其中,Server He l lo Done报文表示服务端已经将所有与密钥交换的相关内容发送完毕。S6. The server sends a key completion message, a Server Hello Done message, to the client; correspondingly, the client receives the Server Hello Done message sent by the server. Among them, the Server Hello Done message indicates that the server has sent all relevant content related to the key exchange.

第三次握手过程包括:The third handshake process includes:

S7、客户端向服务端发送密钥信息报文Cert if icate报文;相应地,服务端接收由客户端发送的Cert if icate报文。其中,Cert if icate报文包括客户端的证书。S7. The client sends the key information message Cert if icate message to the server; correspondingly, the server receives the Cert if icate message sent by the client. Wherein, the Cert if icate message includes the certificate of the client.

S8、客户端向服务端发送客户端随机数报文Cl ient Key Exchange报文;相应地,服务端接收由客户端发送的Cl ient Key Exchange报文。其中,C l ient Key Exchange报文包括由服务端发送的随机数。S8. The client sends a client random number message, a Client Key Exchange message, to the server; correspondingly, the server receives the Client Key Exchange message sent by the client. Wherein, the Client Key Exchange message includes a random number sent by the server.

S9、客户端向服务端发送数字签名报文Cert if icate Ver i fy报文;相应地,服务端接收由客户端发送的Cer t if icate Ver ify报文。其中,Cert i f icate Ver ify报文包括在三次握手过程中所有握手报文的数字签名。S9. The client sends a digital signature message Cert if icate Verify message to the server; correspondingly, the server receives the Cert if icate Verify message sent by the client. Wherein, the Certificate Verify message includes digital signatures of all handshake messages during the three-way handshake process.

S10、客户端向服务端发送加密指示报文Change C ipher Spec报文;相应地,服务端接收由客户端发送的Change C ipher Spec报文。其中,Change Cipher Spec报文用于表示客户端从下条握手信息开始进行加密传输。S10. The client sends an encrypted indication message Change Cipher Spec message to the server; correspondingly, the server receives the Change Cipher Spec message sent by the client. Among them, the Change Cipher Spec message is used to indicate that the client starts encrypted transmission from the next handshake information.

S11、客户端向服务端发送握手摘要报文Fini shed报文;相应地,服务端接收由客户端发送的Fini shed报文。其中,Fini shed报文包括所有握手信息的数字摘要。S11. The client sends a handshake summary message Fini shed message to the server; correspondingly, the server receives the Fini shed message sent by the client. Among them, the Fini shed message includes a digital summary of all handshake information.

在第四次握手包括:The fourth handshake includes:

S12、服务端向客户端发送加密指示报文Change C ipher Spec报文;相应地,客户端接收由服务端发送的Change C ipher Spec报文。其中,Change Cipher Spec报文用于表示服务端从下条握手信息开始进行加密传输。S12. The server sends an encrypted indication message Change Cipher Spec message to the client; correspondingly, the client receives the Change Cipher Spec message sent by the server. Among them, the Change Cipher Spec message is used to indicate that the server starts encrypted transmission from the next handshake information.

S13、服务端向客户端发送握手摘要报文Fini shed报文;相应地,客户端接收由服务端发送的Fini shed报文。其中,Fini shed报文包括所有握手信息的数字摘要。S13. The server sends the handshake summary message Fini shed message to the client; correspondingly, the client receives the Fini shed message sent by the server. Among them, the Fini shed message includes a digital summary of all handshake information.

在上述握手过程中,TLS通信虽然实现了身份认证与通信加密,但是在建立安全连接过程中使用了传统的认证和证书结构。对于低功耗的物联网设备而言,数据采集、证书传输将会占据大量的带宽资源。在服务端带宽固定的情况下,设备接入数量将被证书大小限制。基于TSL通信中使用PKI/CA证书进行认证主要包括两个缺点:(1)CA帧数字节数过多,证书在传输和存储的过程中需要占用大量的网络带宽和存储资源,不适合存储空间和网络宽带受限的物联网设备。(2)CA证书管理复杂,对于海量物联网设备证书的颁发、存储、撤销等过程中,需要消耗大量的时间资源以及带宽资源。如何在保障的通信安全的情况下,顾及通信过程中的轻便性,使得减少在通信过程中避免因传输证书等过程导致占用额外的带宽资源,是亟待解决的问题。In the above handshake process, although TLS communication implements identity authentication and communication encryption, traditional authentication and certificate structures are used in the process of establishing a secure connection. For low-power IoT devices, data collection and certificate transmission will occupy a large amount of bandwidth resources. When the bandwidth of the server is fixed, the number of devices connected will be limited by the size of the certificate. The use of PKI/CA certificates for authentication based on TSL communication mainly includes two disadvantages: (1) The number of bytes in the CA frame is too large, and the certificate needs to occupy a large amount of network bandwidth and storage resources during transmission and storage, which is not suitable for storage space and IoT devices with limited network bandwidth. (2) The management of CA certificates is complex, and the issuance, storage, and revocation of massive IoT device certificates consume a lot of time and bandwidth resources. How to take into account the portability of the communication process in the case of guaranteed communication security, so as to reduce the occupation of additional bandwidth resources caused by the transmission of certificates and other processes during the communication process, is an urgent problem to be solved.

基于此,本申请实施例提供一种基于传输层安全性协议的通信方法,其思路在于:在建立基于传输层安全性协议通信连接过程中,通过使用无证书密钥信息代替传统的CA证书,实现了基于传输层安全性协议通信的轻量化,并且保障了TLS通信过程中的安全性。Based on this, the embodiment of the present application provides a communication method based on the transport layer security protocol. The idea is: in the process of establishing a communication connection based on the transport layer security protocol, by using non-certificate key information instead of the traditional CA certificate, It realizes the lightweight communication based on the transport layer security protocol, and guarantees the security in the TLS communication process.

示例性的,图2示出了本申请实施例提供的一种通信系统的结构示意图。该通信系统可以包括无证书密码管理平台、客户端、以及服务端,服务端可以与一个或多个客户端通信连接。需要注意的是,图2所示仅为可以应用本申请实施例的通信系统的结果示意图,以帮助本领域技术人员理解本公开的技术内容,但并不意味着本申请实施例不可以用于其他设备、系统、环境或场景。Exemplarily, FIG. 2 shows a schematic structural diagram of a communication system provided by an embodiment of the present application. The communication system may include a non-certificate password management platform, a client, and a server, and the server may communicate with one or more clients. It should be noted that Figure 2 is only a schematic diagram of the results of the communication system to which the embodiment of the present application can be applied, to help those skilled in the art understand the technical content of the present disclosure, but it does not mean that the embodiment of the present application cannot be used for Other equipment, systems, environments or scenarios.

无证书密码管理平台,用于在初始化过程中,通过接收客户端/服务端的唯一标识信息和公钥为客户端/服务端生成无证书密钥信息,可以实现对客户端/服务端的无证书密钥信息进行管理、存储、撤销操作等。The certificateless password management platform is used to generate certificateless key information for the client/server by receiving the unique identification information and public key of the client/server during the initialization process, so as to realize the certificateless encryption of the client/server. Key information can be managed, stored, revoked, etc.

客户端上可以安装有支持多种类型的传输协议的各种应用程序,例如网页浏览器应用、搜索类应用、购物类应用、即时通信工具、邮箱客户端和/或社交平台软件等(仅为示例)。客户端可以是具有显示屏并且支持网页浏览的各种电子设备,包括但不限于智能手机、平板电脑、膝上型便携计算机和台式计算机等等。Various applications supporting multiple types of transmission protocols can be installed on the client, such as web browser applications, search applications, shopping applications, instant messaging tools, email clients and/or social platform software, etc. (only example). Clients can be various electronic devices that have a display screen and support web browsing, including but not limited to smartphones, tablet computers, laptops, desktop computers, and the like.

服务端可以是提供各种服务的服务器,例如对用户利用客户端所浏览的网站提供支持的后台管理服务器。后台管理服务端可以对接收到的用户请求等数据进行分析等处理,并将处理结果(例如根据用户请求获取或生成的网页、信息、或数据等)反馈给客户端。The server can be a server that provides various services, such as a background management server that provides support for the website that the user browses through the client. The background management server can analyze and process received data such as user requests, and feed back processing results (such as web pages, information, or data obtained or generated according to user requests) to the client.

如图3所示,本申请实施例提供了一种基于传输层安全性协议的通信方法,应用于客户端,该方法包括以下步骤:As shown in Figure 3, the embodiment of the present application provides a communication method based on the transport layer security protocol, which is applied to the client, and the method includes the following steps:

S301、在基于传输层安全性协议的第二次握手过程中,接收服务端发送的服务端的无证书密钥信息。S301. During the second handshake process based on the transport layer security protocol, receive the certificateless key information of the server sent by the server.

其中,服务端的无证书密钥信息包括第一签名公钥的标识和第一加密公钥的标识。Wherein, the non-certificate key information of the server includes the identification of the first signature public key and the identification of the first encryption public key.

S302、在基于传输层安全性协议的第三次握手过程中,基于服务端的标识,对服务端的无证书密钥信息进行验证;在验证通过之后,向服务端发送所述客户端的无证书密钥信息。S302. In the third handshake process based on the transport layer security protocol, based on the identification of the server, verify the certificate-free key information of the server; after the verification is passed, send the certificate-free key information of the client to the server information.

在一些实施例中,在基于传输层安全性协议的通信过程中,客户端与服务端使用的无证书密码标识的TLS加密套件中集成了基础密码运算功能。In some embodiments, during the communication process based on the transport layer security protocol, the TLS cipher suite identified by the certificateless cipher used by the client and the server integrates a basic cryptographic operation function.

其中,基础密码运算功能包括以下至少一项功能:无证书密钥信息的验证、握手信息的摘要验证或者握手信息的加密。无证书的密钥信息的验证基于国密SM2算法;握手信息的摘要验证基于国密SM3算法;握手信息的加密基于国密SM4算法。Wherein, the basic cryptographic operation function includes at least one of the following functions: certificateless key information verification, digest verification of handshake information or encryption of handshake information. The verification of the key information without a certificate is based on the national secret SM2 algorithm; the summary verification of the handshake information is based on the national secret SM3 algorithm; the encryption of the handshake information is based on the national secret SM4 algorithm.

示例性的,握手信息可以包括以下至少一项:握手请求报文、握手应答报文、密钥完成报文、密钥交换报文、加密指示报文或者握手摘要报文。上述报文所包含的内容具体如下文所述。Exemplarily, the handshake information may include at least one of the following: a handshake request message, a handshake response message, a key completion message, a key exchange message, an encryption instruction message, or a handshake summary message. The content contained in the above message is specifically described as follows.

在一些实施例中,在客户端对服务端的无证书密钥信息的验证过程中,对服务端的无证书密钥信息使用国密SM2算法进行运算,得到服务端的标识。若运算得到的服务端标识与握手过程中服务端的标识一致,即验证成功,客户端继续与服务端建立安全连接。In some embodiments, during the verification process of the client on the server's non-certificate key information, the server's non-certificate key information is calculated using the national secret SM2 algorithm to obtain the identification of the server. If the calculated server ID is consistent with the server ID in the handshake process, the verification is successful, and the client continues to establish a secure connection with the server.

示例性的,在基于传输层安全性协议的第三次握手过程中,服务端的标识为010101,客户端接收由服务端发送的无证书密钥信息,并对其进行验证。客户端通过无证书密码标识的套件中的基础密码运行功能对服务端的无证书密钥信息进行验证,使用国密SM2算法对服务端的无证书密钥信息进行运算,运算得到的服务端的标识为010101,与握手过程中的服务端的标识一致,即验证成功,客户端与服务端继续建立安全连接。Exemplarily, in the third handshake process based on the transport layer security protocol, the identifier of the server is 010101, and the client receives and verifies the non-certificate key information sent by the server. The client verifies the non-certificate key information of the server through the basic cipher operation function in the suite of the non-certificate cipher identification, and uses the national secret SM2 algorithm to calculate the non-certificate key information of the server, and the server identification obtained by the operation is 010101 , which is consistent with the identity of the server during the handshake process, that is, the verification is successful, and the client and the server continue to establish a secure connection.

又一示例性的,在基于传输层安全性协议的第三次握手过程中,服务端的标识为010101,客户端接收由服务端发送的无证书密钥信息,并对其进行验证。客户端通过无证书密码标识的套件中的基础密码运行功能对服务端的无证书密钥信息进行验证,使用国密SM2算法对服务端的无证书密钥信息进行运算,运算得到的服务端的标识为101010,与握手过程中的服务端的标识不一致,即验证失败,客户端中断与服务端的连接。In yet another example, in the third handshake process based on the transport layer security protocol, the identifier of the server is 010101, and the client receives and verifies the non-certificate key information sent by the server. The client verifies the non-certificate key information of the server through the basic cipher operation function in the suite of the non-certificate cipher identification, and uses the national secret SM2 algorithm to calculate the non-certificate key information of the server, and the server identification obtained by the operation is 101010 , is inconsistent with the identification of the server during the handshake process, that is, the authentication fails, and the client disconnects from the server.

在一些实施例中,客户端根据服务端的无证书密钥信息中的第一签名公钥标识生成第一签名公钥。第一签名公钥用于对由无证书私钥进行签名的报文进行验证。In some embodiments, the client generates the first public signature key according to the identifier of the first public signature key in the non-certificate key information of the server. The first signature public key is used to verify the message signed by the non-certificate private key.

在一些实施例中,客户端根据服务端的无证书密钥信息中的第一加密公钥的标识生成第一加密公钥。第一加密公钥用于对由第一加密公钥加密的报文进行解密。In some embodiments, the client generates the first encrypted public key according to the identifier of the first encrypted public key in the certificate-free key information of the server. The first encrypted public key is used to decrypt the message encrypted by the first encrypted public key.

本申请实施例提供的技术方案至少带来以下有益效果:基于传输层安全性协议的通信过程中,客户端接收并验证服务端的无证书密钥信息,并在验证通过后,发送客户端的无证书密钥信息至服务端。在上述过程中,使用无证书密钥信息取代了传统的证书,减小基于传输层安全性协议的握手流程中的传输负担,提高通信轻量性。The technical solution provided by the embodiment of the present application brings at least the following beneficial effects: During the communication process based on the transport layer security protocol, the client receives and verifies the certificate-free key information of the server, and sends the certificate-free key information of the client after the verification is passed. key information to the server. In the above process, the traditional certificate is replaced by non-certificate key information, which reduces the transmission burden in the handshake process based on the transport layer security protocol and improves the lightness of communication.

如图4所示,本申请实施例提供了另一种基于传输层安全性协议的通信方法,应用于服务端,该方法包括以下步骤:As shown in Figure 4, the embodiment of the present application provides another communication method based on the transport layer security protocol, which is applied to the server, and the method includes the following steps:

S401、在基于传输层安全性协议的第二次握手过程中,向客户端发送的服务端的无证书密钥信息。S401. During the second handshake process based on the transport layer security protocol, send the certificateless key information of the server to the client.

其中,服务端的无证书密钥信息包括第一签名公钥的标识和第一加密公钥的标识。Wherein, the non-certificate key information of the server includes the identification of the first signature public key and the identification of the first encryption public key.

在一些实施例中,服务端根据服务端的无证书密钥信息中的第一签名公钥的标识生成第一签名公钥。第一签名公钥用于对由服务端的无证书私钥进行签名的报文进行验证。In some embodiments, the server generates the first public signature key according to the identification of the first public signature key in the non-certificate key information of the server. The first signature public key is used to verify the message signed by the non-certificate private key of the server.

在一些实施例中,服务端根据服务端的无证书密钥信息中的第一加密公钥的标识生成第一加密公钥。第一加密公钥用于对基于传输层安全协议的握手过程中服务端发送的握手信息进行加密。In some embodiments, the server generates the first encrypted public key according to the identifier of the first encrypted public key in the non-certificate key information of the server. The first encryption public key is used to encrypt the handshake information sent by the server during the handshake process based on the transport layer security protocol.

S402、在基于传输层安全性协议的第三次握手过程中,接收客户端发送的客户端的无证书密钥信息。S402. During the third handshake process based on the transport layer security protocol, receive the client's non-certificate key information sent by the client.

其中,客户端的无证书密钥信息包括第二签名公钥的标识和第二加密公钥的标识。Wherein, the client's non-certificate key information includes the identifier of the second signature public key and the identifier of the second encryption public key.

在一些实施例中,服务端可以根据客户端的无证书密钥信息中的第二签名公钥标识生成第二签名公钥。第二签名公钥用于对由客户端的无证书私钥进行签名的报文进行验证。In some embodiments, the server may generate the second public signature key according to the second signature public key identifier in the certificate-free key information of the client. The second public signature key is used to verify the message signed by the non-certificate private key of the client.

在一些实施例中,服务端可以根据客户端的无证书密钥信息中的第二加密公钥的标识生成第二加密公钥。第二加密公钥用于对由第二加密公钥加密的报文进行解密。In some embodiments, the server may generate the second encryption public key according to the identifier of the second encryption public key in the certificate-free key information of the client. The second encrypted public key is used to decrypt the message encrypted by the second encrypted public key.

S403、基于客户端的标识,对客户端的无证书密钥信息进行验证。S403. Based on the identifier of the client, verify the non-certificate key information of the client.

一些实施例中,在服务端对客户端的无证书密钥信息的验证过程中,对客户端的无证书密钥信息使用国密SM2算法进行运算,得到客户端的标识。若运算得到的客户端标识与握手过程中客户端的标识一致,即验证成功,服务端继续与客户端建立安全连接。In some embodiments, during the process of verifying the client's non-certificate key information by the server, the client's non-certificate key information is calculated using the national secret SM2 algorithm to obtain the client's identity. If the calculated client ID is consistent with the client ID in the handshake process, the verification is successful, and the server continues to establish a secure connection with the client.

示例性的,在基于传输层安全性协议的第三次握手过程中,客户端的标识为111000,服务端接收由客户端发送的无证书密钥信息,并对其进行验证。服务端通过无证书密码标识的套件中的基础密码运行功能对客户端的无证书密钥信息进行验证,使用国密SM2算法对客户端的无证书密钥信息进行运算,运算得到的客户端的标识为010101,与握手过程中的客户端的标识一致,即验证成功,服务端与客户端继续建立安全连接。Exemplarily, in the third handshake process based on the transport layer security protocol, the identity of the client is 111000, and the server receives and verifies the non-certificate key information sent by the client. The server verifies the client's non-certificate key information through the basic cipher operation function in the non-certificate cipher suite, and uses the national secret SM2 algorithm to calculate the client's non-certificate key information. The client's identity obtained from the operation is 010101 , which is consistent with the identity of the client during the handshake process, that is, the verification is successful, and the server and client continue to establish a secure connection.

又一示例性的,在基于传输层安全性协议的第三次握手过程中,客户端的标识为111000,服务端接收由客户端发送的无证书密钥信息,并对其进行验证。服务端通过无证书密码标识的套件中的基础密码运行功能对客户端的无证书密钥信息进行验证,使用国密SM2算法对客户端的无证书密钥信息进行运算,运算得到的服务端的标识为000111,与握手过程中的客户端的标识不一致,即验证失败,服务端中断与客户端的连接。In yet another example, in the third handshake process based on the transport layer security protocol, the identity of the client is 111000, and the server receives and verifies the non-certificate key information sent by the client. The server verifies the client's non-certificate key information through the basic cipher operation function in the non-certificate cipher suite, and uses the national secret SM2 algorithm to calculate the client's non-certificate key information, and the calculated server ID is 000111 , is inconsistent with the identity of the client during the handshake process, that is, the verification fails, and the server terminates the connection with the client.

本申请实施例提供的技术方案至少带来以下有益效果:可以看出,基于传输层安全性协议的通信过程中,服务端向客户端发送服务端的无证书密钥信息,接收客户端发送的客户端的无证书密钥信息并验证;在上述通信过程中,使用无证书密钥信息,取代了传统过程中的证书,减小了通信过程中的带宽负担,提高了通信过程中的轻量,并保障了通信过程中的安全性。The technical solution provided by the embodiment of the present application brings at least the following beneficial effects: It can be seen that in the communication process based on the transport layer security protocol, the server sends the server's non-certificate key information to the client, and receives the client's key information sent by the client. The non-certificate key information of the terminal is verified; in the above communication process, the non-certificate key information is used to replace the certificate in the traditional process, which reduces the bandwidth burden in the communication process, improves the lightness of the communication process, and The security in the communication process is guaranteed.

如图5所示,本申请实施例提供了一种基于传输层安全性协议的完整通信方法,该方法包括以下步骤:As shown in Figure 5, the embodiment of the present application provides a complete communication method based on the transport layer security protocol, the method includes the following steps:

S501、初始化阶段。S501, an initialization phase.

如图6所示,步骤S1可以具体实现为以下步骤:As shown in Figure 6, step S1 can be specifically implemented as the following steps:

S5101、服务端调用无证书密码管理平台中的扩展接口,生成服务端的公钥与私钥。S5101. The server invokes an extension interface in the non-certificate password management platform to generate a public key and a private key of the server.

其中,无证书密码管理平台中的扩展接口用于提供服务端的密钥生成功能和服务端的无证书密钥信封解析功能。Among them, the extension interface in the certificateless password management platform is used to provide the key generation function of the server and the certificateless key envelope analysis function of the server.

S5102、服务端将服务端的标识与公钥发送至无证书密码管理平台,以使得无证书密码管理平台根据服务端的标识与公钥生成服务端的无证书密钥信息。S5102. The server sends the identification and public key of the server to the non-certificate password management platform, so that the non-certificate password management platform generates the non-certificate key information of the server according to the identification and public key of the server.

示例性的,无证书密码管理平台调用扩展接口,根据服务端的标识以及服务端的公钥并结合TLS加密套件中的基础密码运算功能,生成服务端的无证书密钥信息。Exemplarily, the non-certificate password management platform invokes the extension interface, and generates the non-certificate key information of the server according to the identification of the server and the public key of the server combined with the basic cryptographic operation function in the TLS encryption suite.

其中,服务端的无证书密钥信息包括第一签名公钥的标识和第一加密公钥的标识。Wherein, the non-certificate key information of the server includes the identification of the first signature public key and the identification of the first encryption public key.

在一些实施例中,无证书密码管理平台根据服务端的标识与公钥还生成了服务端的无证书密钥信封。其中,服务端的无证书密钥信封包括第一签名公钥信封和第一加密公钥信封。In some embodiments, the non-certificate password management platform also generates the non-certificate key envelope of the server according to the identification and public key of the server. Wherein, the non-certificate key envelope of the server includes a first signed public key envelope and a first encrypted public key envelope.

S5103、服务端获取由无证书密码管理平台生成的服务端的无证书密钥信息。S5103. The server acquires the non-certificate key information of the server generated by the non-certificate password management platform.

S5104、服务端调用无证书密码管理平台中的扩展接口,生成服务端的无证书私钥。S5104. The server invokes an extension interface in the certificateless password management platform to generate a certificateless private key of the server.

示例性的,无证书密码管理平台保存服务端的无证书密钥信息,并对服务端的无证书密钥信封进行解析,生成服务端的无证书私钥。Exemplarily, the non-certificate password management platform stores the non-certificate key information of the server, and parses the non-certificate key envelope of the server to generate the non-certificate private key of the server.

其中,服务端的无证书私钥用于在基于传输层安全性协议的握手过程中对握手信息进行签名,用于证明客户端接收的来自于服务端的无证书密钥信息与服务端相对应。Wherein, the non-certificate private key of the server is used to sign the handshake information during the handshake process based on the transport layer security protocol, and is used to prove that the non-certificate key information received by the client from the server corresponds to the server.

S5105、客户端调用无证书密码管理平台中的扩展接口,生成客户端的公钥与私钥。S5105. The client invokes the extension interface in the certificateless password management platform to generate a public key and a private key of the client.

S5106、客户端将客户端的标识与公钥发送至无证书密码管理平台,以使得无证书密码管理平台根据客户端的标识与公钥生成客户端的无证书密钥信息。S5106. The client sends the client's identification and public key to the certificateless password management platform, so that the certificateless password management platform generates the client's certificateless key information according to the client's identification and public key.

示例性的,无证书密码管理平台调用扩展接口,根据服务端的标识以及服务端的公钥并结合TLS加密套件中的基础密码运算功能,生成服务端的无证书密钥信息。Exemplarily, the non-certificate password management platform invokes the extension interface, and generates the non-certificate key information of the server according to the identification of the server and the public key of the server combined with the basic cryptographic operation function in the TLS encryption suite.

其中,客户端的无证书密钥信息包括第二签名公钥的标识和第二加密公钥的标识。Wherein, the client's non-certificate key information includes the identifier of the second signature public key and the identifier of the second encryption public key.

在一些实施例中,无证书密码管理平台根据客户端的标识与公钥还生成了客户端的无证书密钥信封。其中,客户端的无证书密钥信封包括第二签名公钥信封和第二加密公钥信封。In some embodiments, the certificateless password management platform also generates the client's certificateless key envelope according to the client's identifier and public key. Wherein, the non-certificate key envelope of the client includes a second signed public key envelope and a second encrypted public key envelope.

S5107、客户端获取由无证书密码管理平台生成的客户端的无证书密钥信息。S5107. The client acquires certificate-free key information of the client generated by the certificate-free password management platform.

S5108、客户端调用无证书密码管理平台中的扩展接口,生成客户端的无证书私钥。S5108. The client invokes an extension interface in the certificate-free password management platform to generate a certificate-free private key of the client.

示例性的,无证书密码管理平台保存客户端的无证书密钥信息,并对客户端的无证书密钥信封进行解析,生成客户端的无证书私钥。Exemplarily, the non-certificate password management platform stores the client non-certificate key information, and parses the client non-certificate key envelope to generate the client non-certificate private key.

其中,客户端的无证书私钥用于在基于传输层安全性协议的握手过程中对握手信息进行签名,用于证明服务端接收的来自于客户端的无证书密钥信息与客户端相对应。Among them, the client's non-certificate private key is used to sign the handshake information during the handshake process based on the transport layer security protocol, and is used to prove that the non-certificate key information received by the server from the client corresponds to the client.

S502、第一次握手流程。S502. A first handshake process.

客户端发送握手请求报文至服务端;相应地,服务端接收来自于客户端的握手请求报文。The client sends a handshake request message to the server; correspondingly, the server receives the handshake request message from the client.

其中,握手请求报文用于指示服务端在基于传输层安全性协议的通信过程中采用无证书密钥的认证方式。Wherein, the handshake request message is used to instruct the server to adopt an authentication mode without a certificate key in the communication process based on the transport layer security protocol.

握手请求报文相当于传统TLS通信过程中的Cl ient Hel lo报文。握手请求报文可以包括以下至少一项:客户端支持的无证书标识密码认证的TLS协议版本、客户端生成的随机数、客户端支持的无证书密码标识的TLS加密套件、客户端支持的压缩算法列表或客户端填充的扩展内容。The handshake request message is equivalent to the Client Hello message in the traditional TLS communication process. The handshake request message may include at least one of the following: the TLS protocol version supported by the client for authentication without a certificate-identified password, the random number generated by the client, the TLS cipher suite supported by the client without a certificate-identified password, and the compression supported by the client Algorithm list or extended content populated by the client.

无证书密码标识的TLS加密套件用于客户端的公钥生成、无证书信封解封解析和无证书密钥信息合成。The TLS cipher suite identified by the certificate-free cipher is used for client-side public key generation, certificate-free envelope decapsulation and analysis, and certificate-free key information synthesis.

示例性的,握手请求报文包括客户端支持的无证书标识密码认证的TLS协议版本,例如1.0、1.1、1.2;客户端生成的随机数,例如10;客户端支持的无证书密码标识的TLS加密套件,例如ECDH_RSA、ECDH_ECDSA;客户端支持的压缩算法列表,例如Def late、GZIP、LZO;客户端填充的扩展内容为SNI扩展。Exemplarily, the handshake request message includes the TLS protocol version supported by the client without certificate identification password authentication, such as 1.0, 1.1, 1.2; the random number generated by the client, such as 10; the TLS protocol version supported by the client without certificate identification password authentication Cipher suites, such as ECDH_RSA, ECDH_ECDSA; the list of compression algorithms supported by the client, such as Def late, GZIP, LZO; the extension content filled by the client is the SNI extension.

S503、第二次握手流程。S503. A second handshake process.

如图7所示,步骤S3可以具体实现为以下步骤:As shown in Figure 7, step S3 can be specifically implemented as the following steps:

S5201、服务端解析由客户端发送的握手请求报文。S5201. The server parses the handshake request message sent by the client.

其中,握手请求报文可以为cl ient hel lo报文。Wherein, the handshake request message may be a client hello message.

在一些实施例中,服务端通过解析由客户端发送的握手请求报文,确定建立连接过程中可选择的参数信息。In some embodiments, the server determines optional parameter information during connection establishment by analyzing the handshake request message sent by the client.

S5202、服务端向客户端发送握手应答报文;相应地,客户端接收来自于服务端的握手应答报文。S5202. The server sends a handshake response message to the client; correspondingly, the client receives the handshake response message from the server.

其中,握手应答报文为Server Hel lo报文。Wherein, the handshake response message is a Server Hello message.

Server Hel lo报文可以包括以下至少一项:服务端选择的无证书密码认证的TLS协议版本、服务端选择的随机数、服务端选择的无证书密码标识的TLS加密套件、服务端选择的压缩算法或服务端填充的扩展内容。The Server Hello message may include at least one of the following: the TLS protocol version selected by the server for authentication without a certificate password, the random number selected by the server, the TLS cipher suite identified by a certificateless password selected by the server, and the compression protocol selected by the server. Algorithm or extended content filled by the server.

示例性的,继S2中的示例,服务端选择客户端支持的协议版本的最高版本1.2作为本次通信过程中的TLS协议版本;在客户端支持的无证书密码标识的TLS加密套件随机选择一种,例如ECDH_RSA作为本次通信过程中的TLS加密套件;在客户端支持的压缩算法列表中随机选择一种,例如GZIP作为本次通信过程中的压缩算法列表。Exemplarily, following the example in S2, the server selects the highest version 1.2 of the protocol version supported by the client as the TLS protocol version in this communication process; randomly selects a One, such as ECDH_RSA as the TLS encryption suite in this communication process; randomly select one from the compression algorithm list supported by the client, such as GZIP as the compression algorithm list in this communication process.

S5203、服务端将服务端的无证书密钥信息发送至客户端;相应地,客户端接收来自于服务端的无证书密钥信息。S5203. The server sends the non-certificate key information of the server to the client; correspondingly, the client receives the non-certificate key information from the server.

其中,服务端的无证书密钥信息包括第一签名公钥的标识和第一加密公钥的标识。Wherein, the non-certificate key information of the server includes the identification of the first signature public key and the identification of the first encryption public key.

在本申请实施例中,服务端的无证书密钥信息格式可以为X.509,在实际应用的过程中可以根据需求对服务端的无证书密钥信息的格式进行设定,本申请实施例对此不做任何限定。In the embodiment of this application, the format of the non-certificate key information of the server can be X.509, and the format of the non-certificate key information of the server can be set according to the requirements during the actual application process. Do not make any restrictions.

S5204、服务端向客户端发送密钥信息请求报文;相应地,客户端接收来自于服务端的密钥信息请求报文。S5204. The server sends a key information request message to the client; correspondingly, the client receives the key information request message from the server.

其中,密钥信息请求报文用于请求客户端发送客户端的无证书密钥信息至服务端。示例性的,密钥信息请求报文可以为Cert ificate Reques t报文。Wherein, the key information request message is used to request the client to send the client's non-certificate key information to the server. Exemplarily, the key information request message may be a Certificate Request t message.

S5205、服务端向客户端发送密钥完成报文;相应地,客户端接收来自于服务端的密钥完成报文。S5205. The server sends a key completion message to the client; correspondingly, the client receives the key completion message from the server.

其中,密钥完成报文用于表示服务端的无证书密钥信息发送完毕。示例性的,密钥完成报文可以为Server He l lo Done报文。Wherein, the key completion message is used to indicate that the non-certificate key information of the server has been sent. Exemplarily, the key completion message may be a Server Hello Done message.

S504、第三次握手流程。S504. A third handshake process.

如图8所示,步骤S4可以具体实现为以下步骤:As shown in Figure 8, step S4 can be specifically implemented as the following steps:

S5301、客户端验证由服务端发送的无证书密钥信息。S5301. The client verifies the non-certificate key information sent by the server.

S5302、客户端向服务端发送客户端的无证书密钥信息;相应地,服务端接收来自于客户端的无证书密钥信息。S5302. The client sends the certificateless key information of the client to the server; correspondingly, the server receives the certificateless key information from the client.

在一些实施例中,客户端向服务端发送客户端的无证书密钥信息后,客户端使用客户端的无证书签名私钥对之后发送的握手信息进行数字签名,用于表示客户端向服务端发送的无证书密钥信息与客户端拥有的无证书签名私钥相对应。In some embodiments, after the client sends the client's non-certificate key information to the server, the client uses the client's non-certificate signature private key to digitally sign the handshake information sent later, which is used to indicate that the client sends to the server The non-certificate key information corresponds to the non-certificate signing private key owned by the client.

S5303、客户端发送密钥交换报文至服务端;相应地,服务端接收来自于客户端的密钥交换报文。S5303. The client sends a key exchange message to the server; correspondingly, the server receives the key exchange message from the client.

其中,密钥交换报文相当于传统TLS通信过程中的C l ient Key Exchange报文。密钥交换报文包括客户端使用客户端的无证书密钥信息中的第二加密公钥加密的随机数。Wherein, the key exchange message is equivalent to the Client Key Exchange message in the traditional TLS communication process. The key exchange message includes a random number encrypted by the client using the second encrypted public key in the certificateless key information of the client.

示例性的,客户端使用客户端的无证书密钥信息中的第二加密公钥的标识生成第二加密公钥,并使用第二加密公钥对密钥交换报文中的随机数进行加密。Exemplarily, the client uses the identifier of the second encryption public key in the client's non-certificate key information to generate a second encryption public key, and uses the second encryption public key to encrypt the random number in the key exchange message.

在一些实施例中,在基于传输层安全性协议的第三次握手过程中,服务端接收客户端发送的密钥交换报文;根据第二加密公钥的标识,生成第二加密公钥;以第二加密公钥,对由第二加密公钥加密的随机数进行解密。In some embodiments, during the third handshake process based on the transport layer security protocol, the server receives the key exchange message sent by the client; generates the second encrypted public key according to the identity of the second encrypted public key; The random number encrypted by the second encryption public key is decrypted with the second encryption public key.

S5304、客户端向服务端发送加密指示报文;相应地,服务端接收来自于客户端的加密指示报文。S5304. The client sends an encrypted indication message to the server; correspondingly, the server receives the encrypted indication message from the client.

其中,加密指示报文Change Ci pher Spec报文用于告知服务端下一条的握手信息开始加密传输。示例性的,加密指示报文可以为Change C ipher Spec报文。Wherein, the encryption instruction message Change Cipher Spec message is used to inform the server to start encrypted transmission of the next handshake information. Exemplarily, the encrypted indication message may be a Change C ipher Spec message.

S5305、客户端向服务端发送握手摘要报文,相应地,服务端接收来自于客户端的握手摘要报文。S5305. The client sends a handshake summary message to the server, and correspondingly, the server receives the handshake summary message from the client.

其中,握手摘要报文包括握手过程中全部握手信息的摘要。示例性的,握手摘要报文可以为Fini shed报文。Wherein, the handshake summary message includes a summary of all handshake information during the handshake process. Exemplarily, the handshake summary message may be a Fini shed message.

在一些实施例中,客户端使用国密SM3摘要算法对握手信息进行摘要,整合为Fini shed报文后,根据第二加密密钥标识生成第二加密密钥,并使用第二加密公钥进行加密发送至服务端。In some embodiments, the client uses the national secret SM3 digest algorithm to digest the handshake information, and after integrating it into a Fini shed message, generates a second encryption key according to the second encryption key identifier, and uses the second encryption public key to perform Encrypted and sent to the server.

S505、第四次握手流程。S505 , a fourth handshake process.

如图9所示,步骤S5可以具体实现为以下步骤:As shown in Figure 9, step S5 can be specifically implemented as the following steps:

S5401、服务端验证由客户端发送的无证书密钥信息。S5401. The server verifies the non-certificate key information sent by the client.

S5402、服务端验证客户端的数字签名。S5402. The server verifies the digital signature of the client.

服务端根据客户端的无证书密钥信息中的第二签名公钥的标识,生成第二签名公钥,并使用第二签名公钥对客户端的数字签名进行认证。The server generates the second signature public key according to the identification of the second signature public key in the certificate-free key information of the client, and uses the second signature public key to authenticate the digital signature of the client.

S5403、服务端向客户端发送加密指示报文;相应地,客户端接收来自于服务端的加密指示报文。S5403. The server sends an encrypted indication message to the client; correspondingly, the client receives the encrypted indication message from the server.

其中,加密指示报文用于告知客户端下一条的握手信息开始加密传输。示例性的,加密指示报文可以为Change Cipher Spec报文。Wherein, the encryption instruction message is used to inform the client that the next piece of handshake information starts encrypted transmission. Exemplarily, the encrypted indication message may be a Change Cipher Spec message.

S5404、服务端向客户端发送握手摘要报文;相应地,客户端接收来自于服务端的握手摘要报文。S5404. The server sends a handshake summary message to the client; correspondingly, the client receives the handshake summary message from the server.

其中,握手摘要报文包括握手过程中全部握手信息的摘要。示例性的,握手摘要报文可以为Fini shed报文。Wherein, the handshake summary message includes a summary of all handshake information during the handshake process. Exemplarily, the handshake summary message may be a Fini shed message.

在一些实施例中,服务端使用国密SM3摘要算法对握手信息进行摘要,整合为握手摘要报文发送至客户端。上述主要从方法的角度对本申请实施例提供的方案进行了介绍。为了实现上述功能,其包含了执行各个功能相应的硬件结构和/或软件模块。本领域技术人员应该很容易意识到,结合本文中所公开的实施例描述的各示例的单元及算法步骤,本申请实施例能够以硬件或硬件和计算机软件的结合形式来实现。某个功能究竟以硬件还是计算机软件驱动硬件的方式来执行,取决于技术方案的特定应用和设计约束条件。专业技术人员可以对每个特定的应用来使用不同方法来实现所描述的功能,但是这种实现不应认为超出本申请的范围。In some embodiments, the server uses the national secret SM3 digest algorithm to digest the handshake information, and integrates it into a handshake summary message and sends it to the client. The foregoing mainly introduces the solutions provided by the embodiments of the present application from the perspective of methods. In order to realize the above functions, it includes corresponding hardware structures and/or software modules for performing various functions. Those skilled in the art should easily realize that the embodiments of the present application can be implemented in the form of hardware or a combination of hardware and computer software in combination with the example units and algorithm steps described in the embodiments disclosed herein. Whether a certain function is executed by hardware or computer software drives hardware depends on the specific application and design constraints of the technical solution. Skilled artisans may use different methods to implement the described functions for each specific application, but such implementation should not be regarded as exceeding the scope of the present application.

本申请实施例可以根据上述方法示例对通信装置进行功能模块的划分,例如,可以对应各个功能划分各个功能模块,也可以将两个或两个以上的功能集成在一个处理模块中。上述集成的模块既可以采用硬件的形式实现,也可以采用软件功能模块的形式实现。可选的,本申请实施例中对模块的划分是示意性的,仅仅为一种逻辑功能划分,实际实现时可以有另外的划分方式。In the embodiment of the present application, the functional modules of the communication device may be divided according to the above method example. For example, each functional module may be divided corresponding to each function, or two or more functions may be integrated into one processing module. The above-mentioned integrated modules can be implemented in the form of hardware or in the form of software function modules. Optionally, the division of modules in this embodiment of the present application is schematic, and is only a logical function division, and there may be another division manner in actual implementation.

图10示出本申请实施例提供的一种客户端装置的结构示意图。如图10所示,客户端装置60包括接收模块601、验证模块602、发送模块603。FIG. 10 shows a schematic structural diagram of a client device provided by an embodiment of the present application. As shown in FIG. 10 , the client device 60 includes a receiving module 601 , a verification module 602 , and a sending module 603 .

接收模块601,用于在基于传输层安全性协议的第二次握手过程中,接收服务端发送的服务端的无证书密钥信息,服务端的无证书密钥信息包括第一签名公钥的标识和第一加密公钥的标识。The receiving module 601 is configured to receive the certificateless key information of the server sent by the server during the second handshake process based on the transport layer security protocol. The certificateless key information of the server includes the identity of the first signature public key and Identification of the first encrypted public key.

验证模块602,用于在基于传输层安全性协议的第三次握手过程中,基于服务端的标识,对服务端的无证书密钥信息进行验证。The verification module 602 is configured to verify the non-certificate key information of the server based on the identifier of the server during the third handshake process based on the transport layer security protocol.

发送模块603,用于在验证通过之后,向服务端发送客户端无证书密钥信息,客户端的无证书密钥信息包括第二签名公钥的标识和第二加密公钥的标识。The sending module 603 is configured to send the certificateless key information of the client to the server after the verification is passed, and the certificateless key information of the client includes the identification of the second signature public key and the identification of the second encryption public key.

在一些实施例中,发送模块603还用于在基于传输层安全性协议的第三次握手过程中,向服务端发送密钥交换报文,密钥交换报文包括由第二加密公钥加密的随机数。In some embodiments, the sending module 603 is further configured to send a key exchange message to the server during the third handshake process based on the transport layer security protocol, the key exchange message includes of random numbers.

在一些实施例中,发送模块603还用于在基于传输层安全性协议的第一次握手过程中,向所述服务端发送握手请求报文,所述握手请求报文用于指示采用无证书密钥的认证方式。In some embodiments, the sending module 603 is further configured to send a handshake request message to the server during the first handshake process based on the transport layer security protocol, and the handshake request message is used to indicate that certificateless Authentication method of the key.

图11示出本申请实施例提供的一种服务端装置的结构示意图。如图11所示,该服务端装置70包括发送模块701、接收模块702、验证模块703、生成模块704、解密模块705。FIG. 11 shows a schematic structural diagram of a server device provided by an embodiment of the present application. As shown in FIG. 11 , the server device 70 includes a sending module 701 , a receiving module 702 , a verification module 703 , a generation module 704 , and a decryption module 705 .

发送模块701,用于在基于传输层安全性协议的第二次握手过程中,向客户端发送的服务端的无证书密钥信息,服务端的无证书密钥信息包括第一签名公钥的标识和第一加密公钥的标识。The sending module 701 is configured to send the certificateless key information of the server to the client during the second handshake process based on the transport layer security protocol. The certificateless key information of the server includes the identity of the first signature public key and Identification of the first encrypted public key.

接收模块702,用于在基于传输层安全性协议的第三次握手过程中,接收客户端发送的所述客户端的无证书密钥信息,客户端的无证书密钥信息包括第二签名公钥的标识和第二加密公钥的标识。The receiving module 702 is configured to receive the client's non-certificate key information sent by the client during the third handshake process based on the transport layer security protocol, the client's non-certificate key information includes the second signature public key ID and ID of the second encrypted public key.

验证模块703,用于基于客户端的标识,对客户端的无证书密钥信息进行验证。The verification module 703 is configured to verify the certificate-less key information of the client based on the identification of the client.

在一些实施例中,接收模块702还用于在基于传输层安全性协议的第三次握手过程中,接收客户端发送的客户端密钥交换报文,客户端密钥交换报文包括由第二加密公钥加密的随机数;上述装置还包括:生成模块704,用于根据第二加密公钥的标识,生成第二加密公钥;解密模块705,用于以第二加密公钥,对由第二加密公钥加密的随机数进行解密。In some embodiments, the receiving module 702 is further configured to receive the client key exchange message sent by the client during the third handshake process based on the transport layer security protocol, the client key exchange message includes the The random number encrypted by the second encrypted public key; the above-mentioned device also includes: a generation module 704, which is used to generate a second encrypted public key according to the identification of the second encrypted public key; a decryption module 705, which is used to use the second encrypted public key to The random number encrypted by the second encrypted public key is decrypted.

在一些实施例中,接收模块702还用于在基于传输层安全性协议的第一次握手过程中,接收客户端发送的握手请求报文,握手请求报文用于指示采用无证书密钥的认证方式。In some embodiments, the receiving module 702 is also configured to receive a handshake request message sent by the client during the first handshake process based on the transport layer security protocol, and the handshake request message is used to indicate the use of certificate-less key verification method.

在采用硬件的形式实现上述集成的模块的功能的情况下,本申请实施例提供了客户端装置和服务端装置的结果可以参考图12所示的通信装置的结果。如图12所示,通信装置80包括:处理器802、总线804以及通信接口803。In the case that the functions of the above-mentioned integrated modules are implemented in the form of hardware, the results of the client device and the server device provided in the embodiment of the present application may refer to the results of the communication device shown in FIG. 12 . As shown in FIG. 12 , the communication device 80 includes: a processor 802 , a bus 804 and a communication interface 803 .

通信接口803,用于与其他设备通过通信网络连接。该通信网络可以是以太网,无线接入网,无线局域网(wi reles s local area networks,WLAN)等。The communication interface 803 is used to connect with other devices through the communication network. The communication network may be Ethernet, wireless access network, wireless local area network (wireless local area networks, WLAN) and so on.

存储器801,可以是只读存储器(read-only memory,ROM)或可存储静态信息和指令的其他类型的静态存储设备,随机存取存储器(random access memory,RAM)或者可存储信息和指令的其他类型的动态存储设备,也可以是电可擦可编程只读存储器(electr ical ly erasable programmable read-only memory,EEPROM)、磁盘存储介质或者其他磁存储设备、或者能够用于携带或存储具有指令或数据结构形式的期望的程序代码并能够由计算机存取的任何其他介质,但不限于此。The memory 801 may be a read-only memory (read-only memory, ROM) or other types of static storage devices that can store static information and instructions, a random access memory (random access memory, RAM) or other types that can store information and instructions Type of dynamic storage device, also can be electrically erasable programmable read-only memory (electrically erasable programmable read-only memory, EEPROM), magnetic disk storage medium or other magnetic storage devices, or can be used to carry or store instructions or Desired program code in the form of a data structure and any other medium capable of being accessed by a computer, but not limited thereto.

作为一种可能的实现方式,存储器801可以独立于处理器802存在,存储器801可以通过总线804与处理器802相连接,用于存储指令或者程序代码。处理器802调用并执行存储器801中存储的指令或程序代码时,能够实现本申请实施例提供的基于传输层安全性协议的通信方法。As a possible implementation manner, the memory 801 may exist independently of the processor 802, and the memory 801 may be connected to the processor 802 through the bus 804, and is used for storing instructions or program codes. When the processor 802 invokes and executes the instructions or program codes stored in the memory 801, the communication method based on the transport layer security protocol provided by the embodiment of the present application can be implemented.

另一种可能的实现方式中,存储器801也可以和处理器802集成在一起。In another possible implementation manner, the memory 801 may also be integrated with the processor 802 .

总线804,可以是扩展工业标准结构(extended indus try s tandard architecture,EISA)总线等。总线804可以分为地址总线、数据总线、控制总线等。为便于表示,图12中仅用一条粗线表示,但并不表示仅有一根总线或一种类型的总线。The bus 804 may be an extended industry standard architecture (extended indus try standard architecture, EISA) bus or the like. The bus 804 can be divided into address bus, data bus, control bus and so on. For ease of representation, only one thick line is used in FIG. 12 , but it does not mean that there is only one bus or one type of bus.

本申请实施例还提供一种计算机可读存储介质,计算机可读存储介质包括计算机执行指令,当计算机执行指令在计算机上运行时,使得计算机执行如上述实施例提供的方法。The embodiment of the present application also provides a computer-readable storage medium, the computer-readable storage medium includes computer-executable instructions, and when the computer-executable instructions are run on the computer, the computer is made to execute the method provided in the foregoing embodiments.

本申请实施例还提供一种计算机程序产品,该计算机程序产品可直接加载到存储器中,并含有软件代码,该计算机程序产品经由计算机载入并执行后能够实现上述实施例提供的方法。The embodiment of the present application also provides a computer program product, which can be directly loaded into a memory and contains software codes. After being loaded and executed by a computer, the computer program product can implement the methods provided in the above embodiments.

本领域技术人员应该可以意识到,在上述一个或多个示例中,本申请所描述的功能可以用硬件、软件、固件或它们的任意组合来实现。当使用软件实现时,可以将这些功能存储在计算机可读介质中或者作为计算机可读介质上的一个或多个指令或代码进行传输。计算机可读介质包括计算机存储介质和通信介质,其中通信介质包括便于从一个地方向另一个地方传送计算机程序的任何介质。存储介质可以是通用或专用计算机能够存取的任何可用介质。Those skilled in the art should be aware that, in the above one or more examples, the functions described in this application may be implemented by hardware, software, firmware or any combination thereof. When implemented in software, the functions may be stored on or transmitted over as one or more instructions or code on a computer-readable medium. Computer-readable media includes both computer storage media and communication media including any medium that facilitates transfer of a computer program from one place to another. A storage media may be any available media that can be accessed by a general purpose or special purpose computer.

以上所述,仅为本申请的具体实施方式,但本申请的保护范围并不局限于此,任何在本申请揭露的技术范围内的变化或替换,都应涵盖在本申请的保护范围之内。因此,本申请的保护范围应该以权利要求的保护范围为准。The above is only a specific implementation of the application, but the protection scope of the application is not limited thereto, and any changes or replacements within the technical scope disclosed in the application should be covered within the protection scope of the application . Therefore, the protection scope of the present application should be based on the protection scope of the claims.

Claims (15)

1.一种基于传输层安全性协议的通信方法,其特征在于,应用于客户端,所述方法包括:1. A communication method based on a transport layer security protocol, characterized in that it is applied to a client, and the method comprises: 在基于传输层安全性协议的第二次握手过程中,接收服务端发送的服务端的无证书密钥信息,所述服务端的无证书密钥信息包括第一签名公钥的标识和第一加密公钥的标识;In the second handshake process based on the transport layer security protocol, the certificateless key information of the server sent by the server is received, and the certificateless key information of the server includes the identity of the first signature public key and the first encrypted public key. identification of the key; 在基于传输层安全性协议的第三次握手过程中,基于所述服务端的标识,对所述服务端的无证书密钥信息进行验证;在验证通过之后,向所述服务端发送所述客户端的无证书密钥信息,所述客户端的无证书密钥信息包括第二签名公钥的标识和第二加密公钥的标识。In the third handshake process based on the transport layer security protocol, based on the identification of the server, verify the non-certificate key information of the server; after the verification is passed, send the client's key information to the server The non-certificate key information of the client includes the identification of the second signature public key and the identification of the second encryption public key. 2.根据权利要求1所述的方法,其特征在于,所述方法还包括:2. The method according to claim 1, characterized in that the method further comprises: 在基于传输层安全性协议的第三次握手过程中,向所述服务端发送密钥交换报文,所述密钥交换报文包括由第二加密公钥加密的随机数。In the third handshake process based on the transport layer security protocol, a key exchange message is sent to the server, and the key exchange message includes a random number encrypted by the second encrypted public key. 3.根据权利要求2所述的方法,其特征在于,所述方法还包括:3. The method according to claim 2, wherein the method further comprises: 在基于传输层安全性协议的第一次握手过程中,向所述服务端发送握手请求报文,所述握手请求报文用于指示采用无证书密钥的认证方式。In the first handshake process based on the transport layer security protocol, a handshake request message is sent to the server, and the handshake request message is used to indicate that an authentication mode without a certificate key is adopted. 4.一种基于传输层安全性协议的通信方法,其特征在于,应用于服务端,所述方法包括:4. A communication method based on a transport layer security protocol, characterized in that it is applied to a server, and the method comprises: 在基于传输层安全性协议的第二次握手过程中,向客户端发送服务端的无证书密钥信息,所述服务端的无证书密钥信息包括第一签名公钥的标识和第一加密公钥的标识;In the second handshake process based on the transport layer security protocol, the certificateless key information of the server is sent to the client, and the certificateless key information of the server includes the identification of the first signature public key and the first encryption public key logo; 在基于传输层安全性协议的第三次握手过程中,接收所述客户端发送的所述客户端的无证书密钥信息,所述客户端的无证书密钥信息包括第二签名公钥的标识和第二加密公钥的标识;In the third handshake process based on the transport layer security protocol, receiving the client's non-certificate key information sent by the client, the client's non-certificate key information includes the identity of the second signature public key and identification of the second encryption public key; 基于所述客户端的标识,对所述客户端的无证书密钥信息进行验证。Based on the identifier of the client, the certificateless key information of the client is verified. 5.根据权利要求4所述的方法,其特征在于,所述方法还包括:5. method according to claim 4, is characterized in that, described method also comprises: 在基于传输层安全性协议的第三次握手过程中,接收所述客户端发送的客户端密钥交换报文,所述客户端密钥交换报文包括由第二加密公钥加密的随机数;In the third handshake process based on the transport layer security protocol, receiving the client key exchange message sent by the client, the client key exchange message includes a random number encrypted by the second encrypted public key ; 根据所述第二加密公钥的标识,生成所述第二加密公钥;generating the second encrypted public key according to the identifier of the second encrypted public key; 以所述第二加密公钥,对由第二加密公钥加密的随机数进行解密。Decrypt the random number encrypted by the second encryption public key with the second encryption public key. 6.根据权利要求5所述的方法,其特征在于,所述方法还包括:6. The method according to claim 5, further comprising: 在基于传输层安全性协议的第一次握手过程中,接收所述客户端发送的握手请求报文,所述握手请求报文用于指示采用无证书密钥的认证方式。In the first handshake process based on the transport layer security protocol, a handshake request message sent by the client is received, and the handshake request message is used to indicate that an authentication mode without a certificate key is adopted. 7.一种客户端装置,其特征在于,所述装置包括:7. A client device, characterized in that the device comprises: 接收模块,用于在基于传输层安全性协议的第二次握手过程中,接收服务端发送的服务端的无证书密钥信息,所述服务端的无证书密钥信息包括第一签名公钥的标识和第一加密公钥的标识;The receiving module is configured to receive the certificateless key information of the server sent by the server during the second handshake process based on the transport layer security protocol, and the certificateless key information of the server includes the identification of the first signature public key and the identification of the first encrypted public key; 验证模块,用于在基于传输层安全性协议的第三次握手过程中,基于所述服务端的标识,对所述服务端的无证书密钥信息进行验证;A verification module, configured to verify the non-certificate key information of the server based on the identifier of the server during the third handshake process based on the transport layer security protocol; 发送模块,用于在验证通过之后,向所述服务端发送所述客户端的无证书密钥信息,所述客户端的无证书密钥信息包括第二签名公钥的标识和第二加密公钥的标识。A sending module, configured to send the certificate-free key information of the client to the server after the verification is passed, the certificate-free key information of the client includes the identity of the second signature public key and the identity of the second encryption public key logo. 8.根据权利要求7所述的装置,其特征在于,所述发送模块还用于在基于传输层安全性协议的第三次握手过程中,向所述服务端发送密钥交换报文,所述密钥交换报文包括由第二加密公钥加密的随机数。8. The device according to claim 7, wherein the sending module is further configured to send a key exchange message to the server during the third handshake process based on the transport layer security protocol, the The key exchange message includes a random number encrypted by the second encrypted public key. 9.根据权利要求8所述的装置,其特征在于,所述发送模块还用于在基于传输层安全性协议的第一次握手过程中,向所述服务端发送握手请求报文,所述握手请求报文用于指示采用无证书密钥的认证方式。9. The device according to claim 8, wherein the sending module is further configured to send a handshake request message to the server during the first handshake process based on the transport layer security protocol, the The handshake request message is used to indicate the authentication mode without certificate key. 10.一种服务端装置,其特征在于,所述装置包括:10. A server device, characterized in that the device comprises: 发送模块,用于在基于传输层安全性协议的第二次握手过程中,向客户端发送服务端的无证书密钥信息,所述服务端的无证书密钥信息包括第一签名公钥的标识和第一加密公钥的标识;The sending module is configured to send the certificate-free key information of the server to the client during the second handshake process based on the transport layer security protocol, and the certificate-free key information of the server includes the identity of the first signature public key and identification of the first encrypted public key; 接收模块,用于在基于传输层安全性协议的第三次握手过程中,接收所述客户端发送的所述客户端的无证书密钥信息,所述客户端的无证书密钥信息包括第二签名公钥的标识和第二加密公钥的标识;A receiving module, configured to receive the certificateless key information of the client sent by the client during the third handshake process based on the transport layer security protocol, where the certificateless key information of the client includes a second signature identification of the public key and identification of the second encrypted public key; 验证模块,用于基于所述客户端的标识,对所述客户端的无证书密钥信息进行验证。A verification module, configured to verify the certificate-less key information of the client based on the identifier of the client. 11.根据权利要求10所述的装置,其特征在于,所述接收模块还用于在基于传输层安全性协议的第三次握手过程中,接收所述客户端发送的客户端密钥交换报文,所述客户端密钥交换报文包括由第二加密公钥加密的随机数;所述装置还包括:11. The device according to claim 10, wherein the receiving module is further configured to receive the client key exchange message sent by the client during the third handshake process based on the transport layer security protocol. In the text, the client key exchange message includes a random number encrypted by the second encrypted public key; the device also includes: 生成模块,用于根据所述第二加密公钥的标识,生成所述第二加密公钥;A generating module, configured to generate the second encrypted public key according to the identifier of the second encrypted public key; 解密模块,用于以所述第二加密公钥,对由第二加密公钥加密的随机数进行解密。A decryption module, configured to use the second encryption public key to decrypt the random number encrypted by the second encryption public key. 12.根据权利要求11所述的装置,其特征在于,所述接收模块还用于在基于传输层安全性协议的第一次握手过程中,接收所述客户端发送的握手请求报文,所述握手请求报文用于指示采用无证书密钥的认证方式。12. The device according to claim 11, wherein the receiving module is further configured to receive the handshake request message sent by the client during the first handshake process based on the transport layer security protocol, the The above handshake request message is used to indicate the authentication mode without certificate key. 13.一种客户端装置,其特征在于,所述装置包括处理器,所述处理器执行计算机程序时实现如权利要求1至3任一项所述的基于传输层安全性协议的通信方法。13. A client device, characterized in that the device comprises a processor, and when the processor executes a computer program, the communication method based on the transport layer security protocol according to any one of claims 1 to 3 is implemented. 14.一种服务端装置,其特征在于,所述装置包括处理器,所述处理器执行计算机程序时实现如权利要求4至6任一项所述的基于传输层安全性协议的通信方法。14. A server device, characterized in that the device comprises a processor, and when the processor executes a computer program, the communication method based on the transport layer security protocol according to any one of claims 4 to 6 is realized. 15.一种计算机可读存储介质,其特征在于,所述计算机可读存储介质包括计算机指令;其中,当所述计算机指令被执行时,实现如权利要求1至6任一项所述的基于传输层安全性协议的通信方法。15. A computer-readable storage medium, characterized in that the computer-readable storage medium comprises computer instructions; wherein, when the computer instructions are executed, the method based on any one of claims 1 to 6 is realized The communication method of the Transport Layer Security protocol.
CN202310222447.2A 2023-03-09 2023-03-09 Communication method, device and storage medium based on transport layer security protocol Pending CN116318943A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202310222447.2A CN116318943A (en) 2023-03-09 2023-03-09 Communication method, device and storage medium based on transport layer security protocol

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202310222447.2A CN116318943A (en) 2023-03-09 2023-03-09 Communication method, device and storage medium based on transport layer security protocol

Publications (1)

Publication Number Publication Date
CN116318943A true CN116318943A (en) 2023-06-23

Family

ID=86782885

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202310222447.2A Pending CN116318943A (en) 2023-03-09 2023-03-09 Communication method, device and storage medium based on transport layer security protocol

Country Status (1)

Country Link
CN (1) CN116318943A (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102143160A (en) * 2002-01-12 2011-08-03 英特尔公司 Mechanism for supporting wired and wireless methods for client and server side authentication
US20120023336A1 (en) * 2009-12-10 2012-01-26 Vijayarangan Natarajan System and method for designing secure client-server communication protocols based on certificateless public key infrastructure
US20150288514A1 (en) * 2014-04-08 2015-10-08 Cloudflare, Inc. Secure session capability using public-key cryptography without access to the private key
CN112564923A (en) * 2021-03-01 2021-03-26 南京信息工程大学 Certificateless-based secure network connection handshake method

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102143160A (en) * 2002-01-12 2011-08-03 英特尔公司 Mechanism for supporting wired and wireless methods for client and server side authentication
US20120023336A1 (en) * 2009-12-10 2012-01-26 Vijayarangan Natarajan System and method for designing secure client-server communication protocols based on certificateless public key infrastructure
US20150288514A1 (en) * 2014-04-08 2015-10-08 Cloudflare, Inc. Secure session capability using public-key cryptography without access to the private key
CN112564923A (en) * 2021-03-01 2021-03-26 南京信息工程大学 Certificateless-based secure network connection handshake method

Similar Documents

Publication Publication Date Title
CN113438071B (en) Method and device for secure communication
US20160269176A1 (en) Key Configuration Method, System, and Apparatus
US20250158831A1 (en) Systems, methods, and apparatuses for network management
CN101459506B (en) Cipher key negotiation method, system, customer terminal and server for cipher key negotiation
CN108512846A (en) Mutual authentication method and device between a kind of terminal and server
EP3633949A1 (en) Method and system for performing ssl handshake
US20200314647A1 (en) Message authentication method and communication method of communication network system, and communication network system
WO2022100356A1 (en) Identity authentication system, method and apparatus, device, and computer readable storage medium
CN105376216A (en) Remote access method, agent server and client end
WO2023231774A1 (en) Identity verification method for handshake process for tlcp protocol
CN113992346B (en) Implementation method of security cloud desktop based on national security reinforcement
CN114650181B (en) E-mail encryption and decryption method, system, device and computer-readable storage medium
CN102984045A (en) Access method of Virtual Private Network and Virtual Private Network client
CN113382002B (en) Data request method, request response method, data communication system, and storage medium
KR20210061801A (en) Method and system for mqtt-sn security management for security of mqtt-sn protocol
WO2023141876A1 (en) Data transmission method, apparatus and system, electronic device, and readable medium
CN114417309A (en) Bidirectional identity authentication method, device, equipment and storage medium
CN111600903A (en) Communication method, system, equipment and readable storage medium
CN116633582A (en) Secure communication method, apparatus, electronic device and storage medium
WO2024012318A1 (en) Device access method and system and non-volatile computer storage medium
CN115473648A (en) A certificate issuing system and related equipment
CN115460562A (en) Secure and trusted peer-to-peer offline communication system and method
CN109995723A (en) A kind of method, apparatus and system of the interaction of domain name analysis system DNS information
CN117081869A (en) Smart grid security data aggregation method and device, storage medium and related equipment
CN116318943A (en) Communication method, device and storage medium based on transport layer security protocol

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination