CN103001976A - A Safe Network Information Transmission Method - Google Patents

Abstract

Translated fromChinese

本发明公开了一种安全的网络信息传输方法。本方法为：1)客户端向服务器发起服务请求；2)服务器端对服务请求中的用户信息和客户端IP地址进行验证，如果验证通过则与其建立一会话；3)服务器端生成一密钥，并通过该客户端公钥对该密钥加密后发给该客户端；4)该客户端利用私钥对该密钥信息进行解密，并将解密出的密钥信息通过服务器端公钥加密后发给服务器端；5)服务器端将该服务请求的数据进行数字签名，并用该密钥对数据以及数字签名信息进行加密发送给该客户端；6)该客户端对数据进行解密和一致性验证，对一致性验证不通过的信息进行丢弃并申请服务器端重传，验证通过的信息存入本地数据库。本发明大大提高了信息传输的安全性。

The invention discloses a safe network information transmission method. The method is as follows: 1) the client initiates a service request to the server; 2) the server verifies the user information and the client IP address in the service request, and establishes a session with it if the verification passes; 3) the server generates a key , and encrypt the key with the client public key and send it to the client; 4) The client uses the private key to decrypt the key information, and encrypts the decrypted key information with the server-side public key Then send it to the server; 5) The server digitally signs the data requested by the service, and uses the key to encrypt the data and digital signature information and sends it to the client; 6) The client decrypts the data and confirms the consistency Verification, discard the information that fails the consistency verification and apply for server-side retransmission, and store the information that passes the verification into the local database. The invention greatly improves the security of information transmission.

Description

A kind of safe network information transfer method

Technical field

The invention belongs to areas of information technology, relate to a kind of safely and efficiently network information transfer method, be mainly used in server end and client and carry out the fields such as network data communication, information encryption, safety identification authentication.

Technical background

Along with the develop rapidly of computer networking technology, network has become the in the world common data source of maximum-norm, and its scale is still increasing fast.The Internet change greatly people the life looks, promote social progress in, because it is the open system towards masses, continuous expansion along with the network application scope, it is day by day serious that the leakage problem of confidential information also becomes, the network security problem that causes thus also becomes increasingly conspicuous, computer network information may illegally be usurped, be exposed or be distorted in the processes such as use, transmission, in addition, because user information safety consciousness is thin, the factors such as the relative backwardness with facility of information security technology are also so that network information security situation is severeer.In order to solve these safety problems, various safe information transmission mechanism, Information Encryption Algorithm, network security tool are by constantly development and application.

Computer network is take TCP/IP as the basis, this agreement exists a lot of potential safety hazards in design, therefore based on application service such as the www service of TCP/IP, EMAIL service, FTP service etc. all in various degree exist safety problem, easily by other people by the protocol bug steal information.Therefore need to come the protecting network information security by specific prevention policies.Common security strategy be improved the webserver stores level of security, by check user profile network security verification, utilize information encryption come the enciphered message transport stream, by strategies such as system's fire compartment wall and antivirus protection technology.

The storage security of strengthening server is the information security by the memory of specific mode protecting network server; skill commonly used is that RAID (Redundant Arrays of Inexpensive Disks) is disk array technology at present; utilize the mode of array to do the disk group; the design of cooperation data dispersed arrangement promotes the fail safe of data; disk array can utilize the method for parity check; when certain hard disk breaks down in array; by the data redundancy technology; but still sense data and again data writing, thereby realized safeguard protection to data.

The user profile verification technique is the system access control technology namely, is the strategy commonly used of network security defence and protection.Information Authentication mainly shows that by authorization informations such as user name/password the disabled user enters network, purpose is to guarantee that resource in the network do not accessed by the disabled user and use, control simultaneously the scope of the Internet resources of user-accessible, only allow the user to access the resource of authorizing by the system manager.But user name/password is stolen and just means losing of corresponding Internet resources, therefore need to carry out safekeeping to user profile.System also can come anti-illegal-inbreak person to enter network by the restriction that set to network in addition, and the user can only enter network by oneself user name/password at the specific network segment, improves thus the network information security.

Information encryption carries out recompile to information exactly and hides original information content, thereby makes a kind of technological means that the disabled user can't the acquired information true content.Data encryption technology can be divided into the administrative skill of data storage, transfer of data, data integrity discriminating and key according to the difference of effect.Data storage encryption technology is in order to prevent the loss of data on the storage link, be divided into two kinds of ciphertext storage and storage controls, the ciphertext storage is to be encrypted and digital signature by the file of the modes such as cryptographic algorithm conversion, additional password, encrypting module to this locality storage; Storage control is examined, is prevented that to user's qualification, authority the disabled user from obtaining data.It is by cryptographic algorithm the data flow in the data transmission procedure to be encrypted that transfer of data is encrypted.Data integrity differentiates it is to getting involved the transmission of information; access, handler's identity and related data content are verified, to reach the requirement of data confidentiality; whether system meets predefined parameter by the characteristic value of contrast verification object input, realizes the safeguard protection to data.The administrative skill of key comprises the secrecy provision on the links such as generation, distribution, preservation, replacing and destruction of key.Safety defect for http protocol; the HTTPS that people have proposed on SSL realizes; adopt the separate port strategy; encrypting and decrypting all has SSL to carry out in data transmission procedure, and is irrelevant with the HTTP on upper strata, but HTTPS provides point-to-point safeguard protection; encryption and decryption occurs in transport layer; namely be intended to message in the transmission course and be only encryption, just become after reaching home expressly, so information may be stolen in the message queue.

Fire compartment wall is to use at present widely a kind of network security technology, its core concept is comparatively safe subnet environment of structure in unsafe network environment, by predefined security strategy, communication enforces access control to intranet and extranet, the packet that transmits between two or more networks is implemented to check according to certain security strategy, whether be allowed to the communication between the decision network, and the monitor network running status.The antivirus protection technology is normally used to be anti-virus software, is divided into Network anti-virus software and unit anti-virus software from function.The unit anti-virus software generally is installed on the unit, adopts the mode of analysis scan to detect to local resource, eliminates virus.Network anti-virus software is mainly paid attention to Network anti-virus, in case virus invading network or the Resources Spread from network to other, internet worm software will detect and immediately with its deletion.

In the present Network Information epoch; because the potential safety hazard of network self can't be eradicated; in the process of network information transfer; although people have proposed a lot of strategies that are used for network safety prevention; but security incident still constantly occurs; therefore need integrated use diverse network safe practice, come the protecting network information transmission security.

Summary of the invention

Problem for the existence of present network information transfer aspect, on the basis of the advantage of having summed up existing information secure transmission method and shortcoming, the object of the invention is to propose a kind of integrated use user profile verification technique, information encryption, digital signature technology, firewall technology guarantees the Secure Information Tanslation Through Netware method based on C/S (client and server structure), server end is information data source, the system manager is for applying for obtaining the client distribution system authority of data, comprise user profile, subscriber authorisation IP address (client is initiated the IP address of request), user identity public/private keys pair, server end public key information etc.Communication overall procedure schematic diagram as shown in Figure 1.

1, client is initiated data transfer request

Client is according to the server info of this locality configuration, initiate service request to server, required parameter comprises that (server end obtains client ip address by resolving the IP packet for client user's information, IP address information, the IP address is not as the explicit parament transmission), acquisition request data type information etc., only have by just carrying out Network Data Capture after the server identity authentication.

2, server end carries out authentication

The serviced device end fire compartment wall interception of client data transmission request, filter out undelegated invalid information, legal client-requested is submitted to server, after server end receives client data transmission request, checking in the user profile that client is submitted to and the servers' data storehouse verifies that the request of passing through just can enter next step of information transmission process.

3, server end carries out the IP checking

Parse the IP address of client in the IP packet of server end from client-requested, only have this IP of checking identical with the legal IP of the initialized client of server, and after authentication of users information is legal, for the session of this client server end foundation with client, in this session, preserve user profile, call for each step of transfer of data as parameter, until delete session behind the DTD.

4, server end is that transfer of data generates key

Because the data volume of transmission is larger, server end and client data transmission course adopt the fast symmetry algorithm of enciphering rate to encrypt, server end generates the random key that is used for data encryption for this data transfer, and by client public key with secret key encryption, the key information after encrypting is sent back client.

5, client key

Client is decrypted by client private key after the data encryption key information of server end transmission, is submitted to server end after the key information that decrypts is encrypted again by the server end PKI.Server end is deciphered by the server end private key after receiving key information, the key that decrypts and the random key of generation are compared, if both show then that unanimously client receives safely data decryption key information, can carry out next step data encryption work.

6, server end carries out information encryption

Accurate for guaranteeing the data that client arrives, server end carries out digital signature with the data of client-requested, the random key of server end by generating, by symmetric encipherment algorithm client-requested data and digital signature information are carried out data encryption, send to client with the ciphertext form.

7, communication

Information after server end will be encrypted by the Internet sends to client, because data are form transmission of ciphertext, can largely improve information transmission safety.

8, client data deciphering

After the information of client after encrypt, the key that obtains by step 5 is decrypted data, the data that decrypt comprise raw information and digital signature information, client is carried out consistency checking by digital signature to raw information, the information that consistency checking is not passed through abandons and applies for that server end retransmits, and the information that checking is passed through deposits local data base in.The backward server end of DTD sends end mark, and server end interrupts the session information with client.

It is the mode of client dynamic assignment user profile that the present invention adopts server end, and to client distributing user information, private key for user information, server public key information, server end keeps the user's who distributes public key information.In message transmitting procedure; consider the factors such as enciphering rate, data encryption adopts symmetric encipherment algorithm to be encrypted, and keys for encryption/decryption generates in data transmission procedure at random; safe by client for Protective Key, carry out cipher key change and authentication by rivest, shamir, adelman.

The present invention in message transmitting procedure integrated use identity validation technology, firewall technology, data encryption/decryption technology, and by rivest, shamir, adelman, symmetric encipherment algorithm and digital signature technology in guaranteeing data security property, guaranteed data encryption speed.

Compared with prior art, advantage of the present invention:

User profile by the server end fire compartment wall being unified configuration, has reduced the possibility of disabled user's intrusion system by server end unified management, mandate.

Symmetric encipherment algorithm is encrypted, decrypting process is undertaken by same key, enciphering rate is fast, be fit to encrypt fairly large data, but key is lost the unauthorized user deciphering that means that then raw information can obtained key, therefore the key of symmetry algorithm is the key of safe information transmission, the present invention is by the mode of Random assignment key, and each communication key is not identical, has guaranteed Information Security.

It is large that rivest, shamir, adelman cracks difficulty, but the symmetry algorithm enciphering rate is slow relatively, is fit to encrypt low volume data.The present invention utilizes the safe characteristics of rivest, shamir, adelman, server end utilizes this algorithm that the secret key encryption of symmetric encipherment algorithm is ciphertext, client is obtained the key that decrypts symmetric encipherment algorithm after the ciphertext by rivest, shamir, adelman, return to server after again encrypting this key by rivest, shamir, adelman, server is deciphered rear and primary key is checked, determine that thus whether client has successfully obtained the required key of symmetry algorithm encrypt/decrypt, has guaranteed the secure exchange of symmetric encipherment algorithm thus.

Utilize digital signature technology that raw information is signed, raw information and signing messages are encrypted simultaneously, client can be carried out consistency checking to raw information, thereby guarantee the correctness of communication after having been obtained enciphered data and deciphering.

Description of drawings

Fig. 1 information transmission process figure;

Fig. 2 information encryption procedure chart;

Fig. 3 server information processing procedure figure;

Fig. 4 client-side information processing procedure figure;

Fig. 5 MD5 algorithm flow chart;

Fig. 6 DES algorithm flow chart.

Embodiment

Data transfer server end of the present invention is issued at server by the form of Web Services, client regularly proposes data transfer request to server end by the thread mode, rivest, shamir, adelman is realized by RSA Algorithm, symmetric encipherment algorithm is realized by the DES algorithm, Information Signature realizes that by the MD5 algorithm whole data encryption process as shown in Figure 2.Server end initialization client user's information and RSA Algorithm PKI and private key information (key is made of 5 decimal system prime numbers and 308 decimal system prime numbers), and the server end public key information is saved in the client database simultaneously.

1, server information processing procedure (as shown in Figure 3)

(1) authentication

Server end fire compartment wall interception user request information, illegal request is carried out filtration treatment, legal user profile is submitted to the authentication process program, after server end was received client data transmission request, the user name/password information by client, client ip information etc. were carried out the client identity checking.

(2) initialization user

The request that checking is passed through, server end is that session is set up in transfer of data work, preserves this user profile in session, comprises this user's user name/password information, IP information, RSA Algorithm client public key information, server end private key information etc.

(3) generate the DES key

Server end generates 8 DES algorithm for encryption/required key information of deciphering at random, and utilizes client public key with secret key encryption by RSA Algorithm, and the key after encrypting is sent to client.

(4) checking DES key

Client is received behind the key of encryption by self secret key decryption, the key of deciphering is encrypted by the server end PKI again, key after encrypting is submitted to server end, server end is compared by self private key deciphering key rear and that step (3) generates, when both were identical, the expression client had accurately received the DES key.

(5) digital signature

Server end carries out digital signature by MD5 algorithm (as shown in Figure 5) to the information that will transmit, and digital signature information is appended to the raw information end.

(6) enciphered message

Server end is encrypted the raw information of having added digital signature information by 8 keys that DES algorithm (as shown in Figure 6) utilizes step (3) to generate.

(7) transmission information

Information exchange after server end will be encrypted is crossed the Internet and is sent to client, by the DES algorithm secret key of obtaining from server end information is decrypted processing behind the client obtaining information, from the information that decrypts, isolate raw information and digital signature information, by the MD5 algorithm information of transmission is carried out digital signature, with the signing messages that obtains and the signing messages contrast that receives from server end, represent that when both are identical this data transfer is errorless.

(8) disconnect

After communication finished, server end was received the disconnection service request that client is submitted to, and server end ends at the session of client, and disconnection is connected until client is submitted data service request again to client.

2, client-side information processing procedure (as shown in Figure 4)

(1) initiation parameter

Client regularly sends to server in the thread mode and obtains request of data, and after thread started, client reads client user's information and is submitted to server end from local data base carried out authentication.

(2) user rs authentication

User profile and IP information that server end is submitted to by checking client will be proved to be successful the result and return to client.

(3) obtain the DES key

Client is obtained the DES key information that server utilizes client public key to encrypt by RSA Algorithm.

(4) checking DES key

Client is decrypted the key information of encrypting by private key, information after the deciphering is encrypted and is submitted to server end by the server end PKI again, server end is proved to be successful backward client and returns and be proved to be successful sign, and the client awaits server end carries out transfer of data.

(5) obtain enciphered message

Client is obtained server end by the ciphertext of the raw information of DES algorithm for encryption.

(6) decryption information

The information that the DES key that client is obtained by step (4) obtains step (5) is decrypted, and the raw information and the digital signature information that decrypt are carried out consistency checking.

(7) disconnect

Client will deposit local data base in by the information of consistency checking, and send the request of disconnecting to server end,

This communication finishes.

The network information transfer method that the present invention proposes, server end carries out information encryption before communication, and client is decrypted in this locality after receiving data, thus the defective of having avoided ICP/IP protocol to exist.Simultaneously, integrated use of the present invention the characteristics of various information processing algorithms, under the prerequisite that does not affect data transmission bauds, guaranteed fail safe and the accuracy of network information transfer process.

Claims (7)

Translated fromChinese

1.一种安全的网络信息传输方法，其步骤为：1. A safe network information transmission method, the steps of which are:1)客户端向服务器发起服务请求；其中，所述服务请求包括客户端用户信息、请求获取数据类型信息；1) The client initiates a service request to the server; wherein, the service request includes client user information and request data type information;2)服务器端对收到的服务请求进行过滤，并对过滤所得合法的服务请求中的用户信息进行验证，如果验证通过则进行步骤3)，否则拒绝该服务请求；2) The server side filters the service request received, and verifies the user information in the legal service request obtained by filtering, if the verification is passed, proceed to step 3), otherwise the service request is rejected;3)服务器端从客户端发送请求的IP数据包中解析出客户端IP地址，并进行验证，如果验证通过则建立与该客户端的会话，进行步骤4)；否则拒绝该服务请求；3) the server end resolves the client IP address from the IP packet sent by the client, and verifies, if the verification is passed, then establishes a session with the client, and proceeds to step 4); otherwise, the service request is rejected;4)服务器端生成一密钥，并通过该客户端公钥对该密钥加密后的密钥信息发给该客户端；4) The server generates a key, and sends the key information encrypted by the client public key to the client;5)该客户端利用私钥对该密钥信息进行解密，并将解密出的密钥信息通过服务器端公钥加密后发给服务器端；5) The client uses the private key to decrypt the key information, and encrypts the decrypted key information with the server-side public key and sends it to the server;6)服务器端确认该客户端已安全接收到该密钥后进行步骤7)；6) After the server confirms that the client has safely received the key, proceed to step 7);7)服务器端将该服务请求的数据进行数字签名，并用该密钥对该服务请求的数据以及数字签名信息进行加密，以密文形式发送给该客户端；7) The server side digitally signs the data requested by the service, encrypts the data requested by the service and the digital signature information with the key, and sends them to the client in ciphertext;8)该客户端利用该密钥对收到的数据进行解密和一致性验证，对一致性验证不通过的信息进行丢弃并申请服务器端重传，验证通过的信息存入本地数据库。8) The client uses the key to decrypt and verify the consistency of the received data, discard the information that fails the consistency verification and apply for retransmission on the server side, and store the information that passes the verification into the local database.2.如权利要求1所述的方法，其特征在于所述服务器端确认该客户端已安全接收到该密钥的方法为：服务器端利用私钥对接收到的密钥信息解密，将解密出的密钥与步骤4)生成的密钥进行对比，若两者一致则确认该客户端已安全接收到该密钥。2. The method according to claim 1, wherein the method for the server to confirm that the client has safely received the key is: the server uses a private key to decrypt the received key information, and the decrypted key information is decrypted. The key is compared with the key generated in step 4), and if the two are consistent, it is confirmed that the client has safely received the key.3.如权利要求1或2所述的方法，其特征在于所述密钥为一随机密钥。3. The method according to claim 1 or 2, wherein the key is a random key.4.如权利要求1或2所述的方法，其特征在于该客户端判断数据传输结束后，向服务器端发出结束标志，服务器端中断与该客户端的会话。4. The method according to claim 1 or 2, wherein the client sends an end sign to the server after judging that the data transmission is over, and the server terminates the session with the client.5.如权利要求1或2所述的方法，其特征在于步骤4)中，服务器端采用非对称加密算法通过该客户端公钥对该密钥进行加密后发送给该客户端；步骤5)中，该客户端采用非对称加密算法对解密出的密钥信息通过服务器端公钥进行加密后发送给服务器端。5. The method according to claim 1 or 2, characterized in that in step 4), the server end adopts an asymmetric encryption algorithm to encrypt the key by the client public key and sends it to the client; step 5) , the client uses an asymmetric encryption algorithm to encrypt the decrypted key information with the server's public key and then sends it to the server.6.如权利要求5所述的方法，其特征在于步骤7)中，服务器端采用对称加密算法对该服务请求的数据以及数字签名信息进行加密。6. The method according to claim 5, characterized in that in step 7), the server uses a symmetric encryption algorithm to encrypt the data and digital signature information of the service request.7.如权利要求1所述的方法，其特征在于所述客户端向服务器发起服务请求的方法为：客户端以线程方式定时向服务器发送获取数据请求，线程启动后，客户端从本地数据库中读取客户端用户信息并提交到服务器端。7. The method according to claim 1, wherein the method for the client to initiate a service request to the server is: the client regularly sends a data acquisition request to the server in a thread mode, and after the thread starts, the client retrieves the data from the local database. Read the client user information and submit it to the server.

Images