WO2016176858A1 - Request transmission method and client - Google Patents

Request transmission method and client

Info

Publication number: WO2016176858A1
Authority: WO (WIPO, PCT)
Application number: PCT/CN2015/078467
Other languages: French (fr), Chinese (zh)
Inventor: 魏鑫鹏
Original assignee: 华为技术有限公司 (Huawei Technologies Co., Ltd.)
Priority: CN201580033110.0A (CN106464603B); PCT/CN2015/078467
Publication: WO2016176858A1
Prior art keywords: proxy entity, client, preset indication, TLS connection, indication

Definitions

  • the present invention relates to the field of communications technologies, and in particular, to a method and a client for transmitting a request.
  • the SSL (Secure Sockets Layer) protocol was originally designed to protect the security of information transmitted over a network.
  • the protocol sits below the application layer and above the transport layer.
  • SSL was first proposed by Netscape in November 1994; SSL 2.0 was the first version to be implemented and released. After many revisions it was finally adopted and standardized by the IETF as the TLS (Transport Layer Security) protocol.
  • the position of the TLS protocol in the TCP/IP (Transmission Control Protocol/Internet Protocol) stack and the basic building blocks of TLS are shown in FIG. 1B. As can be seen from FIG. 1B, TLS consists of the TLS Record Protocol, the TLS Handshake Protocol, the TLS Change Cipher Spec Protocol and the TLS Alert Protocol.
  • the TLS protocol sits between the HTTP protocol and the TCP protocol.
  • the SSL protocol and its successor, the TLS protocol, are security protocols that provide encryption, identity authentication and data integrity assurance for network communications, and are widely used for secure communication between clients and servers.
  • communication using the TLS protocol is divided into two phases:
  • the first phase is the handshake negotiation: the client uses the handshake protocol to negotiate the protocol version, compression method, cipher suite and session key with the server, and may also verify the identity of the server.
  • the second phase is data transfer: the server and the client process the data with the negotiated session key and algorithms; after the data has been transmitted, the server and the client close the session in an identifiable manner (a close_notify alert).
  • the transmitted data is protected by encryption.
  • the commonly used encryption methods are symmetric encryption algorithms and asymmetric encryption algorithms; asymmetric algorithms are used together with digital certificates (to authenticate the server and establish the session key), while the bulk data is protected with a symmetric algorithm.
  • the URL (Uniform Resource Locator) in an HTTP message may be either an http URL (for example, http://www.example.com) or an https URL (for example, https://www.example.com).
  • a resource identified by an https URL requires TLS protection; because the accessed resource is protected by TLS, end-to-end security between the client and the server is achieved. A common trend in security protection is to secure resources identified by http URLs with TLS as well, not only resources identified by https URLs.
  • in the prior art, the client determines the preset indication according to whether the resource to be accessed is identified by an http URL, then sends the preset indication to the proxy entity, and the proxy entity decides, according to the preset indication, whether to decrypt subsequent messages or to forward them.
  • since more and more resources that would be identified by an https URL can now also be identified by an http URL, the URL scheme no longer tells the proxy entity how the resource should be handled, and the current method of transmitting requests therefore has the defect of low service quality.
  • the embodiment of the invention provides a method and a client for transmitting a request, which are used to solve the defect that the service quality in the prior art is low.
  • a method for transmitting a request including:
  • the client determines the preset indication according to the attribute of the resource to be accessed or the first user indication
  • the preset indication is used to instruct the proxy entity that receives the TLS connection establishment request how to process the target message, where the target message is a message transmitted over the TLS connection established by the TLS connection establishment request.
  • the attributes of the to-be-accessed resource include: at least one of a type of the resource to be accessed and a domain name of the resource to be accessed.
  • before the client determines the preset indication according to the attribute of the resource to be accessed or the first user indication, the method further includes: the client determines the attribute of the resource to be accessed according to a uniform resource locator (URL) and/or a hypertext markup language (HTML) file.
  • the preset indication includes at least one of a first preset indication and a second preset indication;
  • the first preset indication is used to indicate that the proxy entity that received the TLS connection establishment request decrypts the target message
  • the second preset indication is used to indicate that the proxy entity that received the TLS connection setup request forwards the target message.
  • when the preset indication is the first preset indication, which instructs the proxy entity that receives the TLS connection establishment request to decrypt the target message, the method further includes: the client receives a digital certificate of the proxy entity sent by the proxy entity; the client verifies the credibility of the proxy entity according to the digital certificate; and the client sends a message to the proxy entity to continue establishing the TLS connection when it determines that the proxy entity is trusted.
  • determining, by the client, that the proxy entity is trusted according to the digital certificate includes: the client determines that the proxy entity is trusted according to a second user indication.
  • the method further includes: the client sends a TLS connection establishment request that does not carry the preset indication; the client receives a digital certificate of the proxy entity sent by the proxy entity; and the client returns to the proxy entity a message to continue establishing the TLS connection, or returns to the proxy entity a TLS connection establishment request that carries a second preset indication, where the second preset indication instructs the proxy entity that receives the TLS connection establishment request to forward the target message.
  • when the preset indication is a third preset indication, which instructs the proxy entity to ask the client whether the proxy entity should process the received target message, the method further includes: the client receives a digital certificate of the proxy entity sent by the proxy entity; and the client returns to the proxy entity a message to continue establishing the TLS connection, or returns to the proxy entity a TLS connection establishment request that carries a second preset indication, where the second preset indication instructs the proxy entity that receives the TLS connection establishment request to forward the target message.
  • the digital certificate is an X.509 digital certificate to which at least one of first information and second information has been added, where the first information describes the operation the proxy entity performs once the client has verified that the proxy entity is trusted, and the second information describes the operation the proxy entity performs on the decrypted target message.
  • a client including:
  • a processor configured to determine a preset indication according to an attribute of the resource to be accessed or a first user indication
  • a transmitter configured to send a Transport Layer Security (TLS) connection establishment request that carries the preset indication
  • the preset indication is used to indicate that the proxy entity that receives the TLS connection establishment request processes the target message, where the target message is a message transmitted by using the TLS connection established by the TLS connection establishment request.
  • the attributes of the to-be-accessed resource include: at least one of a type of the resource to be accessed and a domain name of the resource to be accessed.
  • the processor is further configured to determine an attribute of the resource to be accessed
  • the client further includes a receiver, configured to receive the first user indication
  • the attribute of the resource to be accessed is determined according to a uniform resource locator URL and/or a hypertext markup language HTML file.
  • the preset indication includes at least one of a first preset indication and a second preset indication;
  • the first preset indication is used to indicate that the proxy entity that received the TLS connection establishment request decrypts the target message
  • the second preset indication is used to indicate that the proxy entity that received the TLS connection setup request forwards the target message.
  • when the preset indication is the first preset indication, which instructs the proxy entity that receives the TLS connection establishment request to decrypt the target message:
  • the client further includes a receiver, configured to receive a digital certificate of the proxy entity sent by the proxy entity;
  • the processor is further configured to verify the credibility of the proxy entity according to the digital certificate
  • the transmitter is further configured to send a message to the proxy entity to continue to establish the TLS connection when the processor determines that the proxy entity is trusted.
  • the processor determines that the proxy entity is trusted according to the digital certificate specifically by determining that the proxy entity is trusted according to a second user indication.
  • the transmitter is further configured to send a TLS connection establishment request that does not carry the preset indication;
  • the client further includes a receiver, configured to receive a digital certificate of the proxy entity sent by the proxy entity;
  • the transmitter is further configured to return to the proxy entity a message that continues establishing the TLS connection, or to return to the proxy entity a TLS connection establishment request that carries a second preset indication, where the second preset indication instructs the proxy entity that receives the TLS connection establishment request to forward the target message.
  • the preset indication is a third preset indication, which instructs the proxy entity to ask the client whether the proxy entity should process the received target message;
  • the client further includes a receiver, configured to receive a digital certificate of the proxy entity sent by the proxy entity;
  • the transmitter is further configured to return to the proxy entity a message that continues establishing the TLS connection, or to return to the proxy entity a TLS connection establishment request that carries a second preset indication, where the second preset indication instructs the proxy entity that receives the TLS connection establishment request to forward the target message.
  • the digital certificate is an X.509 digital certificate to which at least one of first information and second information has been added, where the first information describes the operation the proxy entity performs once the client has verified that the proxy entity is trusted, and the second information describes the operation the proxy entity performs on the decrypted target message.
  • in summary, the embodiment of the present invention provides a method for transmitting a request: the client determines a preset indication according to the attribute of the resource to be accessed or the first user indication, and sends a TLS connection establishment request that carries the preset indication; the preset indication instructs the proxy entity that receives the request how to process the target message, that is, the message transmitted over the TLS connection established by the request.
  • because the client determines the preset indication from the attribute of the resource to be accessed or from the first user indication, rather than from whether the resource is identified by an https URL or an http URL, the client determines the preset indication accurately even when a resource that could be identified by an https URL is identified by an http URL.
  • the proxy entity can therefore correctly decide from the received TLS connection establishment request whether to decrypt the target message, and then process the decrypted target message, which improves service quality.
  • FIG. 1A is a schematic diagram of prior-art operation using the HTTP protocol;
  • FIG. 1B is a schematic diagram of the TLS protocol in the prior art;
  • FIG. 2 is a schematic structural diagram for transmitting a request according to an embodiment of the present invention;
  • FIG. 3A is a flowchart of transmitting a request according to an embodiment of the present invention;
  • FIG. 3B is a schematic diagram of a digital certificate of a proxy entity in an embodiment of the present invention;
  • FIG. 4A is a flowchart of one embodiment of transmitting a request;
  • FIG. 4B is a flowchart of another embodiment of transmitting a request;
  • FIG. 5 is a schematic structural diagram of a client in an embodiment of the present invention.
  • the communication system involved in the present invention is mainly the core network portion of a communication network.
  • the core network here may be the core network of a mobile network as shown in FIG. 2, i.e. the network architecture consisting of the devices other than the E-UTRAN (Evolved Universal Terrestrial Radio Access Network) and the IP (Internet Protocol) data network, including the MME (Mobility Management Entity), the HSS (Home Subscriber Server), the Serving Gateway, the PDN (Packet Data Network) Gateway and the PCRF (Policy and Charging Rules Function).
  • the core network may also be the core network of a fixed network, where the fixed network is a traditional IP network; since the IP network is well known to those skilled in the art, it is not described in detail herein.
  • the entity involved in the present invention includes a client, a PDN (Packet Data Network) gateway, and a service gateway.
  • the proxy entity may be located in the PDN Gateway, or may be a separate network device.
  • the proxy entity mentioned in the embodiment of the present invention may optionally be configured to intercept the TLS connection establishment request and, according to the preset indication carried in the request, either decrypt the target message transmitted over the TLS connection or forward it directly.
  • it should be noted that "proxy entity" is merely the name given here to a device having the above functions; it may also be called a TLS connection processing device or another name, as long as it has these functions, and is not specifically limited herein. Below, the device having the above functions is referred to as the proxy entity.
  • "multiple" means two or more. "and/or" describes an association between the associated objects and covers three cases: for "A and/or B", A exists alone, A and B exist at the same time, or B exists alone.
  • the character "/" generally indicates an "or" relationship between the objects on either side of it.
  • as shown in FIG. 3A, the process for transmitting a request is as follows:
  • Step 300 The client determines a preset indication according to an attribute of the resource to be accessed or a first user indication.
  • Step 310 The client sends a TLS connection establishment request that carries the preset indication.
  • the preset indication instructs the proxy entity that receives the TLS connection establishment request how to process the target message, where the target message is a message transmitted over the TLS connection established by the TLS connection establishment request.
  • the client mentioned in the embodiment of the present invention may also be referred to as user equipment or as a terminal.
  • the attribute of the resource to be accessed includes at least one of a type of the resource to be accessed and a domain name of the resource to be accessed.
  • for example, the resource to be accessed may be one that needs end-to-end encryption, such as a resource of a bank website or a login-type resource; or it may be a resource of the MPEG (Moving Picture Experts Group) type.
  • the client can determine the type of the resource to be accessed from the URL, or from an HTML (HyperText Markup Language) file; when the HTML file is used, the type is determined from the context of the content in the HTML file that references the resource.
  • the preset indication may include at least one of a first preset indication and a second preset indication
  • the first preset indication may be used to indicate that the proxy entity that received the TLS connection establishment request decrypts the target message
  • the second preset indication may be used to indicate that the proxy entity that received the TLS connection setup request forwards the target message.
  • for example, for a login-type resource or a bank-type resource the TLS connection establishment request carries the first preset indication, and for an MPEG-type resource to be accessed it carries the second preset indication. Because the first preset indication lets the proxy entity decrypt the target message, applying it to resources such as these relies on the client verifying the proxy entity's digital certificate before it continues the TLS connection (steps 420 to 440 below).
  • when the TLS connection establishment request carries the first preset indication, the proxy entity may decrypt the target message; when it carries the second preset indication instead, the proxy entity does not decrypt the target message but forwards it directly.
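The decision of Step 300 and the encoding of Step 310, as an added example (not code from the patent or from Huawei): the client derives the resource type and domain from the URL or from the HTML element that references the resource, maps them to a preset indication, and carries the indication in the extensions block of the TLS connection establishment request (the ClientHello), which the proxy entity then parses. The page does not specify how the indication is encoded; the private-use extension type 0xFF01, the one-byte indication value, the third-indication default for unknown resources, the domain rule and the type-to-indication table are all assumptions for this example (the table follows the page's own login/bank and mpeg pairing).

```python
"""Client-side preset indication for an intercepting TLS proxy.
Added example, not code from the patent.  Assumptions (not in the page):
the indication travels as a private-use TLS extension (type 0xFF01) whose
single data byte is the indication value, and the policy tables below are
constructed from the page's own examples."""
import re
from enum import IntEnum
from urllib.parse import urlparse


class Indication(IntEnum):
    FIRST = 1   # proxy entity decrypts the target message
    SECOND = 2  # proxy entity forwards the target message untouched
    THIRD = 3   # proxy entity must ask the client before processing


EXT_PRESET_INDICATION = 0xFF01  # assumed private-use extension type
EXT_SERVER_NAME = 0x0000        # real SNI extension type (RFC 6066)

# Constructed policy following the page's examples: login/bank -> first,
# mpeg -> second.  Unknown types fall back to asking (third).
TYPE_POLICY = {"login": Indication.FIRST, "bank": Indication.FIRST,
               "mpeg": Indication.SECOND}
DOMAIN_POLICY = {"bank.example": Indication.FIRST}  # assumed domain rule


def resource_attributes(url, html=None):
    """Return (type, domain) of the resource identified by url.  The type is
    taken from the URL path, or from the HTML element that references the
    resource (a <video> or <form> element in this example)."""
    parsed = urlparse(url)
    domain = parsed.hostname or ""
    path = parsed.path.lower()
    rtype = None
    if re.search(r"\.(mpe?g|mp4)$", path):
        rtype = "mpeg"
    elif "login" in path:
        rtype = "login"
    if rtype is None and html:
        pattern = (r"<(video|form)[^>]*(?:src|action)=[\"']"
                   + re.escape(url) + r"[\"']")
        m = re.search(pattern, html, re.I)
        if m:
            rtype = {"video": "mpeg", "form": "login"}[m.group(1).lower()]
    return rtype, domain


def preset_indication(url, html=None, user_indication=None):
    """Step 300: the indication comes from the resource attributes or from
    the first user indication, never from the http/https URL scheme."""
    if user_indication is not None:
        return Indication(user_indication)
    rtype, domain = resource_attributes(url, html)
    if domain in DOMAIN_POLICY:
        return DOMAIN_POLICY[domain]
    return TYPE_POLICY.get(rtype, Indication.THIRD)


def build_extensions(server_name, indication):
    """Step 310: encode a ClientHello extensions block (RFC 8446 section 4.2
    framing) carrying SNI and the preset indication."""
    host = server_name.encode("idna")
    sni_entry = b"\x00" + len(host).to_bytes(2, "big") + host
    sni = len(sni_entry).to_bytes(2, "big") + sni_entry
    exts = b""
    for ext_type, data in ((EXT_SERVER_NAME, sni),
                           (EXT_PRESET_INDICATION, bytes([indication]))):
        exts += ext_type.to_bytes(2, "big") + len(data).to_bytes(2, "big") + data
    return len(exts).to_bytes(2, "big") + exts


def parse_extensions(buf):
    """Proxy side: walk the extensions block and return {type: data}."""
    total = int.from_bytes(buf[:2], "big")
    if total != len(buf) - 2:
        raise ValueError("extensions length mismatch")
    pos, out = 2, {}
    while pos < len(buf):
        ext_type = int.from_bytes(buf[pos:pos + 2], "big")
        length = int.from_bytes(buf[pos + 2:pos + 4], "big")
        data = buf[pos + 4:pos + 4 + length]
        if len(data) != length:
            raise ValueError("truncated extension")
        out[ext_type] = data
        pos += 4 + length
    return out


def proxy_indication(buf):
    """What the proxy entity reads from an intercepted request; None when the
    request carries no usable indication (the proxy then decides or asks)."""
    data = parse_extensions(buf).get(EXT_PRESET_INDICATION)
    return Indication(data[0]) if data and len(data) == 1 else None
```

The proxy entity sees only the ClientHello before any key exchange, so the indication has to be readable from the unencrypted extensions block; when it is absent or malformed, proxy_indication returns None and the proxy must fall back to asking the client or to its own default, as the page describes for requests without an indication.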
  • when the preset indication includes the first preset indication, after the client sends the TLS connection establishment request carrying the preset indication: the client receives a digital certificate of the proxy entity sent by the proxy entity; the client verifies the credibility of the proxy entity according to the digital certificate; and when it determines that the proxy entity is trusted, the client sends a message to the proxy entity to continue establishing the TLS connection.
  • the client may determine that the proxy entity is trusted according to the digital certificate in either of the following ways: the client determines that the digital certificate passes certificate chain validation and that it matches a digital certificate the client already stores, in which case the proxy entity is trusted; or the client determines that the proxy entity is trusted according to a second user indication.
  • the verification of the proxy entity's digital certificate differs from the verification of an ordinary SSL certificate in the prior art. The main difference is that, in the embodiment of the present invention, no domain-name check is performed on the proxy entity's digital certificate: the domain name of the accessed resource is not compared with the Common Name field of the certificate. Because this hostname binding is skipped, the trust decision rests entirely on the chain validation together with the stored certificate (or on the second user indication); if the client accepted any certificate that merely chains to a generally trusted root, any holder of such a certificate on the path could present itself as the proxy entity.
  • the above describes the case in which the TLS connection establishment request carries the first or the second preset indication. The request may also carry neither: the proxy entity then sends its digital certificate to the client and asks the client whether, when the proxy entity receives the target message, it should decrypt it or forward it. In that case the method further includes: the client sends a TLS connection establishment request that does not carry the preset indication; the client receives the digital certificate of the proxy entity sent by the proxy entity; and the client either returns to the proxy entity a message to continue establishing the TLS connection, or returns a TLS connection establishment request that carries the second preset indication, which instructs the proxy entity that receives it to forward the target message.
  • when the request carries no preset indication, the proxy entity need not ask the client at all: it may also decide by itself whether to decrypt or forward the target message, or simply decrypt it by default; this is not detailed further here.
  • the client can also ask to be consulted explicitly: the preset indication then instructs the proxy entity to ask the client whether the proxy entity should process the received target message, and the proxy entity asks the client whether it should decrypt the target message or forward it.
  • the specific implementation is as follows: the preset indication is a third preset indication, which instructs the proxy entity to ask the client whether the proxy entity should process the received target message; the method further includes: the client receives a digital certificate of the proxy entity sent by the proxy entity; and the client returns to the proxy entity a message to continue establishing the TLS connection, or returns a TLS connection establishment request that carries the second preset indication, which instructs the proxy entity that receives it to forward the target message.
  • the digital certificate may take several forms. At least one of first information and second information may be added to a digital certificate in X.509 format, where the first information describes the operation the proxy entity performs after the client has verified that it is trusted, and the second information describes the operation the proxy entity performs on the decrypted target message.
  • FIG. 3B is a schematic diagram of such a digital certificate of a proxy entity: a key usage (KeyUsage) field is added, indicating that the proxy entity decrypts the target message once the client has verified, according to the digital certificate, that the proxy entity is trusted; and a functions (Functions) field is added, indicating which operations the proxy entity performs on the decrypted target message. Note that the standard X.509 KeyUsage extension (RFC 5280, section 4.2.1.3) is a bit string with a fixed set of defined bits, so in a real deployment a new purpose such as this one would be carried in a private certificate extension or an extended key usage object identifier rather than in the existing KeyUsage bits.
  • in the embodiment of the present invention, the client determines the preset indication according to the attribute of the resource to be accessed or the first user indication, not according to whether the resource is identified by an https URL or an http URL.
  • the preset indication is therefore determined accurately, so that the proxy entity can correctly decrypt the target message and then process the decrypted target message, improving service quality.
  • FIG. 4A is a flowchart in which the client sends a TLS connection establishment request and the proxy entity performs the corresponding processing according to the request it receives:
  • Step 400 The client receives the first user indication sent by the user, and determines the first preset indication according to the first user indication;
  • Step 410 The client carries the first preset indication in the TLS connection establishment request, and sends the TLS connection establishment request.
  • Step 420 After receiving the TLS connection establishment request, the proxy entity sends the digital certificate of the proxy entity to the client.
  • Step 430 The client determines whether the proxy entity is trusted according to the digital certificate of the proxy entity, and if so, step 440 is performed, otherwise, step 470 is performed;
  • Step 440 The client sends a message to the proxy entity to continue to establish a TLS connection.
  • Step 450 After completing the establishment of the TLS connection, the proxy entity decrypts the target message.
  • Step 460 The proxy entity sends the decrypted target message to the server.
  • Step 470 The client sends a TLS connection establishment request that carries the second preset indication to the proxy entity.
  • Step 480 The proxy entity does not decrypt the target message, and forwards the target message directly to the server.
  • to improve the security of the transmitted target message, after receiving the TLS connection establishment request carrying the first preset indication the proxy entity sends its digital certificate to the client, and the client verifies the credibility of the proxy entity according to the digital certificate; only when the client determines that the proxy entity is trusted does it continue establishing the TLS connection with the proxy entity, which then decrypts the target message.
  • the proxy entity may also establish the TLS connection and decrypt the target message directly, without sending its digital certificate; this variant gives the client no opportunity to check which entity is decrypting its traffic.
  • step 400, step 410, step 450 and step 460 are mandatory; step 420, step 430, step 440, step 470 and step 480 are optional.
  • in FIG. 4A the client determines the first preset indication according to the first user indication. The client may likewise determine the second preset indication according to the first user indication; that process is shown in FIG. 4B:
  • Step 4000 The client receives the first user indication sent by the user, and determines a second preset indication according to the first user indication.
  • Step 4100 The client carries the second preset indication in the TLS connection establishment request, and sends the TLS connection establishment request.
  • Step 4200 After receiving the TLS connection establishment request carrying the second preset indication, the proxy entity does not decrypt the target message and forwards it directly to the server.
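The certificate check of steps 420 to 430 and the decrypt-or-forward branches of FIG. 4A and FIG. 4B, as an added example (not code from the patent or from Huawei). Certificates are modelled as dicts with the FIG. 3B KeyUsage and Functions fields carried in an assumed private extension named proxyUsage; the chain check is reduced to an issuer lookup, the stored-certificate test to SHA-256 fingerprint pinning, and the second user indication to a callback; the ProxyEntity and Client classes, the message names and the sample certificates are constructed for the example. As the page describes, the proxy certificate's subject is never compared with the accessed domain, so the example also shows that the pinned copy is what keeps a look-alike certificate from an unrelated root from being accepted.

```python
"""Client-side trust check of the proxy entity and the FIG. 4A / 4B exchange.
Added example, not the patent's code.  Assumptions (not in the page):
dict-based certificates, the FIG. 3B fields inside a private extension
"proxyUsage", issuer lookup as the chain check, SHA-256 fingerprint
pinning as the "stored certificate" test, and invented message names."""
import hashlib
import json

FIRST, SECOND = 1, 2  # preset indications: proxy decrypts / proxy forwards


def fingerprint(cert):
    """SHA-256 over a canonical encoding, standing in for a DER fingerprint."""
    return hashlib.sha256(json.dumps(cert, sort_keys=True).encode()).hexdigest()


def chain_validates(cert, trusted_roots):
    """Chain check as the page describes it: the issuer must be a trusted root.
    Deliberately no comparison of cert["subject"] with the accessed domain."""
    return cert.get("issuer") in trusted_roots


def proxy_is_trusted(cert, pinned, trusted_roots, allowed_functions, user_confirms=None):
    """Step 430.  Trusted when (a) the added fields permit decryption with
    functions the client accepts, and (b) either the chain validates and the
    certificate is one the client already stores (pinned), or a second user
    indication (user_confirms) approves it."""
    usage = cert.get("extensions", {}).get("proxyUsage", {})
    if "decrypt" not in usage.get("keyUsage", []):
        return False                      # cert does not claim the FIG. 3B role
    if not set(usage.get("functions", [])) <= allowed_functions:
        return False                      # proxy would do more than we allow
    if chain_validates(cert, trusted_roots) and fingerprint(cert) in pinned:
        return True
    return bool(user_confirms and user_confirms(cert))


class Client:
    def __init__(self, pinned, trusted_roots, allowed_functions, user_confirms=None):
        self.pinned, self.roots = pinned, trusted_roots
        self.allowed, self.user_confirms = allowed_functions, user_confirms

    def on_proxy_certificate(self, cert):
        """Steps 430/440/470: continue, or re-request with the second indication."""
        if proxy_is_trusted(cert, self.pinned, self.roots, self.allowed, self.user_confirms):
            return "continue"
        return SECOND


class ProxyEntity:
    """Intercepting proxy: decrypts or forwards according to the indication."""
    def __init__(self, cert):
        self.cert = cert

    def handle(self, indication, client):
        """Returns what happens to the target message: 'decrypted' or 'forwarded'."""
        if indication == SECOND:              # steps 4200 / 480
            return "forwarded"
        # FIRST, or no indication at all: present the certificate (step 420)
        if client.on_proxy_certificate(self.cert) == "continue":
            return "decrypted"                # steps 440 -> 450 -> 460
        return "forwarded"                    # steps 470 -> 480


# Constructed sample certificates (not from the page).
PROXY_CERT = {"subject": "proxy.operator.example", "issuer": "Operator Root CA",
              "extensions": {"proxyUsage": {"keyUsage": ["decrypt"],
                                            "functions": ["cache", "transcode"]}}}
# Same fields, but chaining to a public root and never stored by the client.
LOOKALIKE_CERT = dict(PROXY_CERT, subject="proxy.attacker.example",
                      issuer="Public Root CA")


def run_exchanges():
    """Four runs: trusted proxy, look-alike proxy, second indication, no indication."""
    client = Client(pinned={fingerprint(PROXY_CERT)},
                    trusted_roots={"Operator Root CA", "Public Root CA"},
                    allowed_functions={"cache", "transcode"})
    return (ProxyEntity(PROXY_CERT).handle(FIRST, client),
            ProxyEntity(LOOKALIKE_CERT).handle(FIRST, client),
            ProxyEntity(PROXY_CERT).handle(SECOND, client),
            ProxyEntity(PROXY_CERT).handle(None, client))


if __name__ == "__main__":
    print(run_exchanges())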
  • FIG. 5 shows a client, which includes a processor 50 and a transmitter 51, wherein:
  • the processor 50 is configured to determine a preset indication according to an attribute of the resource to be accessed or a first user indication;
  • the transmitter 51 is configured to send a Transport Layer Security (TLS) connection establishment request that carries the preset indication;
  • the preset indication is used to indicate that the proxy entity receiving the TLS connection establishment request processes the target message, and the target message is a message transmitted by using the TLS connection established by the TLS connection establishment request.
  • the attribute of the resource to be accessed includes at least one of a type of the resource to be accessed and a domain name of the resource to be accessed.
  • the processor 50 is further configured to determine an attribute of the resource to be accessed
  • the client further includes a receiver 52, configured to receive the first user indication
  • processor 50 determines an attribute of the resource to be accessed, specifically:
  • the attributes of the resource to be accessed are determined according to the URL and/or the HTML file.
  • the preset indication includes at least one of a first preset indication and a second preset indication
  • the first preset indication is used to indicate that the proxy entity that received the TLS connection establishment request decrypts the target message
  • the second preset indication is used to indicate that the proxy entity that received the TLS connection setup request forwards the target message.
  • the preset indication is a first preset indication, where the first preset indication is used to indicate that the proxy entity that receives the TLS connection establishment request decrypts the target message;
  • the client further includes a receiver 52, configured to receive a digital certificate of the proxy entity sent by the proxy entity;
  • processor 50 is further configured to verify the credibility of the proxy entity according to the digital certificate
  • the transmitter 51 is further configured to send a message to the proxy entity to continue to establish a TLS connection when the processor 50 determines that the proxy entity is trusted.
  • the processor 50 determines that the proxy entity is trusted according to the digital certificate, specifically:
  • the proxy entity is determined to be trusted according to the second user indication.
  • the transmitter 51 is further configured to send a TLS connection establishment request that does not carry the preset indication
  • the client further includes a receiver 52, configured to receive a digital certificate of the proxy entity sent by the proxy entity;
  • the transmitter 51 is further configured to: return a message to the proxy entity to continue to establish a TLS connection; or return a TLS connection establishment request carrying a second preset indication to the proxy entity, where the second preset indication is used to indicate that the TLS connection establishment request is received
  • the proxy entity forwards the target message.
  • the preset indication is a third preset indication, where the third preset indication is used to instruct the proxy entity to query the client proxy entity whether to process the received target message;
  • the client further includes a receiver 52, configured to receive a digital certificate of the proxy entity sent by the proxy entity;
  • the transmitter 51 is further configured to: return a message to the proxy entity to continue to establish a TLS connection; or return a TLS connection establishment request carrying a second preset indication to the proxy entity, where the second preset indication is used to indicate that the proxy entity that received the TLS connection establishment request forwards the target message.
  • the digital certificate is an X.509 format digital certificate to which at least one of first information and second information has been added, where the first information is information on the operation performed by the proxy entity after the proxy entity has been verified as trusted, and the second information is information on the operation performed by the proxy entity on the decrypted target message.
  • These computer program instructions can also be stored in a computer readable memory that can direct a computer or other programmable data processing device to operate in a particular manner, such that the instructions stored in the computer readable memory produce an article of manufacture comprising an instruction device that implements the functions specified in one or more flows of the flowchart and/or one or more blocks of the block diagram.
  • These computer program instructions can also be loaded onto a computer or other programmable data processing device such that a series of operational steps are performed on the computer or other programmable device to produce computer-implemented processing, so that the instructions executed on the computer or other programmable device provide steps for implementing the functions specified in one or more flows of the flowchart and/or one or more blocks of the block diagram.

Abstract

Provided in embodiments of the present invention are a request transmission method and client. The method comprises: determining, by a client, a preset instruction according to an attribute of a resource to be accessed or a first user instruction; and transmitting, by the client, a TLS connection establishment request carrying the preset instruction, wherein the preset instruction is configured to instruct a proxy entity receiving the TLS connection establishment request to process a target message, and the target message is a message transmitted via a TLS connection established based on the TLS connection establishment request. Since the client determines the preset instruction according to the attribute of the resource to be accessed or the first user instruction and does not determine the preset instruction according to whether the resource to be accessed utilizes a https URL identifier or a http URL identifier, the client accurately determines the preset instruction, such that the proxy entity accurately decrypts the target message, and processes the decrypted target message, thus improving service quality.

Description

Method and client for transmitting a request
Technical field
The present invention relates to the field of communications technologies, and in particular to a method and a client for transmitting a request.
Background
HTTP (Hypertext Transfer Protocol) is currently the most widely used stateless application-layer protocol on the Internet; it communicates over TCP (Transmission Control Protocol) at the transport layer. A schematic diagram of operation using the HTTP protocol is shown in FIG. 1A.
The SSL (Secure Sockets Layer) protocol was originally designed to protect the security of information transmitted over the network; the protocol sits above the transport layer and below the application layer. SSL was first proposed and implemented by Netscape in November 1994 (SSLv2); after many revisions it was finally adopted and standardized as the TLS (Transport Layer Security) protocol. The position of the TLS protocol in the TCP/IP (Internet Protocol) protocol stack and the basic building blocks of the TLS protocol are shown in FIG. 1B. As can be seen from FIG. 1B, the TLS protocol comprises the TLS Record Protocol, the TLS Handshaking Protocol, the TLS Change Cipher Spec Protocol and the TLS Alert Protocol, and it can further be seen that the TLS protocol sits between the HTTP protocol and the TCP protocol. The SSL protocol and its successor, the TLS protocol, are security protocols that provide encryption, identity authentication and data integrity for network communications, and they have been widely applied to secure communication between clients and servers. Communication using the TLS protocol is divided into two phases:
The first phase is the handshake negotiation: the client and the server use the handshake protocol to negotiate and exchange the protocol version, compression method, encryption algorithm, session key and related information, and the client can also verify the identity of the server.
The second phase is data transfer: the server and the client process the data using the negotiated session key and algorithms; after the data transfer is complete, the server and the client tear down the session connection in an authenticable manner. During data transfer the transmitted data is encrypted; the commonly used encryption methods are symmetric encryption algorithms and asymmetric encryption algorithms, where the asymmetric encryption algorithms include encryption based on digital certificates.
The URL (Uniform Resource Locator) in an HTTP message can be classified as an http URL (for example, http://www.example.com) or an https URL (for example, https://www.example.com). A resource identified by an http URL does not need to be protected by TLS, whereas a resource identified by an https URL must be protected by TLS. Because protecting the accessed resource with TLS provides end-to-end security between the client and the server, there is a growing trend to protect everything with TLS, that is, to protect both resources identified by http URLs and resources identified by https URLs with TLS.
In the prior art, the client determines the preset indication solely according to whether the resource to be accessed is identified by an http URL, and then sends the preset indication to the proxy entity; the proxy entity determines from the preset indication whether to decrypt or to forward subsequent messages. However, more and more resources that could originally have been identified by an https URL are now identified by an http URL, so the current way of transmitting requests has the defect of low service quality.
In summary, the current method of transmitting requests has the defect of low service quality.
Summary of the invention
Embodiments of the present invention provide a method and a client for transmitting a request, so as to solve the defect of low service quality in the prior art.
In a first aspect, a method for transmitting a request is provided, including:
determining, by a client, a preset indication according to an attribute of the resource to be accessed or a first user indication;
sending, by the client, a Transport Layer Security (TLS) connection establishment request carrying the preset indication;
where the preset indication is used to instruct the proxy entity that receives the TLS connection establishment request to process a target message, and the target message is a message transmitted over the TLS connection established on the basis of the TLS connection establishment request.
With reference to the first aspect, in a first possible implementation, the attribute of the resource to be accessed includes at least one of: the type of the resource to be accessed, and the domain name of the resource to be accessed.
With reference to the first possible implementation of the first aspect, in a second possible implementation, before the client determines the preset indication according to the attribute of the resource to be accessed or the first user indication, the method further includes:
determining, by the client, the attribute of the resource to be accessed, or receiving, by the client, the first user indication;
where determining, by the client, the attribute of the resource to be accessed includes:
determining, by the client, the attribute of the resource to be accessed according to a Uniform Resource Locator (URL) and/or a HyperText Markup Language (HTML) file.
With reference to the first aspect, or the first or second possible implementation of the first aspect, in a third possible implementation, the preset indication includes at least one of a first preset indication and a second preset indication;
the first preset indication is used to instruct the proxy entity that receives the TLS connection establishment request to decrypt the target message;
the second preset indication is used to instruct the proxy entity that receives the TLS connection establishment request to forward the target message.
With reference to the first aspect, or any of the first to third possible implementations of the first aspect, in a fourth possible implementation, the preset indication is the first preset indication, and the first preset indication is used to instruct the proxy entity that receives the TLS connection establishment request to decrypt the target message;
after the client sends the TLS connection establishment request carrying the preset indication, the method further includes:
receiving, by the client, a digital certificate of the proxy entity sent by the proxy entity;
verifying, by the client, the trustworthiness of the proxy entity according to the digital certificate;
sending, by the client, a message to the proxy entity to continue establishing the TLS connection when the client determines that the proxy entity is trusted.
With reference to the fourth possible implementation of the first aspect, in a fifth possible implementation, determining, by the client, that the proxy entity is trusted according to the digital certificate includes:
determining, by the client, that the proxy entity is trusted when the client determines that the digital certificate passes the certificate chain check and determines that the client has the digital certificate stored; or
determining, by the client, that the proxy entity is trusted according to a second user indication.
With reference to the first aspect, or any of the first to fifth possible implementations of the first aspect, in a sixth possible implementation, the method further includes:
sending, by the client, a TLS connection establishment request that does not carry the preset indication;
receiving, by the client, a digital certificate of the proxy entity sent by the proxy entity;
returning, by the client, a message to the proxy entity to continue establishing the TLS connection; or returning, by the client, a TLS connection establishment request carrying a second preset indication to the proxy entity, where the second preset indication is used to instruct the proxy entity that receives the TLS connection establishment request to forward the target message.
With reference to the first aspect, or any of the first to fifth possible implementations of the first aspect, in a seventh possible implementation, the preset indication is a third preset indication, and the third preset indication is used to instruct the proxy entity to ask the client whether the proxy entity should process the received target message;
after the client sends the TLS connection establishment request carrying the preset indication, the method further includes:
receiving, by the client, a digital certificate of the proxy entity sent by the proxy entity;
returning, by the client, a message to the proxy entity to continue establishing the TLS connection; or returning, by the client, a TLS connection establishment request carrying a second preset indication to the proxy entity, where the second preset indication is used to instruct the proxy entity that receives the TLS connection establishment request to forward the target message.
With reference to any of the fourth to seventh possible implementations of the first aspect, in an eighth possible implementation, the digital certificate is an X.509 format digital certificate to which at least one of first information and second information has been added, where the first information is information on the operation performed by the proxy entity after the proxy entity has been verified as trusted, and the second information is information on the operation performed by the proxy entity on the decrypted target message.
In a second aspect, a client is provided, including:
a processor, configured to determine a preset indication according to an attribute of the resource to be accessed or a first user indication;
a transmitter, configured to send a Transport Layer Security (TLS) connection establishment request carrying the preset indication;
where the preset indication is used to instruct the proxy entity that receives the TLS connection establishment request to process a target message, and the target message is a message transmitted over the TLS connection established on the basis of the TLS connection establishment request.
With reference to the second aspect, in a first possible implementation, the attribute of the resource to be accessed includes at least one of: the type of the resource to be accessed, and the domain name of the resource to be accessed.
With reference to the first possible implementation of the second aspect, in a second possible implementation, the processor is further configured to determine the attribute of the resource to be accessed;
the client further includes a receiver, configured to receive the first user indication;
when the processor determines the attribute of the resource to be accessed, it specifically:
determines the attribute of the resource to be accessed according to a Uniform Resource Locator (URL) and/or a HyperText Markup Language (HTML) file.
With reference to the second aspect, or the first or second possible implementation of the second aspect, in a third possible implementation, the preset indication includes at least one of a first preset indication and a second preset indication;
the first preset indication is used to instruct the proxy entity that receives the TLS connection establishment request to decrypt the target message;
the second preset indication is used to instruct the proxy entity that receives the TLS connection establishment request to forward the target message.
With reference to the second aspect, or any of the first to third possible implementations of the second aspect, in a fourth possible implementation, the preset indication is the first preset indication, and the first preset indication is used to instruct the proxy entity that receives the TLS connection establishment request to decrypt the target message;
the client further includes a receiver, configured to receive a digital certificate of the proxy entity sent by the proxy entity;
the processor is further configured to verify the trustworthiness of the proxy entity according to the digital certificate;
the transmitter is further configured to send a message to the proxy entity to continue establishing the TLS connection when the processor determines that the proxy entity is trusted.
With reference to the fourth possible implementation of the second aspect, in a fifth possible implementation, when the processor determines that the proxy entity is trusted according to the digital certificate, it specifically:
determines that the proxy entity is trusted when it determines that the digital certificate passes the certificate chain check and determines that the client has the digital certificate stored; or
determines that the proxy entity is trusted according to a second user indication.
With reference to the second aspect, or any of the first to fifth possible implementations of the second aspect, in a sixth possible implementation, the transmitter is further configured to send a TLS connection establishment request that does not carry the preset indication;
the client further includes a receiver, configured to receive a digital certificate of the proxy entity sent by the proxy entity;
the transmitter is further configured to return a message to the proxy entity to continue establishing the TLS connection, or to return a TLS connection establishment request carrying a second preset indication to the proxy entity, where the second preset indication is used to instruct the proxy entity that receives the TLS connection establishment request to forward the target message.
With reference to the second aspect, or any of the first to fifth possible implementations of the second aspect, in a seventh possible implementation, the preset indication is a third preset indication, and the third preset indication is used to instruct the proxy entity to ask the client whether the proxy entity should process the received target message;
the client further includes a receiver, configured to receive a digital certificate of the proxy entity sent by the proxy entity;
the transmitter is further configured to return a message to the proxy entity to continue establishing the TLS connection, or to return a TLS connection establishment request carrying a second preset indication to the proxy entity, where the second preset indication is used to instruct the proxy entity that receives the TLS connection establishment request to forward the target message.
With reference to any of the fourth to seventh possible implementations of the second aspect, in an eighth possible implementation, the digital certificate is an X.509 format digital certificate to which at least one of first information and second information has been added, where the first information is information on the operation performed by the proxy entity after the proxy entity has been verified as trusted, and the second information is information on the operation performed by the proxy entity on the decrypted target message.
Embodiments of the present invention provide a method for transmitting a request: a client determines a preset indication according to an attribute of the resource to be accessed or a first user indication, and sends a TLS connection establishment request carrying the preset indication, where the preset indication is used to instruct the proxy entity that receives the TLS connection establishment request to process a target message, and the target message is a message transmitted over the TLS connection established on the basis of the TLS connection establishment request. Because the client determines the preset indication according to the attribute of the resource to be accessed or the first user indication, rather than according to whether the resource to be accessed is identified by an https URL or an http URL, the client can still determine the preset indication accurately even when a resource that would originally have been identified by an https URL is instead identified by an http URL. In this way, the proxy entity can accurately decrypt the target message according to the received TLS connection establishment request and then process the decrypted target message, which improves service quality.
Brief description of the drawings
FIG. 1A is a schematic diagram of operation using the HTTP protocol in the prior art;
FIG. 1B is a schematic diagram of the TLS protocol in the prior art;
FIG. 2 is a schematic architecture diagram of request transmission according to an embodiment of the present invention;
FIG. 3A is a flowchart of request transmission according to an embodiment of the present invention;
FIG. 3B is a schematic diagram of the digital certificate of a proxy entity according to an embodiment of the present invention;
FIG. 4A shows one embodiment of request transmission according to an embodiment of the present invention;
FIG. 4B shows another embodiment of request transmission according to an embodiment of the present invention;
FIG. 5 is a schematic structural diagram of a client according to an embodiment of the present invention.
Detailed description
To make the objectives, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the accompanying drawings of the embodiments. Clearly, the described embodiments are some rather than all of the embodiments of the present invention. All other embodiments obtained by a person of ordinary skill in the art based on the embodiments of the present invention without creative effort fall within the protection scope of the present invention.
The system involved in the present application is described below so that it may be understood by those skilled in the art.
The communication system involved in the present invention is mainly the core network part of a communication network. The core network here may be the core network of a mobile network as shown in FIG. 2; the core network shown in FIG. 2 refers to the network architecture composed of devices other than the client, the E-UTRAN (Evolved Universal Terrestrial Radio Access Network) and the IP (Internet Protocol) data network, and mainly includes the MME (Mobility Management Entity), the HSS (Home Subscriber Server), the Serving Gateway, the PDN (Packet Data Network) Gateway and the PCRF (Policy and Charging Rules Function) entity; it should be noted here that the E-UTRAN is the access network. Of course, the core network may also be the core network of a fixed network, where a fixed network refers to a traditional IP network; because IP networks are well known to those skilled in the art, they are not described in detail here.
The entities involved in the present invention include the client, the PDN (Packet Data Network) Gateway and the Serving Gateway, where the proxy entity may be located in the PDN Gateway or, of course, may be a separate network device.
The proxy entity mentioned in the embodiments of the present invention may optionally be a device that has the function of intercepting a TLS connection establishment request and, according to the preset indication carried in the TLS connection establishment request, either decrypting or directly forwarding the target message transmitted over the TLS connection. It should be noted that "proxy entity" is merely the name of a device having the above function; it may also be called a TLS connection processing device or have another name, as long as it has the above function, and no specific limitation is made here. In the following, a device having the above function is referred to as the proxy entity by way of example.
"Multiple" means two or more. "And/or" describes an association between associated objects and indicates that three relationships may exist; for example, A and/or B may mean: A exists alone, A and B exist at the same time, or B exists alone. The character "/" generally indicates that the associated objects before and after it are in an "or" relationship.
The preferred embodiments of the present invention are described in detail below with reference to the accompanying drawings. It should be understood that the preferred embodiments described here are only used to illustrate and explain the present invention and are not intended to limit it, and that, where there is no conflict, the embodiments of the present application and the features in the embodiments may be combined with each other.
The embodiments of the present invention are described in detail below with reference to the accompanying drawings.
参阅图3A所示,本发明实施例中,传输请求的一种流程如下:Referring to FIG. 3A, in the embodiment of the present invention, a process for transmitting a request is as follows:
步骤300:客户端根据待访问的资源的属性或者第一用户指示确定预设指示;Step 300: The client determines a preset indication according to an attribute of the resource to be accessed or a first user indication.
Step 310: The client sends a TLS connection establishment request that carries the preset indication.
The first preset indication is used to instruct the proxy entity that receives the TLS connection establishment request to process the target message; the target message is a message transmitted over the TLS connection established on the basis of the TLS connection establishment request.
The client mentioned in the embodiments of the present invention may be a user equipment or a terminal; it may of course also be another form of device, which is not specifically limited here.
In the embodiments of the present invention, optionally, the attributes of the resource to be accessed include at least one of the type of the resource to be accessed and the domain name of the resource to be accessed.
For example, the resource to be accessed is a resource that requires end-to-end encryption, such as a resource of a bank website or a login-type resource; or, the resource to be accessed is an mpeg (Moving Picture Experts Group) type resource.
Optionally, the client may determine the type of the resource to be accessed from the URL, or from an HTML (HyperText Markup Language) file; when determining the type from an HTML file, the type of the resource to be accessed may be determined from the context information of the content in the HTML file.
In the embodiments of the present invention, optionally, the preset indication may include at least one of a first preset indication and a second preset indication;
where, optionally, the first preset indication may be used to instruct the proxy entity that receives the TLS connection establishment request to decrypt the target message;
and the second preset indication may be used to instruct the proxy entity that receives the TLS connection establishment request to forward the target message.
For example, when the resource to be accessed is a login-type resource or a bank-type resource, the TLS connection establishment request carries the first preset indication; when the resource to be accessed is an mpeg (Moving Picture Experts Group) type resource, the TLS connection establishment request carries the second preset indication.
That is to say, in the embodiments of the present invention, the client may carry the first preset indication in the TLS connection establishment request to tell the proxy entity to decrypt the target message; of course, the TLS connection establishment request may instead carry the second preset indication rather than the first, instructing the proxy entity not to decrypt the target message but to forward it directly.
When the preset indication includes the first preset indication, further, in order to improve security, after the client sends the TLS connection establishment request carrying the preset indication, the method further includes the following operations:
the client receives the digital certificate of the proxy entity sent by the proxy entity;
the client verifies the trustworthiness of the proxy entity according to the digital certificate;
when the client determines that the proxy entity is trustworthy, it sends a message to the proxy entity to continue establishing the TLS connection.
In the embodiments of the present invention, there are multiple ways for the client to determine, according to the digital certificate, that the proxy entity is trustworthy; optionally, the following may be used:
the client determines that the proxy entity is trustworthy when it determines that the digital certificate successfully passes the certificate chain check and that the client has the digital certificate stored; or
if the digital certificate is not stored in the client, the client may determine that the proxy entity is trustworthy according to a second user indication.
In the embodiments of the present invention, the procedure by which the client verifies the digital certificate of the proxy entity differs from the prior-art procedure for verifying an ordinary SSL certificate. The main difference is that, in the embodiments of the present invention, no domain name verification is performed on the digital certificate of the proxy entity; that is, the domain name of the accessed resource is not compared for equality with the Common Name field of the digital certificate.
The above describes the case in which the TLS connection establishment request carries the first or the second preset indication. In practical applications, the TLS connection establishment request may carry neither the first nor the second preset indication; in that case, the proxy entity sends its digital certificate to the client and asks the client whether, when the proxy entity receives the target message, it should decrypt the target message or forward it. Therefore, in the embodiments of the present invention, the method further includes:
the client sends a TLS connection establishment request that does not carry a preset indication;
the client receives the digital certificate of the proxy entity sent by the proxy entity;
the client returns to the proxy entity a message to continue establishing the TLS connection; or, the client returns to the proxy entity a TLS connection establishment request carrying the second preset indication, the second preset indication being used to instruct the proxy entity that receives the TLS connection establishment request to forward the target message.
The above describes the proxy entity sending its digital certificate to the client and asking the client whether to decrypt or to forward the target message. In applications, the proxy entity may also decide on its own whether to decrypt or to forward the target message, or may directly proceed with decryption; these cases are not described one by one here.
It should be noted that even if the proxy entity decides on its own whether to decrypt the target message, the final say over whether decryption succeeds still rests with the client.
The above describes that, when the TLS connection establishment request carries no preset indication, the proxy entity asks the client whether to decrypt or to forward the target message. Of course, in practical applications, the TLS connection establishment request may also carry a preset indication that is a third preset indication, which is used to instruct the proxy entity to ask the client whether the proxy entity should process the received target message; the proxy entity then likewise asks the client whether to decrypt or to forward the target message. The specific implementation is as follows:
the preset indication is a third preset indication, and the third preset indication is used to instruct the proxy entity to ask the client whether the proxy entity should process the received target message;
after the client sends the TLS connection establishment request carrying the preset indication, the method further includes:
the client receives the digital certificate of the proxy entity sent by the proxy entity;
the client returns to the proxy entity a message to continue establishing the TLS connection; or, the client returns to the proxy entity a TLS connection establishment request carrying the second preset indication, the second preset indication being used to instruct the proxy entity that receives the TLS connection establishment request to forward the target message.
In the embodiments of the present invention, the digital certificate may take multiple forms; optionally, it may be an X.509 format digital certificate to which at least one of first information and second information has been added, where the first information is information about the operation the proxy entity performs once it has been verified as trustworthy, and the second information is information about the operation the proxy entity performs on the decrypted target message.
FIG. 3B is a schematic diagram of the digital certificate of the proxy entity in one embodiment of the present invention. As shown in FIG. 3B, a key usage (KeyUsage) field is added to the digital certificate; this field indicates that, once the client has verified the proxy entity as trustworthy according to the digital certificate, the proxy entity will decrypt the target message;
a functions (Functions) field is also added to the digital certificate shown in FIG. 3B; this field indicates what operation the proxy entity will perform on the decrypted target message.
In the embodiments of the present invention, because the client determines the preset indication according to the attributes of the resource to be accessed or the first user indication, rather than according to whether the resource to be accessed is identified by an https URL or an http URL, the preset indication determined in this way is highly accurate. The proxy entity can therefore decrypt the target message correctly and then process the decrypted target message, which improves service quality.
For a better understanding of the embodiments of the present invention, a specific application scenario is given below, and the process of transmitting a request is described by way of example. FIG. 4A and FIG. 4B are flowcharts in which the client sends a TLS connection establishment request and the proxy entity performs the corresponding procedure according to the received TLS connection establishment request:
In FIG. 4A, step 400: the client receives a first user indication sent by the user and determines the first preset indication according to the first user indication;
Step 410: the client carries the first preset indication in a TLS connection establishment request and sends the TLS connection establishment request;
Step 420: after receiving the TLS connection establishment request, the proxy entity sends its digital certificate to the client;
Step 430: the client determines, according to the digital certificate of the proxy entity, whether the proxy entity is trustworthy; if so, step 440 is performed, otherwise step 470 is performed;
Step 440: the client sends a message to the proxy entity to continue establishing the TLS connection;
Step 450: after the TLS connection has been established, the proxy entity decrypts the target message;
Step 460: the proxy entity sends the decrypted target message to the server;
Step 470: the client sends a TLS connection establishment request carrying the second preset indication to the proxy entity;
Step 480: the proxy entity does not decrypt the target message and forwards it directly to the server.
In the embodiment shown in FIG. 4A, in order to improve the security of the transmitted target message, after receiving the TLS connection establishment request carrying the first preset indication, the proxy entity sends its digital certificate to the client, and the client verifies the trustworthiness of the proxy entity according to the digital certificate; when the client determines that the proxy entity is trustworthy, the proxy entity continues establishing the TLS connection and decrypts the target message. Of course, the proxy entity may also establish the TLS connection and decrypt the target message directly, without sending its digital certificate.
That is to say, steps 400, 410, 450 and 460 are mandatory steps, while steps 420, 430, 440, 470 and 480 are optional steps.
The above describes the process in which the client determines the first preset indication according to the user's first user indication. Of course, the client may also determine the second preset indication according to the first user indication; the process in which the client determines the second preset indication according to the user's first user indication is described below, as shown in FIG. 4B:
Step 4000: the client receives a first user indication sent by the user and determines the second preset indication according to the first user indication;
Step 4100: the client carries the second preset indication in a TLS connection establishment request and sends the TLS connection establishment request;
Step 4200: after receiving the TLS connection establishment request carrying the second preset indication, the proxy entity does not decrypt the target message and forwards it directly to the server.
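The client-side decisions of step 310 and FIG. 4A/4B, as an added example that is not part of the patent: the preset indication is chosen from a first user indication or from the resource's domain name or type, and the proxy's certificate is checked (chain check plus a stored copy, or else a second user indication) without any Common Name comparison. The Indication names, the ProxyCert stand-in with a stubbed chain check, and the policy table are assumptions; the table only reproduces the page's own login/bank and mpeg example.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Optional
from urllib.parse import urlparse


class Indication(Enum):
    FIRST = "decrypt"    # first preset indication: the proxy decrypts the target message
    SECOND = "forward"   # second preset indication: the proxy forwards it unchanged
    THIRD = "ask"        # third preset indication: the proxy asks the client


@dataclass(frozen=True)
class ProxyCert:
    """Constructed stand-in for the proxy entity's X.509 certificate of FIG. 3B."""
    fingerprint: str
    chain_ok: bool              # outcome of the certificate-chain check (stubbed here)
    key_usage: str = "decrypt"  # the added KeyUsage field: what the proxy does once trusted
    functions: tuple = ()       # the added Functions field: operations on decrypted data


def resource_type(url: str) -> str:
    """Coarse resource type taken from the URL (constructed rule; the patent also
    allows deriving it from the context of an HTML file)."""
    path = urlparse(url).path.lower()
    if path.endswith((".mpeg", ".mpg")):
        return "mpeg"
    if "login" in path:
        return "login"
    return "other"


def choose_indication(url: str, policy: dict[str, Indication],
                      user_choice: Optional[Indication] = None) -> Optional[Indication]:
    """Determine the preset indication from a first user indication or, failing that,
    from the resource's domain name or type.  'policy' is a constructed table keyed by
    domain name or resource type.  None means the request carries no indication."""
    if user_choice is not None:
        return user_choice
    host = urlparse(url).hostname or ""
    if host in policy:
        return policy[host]
    return policy.get(resource_type(url))


def proxy_trusted(cert: ProxyCert, pinned: set[str],
                  ask_user: Callable[[ProxyCert], bool]) -> bool:
    """Step 430: trusted when the chain check passes and the certificate is already
    stored; otherwise a second user indication decides.  Deliberately absent: any
    comparison of the requested domain with the certificate's Common Name, which the
    patent says is not applied to the proxy's certificate."""
    if not cert.chain_ok:
        return False
    if cert.fingerprint in pinned:
        return True
    return ask_user(cert)


def client_handshake(indication: Optional[Indication], cert: Optional[ProxyCert],
                     pinned: set[str], ask_user: Callable[[ProxyCert], bool]
                     ) -> tuple[str, Indication]:
    """Client side of steps 410-480 and 4100-4200.  Returns the client's next message
    and the indication that finally governs how the proxy handles the target message."""
    if indication is Indication.SECOND:
        return "forward-only", Indication.SECOND     # step 4200: proxy never decrypts
    if cert is None:
        # FIG. 4A: steps 420-440 are optional; the proxy may skip sending its certificate.
        return "continue", Indication.FIRST
    # First or third indication, or no indication at all: the certificate decides.
    if proxy_trusted(cert, pinned, ask_user):
        return "continue", Indication.FIRST          # steps 440-460: proxy decrypts
    return "second-indication", Indication.SECOND    # steps 470-480: forwarded untouched


if __name__ == "__main__":
    # Constructed policy reproducing the page's example: login/bank -> first, mpeg -> second.
    POLICY = {"login": Indication.FIRST, "bank.example": Indication.FIRST,
              "mpeg": Indication.SECOND}
    cert = ProxyCert(fingerprint="proxy-fp-1", chain_ok=True, functions=("cache",))
    ind = choose_indication("https://video.example/clip.mpeg", POLICY)
    print(ind, client_handshake(ind, cert, set(), lambda c: False))
```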
Referring to FIG. 5, a client is provided, which includes a processor 50 and a transmitter 51, where:
the processor 50 is configured to determine a preset indication according to the attributes of the resource to be accessed or a first user indication;
the transmitter 51 is configured to send a Transport Layer Security (TLS) connection establishment request carrying the preset indication;
where the preset indication is used to instruct the proxy entity that receives the TLS connection establishment request to process the target message, and the target message is a message transmitted over the TLS connection established on the basis of the TLS connection establishment request.
In the embodiments of the present invention, optionally, the attributes of the resource to be accessed include at least one of the type of the resource to be accessed and the domain name of the resource to be accessed.
In the embodiments of the present invention, further, the processor 50 is also configured to determine the attributes of the resource to be accessed;
further, the client also includes a receiver 52 configured to receive the first user indication;
optionally, when the processor 50 determines the attributes of the resource to be accessed, it specifically:
determines the attributes of the resource to be accessed according to a URL and/or an HTML file.
In the embodiments of the present invention, optionally, the preset indication includes at least one of a first preset indication and a second preset indication;
the first preset indication is used to instruct the proxy entity that receives the TLS connection establishment request to decrypt the target message;
the second preset indication is used to instruct the proxy entity that receives the TLS connection establishment request to forward the target message.
In the embodiments of the present invention, optionally, the preset indication is a first preset indication, and the first preset indication is used to instruct the proxy entity that receives the TLS connection establishment request to decrypt the target message;
further, the client also includes a receiver 52 configured to receive the digital certificate of the proxy entity sent by the proxy entity;
further, the processor 50 is also configured to verify the trustworthiness of the proxy entity according to the digital certificate;
further, the transmitter 51 is also configured to send a message to the proxy entity to continue establishing the TLS connection when the processor 50 determines that the proxy entity is trustworthy.
In the embodiments of the present invention, optionally, when the processor 50 determines according to the digital certificate that the proxy entity is trustworthy, it specifically:
determines that the proxy entity is trustworthy when it determines that the digital certificate successfully passes the certificate chain check and that the client has the digital certificate stored; or
determines that the proxy entity is trustworthy according to a second user indication.
Further, the transmitter 51 is also configured to send a TLS connection establishment request that does not carry a preset indication;
the client also includes a receiver 52 configured to receive the digital certificate of the proxy entity sent by the proxy entity;
the transmitter 51 is also configured to return to the proxy entity a message to continue establishing the TLS connection; or to return to the proxy entity a TLS connection establishment request carrying a second preset indication, the second preset indication being used to instruct the proxy entity that receives the TLS connection establishment request to forward the target message.
In the embodiments of the present invention, optionally, the preset indication is a third preset indication, and the third preset indication is used to instruct the proxy entity to ask the client whether the proxy entity should process the received target message;
further, the client also includes a receiver 52 configured to receive the digital certificate of the proxy entity sent by the proxy entity;
further, the transmitter 51 is also configured to return to the proxy entity a message to continue establishing the TLS connection; or to return to the proxy entity a TLS connection establishment request carrying a second preset indication, the second preset indication being used to instruct the proxy entity that receives the TLS connection establishment request to forward the target message.
In the embodiments of the present invention, optionally, the digital certificate is an X.509 format digital certificate to which at least one of first information and second information has been added, where the first information is information about the operation the proxy entity performs once it has been verified as trustworthy, and the second information is information about the operation the proxy entity performs on the decrypted target message.
The present invention is described with reference to flowcharts and/or block diagrams of methods, devices (systems) and computer program products according to embodiments of the present invention. It should be understood that each flow and/or block of the flowcharts and/or block diagrams, and combinations of flows and/or blocks in the flowcharts and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to the processor 50 of a general-purpose computer, special-purpose computer, embedded processor or other programmable data processing device to produce a machine, such that the instructions executed by the processor 50 of the computer or other programmable data processing device produce an apparatus for implementing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing device to operate in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including an instruction apparatus, which implements the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
These computer program instructions may also be loaded onto a computer or other programmable data processing device, such that a series of operational steps are performed on the computer or other programmable device to produce computer-implemented processing, so that the instructions executed on the computer or other programmable device provide steps for implementing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
Although preferred embodiments of the present invention have been described, those skilled in the art, once they have learned the basic inventive concept, can make further changes and modifications to these embodiments. Therefore, the appended claims are intended to be interpreted as including the preferred embodiments and all changes and modifications that fall within the scope of the present invention.
Obviously, those skilled in the art can make various changes and variations to the embodiments of the present invention without departing from the spirit and scope of the embodiments of the present invention. Thus, provided that these modifications and variations of the embodiments of the present invention fall within the scope of the claims of the present invention and their equivalents, the present invention is also intended to include these changes and variations.

Claims (18)

  1. A method for transmitting a request, characterized in that it includes:
    determining, by a client, a preset indication according to the attributes of a resource to be accessed or a first user indication;
    sending, by the client, a Transport Layer Security (TLS) connection establishment request carrying the preset indication;
    where the preset indication is used to instruct the proxy entity that receives the TLS connection establishment request to process a target message, and the target message is a message transmitted over the TLS connection established on the basis of the TLS connection establishment request.
  2. The method according to claim 1, characterized in that the attributes of the resource to be accessed include at least one of: the type of the resource to be accessed and the domain name of the resource to be accessed.
  3. The method according to claim 2, characterized in that, before the client determines the preset indication according to the attributes of the resource to be accessed or the first user indication, the method further includes:
    determining, by the client, the attributes of the resource to be accessed, or receiving, by the client, the first user indication;
    where determining, by the client, the attributes of the resource to be accessed includes:
    determining, by the client, the attributes of the resource to be accessed according to a uniform resource locator (URL) and/or a HyperText Markup Language (HTML) file.
  4. The method according to any one of claims 1-3, characterized in that the preset indication includes at least one of a first preset indication and a second preset indication;
    the first preset indication is used to instruct the proxy entity that receives the TLS connection establishment request to decrypt the target message;
    the second preset indication is used to instruct the proxy entity that receives the TLS connection establishment request to forward the target message.
  5. The method according to any one of claims 1-4, characterized in that the preset indication is a first preset indication, and the first preset indication is used to instruct the proxy entity that receives the TLS connection establishment request to decrypt the target message;
    after the client sends the TLS connection establishment request carrying the preset indication, the method further includes:
    receiving, by the client, a digital certificate of the proxy entity sent by the proxy entity;
    verifying, by the client, the trustworthiness of the proxy entity according to the digital certificate;
    sending, by the client, a message to the proxy entity to continue establishing the TLS connection when the client determines that the proxy entity is trustworthy.
  6. The method according to claim 5, characterized in that the client determining, according to the digital certificate, that the proxy entity is trustworthy includes:
    determining, by the client, that the proxy entity is trustworthy when the client determines that the digital certificate successfully passes the certificate chain check and that the client has the digital certificate stored; or
    determining, by the client, that the proxy entity is trustworthy according to a second user indication.
  7. The method according to any one of claims 1-6, characterized in that the method further includes:
    sending, by the client, a TLS connection establishment request that does not carry the preset indication;
    receiving, by the client, the digital certificate of the proxy entity sent by the proxy entity;
    returning, by the client, to the proxy entity a message to continue establishing the TLS connection; or returning, by the client, to the proxy entity a TLS connection establishment request carrying a second preset indication, the second preset indication being used to instruct the proxy entity that receives the TLS connection establishment request to forward the target message.
  8. The method according to any one of claims 1-6, characterized in that the preset indication is a third preset indication, and the third preset indication is used to instruct the proxy entity to ask the client whether the proxy entity should process the received target message;
    after the client sends the TLS connection establishment request carrying the preset indication, the method further includes:
    receiving, by the client, the digital certificate of the proxy entity sent by the proxy entity;
    returning, by the client, to the proxy entity a message to continue establishing the TLS connection; or returning, by the client, to the proxy entity a TLS connection establishment request carrying a second preset indication, the second preset indication being used to instruct the proxy entity that receives the TLS connection establishment request to forward the target message.
  9. The method according to any one of claims 5-8, characterized in that the digital certificate is an X.509 format digital certificate to which at least one of first information and second information has been added, the first information being information about the operation the proxy entity performs once it has been verified as trustworthy, and the second information being information about the operation the proxy entity performs on the decrypted target message.
  10. A client, characterized in that it includes:
    a processor configured to determine a preset indication according to the attributes of a resource to be accessed or a first user indication;
    a transmitter configured to send a Transport Layer Security (TLS) connection establishment request carrying the preset indication;
    where the preset indication is used to instruct the proxy entity that receives the TLS connection establishment request to process a target message, and the target message is a message transmitted over the TLS connection established on the basis of the TLS connection establishment request.
  11. The client according to claim 10, characterized in that the attributes of the resource to be accessed include at least one of: the type of the resource to be accessed and the domain name of the resource to be accessed.
  12. The client according to claim 11, characterized in that the processor is further configured to determine the attributes of the resource to be accessed;
    the client further includes a receiver configured to receive the first user indication;
    when the processor determines the attributes of the resource to be accessed, it specifically:
    determines the attributes of the resource to be accessed according to a uniform resource locator (URL) and/or a HyperText Markup Language (HTML) file.
  13. The client according to any one of claims 10-12, characterized in that the preset indication includes at least one of a first preset indication and a second preset indication;
    the first preset indication is used to instruct the proxy entity that receives the TLS connection establishment request to decrypt the target message;
    the second preset indication is used to instruct the proxy entity that receives the TLS connection establishment request to forward the target message.
  14. The client according to any one of claims 10-13, characterized in that the preset indication is a first preset indication, and the first preset indication is used to instruct the proxy entity that receives the TLS connection establishment request to decrypt the target message;
    the client further includes a receiver configured to receive the digital certificate of the proxy entity sent by the proxy entity;
    the processor is further configured to verify the trustworthiness of the proxy entity according to the digital certificate;
    the transmitter is further configured to send a message to the proxy entity to continue establishing the TLS connection when the processor determines that the proxy entity is trustworthy.
  15. The client according to claim 14, characterized in that, when the processor determines according to the digital certificate that the proxy entity is trustworthy, it specifically:
    determines that the proxy entity is trustworthy when it determines that the digital certificate successfully passes the certificate chain check and that the client has the digital certificate stored; or
    determines that the proxy entity is trustworthy according to a second user indication.
  16. The client according to any one of claims 10-15, characterized in that the transmitter is further configured to send a TLS connection establishment request that does not carry the preset indication;
    the client further includes a receiver configured to receive the digital certificate of the proxy entity sent by the proxy entity;
    the transmitter is further configured to return to the proxy entity a message to continue establishing the TLS connection; or to return to the proxy entity a TLS connection establishment request carrying a second preset indication, the second preset indication being used to instruct the proxy entity that receives the TLS connection establishment request to forward the target message.
  17. 如权利要求10-15任一项所述的客户端,其特征在于,所述预设指示为第三预设指示,所述第三预设指示用于指示所述代理实体询问所述客户端所述代理实体是否处理接收到的目标消息;The client according to any one of claims 10-15, wherein the preset indication is a third preset indication, and the third preset indication is used to instruct the proxy entity to query the client Whether the proxy entity processes the received target message;
    所述客户端还包括接收器,用于接收所述代理实体发送的所述代理实体的数字证书;The client further includes a receiver, configured to receive a digital certificate of the proxy entity sent by the proxy entity;
    所述发射器还用于,向所述代理实体返回继续建立所述TLS连接的消息;或者,向所述代理实体返回携带第二预设指示的TLS连接建立请求,所述第二预设指示用于指示接收到所述TLS连接建立请求的代理实体转发所述目标消息。The transmitter is further configured to: return, to the proxy entity, a message that continues to establish the TLS connection; or return a TLS connection establishment request that carries a second preset indication to the proxy entity, where the second preset indication The proxy entity for indicating that the TLS connection setup request is received forwards the target message.
  18. 如权利要求14-17任一项所述的客户端,其特征在于,所述数字证书为在X.509格式的数字证书中增加第一信息和第二信息中至少一个的数字证书,所述第一信息为验证所述代理实体可信后所述代理实体所执行的操作的 信息,所述第二信息为所述代理实体对解密后的目标消息所执行的操作的信息。 The client according to any one of claims 14-17, wherein the digital certificate is a digital certificate in which at least one of the first information and the second information is added to the digital certificate in the X.509 format, The first information is an operation performed by the proxy entity after verifying that the proxy entity is trusted Information, the second information being information of an operation performed by the proxy entity on the decrypted target message.
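Claims 10 to 18 describe one exchange: the client derives an attribute (domain, type) of the resource it is about to fetch, puts a preset indication in its TLS connection establishment request, the proxy decrypts or forwards accordingly, and before letting a decrypting proxy proceed the client checks the proxy's certificate (chain check plus an already-stored copy, or explicit user approval), falling back to a fresh request carrying the "forward" indication otherwise. The following Python model of that exchange is an added example written for this page; it is not the applicant's code. It assumes the indication is carried as a custom ClientHello extension (the extension number `0xFF01` and the values 1/2/3 are invented), the policy sets `NO_INSPECT_DOMAINS` and `INSPECTABLE_TYPES` are constructed, and the proxy's certificate is modelled as a small record whose `chain_ok` flag stands for the result of chain validation and whose `first_info`/`second_info` fields stand for the two additions of claim 18.

```python
"""Constructed model of the client/proxy exchange in claims 10-18.
Written for this page as an illustration; not the patent applicant's code."""
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlparse

# Assumption: the preset indication travels as a custom ClientHello extension.
# The extension number and the value encoding are invented for this example.
EXT_PROXY_INDICATION = 0xFF01
IND_DECRYPT, IND_FORWARD, IND_ASK = 1, 2, 3

# Constructed client policy keyed on the two claimed attributes: domain and type.
NO_INSPECT_DOMAINS = {"bank.example", "mail.example"}
INSPECTABLE_TYPES = {"image/png", "video/mp4"}


def resource_attributes(url: str, resource_type: Optional[str] = None) -> dict:
    """Claim 12: the domain comes from the URL; the type, when known, from the
    HTML that referenced the resource (passed in here by the caller)."""
    return {"domain": urlparse(url).hostname or "", "type": resource_type}


def choose_indication(attrs: dict) -> int:
    """Claims 10-13: domain policy wins over type policy; an undecided resource
    gets the third indication (claim 17) so the proxy has to ask."""
    if attrs["domain"] in NO_INSPECT_DOMAINS:
        return IND_FORWARD
    if attrs["type"] in INSPECTABLE_TYPES:
        return IND_DECRYPT
    return IND_ASK


def build_client_hello(domain: str, indication: Optional[int]) -> dict:
    """The TLS connection establishment request; indication=None models the
    request of claim 16 that carries no preset indication at all."""
    hello = {"sni": domain, "extensions": {}}
    if indication is not None:
        hello["extensions"][EXT_PROXY_INDICATION] = bytes([indication])
    return hello


@dataclass(frozen=True)
class ProxyCertificate:
    """Stand-in for the proxy's X.509 certificate. chain_ok models the chain
    check; first_info/second_info model the two fields claim 18 adds."""
    subject: str
    chain_ok: bool
    first_info: str   # what the proxy does once the client trusts it
    second_info: str  # what the proxy does with the decrypted target messages


PROXY_CERT = ProxyCertificate(
    subject="proxy.corp.example", chain_ok=True,
    first_info="terminate TLS; re-encrypt towards the origin server",
    second_info="scan decrypted bodies for malware; do not store them",
)


def proxy_handle(hello: dict) -> dict:
    """Proxy side. 'forward' needs no certificate. 'decrypt', 'ask', and a
    request without any indication (claim 16) make the proxy present its own
    certificate and wait for the client's answer."""
    raw = hello["extensions"].get(EXT_PROXY_INDICATION)
    indication = raw[0] if raw else IND_ASK
    if indication == IND_FORWARD:
        return {"action": "forward", "cert": None}
    return {"action": "decrypt", "cert": PROXY_CERT}


def proxy_is_trusted(cert: ProxyCertificate, stored: set,
                     user_approves: bool = False) -> bool:
    """Claim 15: (chain check passes AND the client already stores this exact
    certificate) OR the user gave the second user indication."""
    return (cert.chain_ok and cert in stored) or user_approves


def client_respond(hello: dict, reply: dict, stored: set,
                   user_approves: bool = False) -> dict:
    """Claims 14, 16, 17: continue with a trusted proxy; otherwise re-send the
    request carrying the 'forward' indication so the proxy stays passive."""
    if reply["cert"] is None or proxy_is_trusted(reply["cert"], stored, user_approves):
        return {"continue": True}
    return {"continue": False, "retry": build_client_hello(hello["sni"], IND_FORWARD)}


def run_exchange(url: str, resource_type: Optional[str], stored: set,
                 user_approves: bool = False) -> str:
    """Whole exchange; returns what the proxy ends up doing with the traffic."""
    attrs = resource_attributes(url, resource_type)
    hello = build_client_hello(attrs["domain"], choose_indication(attrs))
    reply = proxy_handle(hello)
    answer = client_respond(hello, reply, stored, user_approves)
    if answer["continue"]:
        return reply["action"]
    return proxy_handle(answer["retry"])["action"]
```

Two points the model makes visible. First, the claim 15 trust check is a certificate pin: unless the proxy's certificate has been distributed to the client beforehand (or the user is asked), every "decrypt" attempt degrades to "forward", so the scheme only gives the proxy plaintext for clients it was provisioned on. Second, the "no indication" path of claim 16 is handled by the proxy exactly like "ask", which is the safe default: a proxy should never start decrypting on a request that carries no opt-in.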

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN201580033110.0A CN106464603B (en) 2015-05-07 2015-05-07 Request transmission method and client
PCT/CN2015/078467 WO2016176858A1 (en) 2015-05-07 2015-05-07 Request transmission method and client

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/CN2015/078467 WO2016176858A1 (en) 2015-05-07 2015-05-07 Request transmission method and client

Publications (1)

Publication Number Publication Date
WO2016176858A1 true WO2016176858A1 (en) 2016-11-10

Family

ID=57217881

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2015/078467 WO2016176858A1 (en) 2015-05-07 2015-05-07 Request transmission method and client

Country Status (2)

Country Link
CN (1) CN106464603B (en)
WO (1) WO2016176858A1 (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109413060A (en) * 2018-10-19 2019-03-01 深信服科技股份有限公司 Message processing method, device, equipment and storage medium
WO2023130970A1 (en) * 2022-01-05 2023-07-13 华为技术有限公司 Trusted measurement-integrated communication method and apparatus

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7320073B2 (en) * 2003-04-07 2008-01-15 Aol Llc Secure method for roaming keys and certificates
WO2012122773A1 (en) * 2011-03-16 2012-09-20 中兴通讯股份有限公司 Method and apparatus for controlling an access request based on a proxy gateway
CN104322001A (en) * 2012-05-17 2015-01-28 思科技术公司 Transport layer security traffic control using service name identification
CN104364761A (en) * 2012-06-15 2015-02-18 思杰系统有限公司 Systems and methods for forwarding traffic in a cluster network

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20060294366A1 (en) * 2005-06-23 2006-12-28 International Business Machines Corp. Method and system for establishing a secure connection based on an attribute certificate having user credentials
CN102932350B (en) * 2012-10-31 2016-06-15 华为技术有限公司 A kind of method and apparatus of TLS scanning

Also Published As

Publication number Publication date
CN106464603A (en) 2017-02-22
CN106464603B (en) 2020-07-10

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 15891110

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 15891110

Country of ref document: EP

Kind code of ref document: A1