Communication method, client, server, communication device and system

Document No.: 1470081 Publication date: 2020-02-21

Reading note: this technology, "Communication method, client, server, communication device and system", was designed by 李畅 on 2018-08-07. Abstract: The disclosure provides a communication method, a client, a server, a communication device and a system, and relates to the technical field of information security. The communication method of the present disclosure includes: the client generates a dynamic password according to the current time information; the client encrypts the dynamic password and the message with a client symmetric key to generate encrypted data; the client sends the encrypted data to the server so that the server decrypts the encrypted data according to the server symmetric key, and reads the client message in the data if the decryption is successful and the dynamic password is within the validity period. With this method, the client can generate the dynamic password based on the time information, and the dynamic key and the message are encrypted together with the symmetric key shared with the server and then sent to the server, so that the server reads the message under the double guarantee of key decryption and dynamic key validity verification, and the communication security is improved.

1. A method of communication, comprising:

the client generates a dynamic password according to the current time information;

the client encrypts the dynamic password and the message through a client symmetric key to generate encrypted data;

and the client sends the encrypted data to a server so that the server can decrypt the encrypted data according to the server symmetric key and read the client message in the data under the conditions that the decryption is successful and the dynamic password is within the validity period.

2. The method of claim 1, further comprising:

the client receives encrypted data from the server;

and decrypting the encrypted data from the server according to the client symmetric key, and reading a server message.

3. The method of claim 1, further comprising:

the client generates a client public key and a client private key and sends the client public key to the server, so that the server generates a server symmetric key based on an asymmetric algorithm according to the server public key, the server private key and the client public key.

4. The method of claim 3, further comprising:

the client receives server handshake information from the server;

and generating a client symmetric key based on an asymmetric algorithm according to the client public key, the client private key and the server public key in the server handshake information.

5. The method of claim 4, further comprising at least one of:

the client checks the verification information in the server handshake information, and allows the generated client symmetric key to be used for encrypting the message under the condition that the verification is passed;

the client synchronizes the time of the client according to the time information in the server handshake information so as to generate a dynamic password according to the synchronized current time information; or

and according to the symmetric key expiration instruction from the server, re-executing the operation of generating the client public key and the client private key.

6. A method of communication, comprising:

the server receives encrypted data from a client, wherein the encrypted data is encrypted by the client according to a client symmetric key;

decrypting the encrypted data according to a server symmetric key;

under the condition of successful decryption, acquiring a dynamic password in the data;

and if the dynamic password is in the valid period, reading a client message in the data.

7. The method of claim 6, further comprising:

and encrypting the message through the server symmetric key to generate encrypted data and sending the encrypted data to the client so that the client can decrypt the encrypted data from the server according to the client symmetric key.

8. The method of claim 6, further comprising:

the server receives a client public key from a client;

generating a server private key and the client public key;

and generating a server symmetric key based on an asymmetric algorithm according to the server public key, the server private key and the client public key.

9. The method of claim 8, further comprising:

the server generates server handshake information according to the server public key;

and sending server handshake information to the client so that the client generates a client symmetric key based on an asymmetric algorithm according to a client private key, a client public key and the server public key.

10. The method of claim 9, further comprising at least one of:

the server generates server handshake information according to the server public key and the verification information; sending server handshake information to a client so that the client generates a client symmetric key based on an asymmetric algorithm according to a client private key, a client public key and the server public key under the condition that the client passes verification according to the verification information;

the server generates server handshake information according to the server public key and the current time; sending server handshake information to a client so that the client synchronizes the time of the client according to the time information in the server handshake information; or

and sending a symmetric key expiration instruction to the client when at least one of the server symmetric key or the client symmetric key reaches a preset validity period.

11. A client, comprising:

a dynamic password generation unit configured to generate a dynamic password according to the current time information;

the client encryption unit is configured to encrypt the dynamic password and the message through a client symmetric key to generate encrypted data;

and the client data sending unit is configured to send the encrypted data to a server so that the server can decrypt the encrypted data according to the server symmetric key and read a client message in the data under the conditions that the decryption is successful and the dynamic password is within the validity period.

12. The client of claim 11, further comprising:

a client data receiving unit configured to receive encrypted data from a server;

and the client decryption unit is configured to decrypt the encrypted data from the server according to the client symmetric key and read the server message.

13. The client of claim 11, further comprising:

a client key generation unit configured to generate a client public key and a client private key, and send the client public key to the server, so that the server generates the server symmetric key based on an asymmetric algorithm according to the server public key, the server private key, and the client public key.

14. The client according to claim 13, wherein,

the client key generation unit is further configured to:

receiving server handshake information from the server;

and generating a client symmetric key based on an asymmetric algorithm according to the client public key, the client private key and the server public key in the server handshake information.

15. The client of claim 14, further comprising at least one of:

the verification unit is configured to verify the verification information in the server handshake information, and allow the generated client symmetric key to be used for encrypting the message under the condition that the verification is passed;

and the time synchronization unit is configured to synchronize the time of the server according to the time information in the server handshake information so as to generate a dynamic password according to the synchronized current time information.

16. A server, comprising:

a server data receiving unit configured to receive encrypted data from a client, wherein the encrypted data is encrypted by the client according to a client symmetric key;

a server decryption unit configured to decrypt the encrypted data according to a server symmetric key;

the server dynamic password verification unit is configured to acquire a dynamic password in the data under the condition that decryption is successful;

and the server message reading unit is configured to read the client message in the data under the condition that the dynamic password verification unit determines that the dynamic password is within the validity period.

17. The server of claim 16, further comprising:

the server encryption unit is configured to encrypt the message through the server symmetric key to generate encrypted data;

a server data transmission unit configured to transmit the generated encrypted data to the client so that the client decrypts the encrypted data from the server according to the client symmetric key.

18. The server according to claim 16, further comprising a server key generation unit configured to:

receiving a client public key from a client;

generating a server private key and the client public key;

and generating a server symmetric key based on an asymmetric algorithm according to the server public key, the server private key and the client public key.

19. The server of claim 18, further comprising a handshake information generation and transmission unit configured to:

generating server handshake information according to the server public key;

and sending server handshake information to the client so that the client generates a client symmetric key based on an asymmetric algorithm according to a client private key, a client public key and the server public key.

20. The server of claim 19, wherein the handshake information generation and transmission unit is further configured to perform at least one of the following functions:

generating server handshake information according to the server public key and the verification information; sending server handshake information to a client so that the client generates a client symmetric key based on an asymmetric algorithm according to a client private key, a client public key and the server public key under the condition that the client passes verification according to the verification information; or

generating server handshake information according to the server public key and the current time; and sending server handshake information to the client so that the client synchronizes the time of the client according to the time information in the server handshake information.

21. The server of claim 18, further comprising:

an expiration instruction sending unit configured to send a symmetric key expiration instruction to a client if at least one of the server symmetric key or the client symmetric key reaches a predetermined validity period.

22. A communication device, comprising:

a memory; and

a processor coupled to the memory, the processor configured to perform the method of any of claims 1-10 based on instructions stored in the memory.

23. A computer readable storage medium having stored thereon computer program instructions which, when executed by a processor, implement the steps of the method of any one of claims 1 to 10.

24. A communication system, comprising:

the client of any one of claims 11 to 15; and

the server according to any one of claims 16 to 21.

Technical Field

The present disclosure relates to the field of information security technologies, and in particular, to a communication method, a client, a server, a communication device, and a system.

Background

With the arrival of the "Internet+" era, information security is increasingly valued by governments around the world: China has introduced its Network Security Law, and the European Union's General Data Protection Regulation (GDPR) came into effect on May 25, 2018. Some large internet portals have enforced site-wide use of the HTTPS (Hypertext Transfer Protocol over Secure Socket Layer) protocol to secure communications. The importance of communication security for data has become a consensus throughout the industry.

HTTPS is HTTP (Hypertext Transfer Protocol) with SSL (Secure Sockets Layer) added. It was initially developed by Netscape and built into its browser, Netscape Navigator, and it provides identity authentication and encrypted communication. It is now widely used for security-sensitive communications over the World Wide Web, such as transaction payments.

A server employing HTTPS must apply to a CA (Certificate Authority) for a certificate that proves the purpose of the server. The client trusts the host only if the certificate is for the corresponding server. The critical parts of all banking system websites use HTTPS. The client trusts the host by trusting the certificate.

Disclosure of Invention

The inventor finds that the security of communication with a server that uses HTTPS cannot be completely guaranteed. For example, the security of the server itself cannot be guaranteed, and it may even be exploited by an attacker; a common example is a phishing attack that imitates a bank's domain name. A few rarer attacks occur while a website transmits client data, where the attacker tries to eavesdrop on the data in transit, causing loss to users.

It is an object of the present disclosure to improve the security of communications.

According to an aspect of the present disclosure, a communication method is provided, including: the client generates a dynamic password according to the current time information; the client encrypts the dynamic password and the message through a client symmetric key to generate encrypted data; the client sends the encrypted data to the server so that the server decrypts the encrypted data according to the server symmetric key, and reads a client message in the data under the condition that the decryption is successful and the dynamic password is within the validity period.

In some embodiments, the communication method further comprises: the client receives encrypted data from the server; and decrypting the encrypted data from the server according to the client symmetric key, and reading a server message.

In some embodiments, the communication method further comprises: the client generates a client public key and a client private key and sends the client public key to the server, so that the server generates a server symmetric key based on an asymmetric algorithm according to the server public key, the server private key and the client public key.

In some embodiments, the communication method further comprises: the client receives server handshake information from the server; and generating a client symmetric key based on an asymmetric algorithm according to the client public key, the client private key and the server public key in the server handshake information.

In some embodiments, the communication method further comprises at least one of: the client checks the verification information in the server handshake information, and allows the generated client symmetric key to be used for encrypting the message under the condition that the verification is passed; the client synchronizes the time of the client according to the time information in the server handshake information so as to generate a dynamic password according to the synchronized current time information; or according to the symmetric key expiration instruction from the server, the operation of generating the client public key and the client private key is executed again.

By the method, the client can generate the dynamic password based on the time information, and the dynamic key and the message are encrypted together by adopting the symmetric key of the server and then are sent to the server, so that the server reads the message under the double guarantee of key decryption and dynamic key validity verification, and the communication safety is improved.

According to another aspect of the present disclosure, a communication method is provided, including: the server receives encrypted data from the client, wherein the encrypted data is encrypted by the client according to the client symmetric key; decrypting the encrypted data according to the server symmetric key; under the condition of successful decryption, acquiring a dynamic password in the data; and if the dynamic password is in the valid period, reading the client message in the data.

In some embodiments, the communication method further comprises: and encrypting the message through the server symmetric key to generate encrypted data and sending the encrypted data to the client so that the client can decrypt the encrypted data from the server according to the client symmetric key.

In some embodiments, the communication method further comprises: the server receives a client public key from the client; generating a server private key and a client public key; and generating a server symmetric key based on an asymmetric algorithm according to the server public key, the server private key and the client public key.

In some embodiments, the communication method further comprises: the server generates server handshake information according to the server public key; and sending server handshake information to the client so that the client generates a client symmetric key based on an asymmetric algorithm according to the client private key, the client public key and the server public key.

In some embodiments, the communication method further comprises at least one of: the server generates server handshake information according to the server public key and the verification information; sending server handshake information to the client so that the client generates a client symmetric key based on an asymmetric algorithm according to the client private key, the client public key and the server public key under the condition that the client passes verification according to the verification information; the server generates server handshake information according to the server public key and the current time; sending server handshake information to the client so that the client synchronizes the time of the client according to the time information in the server handshake information; or, in the case that at least one of the server symmetric key or the client symmetric key reaches a predetermined validity period, sending a symmetric key expiration instruction to the client.

By the method, the server can perform double authentication on the data from the client by decrypting the key and verifying the validity of the dynamic key, and reads the message under the condition that the double authentication is passed, so that the communication safety is improved.

According to yet another aspect of the present disclosure, a client is proposed, including: a dynamic password generation unit configured to generate a dynamic password according to the current time information; the client encryption unit is configured to encrypt the dynamic password and the message through a client symmetric key to generate encrypted data; and the client data sending unit is configured to send the encrypted data to the server so that the server decrypts the encrypted data according to the server symmetric key and reads a client message in the data under the condition that the decryption is successful and the dynamic password is within the validity period.

In some embodiments, the client further comprises: a client data receiving unit configured to receive encrypted data from a server; and the client decryption unit is configured to decrypt the encrypted data from the server according to the client symmetric key and read the server message.

In some embodiments, the client further comprises: and the client key generation unit is configured to generate a client public key and a client private key and send the client public key to the server, so that the server generates a server symmetric key based on an asymmetric algorithm according to the server public key, the server private key and the client public key.

In some embodiments, the client key generation unit is further configured to: receiving server handshake information from a server; and generating a client symmetric key based on an asymmetric algorithm according to the client public key, the client private key and the server public key in the server handshake information.

In some embodiments, the client further comprises at least one of: the verification unit is configured to verify the verification information in the server handshake information, and allow the generated client symmetric key to be used for encrypting the message under the condition that the verification is passed; and the time synchronization unit is configured to synchronize its own time according to the time information in the server handshake information so as to generate the dynamic password according to the synchronized current time information.

The client can generate the dynamic password based on the time information, and sends the dynamic password and the message to the server after being encrypted by the symmetric key of the server, so that the server reads the message under the double guarantee of key decryption and dynamic key validity verification, and the communication safety is improved.

According to yet another aspect of the present disclosure, a server is provided, including: a server data receiving unit configured to receive encrypted data from the client, wherein the encrypted data is encrypted by the client according to a client symmetric key; a server decryption unit configured to decrypt the encrypted data according to the server symmetric key; the server dynamic password verification unit is configured to acquire a dynamic password in the data under the condition that decryption is successful; and the server message reading unit is configured to read the client message in the data under the condition that the dynamic password verification unit determines that the dynamic password is within the validity period.

In some embodiments, the server further comprises: the server encryption unit is configured to encrypt the message through a server symmetric key to generate encrypted data; a server data transmission unit configured to transmit the generated encrypted data to the client so that the client decrypts the encrypted data from the server according to the client symmetric key.

In some embodiments, the server further comprises a server key generation unit configured to: receiving a client public key from a client; generating a server private key and a client public key; and generating a server symmetric key based on an asymmetric algorithm according to the server public key, the server private key and the client public key.

In some embodiments, the server further comprises a handshake information generation and transmission unit configured to: generating server handshake information according to the server public key; and sending server handshake information to the client so that the client generates a client symmetric key based on an asymmetric algorithm according to the client private key, the client public key and the server public key.

In some embodiments, the handshake information generation and transmission unit is further configured to perform at least one of the following functions: generating server handshake information according to the server public key and the verification information; sending server handshake information to the client so that the client generates a client symmetric key based on an asymmetric algorithm according to the client private key, the client public key and the server public key under the condition that the client passes verification according to the verification information; or generating server handshake information according to the server public key and the current time; and sending server handshake information to the client so that the client synchronizes the time of the client according to the time information in the server handshake information.

In some embodiments, the server further comprises: an expiration instruction sending unit configured to send a symmetric key expiration instruction to the client in a case where at least one of the server symmetric key or the client symmetric key reaches a predetermined validity period.

The server can perform double authentication on data from the client by adopting key decryption and dynamic key validity verification, and reads messages under the condition that the double authentication is passed, so that the communication safety is improved.

According to one aspect of the present disclosure, a communication apparatus is provided, including: a memory; and a processor coupled to the memory, the processor configured to perform any of the above communication methods based on instructions stored in the memory.

When the communication device executes the communication method performed by the client, it can generate the dynamic password based on the time information, encrypt the dynamic key and the message with the symmetric key shared with the server, and send them to the server. When it executes the communication method performed by the server, it can perform double authentication on the data from the client through key decryption and verification of the validity of the dynamic key, and it reads the message only if the double authentication is passed, so that the communication security is improved.

According to another aspect of the disclosure, a computer-readable storage medium is proposed, on which computer program instructions are stored, which instructions, when executed by a processor, perform the steps of any of the above communication methods.

By executing the instructions stored on the computer-readable storage medium, a dynamic password can be generated based on the time information, and the dynamic password and the message are encrypted together with the symmetric key shared with the server and then sent to the server; the data from the client can be subjected to double authentication through key decryption and dynamic key validity verification, and the message is read only if the double authentication is passed, so that the communication security is improved.

Further, according to an aspect of the present disclosure, there is provided a communication system including: any of the above clients; and a server as any of the above.

In the communication system, the client can generate a dynamic password based on the time information, and the dynamic password and the message are encrypted together by adopting the symmetric key of the server and then sent to the server, the server can perform double authentication on the data from the client by adopting key decryption and dynamic key validity verification, and the message is read under the condition that the double authentication is passed, so that the communication safety is improved.

Drawings

The accompanying drawings, which are included to provide a further understanding of the disclosure and are incorporated in and constitute a part of this disclosure, illustrate embodiments of the disclosure and together with the description serve to explain the disclosure and not to limit the disclosure. In the drawings:

Fig. 1 is a flow chart of one embodiment of a communication method of the present disclosure.

Fig. 2 is a flow chart of another embodiment of a communication method of the present disclosure.

Fig. 3 is a flow chart of yet another embodiment of a communication method of the present disclosure.

Fig. 4 is a signaling interaction diagram of an embodiment of a communication method of the present disclosure.

Fig. 5 is a schematic diagram of one embodiment of a client of the present disclosure.

Fig. 6 is a schematic diagram of one embodiment of a server of the present disclosure.

Fig. 7 is a schematic diagram of one embodiment of a communication device of the present disclosure.

Fig. 8 is a schematic diagram of another embodiment of a communication device of the present disclosure.

Fig. 9 is a schematic diagram of one embodiment of a communication system of the present disclosure.

Fig. 10 is a diagram illustrating the operation efficiency of a communication system employing the present disclosure.

Detailed Description

The technical solution of the present disclosure is further described in detail by the accompanying drawings and examples.

A flow chart of one embodiment of a communication method of the present disclosure is shown in fig. 1.

In step 101, the client generates a dynamic password (OTP, one-time password) according to the current time information. In some embodiments, the dynamic password may be generated according to the time information of the client, so that the server determines whether the dynamic password has expired according to the time information parsed from the dynamic password, in combination with a predetermined validity period.

In step 102, the client encrypts the dynamic password and the message with the client symmetric key to generate encrypted data. The client symmetric key and the server symmetric key are each generated from different original key information, yet the two keys are the same. In some embodiments, a DH (Diffie-Hellman key exchange) algorithm may be employed to generate the symmetric key.

In step 103, the client sends the encrypted data to the server, so that the server decrypts the encrypted data according to the server symmetric key, and reads the client message in the data when the decryption is successful and the dynamic password is within the validity period.

By the method, the client can generate the dynamic password based on the time information, the dynamic key and the message are sent to the server after being encrypted by the symmetric key of the server as a whole, and the server needs to decrypt the encrypted data by the key and verify the validity of the dynamic key before reading each message, so that replay attack is effectively prevented, and the communication safety is improved.

A flow chart of another embodiment of the communication method of the present disclosure is shown in fig. 2.

In step 201, the server receives encrypted data from the client, wherein the encrypted data is encrypted by the client according to the client symmetric key. The client symmetric key and the server symmetric key are each generated from different original key information, yet the two keys are the same. In some embodiments, a DH algorithm may be employed to generate the symmetric key.

In step 202, the server decrypts the obtained encrypted data by using the server symmetric key, and if the decryption is successful, step 203 is executed, otherwise, step 204 is executed.

In step 203, the dynamic password is obtained from the decrypted data, and it is determined whether the dynamic password is within the validity period. In some embodiments, the dynamic password may be located in a predetermined field of data, and the dynamic password is read by data location. If the dynamic password is determined to exceed the validity period, executing step 204; if the dynamic password is determined to be within the validity period, step 205 is performed. In some embodiments, the dynamic password may be generated according to the time information of the client, and the server determines whether the dynamic password is expired according to the analyzed time information in the dynamic password and a predetermined validity period.

In step 204, the acquired data is determined to be data of an unauthorized client, tampered data, or data exceeding the validity period, and the acquired data is discarded.

In step 205, the client message in the data is read.

With this method, the server performs double authentication on data from the client, by decrypting with the key and by verifying the validity of the dynamic key, and reads the message on the condition that both checks pass, so that communication security is improved.
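The server-side check of steps 202 to 205, with the client-side sealing it expects, as an added Go example that is not code from the patent. The frame layout, the use of AES-GCM, a Unix timestamp as the dynamic password, and the cache of already accepted nonces (a step beyond the page, covering a frame repeated inside the validity period) are assumptions of this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
	"time"
)

// Assumed frame: nonce || AES-GCM(dynamic password (8 bytes) || message).
// The dynamic password is the client's Unix time in seconds, so the server
// can parse the time information back out of it in step 203.
const passwordLen = 8

var (
	ErrDecrypt = errors.New("decryption failed: unauthorized client or tampered data")
	ErrExpired = errors.New("dynamic password outside the validity period")
	ErrReplay  = errors.New("frame already accepted inside the validity period")
)

func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// ClientSeal places the dynamic password in the fixed leading field and
// encrypts password and message as one unit with the symmetric key.
func ClientSeal(key, message []byte, now time.Time) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	plain := make([]byte, passwordLen, passwordLen+len(message))
	binary.BigEndian.PutUint64(plain, uint64(now.Unix()))
	plain = append(plain, message...)
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plain, nil), nil
}

// Server holds the key, the validity period and the added nonce cache.
type Server struct {
	key      []byte
	validity time.Duration
	seen     map[string]time.Time // nonce -> moment its frame expires
}

func NewServer(key []byte, validity time.Duration) *Server {
	return &Server{key: key, validity: validity, seen: map[string]time.Time{}}
}

// Receive runs steps 202-205: decrypt, check the validity period, read.
func (s *Server) Receive(frame []byte, now time.Time) ([]byte, error) {
	aead, err := newAEAD(s.key)
	if err != nil {
		return nil, err
	}
	ns := aead.NonceSize()
	if len(frame) < ns+passwordLen+aead.Overhead() {
		return nil, ErrDecrypt
	}
	plain, err := aead.Open(nil, frame[:ns], frame[ns:], nil)
	if err != nil {
		return nil, ErrDecrypt // step 204: wrong key or modified ciphertext
	}
	issued := time.Unix(int64(binary.BigEndian.Uint64(plain[:passwordLen])), 0)
	// A client clock running ahead is tolerated by the same margin (assumption).
	if age := now.Sub(issued); age > s.validity || age < -s.validity {
		return nil, ErrExpired // step 204: outside the validity period
	}
	for n, exp := range s.seen { // forget frames that can no longer pass
		if now.After(exp) {
			delete(s.seen, n)
		}
	}
	if _, dup := s.seen[string(frame[:ns])]; dup {
		return nil, ErrReplay
	}
	s.seen[string(frame[:ns])] = issued.Add(s.validity)
	return plain[passwordLen:], nil // step 205
}

func main() {
	key := make([]byte, 32) // constructed all-zero demo key
	t0 := time.Unix(1700000000, 0)
	srv := NewServer(key, 30*time.Second)
	frame, _ := ClientSeal(key, []byte("balance?"), t0)
	msg, err := srv.Receive(frame, t0.Add(2*time.Second))
	_, again := srv.Receive(frame, t0.Add(3*time.Second))
	fmt.Printf("%q %v | same frame again: %v\n", msg, err, again)
}
```

Without the nonce cache, the second delivery in `main` would pass both the decryption and the validity-period check, because it arrives inside the 30-second window.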

In some embodiments, the encrypted data that the client receives from the server is generated by the server encrypting with the server symmetric key, and the client decrypts and reads the received encrypted data with the client symmetric key. With this method, the client can be sure that the message it receives has not been tampered with, and the security of two-way communication is ensured.

In some embodiments, the client may generate the symmetric key by initiating an exchange of communication public keys with the server. In some embodiments, the client may generate a client public key and a client private key and send the client public key to the server; after receiving it, the server generates a server public key and a server private key, and generates the server symmetric key based on an asymmetric algorithm according to the server public key, the server private key, and the client public key. The server sends the server public key to the client, and the client generates a client symmetric key, based on an asymmetric algorithm matching the server's, according to the client public key, the client private key and the server public key.

A flow chart of yet another embodiment of the communication method of the present disclosure is shown in fig. 3.

In step 301, the client generates a client public key and a client private key and sends the client public key to the server. In some embodiments, the client public key and the client private key may be random numbers generated by the client.

In step 302, the server receives the client public key from the client, and generates a server private key and a server public key. In some embodiments, receipt of the client public key may trigger the server to generate a server private key and a server public key dedicated to communication with that client. In some embodiments, the server private key and the server public key may be random numbers, or may be generated by using a predetermined algorithm according to the client public key.

In step 303, the server generates a server symmetric key based on an asymmetric algorithm based on the server public key, the server private key, and the client public key. In some embodiments, the asymmetric algorithm may comprise a DH algorithm.

In step 304, the server generates server handshake information according to the server public key and sends the server handshake information to the client.

In some embodiments, the server may further generate verification information, encrypt it together with the public key to generate the handshake information, and send the handshake information to the client; the client then needs to parse the handshake information to obtain the verification information and the public key. The client can judge the integrity and reliability of the handshake information by checking the verification information. If the verification fails, the client requests the server to send the handshake information again, which ensures that a correct and reliable server public key is obtained. In some embodiments, the verification information may be a Hash-based Message Authentication Code (HMAC): a hash algorithm takes a key and a message as inputs and generates a message digest as output, so that tampering with the message can be prevented or detected in time.

In some embodiments, the handshake information may further include current time information of the server, and the client calibrates its own time according to the current time information, so as to avoid that the actual validity period of the dynamic key is affected due to an excessively large clock difference between the server and the device where the client is located, and ensure the success rate of communication.

In step 305, the client generates a client symmetric key based on a symmetric algorithm based on the client public key and the client private key, and the server public key in the server handshake information.

In step 306, the client generates a dynamic password according to the current time information. In some embodiments, after calibrating the time of the client according to the current time information of the server, the client needs to generate a dynamic password according to the calibrated current time information.

In step 307, the client encrypts the dynamic password and the message with the client symmetric key to generate encrypted data.

In step 308, the client sends the encrypted data to the server.

In step 309, the server receives the encrypted data from the client and decrypts the encrypted data according to the server symmetric key. In case the decryption is successful, step 310 is performed.

In step 310, the server verifies the validity period of the dynamic password. In case the verification passes, step 311 is performed.

In step 311, the server reads the client message in the data.

With this method, the client and the server exchange only their public keys, and each generates the symmetric key from both parties' public keys and its own private key. The private keys are never exchanged during communication, so the confidentiality of the symmetric key is improved and the security of communication is improved.

The inventor finds that HTTPS only protects the public-network communication segment for HTML (HyperText Markup Language) pages or data using the HTTP communication protocol; on the path from the user client to the router and after entering the intranet, the data lacks protection and is easy to crack. By default, HTTPS use does not enforce verification of the server-side certificate, so the communication data can be cracked. If HTTPS information is intercepted, HTTPS has no capability to prevent replay attacks within the lifetime of the handshake. A mobile application (APP) using HTTPS still cannot fully protect the data security of the HTTP communication header. Secure communication cannot be performed until handshake establishment is completed. Its security protection relies on the correct implementation of the browser and on the support of the server software and the actual encryption algorithm.

With the method in the embodiments of the invention, the communication process has the security characteristics of HTTPS while the security defects of HTTPS are resolved: the communication method is not limited to one data communication protocol, and communication protocols such as HTTP, HTTPS, TCP (Transmission Control Protocol) and UDP (User Datagram Protocol) can be used; in addition to public-network communication, the data is protected on the path from the user client through the router to the local area network and after it enters the enterprise intranet, so that the full data communication cycle is protected; currently mature man-in-the-middle attacks can be effectively prevented; the HTTP communication header can be secured; and if the secured information is intercepted, replay attacks are prevented even within the lifetime of the handshake. Before the handshake that establishes the secure channel is completed, the reliability of communication can be ensured by means such as holding information back without sending it and adding verification information.

In some embodiments, when at least one of the server symmetric key or the client symmetric key reaches a predetermined validity period, the server sends a symmetric key expiration instruction to the client; the client then regenerates the client public key and the client private key and sends the client public key to the server, triggering the server to generate the server public key and the server private key. In some embodiments, if the key has expired, the client receives an error return indicating that the message failed to be sent, and the client actively retries sending the message according to that error information.

By this method, the key can have a life cycle, and the possibility that the key is decoded and used can be reduced by replacing the key periodically, thereby further improving the security.

In some embodiments, considering the influence of system performance overhead and communication delay under the access requirement of a server under ten thousand TPS (Transaction Per Second, the number of messages processed per second), the asymmetric envelope scheme needs to be optimized for performance and for functional size, so as to ensure the decryption performance of the server and to reduce the crash rate and time efficiency of clients on various devices. The size of the library functions on the mobile APP side can also be considered: optimizing a general OPENSSL (open secure socket layer protocol) library can only ensure the performance of the system function, and for APPs with strict requirements on package size OPENSSL is too large, so that the consumption of resources of the mobile device end can be reduced by using an encryption and decryption solution using OPENSSL.

A signaling interaction diagram of one embodiment of the communication method of the present disclosure is shown in fig. 4.

In 401, the client generates a client public key and a client private key.

In 402, the client sends the client public key to the server.

In 403, the server receives the client public key from the client, and generates a server private key and a server public key.

At 404, the server generates a server symmetric key based on an asymmetric algorithm from the server public key, the server private key, and the client public key.

In 405, the server generates authentication information.

In 406, the server obtains current time information.

In 407, the server generates handshake information according to the server public key, the verification information and the current time information, and sends the handshake information to the client.

At 408, the client generates a client symmetric key based on a symmetric algorithm based on the client public key and the client private key, and the server public key in the server handshake information.

In 409, the client determines the integrity and reliability of the handshake information by checking the authentication information. And if the authentication is not passed, requesting the server to resend the handshake information. If the verification is passed, the next steps are continuously executed.

In some embodiments, the operations in 408, 409 may be permuted.

In 410, the client calibrates its time according to the current time information in the handshake information.

In 411, the client generates a dynamic password according to the current time information.

At 412, the client encrypts the dynamic password and the message with the client symmetric key to generate encrypted data, and sends the encrypted data to the server.

In 413, the server receives the encrypted data from the client, decrypts the encrypted data based on the server symmetric key, and if the decryption is successful, continues with the next steps.

At 414, the server verifies the validity period of the dynamic password. In case the verification passes, the following steps are performed.

At 415, the server reads the client message in the data.

By the method, an asymmetric algorithm can be adopted in the handshake process of the client and the server, so that the symmetric key of the server and the symmetric key of the client cannot be leaked through the interaction process; in the handshake process, the reliability of the handshake process is ensured through the verification of verification information, and the time of two communication parties is ensured to be close through time calibration, so that the dynamic password can be normally used; and the reliability of communication is further improved by dual guarantee of dynamic passwords and encryption in the message transmission process.
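The handshake of steps 401 to 410 as an added Go example, not code from the patent. X25519 stands in for the DH algorithm the page names, and the message layout, the SHA-256 key derivation and the choice to key the HMAC with the derived symmetric key are assumptions, since the page does not specify them.

```go
package main

import (
	"crypto/ecdh"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
	"time"
)

// Handshake is the server handshake information of step 407. The field
// layout is assumed; the page lists only what the information contains.
type Handshake struct {
	ServerPub  []byte // server public key
	ServerTime int64  // server current time, Unix seconds
	Tag        []byte // verification information (HMAC-SHA256)
}

var ErrHandshake = errors.New("handshake verification failed; request it again")

// NewClientKey is step 401: the client key pair. Only the public half is sent.
func NewClientKey() (*ecdh.PrivateKey, error) {
	return ecdh.X25519().GenerateKey(rand.Reader)
}

// sessionKey derives the symmetric key from one's own private key and the
// peer's public key; both sides arrive at the same 32 bytes.
func sessionKey(priv *ecdh.PrivateKey, peerPub []byte) ([]byte, error) {
	pub, err := ecdh.X25519().NewPublicKey(peerPub)
	if err != nil {
		return nil, err
	}
	shared, err := priv.ECDH(pub)
	if err != nil {
		return nil, err
	}
	k := sha256.Sum256(shared)
	return k[:], nil
}

// handshakeTag covers the server public key and the server time. Keyed with
// the derived key, it shows that both sides derived the same key and that the
// fields arrived unaltered; it does not by itself establish who the server is.
func handshakeTag(key, serverPub []byte, serverTime int64) []byte {
	mac := hmac.New(sha256.New, key)
	mac.Write(serverPub)
	var ts [8]byte
	binary.BigEndian.PutUint64(ts[:], uint64(serverTime))
	mac.Write(ts[:])
	return mac.Sum(nil)
}

// ServerHandshake is steps 403-407: fresh server key pair for this client,
// server symmetric key, verification information and current time.
func ServerHandshake(clientPub []byte, now time.Time) ([]byte, Handshake, error) {
	priv, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, Handshake{}, err
	}
	key, err := sessionKey(priv, clientPub)
	if err != nil {
		return nil, Handshake{}, err
	}
	pub := priv.PublicKey().Bytes()
	hs := Handshake{ServerPub: pub, ServerTime: now.Unix(), Tag: handshakeTag(key, pub, now.Unix())}
	return key, hs, nil
}

// ClientFinish is steps 408-410: derive the client symmetric key, check the
// verification information, and return the offset to add to the local clock
// before a dynamic password is generated.
func ClientFinish(priv *ecdh.PrivateKey, hs Handshake, localNow time.Time) ([]byte, time.Duration, error) {
	key, err := sessionKey(priv, hs.ServerPub)
	if err != nil {
		return nil, 0, ErrHandshake
	}
	if !hmac.Equal(hs.Tag, handshakeTag(key, hs.ServerPub, hs.ServerTime)) {
		return nil, 0, ErrHandshake
	}
	return key, time.Unix(hs.ServerTime, 0).Sub(localNow), nil
}

func main() {
	cpriv, _ := NewClientKey()
	clientNow := time.Unix(1700000000, 0) // constructed clocks: client is 100 s behind
	skey, hs, _ := ServerHandshake(cpriv.PublicKey().Bytes(), time.Unix(1700000100, 0))
	ckey, offset, err := ClientFinish(cpriv, hs, clientNow)
	fmt.Println("keys match:", hmac.Equal(skey, ckey), "offset:", offset, "err:", err)
	hs.ServerTime += 3600 // field altered in transit
	_, _, err = ClientFinish(cpriv, hs, clientNow)
	fmt.Println("altered handshake:", err)
}
```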

In some embodiments, as shown in fig. 4, the process of sending a message from the server to the client may include:

At 416, the server encrypts the message with the server symmetric key. In some embodiments, the server may generate a dynamic password based on the current time and encrypt the dynamic password with the message to generate an encrypted message.

At 417, the server sends the encrypted message to the client.

At 418, the client decrypts and reads the received encrypted data using the client symmetric key to obtain the message. In some embodiments, the client may also verify the validity of the dynamic password and read the message if the dynamic password is confirmed to be valid.

By the method, the message received by the client can be ensured to be not tampered, and the safety of two-way communication is ensured. The function of adding the dynamic password into the encrypted data sent by the server to the client can further increase the security guarantee.

With the approach in this embodiment, the keys between each client and the server are different each time the client communicates with the server, so that whole-channel encryption at the communication dimension is realized and the establishment of many-to-many dynamic encryption channels between mobile clients and servers is supported; multi-threading is supported, and the independence of threads is ensured; a system server is not needed, and normal decryption of mobile access among multiple servers is guaranteed; a dynamically expiring encryption channel for the current mobile communication is supported; OTP verification of the time validity of messages is supported, preventing replay attacks; and messages are signed using HMAC to make them tamper-resistant.

In some embodiments, before the generation of the server symmetric key and the client symmetric key is completed, the data packet transmission can be performed in a digital envelope manner and an asynchronous asymmetric manner, so that the reliability of communication at each stage is ensured.

A schematic diagram of one embodiment of a client 50 of the present disclosure is shown in fig. 5. The dynamic password generation unit 501 can generate a dynamic password from the current time information. The client encryption unit 502 can encrypt the dynamic password and the message by a client symmetric key to generate encrypted data. The client-side symmetric key and the server-side symmetric key are respectively generated by adopting different original key information, and the client-side symmetric key and the server-side symmetric key are the same. The client data sending unit 503 can send the encrypted data to the server, so that the server decrypts the encrypted data according to the server symmetric key, and reads the client message in the data if the decryption is successful and the dynamic password is within the validity period.

The client can generate the dynamic password based on the time information, the dynamic key and the message are sent to the server after being encrypted by the symmetric key of the server as a whole, and the server needs to perform double verification of key decryption and dynamic key validity verification on the encrypted data before reading each message, so that the communication safety is improved.

In some embodiments, as shown in fig. 5, the client 50 may further include a client data receiving unit 504 and a client decryption unit 505. The client data receiving unit 504 is capable of receiving encrypted data from the server, the encrypted data being generated by the server using server symmetric key encryption. The client decryption unit 505 is capable of decrypting and reading the received encrypted data using the client symmetric key.

The client can ensure that the read message is not tampered, and the safety of two-way communication is ensured.

In some embodiments, as shown in fig. 5, the client 50 may further include a client key generation unit 506, which is capable of generating a client public key and a client private key, and sending the client public key to the server, so that the server generates a server symmetric key based on an asymmetric algorithm according to the server public key, the server private key, and the client public key. This ensures that the client private key is not exchanged during the handshake, improving the privacy of the key and the security of communication.

In some embodiments, the client key generation unit 506 is also capable of receiving server handshake information from the server, and generating a client symmetric key based on an asymmetric algorithm according to the client public key, the client private key and the server public key in the server handshake information. This ensures that the server private key and the server symmetric key are not exchanged during the handshake, improving the privacy of the keys and the security of communication.

In some embodiments, the client 50 may further include an authentication unit 507, which is capable of verifying authentication information in the server handshake information, and in case of passing the authentication, performing an operation of generating a client symmetric key. In some embodiments, the client symmetric key may be generated prior to the verification by the verification unit 507, and in case the verification passes, the generated client symmetric key may be allowed to be used for encrypting the message. The client can ensure to obtain the correct and reliable server public key, thereby ensuring the consistency of the client symmetric key and the server symmetric key.

In some embodiments, the client 50 may further include a time synchronization unit 508, which is capable of synchronizing its own time according to the time information in the server handshake information, so that the client generates a dynamic password according to the synchronized current time information, thereby avoiding that the actual validity period of the dynamic key is affected due to an excessively large clock difference between the server and the device where the client is located, and ensuring the success rate of communication.

In some embodiments, the client-side key generation unit 506 can also handshake with the server again to generate the client-side symmetric key in case of receiving the symmetric key expiration instruction from the server, so as to reduce the possibility that the key is decoded and used, and further improve the security.

A schematic diagram of one embodiment of a server 60 of the present disclosure is shown in fig. 6. The server data receiving unit 601 can receive encrypted data from the client, wherein the encrypted data is encrypted by the client according to the client symmetric key. The server decryption unit 602 can decrypt the obtained encrypted data with the server symmetric key. The server dynamic password verification unit 603 can acquire a dynamic password from the decrypted data and determine whether the dynamic password is within the validity period. The server message reading unit 604 can read the client message in the data when determining that the dynamic password is within the validity period.

The server can perform double authentication on data from the client by adopting key decryption and dynamic key validity verification, and reads messages under the condition that the double authentication is passed, so that the communication safety is improved.

In some embodiments, the server 60 may further include a server encryption unit 605 and a server data transmission unit 606. The server encryption unit 605 can encrypt the message with the server symmetric key. The server data transmission unit 606 can transmit the encrypted message to the client. The server can ensure that the client identifies whether the message is falsified or not, and the safety of two-way communication is ensured.

In some embodiments, the server 60 may further include a server key generation unit 607, which is capable of receiving the client public key from the client, generating a server private key and a server public key, and generating a server symmetric key based on an asymmetric algorithm according to the server public key, the server private key and the client public key. This ensures that the client private key is not exchanged during the handshake, improving the privacy of the key and the security of communication.

In some embodiments, the server 60 may further include a handshake information generating and sending unit 608, which is capable of generating server handshake information according to the server public key and sending the server handshake information to the client, so that the client can generate a client symmetric key based on an asymmetric algorithm according to the client private key, the client public key, and the server public key. This ensures that the server private key and the server symmetric key are not exchanged during the handshake, improving the privacy of the key and the security of communication.

In some embodiments, the handshake information generating and sending unit 608 is further capable of generating server handshake information according to the server public key and the verification information, so that the client generates or uses the client symmetric key only when the client passes the verification according to the verification information, thereby ensuring that the server public key is correctly and reliably obtained, and ensuring consistency of the client symmetric key and the server symmetric key.

In another embodiment, the handshake information generating and sending unit 608 can also generate server handshake information according to the server public key and the current time, so that the client synchronizes its own time according to the time information in the server handshake information, thereby avoiding that the actual validity period of the dynamic key is affected due to an excessively large clock difference between the server and the device where the client is located, and ensuring the success rate of communication.

In some embodiments, the server 60 may further include an expiration instruction sending unit 609, which is capable of sending a symmetric key expiration instruction to the client when at least one of the server symmetric key or the client symmetric key reaches a predetermined validity period, so that both parties regenerate the key, the possibility that the key is decoded and used is reduced, and the security is further improved.

A schematic structural diagram of an embodiment of the communication device of the present disclosure is shown in fig. 7. The communication device includes a memory 701 and a processor 702. Wherein: the memory 701 may be a magnetic disk, flash memory, or any other non-volatile storage medium. The memory is for storing instructions in corresponding embodiments of the communication method above. Processor 702 is coupled to memory 701 and may be implemented as one or more integrated circuits, such as a microprocessor or microcontroller. The processor 702 is configured to execute instructions stored in a memory, which can improve the security of communications.

In some embodiments, as also shown in fig. 8, the communication device 800 includes a memory 801 and a processor 802. The processor 802 is coupled to the memory 801 by a BUS 803. The communication device 800 may also be coupled to an external storage device 805 through the storage interface 804 to facilitate retrieval of external data, and may also be coupled to a network or another computer system (not shown) through the network interface 806. These are not described in detail herein.

In this embodiment, the data instructions are stored in the memory, and then the instructions are processed by the processor, so that the communication security can be improved.

In another embodiment, a computer-readable storage medium has stored thereon computer program instructions which, when executed by a processor, implement the steps of the method in the corresponding embodiment of the communication method. As will be appreciated by one skilled in the art, embodiments of the present disclosure may be provided as a method, apparatus, or computer program product. Accordingly, the present disclosure may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present disclosure may take the form of a computer program product embodied on one or more computer-usable non-transitory storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.

A schematic diagram of one embodiment of the communication system of the present disclosure is shown in fig. 9. The server 91 may be any of the above servers, and may execute any of the above communication methods executed by the servers; the clients 921 to 92n may be any of the above clients, and execute any of the above communication methods executed by the clients. In some embodiments, the server may interact with multiple clients simultaneously, and different keys are used between the server and different clients to encrypt messages. In some embodiments, a terminal device may include multiple clients, each client interacts with its corresponding server, and different clients use different keys for encrypting and decrypting messages.

In the communication system, the client can generate a dynamic password based on the time information, and the dynamic password and the message are encrypted together by adopting the symmetric key of the server and then sent to the server, the server can perform double authentication on the data from the client by adopting key decryption and dynamic key validity verification, and the message is read under the condition that the double authentication is passed, so that the communication safety is improved.

In some embodiments, the communication system of the present disclosure was tested in comparison with the devices' native AES (Advanced Encryption Standard). Table 1 below compares the latency of the Android and iOS native algorithms with that of the communication method of the present invention, in an APP environment tested on 20,000 real devices or simulators.

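[Table 1: latency comparison of the Android and iOS native algorithms and the communication method of the present invention (an image in the original).]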

In addition, as shown in fig. 10, the ordinate represents the algorithm operation time in milliseconds; along the abscissa, the operation times of the APP native AES algorithm and of the communication method of the present disclosure are arranged in descending order, with the slowest machine at the left. The two thick lines show the time taken for encryption and decryption by the native encryption algorithm (the upper one is encryption, the lower one is decryption), and the two thin lines show the time taken for encryption and decryption by the communication system of the invention (the upper one is encryption, the lower one is decryption).

Therefore, the communication system of the invention not only solves attack techniques that are widespread in network communication, such as man-in-the-middle attacks, replay attacks, message cracking and message tampering, but also improves efficiency and stability.

The present disclosure is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems) and computer program products according to embodiments of the disclosure. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.

These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.

These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.

Thus far, the present disclosure has been described in detail. Some details that are well known in the art have not been described in order to avoid obscuring the concepts of the present disclosure. It will be fully apparent to those skilled in the art from the foregoing description how to practice the presently disclosed embodiments.

The methods and apparatus of the present disclosure may be implemented in a number of ways. For example, the methods and apparatus of the present disclosure may be implemented by software, hardware, firmware, or any combination of software, hardware, and firmware. The above-described order for the steps of the method is for illustration only, and the steps of the method of the present disclosure are not limited to the order specifically described above unless specifically stated otherwise. Further, in some embodiments, the present disclosure may also be embodied as programs recorded in a recording medium, the programs including machine-readable instructions for implementing the methods according to the present disclosure. Thus, the present disclosure also covers a recording medium storing a program for executing the method according to the present disclosure.

Finally, it should be noted that: the above examples are intended only to illustrate the technical solutions of the present disclosure and not to limit them; although the present disclosure has been described in detail with reference to preferred embodiments, those of ordinary skill in the art will understand that: modifications to the specific embodiments of the disclosure or equivalent substitutions for parts of the technical features may still be made; all such modifications are intended to be included within the scope of the claims of this disclosure without departing from the spirit thereof.
