A browser multi-core dynamic adaptation method, system, device and medium

By using a multi-kernel dynamic adaptation method, the browser can automatically detect and select the appropriate rendering kernel, thus solving the compatibility issues between national cryptographic security communication and the Internet, and achieving intelligent protocol switching and stable connection.

CN122394899APending Publication Date: 2026-07-14GUANGZHOU POWER SUPPLY BUREAU GUANGDONG POWER GRID CO LTD

Patent Information

Authority / Receiving Office
CN · China
Patent Type
Applications(China)
Current Assignee / Owner
GUANGZHOU POWER SUPPLY BUREAU GUANGDONG POWER GRID CO LTD
Filing Date
2026-04-24
Publication Date
2026-07-14

AI Technical Summary

Technical Problem

Existing browsers struggle to balance the compatibility of secure Chinese cryptographic communication with a wide range of internet websites, and lack automatic detection mechanisms, resulting in complex user operations and compatibility risks.

Method used

It adopts a multi-kernel dynamic adaptation method, loads a secure kernel and a general kernel that support Chinese cryptographic algorithms, automatically detects the target website's communication mechanism, selects the appropriate kernel based on policy evaluation and establishes a connection, and displays the communication status in the address bar.

Benefits of technology

It enables intelligent switching between national cryptographic and standard protocols without the user's awareness, improving the browser's connection stability and security, and ensuring compatibility and compliance.

✦ Generated by Eureka AI based on patent content.

Smart Images

  • Figure CN122394899A_ABST
    Figure CN122394899A_ABST
Patent Text Reader

Abstract

The application relates to the technical field of browser operation, and discloses a browser multi-kernel dynamic adaptation method, system, device and medium, the method comprising the following steps: loading multiple rendering kernels, and the kernels comprising at least one security kernel supporting a national cryptographic algorithm; then, in response to a network access request, automatically detecting whether a target website supports a national cryptographic security communication mechanism; if yes, determining a first communication configuration based on a security evaluation strategy and activating the security kernel; if not, selecting a general kernel based on a general compatibility strategy and determining a second communication configuration; dynamically activating a corresponding kernel to establish a connection, and displaying a national cryptographic communication identifier in an address bar. The application can realize intelligent switching between a national cryptographic algorithm and a standard protocol under the premise that a user is not aware by means of kernel-level isolation and strategy-driven dynamic adaptation.
Need to check novelty before this filing date? Find Prior Art

Description

Technical Field

[0001] This invention relates to the field of browser operation technology, and in particular to a method, system, device, and medium for dynamic adaptation of browser multi-kernel. Background Technology

[0002] As the nation's requirements for network information security continue to rise, critical infrastructure needs to support domestically developed cryptographic algorithms such as SM2 / SM3 / SM4 and domestically certified SSL / TLS protocols, requiring independently controllable browsers. However, most mainstream browsers are based on a single rendering engine design, making it difficult to simultaneously meet the requirements of domestically certified secure communication and ensure compatibility with a wide range of internet websites.

[0003] Especially in mixed scenarios where accessing sites that contain both Chinese cryptographic protocols and standard HTTPS sites, traditional browsers either force the use of standard protocols at the expense of Chinese cryptographic support or require users to manually switch modes. Manually switching between modes is complex and prone to errors.

[0004] Furthermore, even though some browsers have integrated Chinese cryptographic capabilities, they still lack an automatic detection mechanism for the Chinese cryptographic support status of target websites, and cannot dynamically select the optimal communication method without the user's awareness.

[0005] Existing solutions typically do not deeply couple the Chinese cryptographic protocol stack with the kernel. Without this coupling, browsers may experience compatibility risks during certificate verification, two-way authentication, or protocol negotiation, affecting the stability and security of browser connections. Summary of the Invention

[0006] In view of the aforementioned existing problems, the present invention is proposed.

[0007] Therefore, this invention provides a browser multi-kernel dynamic adaptation method, system, device, and medium that can solve the problems existing in browsers regarding compatibility with national cryptographic secure communication and a wide range of Internet websites.

[0008] To solve the above-mentioned technical problems, the present invention provides the following technical solution: In a first aspect, the present invention provides a method for dynamic adaptation of browsers to multiple kernels, comprising: When the browser starts, it loads and initializes multiple rendering kernels, including at least one security kernel that supports Chinese cryptographic algorithms. In response to a user's network access request, the system automatically detects whether the target website supports the national cryptographic security communication mechanism, which includes communication based on the SM2 / SM3 / SM4 national cryptographic algorithms and the national cryptographic SSL / TLS protocol. If the target website is detected to support the national cryptographic security communication mechanism, the compatibility between the security kernel and the target website is evaluated based on a preset security assessment strategy, and a first communication configuration is determined; the first communication configuration is used to instruct the use of the security kernel and the establishment of a connection with the target website through the national cryptographic security communication mechanism. If the target website is found to be unsupported by the national cryptographic security communication mechanism, a general-purpose kernel is selected from the plurality of rendering kernels based on a preset general compatibility strategy, and a second communication configuration is determined; the second communication configuration is used to indicate the use of the general-purpose kernel and to establish a connection with the target website through the standard TLS protocol; Based on the first communication configuration or the second communication configuration, the corresponding rendering kernel is dynamically activated, and a secure communication connection with the target website is established. After establishing a national cryptographic security communication connection, the national cryptographic communication identifier is also displayed in the browser's address bar to inform the user of the current security status of the communication.

[0009] As a preferred embodiment of the browser multi-kernel dynamic adaptation method of the present invention, wherein: if the target website is detected to support the national cryptographic security communication mechanism, the compatibility between the security kernel and the target website is evaluated based on a preset security assessment strategy, including: If the security assessment results determine that the security kernel is incompatible with the target website, the security assessment results are fed back to the browser front-end interface, and the process reverts to the general kernel. The kernel selection process based on the preset general compatibility strategy is then repeated until a communication configuration that can successfully establish a connection is determined, and the finally activated kernel and corresponding communication method are output.

[0010] As a preferred embodiment of the browser multi-kernel dynamic adaptation method described in this invention, the method further includes: It comes pre-installed with a national cryptographic root certificate chain and supports users to import self-signed national cryptographic certificates through the certificate management interface; When establishing a national cryptographic security communication connection, the server certificate of the target website is verified based on the pre-set national cryptographic root certificate or the user-imported self-signed national cryptographic certificate. If certificate verification fails, the attempt to connect using the national cryptographic protocol is interrupted, and the kernel rollback mechanism is triggered to switch to the general kernel and retry the connection using the standard TLS protocol.

[0011] As a preferred embodiment of the browser multi-kernel dynamic adaptation method described in this invention, the security assessment strategy includes: Does the target website support the TLCP protocol? Does it provide a valid SM2 server certificate? Does it correctly respond to the negotiation of the national cryptographic encryption suite during the handshake phase? The general compatibility strategy includes: The target website supports TLS versions, a list of Cipher Suite instances, and compatibility ratings with major rendering standards.

[0012] As a preferred embodiment of the browser multi-kernel dynamic adaptation method described in this invention, the method further includes: If a system security policy update or a national cryptographic protocol standard upgrade is detected, the national cryptographic protocol stack and cryptographic algorithm module of the security kernel will be dynamically updated. The compatibility assessment of the security kernel and the target website based on the preset security assessment strategy includes: If an update event of the security kernel is detected within the first time frame, the compatibility assessment is re-executed according to the updated security assessment policy to determine the first communication configuration.

[0013] As a preferred embodiment of the browser multi-kernel dynamic adaptation method described in this invention, the multiple rendering kernels include the WebKit kernel, the Blink kernel, and a self-developed security kernel. The self-developed security kernel integrates a national cryptographic SSL two-way authentication module, which supports the automatic loading and sending of client SM2 certificates; The method further includes: When a user accesses a website that requires two-way authentication using Chinese cryptographic standards, the local SM2 client certificate is automatically invoked, and a two-way handshake using Chinese cryptographic standards is completed.

[0014] As a preferred embodiment of the browser multi-kernel dynamic adaptation method described in this invention, the automatic detection of whether the target website supports the national cryptographic security communication mechanism includes: Send a ClientHello message containing the identifier of the Chinese national cryptographic encryption suite to the target website; If a ServerHello response containing SM2 / SM3 / SM4 related parameters is received, it is determined that the target website supports the national cryptographic security communication mechanism. Otherwise, the target website is deemed not to support the national cryptographic security communication mechanism; The dynamically activated rendering kernel includes: Isolate the runtime environments of different kernels at the tab level; When a user accesses both national cryptographic websites and non-national cryptographic websites in the same browser window, a secure kernel or a general kernel is assigned to the corresponding tab to achieve parallel operation and dynamic adaptation of multiple kernels. The national cryptographic communication identifier is a visual icon, and its status includes: A green lock icon indicates that a national cryptographic encryption connection has been successfully established. The gray lock icon indicates that a connection using Chinese cryptographic standards is being attempted but the handshake has not yet been completed. A lockless icon or a standard lock icon indicates that the current kernel and standard TLS protocol are used for communication.

[0015] Secondly, the present invention provides a browser multi-kernel dynamic adaptation system, comprising: A kernel management module is used to load and initialize multiple rendering kernels when the browser starts, wherein at least one of the multiple rendering kernels includes a security kernel that supports Chinese cryptographic algorithms; The national cryptographic detection module is used to automatically detect whether a target website supports the national cryptographic secure communication mechanism in response to a user's network access request. The security assessment module is used to assess the compatibility between the security kernel and the target website based on a preset security assessment strategy and determine the first communication configuration if the target website is found to support the national cryptographic security communication mechanism. A general selection module is used to select a general kernel from the multiple rendering kernels and determine a second communication configuration based on a preset general compatibility strategy if the target website is detected to not support the national cryptographic security communication mechanism. The kernel activation module is used to dynamically activate the corresponding rendering kernel according to the first communication configuration or the second communication configuration, and establish a secure communication connection with the target website. The status indicator module is used to display the national cryptographic communication identifier in the browser's address bar after a national cryptographic security communication connection is established, so as to indicate the current security status of the communication to the user.

[0016] Thirdly, the present invention provides an electronic device including a memory and a processor, wherein the memory stores a computer program, and the processor executes the computer program to implement the steps of the method described above.

[0017] Fourthly, the present invention provides a computer-readable storage medium having a computer program stored thereon, which, when executed by a processor, implements the steps of the method described above.

[0018] Compared with existing technologies, the beneficial effect of this invention is that it proposes a browser multi-kernel dynamic adaptation method. This method loads multiple rendering kernels, at least one of which is a secure kernel supporting Chinese cryptographic algorithms. Then, in response to network access requests, it automatically detects whether the target website supports the Chinese cryptographic secure communication mechanism. If supported, it determines a first communication configuration and activates the secure kernel based on a security assessment strategy; if not supported, it selects a general kernel and determines a second communication configuration based on a general compatibility strategy. The corresponding kernel is dynamically activated to establish a connection, and a Chinese cryptographic communication identifier is displayed in the address bar. This invention, through kernel-level isolation and policy-driven dynamic adaptation, can achieve intelligent switching between Chinese cryptographic and standard protocols without the user's awareness. Attached Figure Description

[0019] To more clearly illustrate the technical solutions of the embodiments of the present invention, the drawings used in the following description of the embodiments will be briefly introduced. Obviously, the drawings described below are only some embodiments of the present invention. For those skilled in the art, other drawings can be obtained based on these drawings without creative effort.

[0020] Figure 1 This is a flowchart of a browser multi-kernel dynamic adaptation method provided in one embodiment of the present invention.

[0021] Figure 2 This is a flowchart illustrating the process of executing a returned ServerHello message after sending a ClientHello message containing Chinese cryptographic software, as provided in an embodiment of the present invention, for a browser multi-kernel dynamic adaptation method.

[0022] Figure 3 This is a flowchart illustrating the security assessment strategy execution compatibility determination process of a browser multi-kernel dynamic adaptation method according to an embodiment of the present invention.

[0023] Figure 4 This document presents a comparative test result of the rendering performance of a multi-kernel browser using a browser multi-kernel dynamic adaptation method provided in one embodiment of the present invention.

[0024] Figure 5 The test results show the connection success rate of a browser multi-kernel dynamic adaptation method provided in one embodiment of the present invention compared with existing technical solutions.

[0025] Figure 6 This is an internal structure diagram of an electronic device that provides a browser multi-kernel dynamic adaptation method according to an embodiment of the present invention. Detailed Implementation

[0026] To make the above-mentioned objects, features, and advantages of the present invention more apparent and understandable, specific embodiments of the present invention will be described in detail below with reference to the accompanying drawings. Obviously, the described embodiments are only a part of the embodiments of the present invention, and not all of them. Based on the embodiments of the present invention, all other embodiments obtained by those skilled in the art without creative effort should fall within the protection scope of the present invention.

[0027] It should be noted in advance that the system mentioned in the embodiments as the subject of real-time operation refers to any system configured with this method.

[0028] Example 1, referring to Figures 1-5 This is the first embodiment of the present invention, which provides a browser multi-kernel dynamic adaptation method, including: This invention provides a method that can effectively solve the problems mentioned above. The following will describe in detail how to implement the browser multi-core dynamic adaptation method with multiple embodiments. Figure 1 A flowchart illustrating a method for dynamic multi-kernel adaptation in browsers is shown, including: S1, when the browser starts, load and initialize multiple rendering kernels, wherein at least one of the multiple rendering kernels includes a security kernel that supports Chinese cryptographic algorithms; In this embodiment of the invention, the multiple rendering kernels mentioned in step S1 include the WebKit kernel, the Blink kernel, and a self-developed security kernel; the self-developed security kernel integrates a national cryptographic SSL two-way authentication module and supports the automatic loading and sending of client SM2 certificates; It should be noted that most mainstream browsers currently use a single rendering kernel architecture, such as some browsers that only integrate the Blink or WebKit kernel. The secure communication capabilities of these browsers mainly rely on the internationally accepted TLS protocol and non-Chinese cryptographic algorithms such as RSA / ECC. When facing websites that are required to use domestic cryptographic algorithms such as SM2 / SM3 / SM4 in national critical information infrastructure, they cannot establish compliant secure connections.

[0029] In addition, although some browsers can temporarily support the national cryptographic functions through plugins or extensions, these plugin or extension methods lack kernel-level integration, which will result in incompatibility in certificate verification, protocol negotiation and two-way authentication and other related processes.

[0030] Understandably, this solution preloads multiple rendering kernels during the browser startup phase. These multiple rendering kernels include the WebKit kernel, the Blink kernel, and a self-developed security kernel that integrates a national cryptographic SSL two-way authentication module.

[0031] It should be noted that the self-developed security kernel natively supports SM2 public key encryption, SM3 hash operation and SM4 symmetric encryption, and has a built-in national cryptographic protocol stack, which can fully handle the handshake process based on TLCP or national cryptographic TLS.

[0032] Furthermore, completing the resource allocation and isolation environment construction of each kernel during system initialization lays the foundation for subsequent on-demand dynamic activation operations. It also ensures that when a user initiates any network request, the most suitable kernel can be invoked immediately to perform rendering and communication operations without restarting or reloading.

[0033] The aforementioned multiple rendering kernels refer to independent rendering engine instances maintained simultaneously in the browser's memory. Each instance has its own independent JavaScript execution environment, DOM parser, and network protocol stack. The aforementioned secure kernel supporting Chinese cryptographic algorithms specifically refers to a dedicated rendering kernel that integrates SM2 / SM3 / SM4 cryptographic algorithm modules, a Chinese cryptographic root certificate chain verification mechanism, and the ability to automatically load SM2 certificates on the client side. This kernel is specifically designed to handle secure communication scenarios conforming to the standards of the State Cryptography Administration. This kernel's protocol stack supports TLCP protocol and Chinese cryptographic suite negotiation, and can run in parallel with other general-purpose kernels at the tab level without interference.

[0034] S2, in response to a network access request initiated by a user, automatically detects whether the target website supports the national cryptographic security communication mechanism, which includes communication based on the SM2 / SM3 / SM4 national cryptographic algorithm and the national cryptographic SSL / TLS protocol; In some embodiments, the specific steps of automatically detecting whether the target website supports the national cryptographic security communication mechanism in step S2 may include: S21, Send a ClientHello message containing the identifier of the Chinese cryptographic suite to the target website; Specifically, after receiving a network access request from a user, the browser constructs an extended TLS ClientHello message using the Chinese cryptographic detection module. This extended message explicitly adds the Chinese cryptographic suite identifier to the standard Cipher Suites list. The aforementioned Chinese cryptographic suite identifiers include cryptographic suites that conform to the Chinese cryptographic specifications, such as TLS_SM4_GCM_SM3 and TLS_ECDHE_SM2_WITH_SM4_GCM_SM3. The extended field declares the support capability for the TLCP protocol or the Chinese cryptographic TLS protocol. Subsequently, this ClientHello message is sent to port 443 of the target website as the first handshake request.

[0035] In some embodiments, a ClientHello structure containing a mixed list of Chinese national cryptographic encryption suites and internationally recognized cryptographic suites can be constructed first.

[0036] Furthermore, a TCP connection is initiated to the target website through the underlying network module, and the ClientHello message obtained above is immediately sent.

[0037] Furthermore, if the target website's platform has deployed Chinese cryptographic SSL services, it will respond with a ServerHello message containing the SM2 public key parameter and the SM4 encryption algorithm selection.

[0038] Furthermore, if the target website only supports international standard protocols, then ignore the national cryptographic suite and select the response item from the general list.

[0039] Furthermore, the ServerHello content returned by the server is used to determine whether it contains SM2 or SM4 related parameters, which serves as the basis for judging whether it supports the national cryptographic security communication mechanism.

[0040] The aforementioned national cryptographic suite identifier refers to a set of standardized encryption parameter combinations based on the SM2 / SM3 / SM4 algorithm, defined in the Cipher Suites field of the TLS protocol. These identifiers are used to negotiate the key exchange method, symmetric encryption algorithm, and hash function during the handshake phase. These identifiers are issued by the State Cryptography Administration and clearly defined in the national cryptographic SSL / TLS protocol specification to ensure that clients and servers can interoperate under the national cryptographic ecosystem.

[0041] S22, if a ServerHello response containing SM2 / SM3 / SM4 related parameters is received, it is determined that the target website supports the national cryptographic security communication mechanism; Specifically, after sending a ClientHello message containing Chinese cryptographic encryption, the browser needs to listen for the ServerHello response message from the target website and parse the negotiation result field. The key is to check whether the server has selected the SM2 public key algorithm, SM4 symmetric encryption algorithm, or SM3 hash function related identifiers. At the same time, it also needs to check whether the extended field contains the TLCP protocol version or Chinese cryptographic certificate type declaration.

[0042] In some embodiments, after sending the ClientHello message containing the national cryptographic suite, the returned ServerHello message is processed as follows: Figure 2 The operations shown specifically include the following structured verification process: A1. Parse the Cipher Suite field in the ServerHello message and determine whether its value corresponds to the national cryptographic suite identifier defined by the State Cryptography Administration. If it matches any national cryptographic suite such as TLS_SM4_GCM_SM3 or TLS_ECDHE_SM2_WITH_SM4_GCM_SM3, proceed to step A2. Otherwise, determine that the target website does not support the national cryptographic secure communication mechanism and end the process. A2. Check if the ServerHello extension field contains the TLCP protocol version identifier or the national cryptographic TLS protocol negotiation extension; if it does, proceed to step A3; otherwise, retain the initial support status and proceed to step A3 for certificate layer verification. A3. Wait for the Certificate message sent by the server, extract the public key algorithm field from the server certificate, and determine whether it is explicitly marked as SM2; if the public key algorithm is SM2, proceed to step A4; otherwise, determine that it is a pseudo-national cryptographic implementation and end the process. A4. Verify whether the certificate signing algorithm is SM3 and whether the certificate chain can be built by a pre-installed national cryptographic root certificate or a user-imported self-signed national cryptographic certificate. If the verification passes, proceed to step A5; otherwise, determine that the certificate is invalid and end the process. A5 confirms that the target website uses SM2 curve parameters and SM4 key derivation logic in subsequent ServerKeyExchange or EncryptedExtensions; if the protocol context is consistent, it is finally determined that the target website supports the national cryptographic security communication mechanism and the security kernel activation process is triggered. A6: Release temporary parsing resources, record the judgment result, and end the current detection process.

[0043] The SM2 / SM3 / SM4 related parameters mentioned above refer to the specific protocol identifiers and key materials that the server explicitly declares in the ServerHello and subsequent extended messages during the TLS or TLCP handshake process. These parameters are used to indicate that the server uses the SM2 public key cryptography algorithm, SM4 block cipher algorithm, or SM3 hash algorithm approved by the State Cryptography Administration.

[0044] S23, otherwise, it is determined that the target website does not support the national cryptographic security communication mechanism; It should be noted that the ServerHello message is the server's response to the client's ClientHello message during the TLS or Chinese cryptographic security protocol handshake process. The ServerHello message contains the protocol version selected by the server, the cipher suite, the session identifier, and extended information. This information is the key basis for determining whether the server supports specific security capabilities.

[0045] The Cipher Suite field is a data field in the ServerHello message that declares the cipher suite ultimately selected by the server. This cipher suite is a combination of cryptographic algorithms, including key exchange methods, symmetric encryption algorithms, and hash functions.

[0046] TLS_SM4_GCM_SM3 is the name of a cryptographic suite defined by the Chinese national cryptographic standard. This cryptographic suite indicates that the two communicating parties will use the SM4 algorithm in GCM mode to encrypt data and the SM3 algorithm to verify message integrity. This suite is suitable for Chinese national cryptographic one-way authentication scenarios that only require server authentication.

[0047] TLS_ECDHE_SM2_WITH_SM4_GCM_SM3 is a more complete Chinese cryptographic suite name. This suite indicates that it uses the ECDHE key exchange mechanism based on SM2 elliptic curves to achieve forward security, uses SM4-GCM to encrypt transmitted data, and uses SM3 as the hash algorithm. This suite is usually used in two-way authentication scenarios with high security requirements.

[0048] The TLCP protocol version identifier refers to the transport layer cryptography protocol version number declared in the protocol extension, indicating that the server supports the TLCP secure transport protocol developed by the State Cryptography Administration of China, rather than the international standard TLS.

[0049] The Chinese national cryptographic TLS protocol negotiation extension refers to the custom extension items added to the standard TLS extension fields for negotiating the capabilities of Chinese national cryptographic algorithms, such as indication flags that support SM2 / SM3 / SM4, enabling the client and server to complete the Chinese national cryptographic handshake under the TLS framework.

[0050] The Certificate message is a digital certificate message sent by the server during the handshake process. The Certificate message contains the server's public key, identity information, and signature data. The client can verify the server's identity by parsing the Certificate message.

[0051] The SM3 signature algorithm refers to the digital signature of a certificate being generated using the SM3 hash algorithm in conjunction with an SM2 private key. This is one of the core features that distinguishes Chinese cryptographic certificates from international standard certificates.

[0052] Trust chain construction refers to the process by which a client verifies the issuer of a server certificate level by level until it finds a locally trusted root certificate, thereby confirming the legitimacy of the server's identity. The locally trusted root certificate can be a pre-installed national cryptographic root certificate or a user-imported self-signed certificate.

[0053] The ServerKeyExchange message is an additional message that the server needs to send under certain key exchange modes. The ServerKeyExchange message contains a temporary public key and SM2 curve parameters, which are used by the client to calculate the shared key in this invention.

[0054] The EncryptedExtensions message, in TLS 1.3 or later versions of the Chinese national standard TLS, is used to transmit extended information after the encrypted channel is established. The EncryptedExtensions message in this invention may contain the negotiation results related to the Chinese national standard.

[0055] S3, if the target website is detected to support the national cryptographic security communication mechanism, then based on the preset security assessment strategy, the compatibility between the security kernel and the target website is assessed, and a first communication configuration is determined; the first communication configuration is used to instruct the use of the security kernel and to establish a connection with the target website through the national cryptographic security communication mechanism; In some embodiments, the specific steps in step S3, which involve assessing the compatibility between the security kernel and the target website based on a preset security assessment strategy if the target website is detected to support Chinese cryptographic security communication mechanisms, may include: S31. If the security kernel is determined to be incompatible with the target website based on the security assessment results, the security assessment results are fed back to the browser front-end interface, and the process is reverted to the general kernel. The kernel selection step based on the preset general compatibility strategy is re-executed until a communication configuration that can successfully establish a connection is determined, and the finally activated kernel and corresponding communication method are output.

[0056] Specifically, after the security assessment module completes the compatibility test of the target website, if it finds that although the website responds to the Chinese national cryptographic ClientHello, it does not correctly implement the TLCP protocol, the provided SM2 server certificate is invalid, or it refuses to negotiate the Chinese national cryptographic encryption suite during the key exchange phase, it generates a clear incompatibility status code and pushes this status to the browser front-end interface in a user-readable form. At the same time, it triggers the kernel rollback process, releases the tab resources occupied by the security kernel, and calls the general selection module. Based on the target website's support for the standard TLS version, Cipher Suite list, and web page rendering specifications, it selects and activates the best general kernel such as WebKit or Blink.

[0057] In some embodiments, the security assessment module may first check whether the target website sends a certificate conforming to the SM2 format after ServerHello.

[0058] Furthermore, it verifies whether the exchange of national cryptographic keys was successfully completed during the handshake process.

[0059] Furthermore, if any of the above steps fail, the error type is recorded and displayed in the address bar dropdown notification area. The error types mentioned here may include "SM2 certificate signing algorithm mismatch" or "national cryptographic suite negotiation interrupted".

[0060] Furthermore, for example, when a user accesses a local government system, if the security kernel fails to handshake because the other party only partially implements the national cryptographic protocol, the system immediately switches to the Blink kernel and retryes using the TLS 1.3 standard protocol. After successfully loading the page, a standard lock icon is displayed in the address bar, completing the entire fault tolerance adaptation process.

[0061] The security assessment results mentioned above refer to the structured diagnostic information generated by the security assessment module based on the preset security assessment strategy to assess the integrity of the national cryptographic implementation of the target website. The security assessment results may include protocol support status, certificate validity, encryption suite negotiation results, and compatibility score.

[0062] In some embodiments, the security assessment strategy in step S3 includes: S32, whether the target website supports the TLCP protocol, provides a valid SM2 server certificate, and correctly responds to the negotiation of the national cryptographic encryption suite during the handshake phase; Specifically, the security assessment strategy performs compatibility determination sequentially through the following steps, such as... Figure 3 As shown: Step 1.1: Check whether the target website explicitly declares support for the TLCP protocol in the TLS extension or protocol version field; if the ServerHello message returned by the target website contains a TLCP protocol identifier or uses a dedicated TLCP port, proceed to Step 1.2; otherwise, it is determined that the national cryptographic security communication mechanism is not supported, and the current security kernel activation process is terminated. Step 1.2: Parse the server certificate provided by the target website in the Certificate message, and verify whether the certificate is issued by a pre-built national cryptographic root certificate chain or a self-signed national cryptographic certificate imported by the user, and whether the public key algorithm field is clearly marked as SM2; if the certificate chain verification is successful and the algorithm type matches, proceed to step 1.3; otherwise, determine that the SM2 server certificate is invalid and trigger the kernel rollback mechanism. Step 1.3: Check whether the target website correctly uses the SM2 key exchange parameters and SM4 cipher suite to complete key derivation and record layer encryption initialization during the ServerKeyExchange and ChangeCipherSpec phases. If the handshake message contains SM2 curve parameters, SM4 key length and SM3 hash output that conform to the national cryptographic standard, the compatibility assessment is deemed to have passed and the secure kernel is allowed to establish a connection. Otherwise, it is determined that the national cryptographic cipher suite negotiation has failed, and the system falls back to the general kernel and retryes using the standard TLS protocol.

[0063] In some embodiments, the general compatibility strategy described in step S31 includes: The target website supports TLS versions, a list of Cipher Suite instances, and compatibility ratings with major rendering standards.

[0064] To ensure optimal compatibility and performance after reverting to a generic kernel, this solution uses the following steps to quantitatively evaluate the target website's general compatibility and match it with the kernel: B1 parses the TLS protocol version declared by the target website in the ServerHello message, records the highest supported TLS version number, and maps it to the protocol compatibility level; B2. Extract the Cipher Suite list returned by the target website, compare it with the set of encryption suites supported by the browser's built-in general kernel, calculate the number of intersections between the two and whether it contains forward security or AEAD-type high-security suites, and generate an encryption compatibility score. B3, based on the HTTP response headers and HTML document structure returned by the target website, analyzes its support for mainstream Web standards such as HTML5 semantic tags, CSS3 animations, and ES6 syntax, and generates a rendering standard compatibility score by combining the rendering success rate in historical access data. B4 combines the TLS version level, encryption compatibility score, and rendering standard compatibility score into a comprehensive compatibility index, and selects the general kernel with the higher score from the WebKit kernel and Blink kernel as the activation object based on this index; B5 binds the selected generic kernel to the current tab and initiates a connection via the standard TLS protocol, while displaying the corresponding security status icon in the address bar, thus completing the entire generic path adaptation process.

[0065] See Figure 4 This presents the actual performance comparison results of multi-core browser rendering in this embodiment of the invention (sample size n=50). The test covers 30 government and financial websites that deploy national cryptographic security communication mechanisms, as well as 20 standard HTTPS internet websites. The horizontal axis represents the WebKit kernel and the Blink kernel, respectively, and the vertical axis represents the page load time (unit: seconds) and JavaScript execution speed (unit: milliseconds), respectively.

[0066] like Figure 4 As shown on the left, in the scenario of a national cryptographic site, the WebKit kernel (average loading time 1.32 seconds) significantly outperforms the Blink kernel (average 2.48 seconds). This result demonstrates that its deep integration with the national cryptographic protocol stack and rendering environment effectively improves compatibility. However, in the scenario of a standard site, the Blink kernel's JS execution speed is faster. Figure 4 On the right, the average is 162ms vs 230ms, which demonstrates its high-performance advantage under modern Web standards.

[0067] Therefore, when the national cryptographic path is unavailable, the present invention can dynamically select the most suitable general kernel based on the actual protocol and rendering capabilities of the target website, thus avoiding functional abnormalities or security degradation caused by the mismatch between the kernel and the website's technology stack.

[0068] Among them, TLS version refers to the version identifier of the transport layer security protocol, including TLS 1.0, TLS 1.1, TLS 1.2, TLS 1.3, etc. The TLS version is used to indicate the level of encrypted communication protocol supported by the server. The compatibility score of the mainstream rendering standard is a numerical index calculated based on the degree of support of the target website for modern Web technology specifications.

[0069] S4. If it is detected that the target website does not support the national cryptographic security communication mechanism, then based on the preset general compatibility strategy, a general kernel is selected from the multiple rendering kernels, and a second communication configuration is determined; the second communication configuration is used to indicate the use of the general kernel and to establish a connection with the target website through the standard TLS protocol; It should be noted that when faced with websites that do not support the national cryptographic protocol, existing browsers usually use a fixed kernel for uniform processing. This one-size-fits-all approach ignores the actual differences in support for Web standards, TLS versions, and encryption suites among different websites, which can lead to problems such as abnormal page rendering, script execution interruption, or connection rejection when accessing older systems or special industry platforms. For example, when a user visits an early-built social security query website that only supports TLS 1.0 and RC4 encryption suites, the modern Blink kernel has disabled such weak security configurations by default, which will cause the connection to fail. Or, when accessing some internal management systems that rely on WebKit's unique rendering behavior, forcing the use of the Blink kernel will cause form layout misalignment or function buttons to malfunction, which will seriously affect business continuity.

[0070] Understandably, after confirming that the target website does not support the national cryptographic security communication mechanism, this solution does not simply enable the default general kernel. Instead, based on a preset general compatibility strategy, it comprehensively evaluates the target website's support capabilities for standard TLS protocol versions, Cipher Suite lists, and mainstream Web rendering specifications, dynamically selects the most suitable general kernel from the WebKit kernel and the Blink kernel, and generates the corresponding second communication configuration.

[0071] It should be noted that the second communication configuration explicitly specifies the selected kernel identifier, the range of enabled TLS versions, the set of cipher suites allowed for negotiation, and the rendering mode parameters, which can ensure maximum compatibility and stability under the standard HTTPS framework. The entire process of step S4 is completed during the tab initialization phase, which allows users to obtain the best access experience without intervention.

[0072] S5, according to the first communication configuration or the second communication configuration, dynamically activate the corresponding rendering kernel and establish a secure communication connection with the target website; After establishing a national cryptographic security communication connection, the national cryptographic communication identifier is also displayed in the browser's address bar to inform the user of the current security status of the communication.

[0073] In some embodiments, the specific steps of dynamically activating the corresponding rendering kernel in step S5 may include: S51 isolates the operating environments of different kernels at the tab level; It should be noted that in the architecture of a multi-kernel browser, if multiple rendering kernels share the global process or memory space, it may lead to resource conflicts, state pollution, or blurred security boundaries between the national cryptographic security kernel and the general kernel. Therefore, it is necessary to strictly isolate the execution environment of different kernels at runtime.

[0074] Specifically, the browser can allocate an independent rendering process for each tab and bind a uniquely active rendering kernel instance to that rendering process. Finally, through operating system-level process isolation and sandboxing mechanisms, it ensures that the network protocol stack, certificate storage, DOM parser, and script execution environment of each kernel do not interfere with each other.

[0075] In some embodiments, a dedicated rendering process can be created when a user opens a new tab, and the corresponding kernel can be selected from the kernel pool and injected into the process based on the detection results of the target website.

[0076] Furthermore, the process can be configured with an independent TLS session cache and national / international cryptographic certificate verification context. For example, when a user opens a financial regulatory platform and an overseas e-commerce website at the same time, the former tab loads the self-developed security kernel and enables the SM2 certificate verification path, while the latter tab loads the Blink kernel and uses the standard CA trust chain.

[0077] Furthermore, it synchronizes the security state with the main browser process through an inter-process communication channel, prohibiting direct kernel calls or data sharing across tabs.

[0078] Furthermore, all kernel-related memory allocation, network connections, and encryption operations are confined to the process boundaries of their respective tabs. This process boundary setting ensures that even if one tab crashes or is attacked, it will not affect the security and stability of other tabs.

[0079] S52: When a user accesses both national cryptographic websites and non-national cryptographic websites in the same browser window, a secure kernel or a general kernel is assigned to the corresponding tab, enabling parallel operation and dynamic adaptation of multiple kernels. It should be noted that in mixed network access scenarios, users often need to operate national government platforms and ordinary internet services simultaneously. If browsers are forced to use a single kernel in such mixed network access scenarios, it will lead to a lack of compliance with national cryptographic standards or a crash in compatibility with standard websites.

[0080] For example, if a user opens a provincial electronic tax system (requiring SM2 two-way authentication) in the left tab of a window and accesses an international news portal in the right tab (assuming this international news portal only supports standard TLS 1.3), the handshake using the national cryptographic standard cannot be completed if both share the Blink kernel. If a secure kernel is forced, news websites may experience connection timeouts due to their inability to recognize Chinese cryptographic protocols.

[0081] Specifically, the browser can listen to network request events for each tab through the kernel activation module, and bind a dedicated rendering kernel to each tab based on the results of national cryptographic detection and security assessment. At the same time, the browser needs to maintain multiple kernel instances running in parallel in independent processes.

[0082] In some embodiments, after the user creates a new tab and enters a URL, the national cryptographic detection module is triggered to send a ClientHello message containing national cryptographic suites to the target website.

[0083] Furthermore, the ServerHello response is used to determine whether the website supports the national cryptographic security communication mechanism.

[0084] Furthermore, a self-developed security kernel is assigned to the tax system tab and SM2 client certificates are loaded, while a Blink kernel is assigned to the news website tab and standard CA verification chains are enabled.

[0085] Furthermore, within the same browser window, the two tabs run in isolated rendering processes, each using its own independent network protocol stack, certificate storage, and JavaScript context, without affecting each other. The address bars display green Chinese national security lock icons and standard lock icons respectively, achieving both visual and functional differentiation.

[0086] In some embodiments, the national cryptographic communication identifier mentioned in step S5 is a visual icon, and its state includes: S53, the green lock icon indicates that a national cryptographic encryption connection has been successfully established; S54, the gray lock icon indicates that it is attempting a national cryptographic connection but has not yet completed the handshake; S55, with no lock icon or standard lock icon, indicates that the current kernel and standard TLS protocol are used for communication.

[0087] Specifically, the national cryptographic communication identifier can be designed as a dynamic visual lock icon on the left side of the address bar. This dynamic visual lock icon changes its display form in real time according to the communication protocol and connection status used by the current tab, which can provide users with intuitive security status feedback.

[0088] Once the browser completes the national cryptographic detection and security assessment and successfully establishes an encrypted channel based on the SM2 / SM3 / SM4 algorithm with the target website through its self-developed security kernel, the icon immediately renders as a green lock shape, indicating that the communication complies with national commercial cryptography compliance requirements. If the browser has initiated a ClientHello with Chinese cryptographic suites but has not yet received a valid ServerHello response or is still performing certificate verification, the icon will be displayed as a gray lock, indicating to the user that the Chinese cryptographic connection is in progress. If the detection results confirm that the target website does not support the national cryptographic mechanism, or if the security assessment fails and the system reverts to the general kernel, the icon will revert to an unlocked state (such as an HTTP site) or a standard blue / black lock shape (such as a standard HTTPS site). An unlocked state or a standard blue / black lock shape indicates that the current connection uses the internationally recognized TLS protocol.

[0089] See Figure 5 The results show the comparative test results of the connection success rate between the present invention and the prior art. Figure 5 It consists of two parts. Figure 5 The upper part is a heatmap showing the specific connection status of 200 real websites; the lower part is a bar chart showing the average connection success rate of different strategies on different types of websites. The bar chart clearly shows that the "Invention (Dynamic Adaptation)" maintains a high connection success rate on all types of websites, thus providing a clear understanding that this invention solves the problem of traditional browsers not being able to simultaneously support Chinese national cryptographic standards and standard TLS.

[0090] In some embodiments, the method further includes: It comes pre-installed with a national cryptographic root certificate chain and supports users to import self-signed national cryptographic certificates through the certificate management interface; It should be noted that in the context of secure communication using Chinese cryptographic standards, the server certificate of the target website must be issued by a trusted Chinese cryptographic CA or be explicitly recognized by the user. Otherwise, even if the protocol negotiation is successful, the browser will not be able to complete the authentication, which will lead to the connection being interrupted. However, existing general-purpose browsers usually only have built-in international standard root certificate stores and completely lack support for the SM2 algorithm and the Chinese cryptographic CA system. This often causes users to be unable to establish a connection when accessing internal government systems, industry regulatory platforms, or test environments because the certificate is not trusted.

[0091] Specifically, the browser comes pre-installed with a national cryptographic root certificate chain certified by the State Cryptography Administration, including first-level and second-level SM2 root CA certificates, and opens an independent national cryptographic trust domain in the certificate storage module; it also provides a graphical certificate management interface that allows users to manually import self-signed or privately signed SM2 format national cryptographic certificates and add them to the national cryptographic trust list.

[0092] In some embodiments, a pre-built Chinese cryptographic root certificate chain is first loaded into a dedicated certificate storage area during the browser initialization phase. This area is physically isolated from the standard X.509 certificate store and is used only for certificate verification of Chinese cryptographic connections. Furthermore, the "National Cryptographic Certificate Management" entry is opened in the settings menu, through which users can select local SM2 certificate files (such as .cer or .der format) for import.

[0093] Furthermore, the imported certificate undergoes format verification to confirm that its public key algorithm is SM2, its signature algorithm is SM3, and it conforms to the Chinese national cryptographic standard X.509 extension specification.

[0094] Furthermore, when establishing a national cryptographic security communication connection, the server certificate of the target website is verified based on the pre-set national cryptographic root certificate or the user-imported self-signed national cryptographic certificate. Specifically, after completing the national cryptographic handshake and receiving the target website's server certificate, the browser calls the national cryptographic dedicated certificate verification module. It prioritizes using the pre-built national cryptographic root certificate chain to build a trust chain. If the verification fails and the target website uses a private or test certificate, it attempts to match the self-signed national cryptographic certificate imported by the user through the certificate management interface to complete the final identity verification.

[0095] Specifically, first parse the public key algorithm field in the server certificate to confirm that it is SM2 and the signature algorithm is SM3.

[0096] Furthermore, extract the certificate issuer information and search for a matching root CA or intermediate CA certificate in the pre-set national cryptographic root certificate chain. If no valid issuance chain is found, the system iterates through the list of self-signed national cryptographic certificates imported by the user and compares whether the certificate subject name matches the public key fingerprint.

[0097] Furthermore, verify the certificate validity period, key usage, and CRL / OCSP status (if supported).

[0098] Furthermore, for example, continuing with the scenario above, when a user accesses a local tax intranet system, the system uses an SM2 server certificate issued by the local national cryptographic CA, and the browser successfully builds a trust chain through the pre-installed provincial national cryptographic root certificate. In another test environment, the developers deployed a simulated application platform for a self-signed SM2 certificate. After the user imported the self-signed certificate in advance, the browser automatically matched and completed the verification when connecting, thus allowing the green lock icon to be displayed and a secure channel to be established.

[0099] Furthermore, if certificate verification fails, the attempt to connect using the national cryptographic protocol is interrupted, and the kernel rollback mechanism is triggered to switch to the general kernel and retry the connection using the standard TLS protocol.

[0100] Specifically, after the security kernel receives the server certificate during the national cryptographic handshake process, it calls the national cryptographic certificate verification module to verify the certificate's integrity, issuance chain, and algorithm compliance. If it finds that the certificate's public key is not in SM2 format, the signature algorithm is not SM3, the issuer is not in the pre-set national cryptographic root certificate chain or the user's imported self-signed certificate list, or the certificate has expired or been revoked, it immediately terminates the current national cryptographic connection process, releases the network and cryptographic resources occupied by the security kernel on this tab, and sends a rollback command to the kernel management module. The kernel management module then activates the general selection module, selects the most compatible general kernel from WebKit or Blink kernels based on the target website's support for the standard TLS protocol, re-initiates the standard ClientHello handshake, and attempts to establish an HTTPS connection based on international cryptographic algorithms. The entire process is completed automatically in the background, and the user only observes the address bar icon briefly transitioning from a gray lock shape to a standard lock shape before the page loads normally.

[0101] For example, when a user accesses an early-deployed industry regulatory platform, although the platform is configured with an SM2 server certificate, it uses SHA256 instead of SM3 for signing, causing the national cryptographic certificate verification to fail. The browser then interrupts the secure kernel connection, automatically switches to the Blink kernel, and reconnects using the standard TLS 1.2 protocol. Because the industry regulatory platform is also compatible with international protocols, the page is eventually successfully loaded and the standard lock icon is displayed.

[0102] For example, if a test site uses a self-signed SM2 certificate that has not been imported, and the user has not trusted the certificate through the certificate management interface in advance, the verification will also fail. If the target website does not support standard TLS after the system rolls back, the connection will fail completely and an error message will be displayed.

[0103] In some embodiments, the method further includes: If a system security policy update or a national cryptographic protocol standard upgrade is detected, the national cryptographic protocol stack and cryptographic algorithm module of the security kernel will be dynamically updated. Specifically, the kernel management module can periodically poll the local security policy configuration center or trusted remote policy server to detect whether there are any changes to the national cryptographic protocol standard version or system security policy update events. Once an update is detected, the incremental module package verified by digital signature is immediately downloaded from the security update channel, and the new version of the national cryptographic protocol stack and cryptographic algorithm module is loaded in the sandbox environment to replace the old components currently in operation. At the same time, the compatibility handling logic of the original connection session is retained to ensure that the update process does not affect the tabs that are already open.

[0104] In some embodiments, security policy change signals pushed by the operating system or enterprise security management platform can be listened for first.

[0105] Furthermore, the SM2 signature and SM3 hash value of the update package are verified to confirm that its source is trustworthy and has not been tampered with.

[0106] Furthermore, the new version of the national cryptographic SSL / TLS protocol parser, SM2 key exchange engine, and SM4 encryption / decryption unit are initialized in an independent memory space.

[0107] Furthermore, the new module is registered to the service scheduling table of the security kernel, and the old module is marked to enter a soft retirement state.

[0108] In some embodiments, the specific steps for assessing the compatibility between the security kernel and the target website based on a preset security assessment strategy may include: If an update event of the security kernel is detected within the first time frame, the compatibility assessment is re-executed according to the updated security assessment policy to determine the first communication configuration.

[0109] It should be noted that updates to the national cryptographic protocol stack or security policies may change the criteria for judging the compatibility of target websites. For example, adding support for TLCP 1.1, adjusting SM2 certificate verification rules, or deprecating certain older encryption suites. If the evaluation logic before the update is still used, sites that could have been successfully connected will be misjudged as incompatible, or deprecated weak security configurations will be enabled incorrectly.

[0110] Therefore, the evaluation context must be refreshed immediately after a valid update to the security kernel to ensure that subsequent connection decisions are based on the latest compliance requirements.

[0111] Specifically, the security assessment module can listen for security kernel update completion events issued by the kernel management module and check whether the update occurred within a preset first time range (e.g., within the last five minutes). If it is confirmed to be within the valid window period, the original cached compatibility assessment results are cleared, the new security assessment policy configuration is loaded, and a complete compatibility test process is re-initiated for the target website that is currently to be accessed or has recently failed.

[0112] In some embodiments, the version change timestamp and policy hash value of the security kernel module can be recorded first; then the timestamp can be compared to see if it falls within the first time range defined by the system.

[0113] Furthermore, updated security assessment rules are loaded from the policy store. These updated rules include new TLCP support thresholds, SM2 certificate field verification items, and a priority list of Chinese cryptographic suites.

[0114] Furthermore, for the target website to be accessed, the three core checks are re-executed: "whether it supports the TLCP protocol," "whether it provides a valid SM2 server certificate," and "whether it correctly responds to the national cryptographic encryption suite negotiation."

[0115] The first time range mentioned above refers to a time window preset by the system. The first time range is used to define whether a security kernel update is a "recent effective change". Updates that occur within this window will trigger policy reload and evaluation refresh.

[0116] In some embodiments, the method further includes: When a user accesses a website that requires two-way authentication using Chinese cryptographic standards, the local SM2 client certificate is automatically invoked, and a two-way handshake using Chinese cryptographic standards is completed.

[0117] Specifically, after receiving the CertificateRequest message from the server, the self-developed security kernel can parse the list of acceptable CAs or certificate type requirements declared therein, automatically select matching certificates from the local SM2 client certificate store, and embed them into the ClientCertificate message without user interaction, and continue to complete the subsequent key exchange and Finished verification process.

[0118] In some embodiments, the server first checks whether it has sent a CertificateRequest extension during the national cryptographic handshake process, indicating that the site has enabled two-way authentication.

[0119] Furthermore, extract the trusted national cryptographic CA identifier or certificate policy OID contained in the request; then iterate through all SM2 format client certificates in the browser's local certificate store and compare whether the issuer field matches a CA trusted by the server.

[0120] Furthermore, the first valid and unexpired matching certificate is selected as the response credential.

[0121] Furthermore, for example, when a user accesses a provincial-level tax electronic filing platform, the platform requires the enterprise's identity SM2 certificate to perform two-way authentication. The browser automatically calls the imported enterprise legal person SM2 client certificate in the background to complete the complete national cryptographic two-way handshake including ClientCertificate, ClientKeyExchange, and CertificateVerify. The page then loads successfully and displays a green lock icon, without the need for pop-up confirmation.

[0122] Among them, the national cryptographic website requiring two-way authentication refers to the target website that actively sends a CertificateRequest message during the national cryptographic SSL / TLS or TLCP handshake process, requesting the client to provide an SM2 format digital certificate to complete identity authentication; the local SM2 client certificate refers to the personal or organizational identity credential that the user imports in advance through the certificate management interface, which is generated using the SM2 public key algorithm and issued by a national cryptographic CA or a private CA, and is stored in the browser's dedicated security area; the national cryptographic two-way handshake refers to the complete protocol process in which the server and client exchange and verify each other's SM2 certificates during the establishment of national cryptographic communication, including key steps such as server certificate verification, client certificate submission, SM2 signature verification, and shared key generation.

[0123] Example 2, refer to Figure 6 This embodiment also provides a browser multi-kernel dynamic adaptation system, including: A kernel management module is used to load and initialize multiple rendering kernels when the browser starts, wherein at least one of the multiple rendering kernels includes a security kernel that supports Chinese cryptographic algorithms; The national cryptographic detection module is used to automatically detect whether a target website supports the national cryptographic secure communication mechanism in response to a user's network access request. The security assessment module is used to assess the compatibility between the security kernel and the target website based on a preset security assessment strategy and determine the first communication configuration if the target website is found to support the national cryptographic security communication mechanism. A general selection module is used to select a general kernel from the multiple rendering kernels and determine a second communication configuration based on a preset general compatibility strategy if the target website is detected to not support the national cryptographic security communication mechanism. The kernel activation module is used to dynamically activate the corresponding rendering kernel according to the first communication configuration or the second communication configuration, and establish a secure communication connection with the target website. The status indicator module is used to display the national cryptographic communication identifier in the browser's address bar after a national cryptographic security communication connection is established, so as to indicate the current security status of the communication to the user.

[0124] The above-mentioned unit modules can be embedded in the processor of the electronic device in hardware form or independent of it, or they can be stored in the memory of the electronic device in software form, so that the processor can call and execute the corresponding operations of the above modules.

[0125] This embodiment also provides an electronic device, which can be a terminal, and its internal structure diagram can be as follows. Figure 6 As shown, the electronic device includes a processor, memory, communication interface, display screen, and input device connected via a system bus. The processor provides computing and control capabilities. The memory includes a non-volatile storage medium and internal memory. The non-volatile storage medium stores the operating system and computer programs. The internal memory provides an environment for the operation of the operating system and computer programs stored in the non-volatile storage medium. The communication interface is used for wired or wireless communication with external terminals; wireless communication can be achieved through Wi-Fi, carrier networks, NFC (Near Field Communication), or other technologies. When the computer program is executed by the processor, it implements a browser multi-kernel dynamic adaptation method. The display screen can be an LCD screen or an e-ink screen. The input device can be a touch layer covering the display screen, buttons, a trackball, or a touchpad on the device's casing, or an external keyboard, touchpad, or mouse.

[0126] This embodiment also provides a computer-readable storage medium on which a computer program is stored, and when the computer program is executed by a processor, it performs the following steps: When the browser starts, it loads and initializes multiple rendering kernels, including at least one security kernel that supports Chinese cryptographic algorithms. In response to a user's network access request, the system automatically detects whether the target website supports the national cryptographic security communication mechanism, which includes communication based on the SM2 / SM3 / SM4 national cryptographic algorithms and the national cryptographic SSL / TLS protocol. If the target website is detected to support the national cryptographic security communication mechanism, the compatibility between the security kernel and the target website is evaluated based on a preset security assessment strategy, and a first communication configuration is determined; the first communication configuration is used to instruct the use of the security kernel and the establishment of a connection with the target website through the national cryptographic security communication mechanism. If the target website is found to be unsupported by the national cryptographic security communication mechanism, a general-purpose kernel is selected from the plurality of rendering kernels based on a preset general compatibility strategy, and a second communication configuration is determined; the second communication configuration is used to indicate the use of the general-purpose kernel and to establish a connection with the target website through the standard TLS protocol; Based on the first communication configuration or the second communication configuration, the corresponding rendering kernel is dynamically activated, and a secure communication connection with the target website is established. After establishing a national cryptographic security communication connection, the national cryptographic communication identifier is also displayed in the browser's address bar to inform the user of the current security status of the communication.

[0127] It should be noted that the above embodiments are only used to illustrate the technical solutions of the present invention and are not intended to limit it. Although the present invention has been described in detail with reference to preferred embodiments, those skilled in the art should understand that modifications or equivalent substitutions can be made to the technical solutions of the present invention without departing from the spirit and scope of the technical solutions of the present invention, and all such modifications or substitutions should be covered within the scope of the claims of the present invention.

[0128] Although preferred embodiments of the invention have been described, those skilled in the art, upon learning the basic inventive concept, can make other changes and modifications to these embodiments. Therefore, the appended claims are intended to be interpreted as including the preferred embodiments as well as all changes and modifications falling within the scope of the invention.

[0129] Obviously, those skilled in the art can make various modifications and variations to this invention without departing from its spirit and scope. Therefore, if these modifications and variations fall within the scope of the claims of this invention and their equivalents, this invention also intends to include these modifications and variations.

Claims

1. A method for dynamic adaptation of browsers across multiple kernels, characterized in that, The method includes: When the browser starts, it loads and initializes multiple rendering kernels, including at least one security kernel that supports Chinese cryptographic algorithms. In response to a user's network access request, the system automatically detects whether the target website supports the national cryptographic security communication mechanism, which includes communication based on the SM2 / SM3 / SM4 national cryptographic algorithms and the national cryptographic SSL / TLS protocol. If the target website is detected to support the national cryptographic security communication mechanism, the compatibility between the security kernel and the target website is evaluated based on a preset security assessment strategy, and a first communication configuration is determined; the first communication configuration is used to instruct the use of the security kernel and the establishment of a connection with the target website through the national cryptographic security communication mechanism. If the target website is found to be unsupported by the national cryptographic security communication mechanism, a general-purpose kernel is selected from the plurality of rendering kernels based on a preset general compatibility strategy, and a second communication configuration is determined; the second communication configuration is used to indicate the use of the general-purpose kernel and to establish a connection with the target website through the standard TLS protocol; Based on the first communication configuration or the second communication configuration, the corresponding rendering kernel is dynamically activated, and a secure communication connection with the target website is established. After establishing a national cryptographic security communication connection, the national cryptographic communication identifier is also displayed in the browser's address bar to inform the user of the current security status of the communication.

2. The browser multi-kernel dynamic adaptation method as described in claim 1, characterized in that, If the target website is detected to support the national cryptographic security communication mechanism, then based on a preset security assessment strategy, the compatibility between the security kernel and the target website is assessed, including: If the security assessment results determine that the security kernel is incompatible with the target website, the security assessment results are fed back to the browser front-end interface, and the process reverts to the general kernel. The kernel selection process based on the preset general compatibility strategy is then repeated until a communication configuration that can successfully establish a connection is determined, and the finally activated kernel and corresponding communication method are output.

3. The browser multi-kernel dynamic adaptation method as described in claim 2, characterized in that, The method further includes: It comes pre-installed with a national cryptographic root certificate chain and supports users to import self-signed national cryptographic certificates through the certificate management interface; When establishing a national cryptographic security communication connection, the server certificate of the target website is verified based on the pre-set national cryptographic root certificate or the user-imported self-signed national cryptographic certificate. If certificate verification fails, the attempt to connect using the national cryptographic protocol is interrupted, and the kernel rollback mechanism is triggered to switch to the general kernel and retry the connection using the standard TLS protocol.

4. The browser multi-kernel dynamic adaptation method as described in claim 3, characterized in that, The security assessment strategy includes: Does the target website support the TLCP protocol? Does it provide a valid SM2 server certificate? Does it correctly respond to the negotiation of the national cryptographic encryption suite during the handshake phase? The general compatibility strategy includes: The target website supports TLS versions, a list of Cipher Suite instances, and compatibility ratings with major rendering standards.

5. A browser multi-kernel dynamic adaptation method as described in claim 4, characterized in that, The method further includes: If a system security policy update or a national cryptographic protocol standard upgrade is detected, the national cryptographic protocol stack and cryptographic algorithm module of the security kernel will be dynamically updated. The compatibility assessment of the security kernel and the target website based on the preset security assessment strategy includes: If an update event of the security kernel is detected within the first time frame, the compatibility assessment is re-executed according to the updated security assessment policy to determine the first communication configuration.

6. The browser multi-kernel dynamic adaptation method as described in claim 5, characterized in that, The multiple rendering kernels include the WebKit kernel, the Blink kernel, and a self-developed security kernel; The self-developed security kernel integrates a national cryptographic SSL two-way authentication module, which supports the automatic loading and sending of client SM2 certificates; The method further includes: When a user accesses a website that requires two-way authentication using Chinese cryptographic standards, the local SM2 client certificate is automatically invoked, and a two-way handshake using Chinese cryptographic standards is completed.

7. A browser multi-kernel dynamic adaptation method as described in claim 6, characterized in that, The automatic detection of whether the target website supports the national cryptographic security communication mechanism includes: Send a ClientHello message containing the identifier of the Chinese national cryptographic encryption suite to the target website; If a ServerHello response containing SM2 / SM3 / SM4 related parameters is received, it is determined that the target website supports the national cryptographic security communication mechanism. Otherwise, the target website is deemed not to support the national cryptographic security communication mechanism; The dynamically activated rendering kernel includes: Isolate the runtime environments of different kernels at the tab level; When a user accesses both national cryptographic websites and non-national cryptographic websites in the same browser window, a secure kernel or a general kernel is assigned to the corresponding tab to achieve parallel operation and dynamic adaptation of multiple kernels. The national cryptographic communication identifier is a visual icon, and its status includes: A green lock icon indicates that a national cryptographic encryption connection has been successfully established. The gray lock icon indicates that a connection using Chinese cryptographic standards is being attempted but the handshake has not yet been completed. A lockless icon or a standard lock icon indicates that the current kernel and standard TLS protocol are used for communication.

8. A browser multi-kernel dynamic adaptation system, using the method described in any one of claims 1 to 7, characterized in that, include: A kernel management module is used to load and initialize multiple rendering kernels when the browser starts, wherein at least one of the multiple rendering kernels includes a security kernel that supports Chinese cryptographic algorithms; The national cryptographic detection module is used to automatically detect whether a target website supports the national cryptographic secure communication mechanism in response to a user's network access request. The security assessment module is used to assess the compatibility between the security kernel and the target website based on a preset security assessment strategy and determine the first communication configuration if the target website is found to support the national cryptographic security communication mechanism. A general selection module is used to select a general kernel from the multiple rendering kernels and determine a second communication configuration based on a preset general compatibility strategy if the target website is detected to not support the national cryptographic security communication mechanism. The kernel activation module is used to dynamically activate the corresponding rendering kernel according to the first communication configuration or the second communication configuration, and establish a secure communication connection with the target website. The status indicator module is used to display the national cryptographic communication identifier in the browser's address bar after a national cryptographic security communication connection is established, so as to indicate the current security status of the communication to the user.

9. An electronic device comprising a memory and a processor, wherein the memory stores a computer program, characterized in that, When the processor executes the computer program, it implements the steps of the browser multi-kernel dynamic adaptation method according to any one of claims 1 to 7.

10. A computer-readable storage medium having a computer program stored thereon, characterized in that, When the computer program is executed by the processor, it implements the steps of any one of the browser multi-kernel dynamic adaptation methods according to claims 1 to 7.