58 results about "Cipher suite" patented technology

A method and apparatus are disclosed for providing data from a service to a client based on the encryption capabilities of the client. Cipher suite lists are exchanged between a client and an endpoint. On the endpoint, the cipher suite list incorporates a mapping of cipher suite names to services. The endpoint uses the client's list of cipher suites in conjunction with the mapping of cipher suite names to services to determine a cipher suite match. A service is selected based on the cipher suite match. A server farm is selected based on the service. The client is informed of this cipher suite match and the endpoint retains knowledge of the cipher suite match throughout the session. Therefore, the encrypted connection between the client and the endpoint can be disconnected and later reestablished to provide data from the particular server.

The invention relates to the technical field of network safety and provides a transport layer security (TLS) channel constructing method based on a cryptographic algorithm. The TLS channel constructing method includes steps that: a server side launches a request and a client side respond to a hello message, or the client side launches the hello message; the server side responds to the hello message of the server side; the server side transmits an SM2 certificate to the server side and then transmits a hello completing message; the client side receives the hello completing message and then transmits a secret key exchange message; the client side transmits a cipher suite change message and a finishing message, and the server side transmits the cipher suite change message and the finishing message after receiving the finishing message of the client side; and the server side and the client side perform data safe transmission according to the agreed safety parameters after receiving the finishing messages of each other and passing verification. According to the TLS channel constructing method, the cryptographic algorithm is blended into a TLS protocol to perform safety communication, the signature speed is obviously superior to that of a remote signaling alarm (RSA) algorithm by aid of short secret key length, and the TLS channel constructing method is a data safety method with the 2048-bit safety level of the RSA algorithm.

A method for a secure handshake protocol between A and B, connected by a slow channel is provided in which A sends a first message indicating a set of cipher suites with parameters, and its identifier and B selects a cipher suite, obtains A's certificate over a fast connection, verifies A's certificate and obtains A's public key. Next B sends a second message comprising B's certificate, and an indication that B has verified A's certificate, and an indication about the selected cipher suite. A begins to use the selected cipher suite, verifies B's certificate and obtains B's public key. Next A sends a third message indicating that A has verified B's certificate.

The invention discloses a transport layer security (TLS) handshaking method, a TLS handshaking device and a trusted third party (TTP). The method comprises the following steps that: on the basis of the TLS handshaking process of two parties, a first party sends a question of the first party and a cipher suite list which is supported by the first party to the TTP; the TTP informs the first party of the question of the TTP, a temporary public key of the TTP and a TTP-first-party cipher suite; the first party informs the TTP of a first-party-TTP message authentication code by using a session key which is generated between the first party and the TTP; the TTP identifies the first-party-TTP message authentication code by using the session key which is generated between the first party and the TTP; after the first-party-TTP message authentication code passes identification, the TTP sends a TTP-first-party message authentication code to the first party; the first party identifies the TTP-first-party message authentication code; and if the TTP-first-party message authentication code passes identification, a secure tunnel between the first party and the TTP is established. The invention has the advantages that: on the basis of the TLS handshaking method of the two parties, the secure tunnel is established between the first party and the TTP, the security is improved, and high downward compatibility is realized.

The invention refers to a handshake method and a handshake system based on a datagram secure transmission protocol. The handshake method comprises: sending a client greeting message to the server by the client, wherein the client greeting message contains a list of all domestic commercial cipher suites supported by the client; receiving and determining whether the client greeting message carries astateless message authentication code by the server: if so, calculating to obtain a message authentication code by using a domestic hash algorithm, and comparing with the message authentication codecarried by the client greeting message to authenticate the client; sending a server greeting message to the client after the authentication, and informing the client of the domestic commercial ciphersuite selected by the client; and replacing the key specification according to the selected domestic commercial cipher suite by the client and the server, thereby establishing a data transmission link. The invention is capable of meeting the requirement of self-controllable information security in China and fully utilizing the unique advantages of the domestic encryption algorithm, and is compatible with the original DTLS protocol, and convenient for horizontal expansion.

The invention discloses a TLS handshake protocol for an identity-based cryptosystem, and in particular relates to the field of basic communication of trusted security networks. The problems of high delay, high calculation amount and the like due to finding, transferring, verifying and the like of a certificate in a TLS handshake process in the traditional PKI system can be solved by defining a new ciphersuite; and the handshake protocol performance is improved while the security is ensured. The handshake protocol comprises the following steps of: (1), establishing the identity-based cryptosystem, and distributing secret keys; and (2), handshaking to negotiate a security parameter. The TLS handshake protocol disclosed by the invention has the advantages that: the certificate is unnecessary to send and verify, such that the network flow and the memory are saved; authentication and secret key negotiation are completed simultaneously; the number of messages is reduced; the network delay is reduced while the high security is ensured; and the TLS handshake protocol is perfectly compatible with a TLS by newly increasing a selective ciphersuite and an expansion option.

Described herein are methods and systems for updating digital certificates on a computer and testing to confirm that the update was performed correctly. The testing may involve confirming that a server's common name (CN) and/or a server's subject alternative name (SAN) matches the domain name server (DNS) name utilized to access the server, confirming that, for all the certificates sent in chain, each certificate's expiration date is less than or equal to the expiration date of that certificate's parent certificate, confirming that the certificates' authority key identifier (AKI), subject key identifier (SKI), and/or authority information access (AIA) are in compliance, and comparing available cipher suites to a list of pre-approved cipher suites.

An encryption/decryption device and a method thereof use an RC4 algorithm to reduce a waiting time for encryption/decryption thereby avoiding data process delay. The encryption/decryption device includes a management unit, an encryption/decryption unit, and a first interface. The management unit includes a WEP seed key generator for generating a WEP seed key based on a transmitter address of first data and a cipher suite value representing a cipher protocol type for the transmitter address, an RC4 key scheduler for generating S-Box data using the WEP seed key, and an S-Box data memory storing the S-Box data generated from the RC4 key scheduler for the transmitter addresses. The encryption/decryption unit has a core for performing the RC4 algorithm-corresponding to the cipher suite, encrypting/decrypting the first data using the S-Box data transmitted from the management unit, and transmitting a signal for generating the S-Box data of second data to the management unit. The first interface transmits a control signal and a data signal between the management unit and the encryption/decryption unit.

The invention discloses a secure socket layer protocol extension method supporting a domestic cipher algorithm. The secure socket layer protocol extension method comprises the following steps: adding a cipher suite supporting the domestic cipher algorithm into a secure socket layer extended source code of the secure socket layer protocol; setting corresponding parameters and alias for the cipher suite; establishing an algorithm provider for implementing the domestic cipher algorithm; establishing a corresponding relationship between the alias of the cipher suite and an implementation class of the algorithm provider. According to the secure socket layer protocol extension method provided by the invention, an operating mechanism of the SSL (secure socket layer) protocol is not changed and extra security problems are not caused; after adoption of the cipher suite supporting the domestic cipher algorithm, the domestic cipher algorithm can be used during handshake and interaction of the SSL, so that the safety performance of online banking is enhanced, and thus the secure socket layer protocol extension method has an important significance in autonomy and the product security of an online banking application system and the security of a whole system.

The invention provides a bidirectional authentication method and a communication system. The bidirectional authentication method comprises the following steps: a client sending a first request messageto a server; wherein the first request message is used for requesting a certificate and a password suite of the server; the server sending a first response message to the client; wherein the first response message comprises a certificate, a password suite and a first random number of the server; the client verifying the certificate of the server, selecting a target encryption algorithm in the password suite after the certificate passes the verification, and sending the target encryption algorithm and a second random number to the server; the server signing the target encryption algorithm andthe second random number, and sending signed signature data to the client; the client performing signature verification on the signature data to complete bidirectional authentication; wherein the first random number and the second random number are used for generating a key. The communication efficiency is improved.

The embodiment of the invention discloses a method and a device for forwarding a user datagram protocol message. After a proxy server receives the identifier and the secret key authentication code sent by the Internet of Things equipment, when the identifier is consistent with the stored identifier and the secret key authentication code corresponding to the stored identifier is consistent with thesecret key authentication code. The service information of forwarding service is sent to the Internet of Things equipment. Based on the at least one password suite sent by the Internet of Things device, a target password suite is sent to the Internet of Things device. Then, a first UDP message sent by the Internet of Things device is received. After the first UDP message comprises the position information and the first data of the target service server, the first UDP message is decrypted based on the target password suite to obtain the position information and the first data of the target server. Finally, the first data is sent to the target service server corresponding to the position information, thereby realizing forwarding of the UDP message completely based on the UDP protocol, and improving the safety of the UDP message.

The invention provides an identity authentication method realizing a dynamic password encryption mode. The technical scheme comprises the following steps of: I, registering a new user, generating a mask picture M of the new user, and storing the other information and the mask picture M of the new user in a database as the registration information of the new user; II, authenticating the legal identity of the user; if the identity of any user needs authentication, executing the following steps: (1) generating a random cipher; (2) generating a cipher picture; (3) generating a cipher sub-picture;and (4) entering passwords to prove whether the user to be authenticated is a registered user. The invention has the beneficial effects that dynamic passwords can be realized, the decryption mode is simple, and the security is high. In spite of dynamic passwords, cipher transfer is not involved in the authentication process, thus the security is further improved.

The invention provides a negotiation method for a cryptographic algorithm of data transport services in a distribution network. The negotiation method is characterized by comprising a service security label, an algorithm security label and two matching modes, wherein the negotiation process of the cryptographic algorithm between network nodes in the distribution network completely refers to the service security label of the current data transport service. The negotiation method avoids the problem of weak cipher suite matching security caused by the client cryptographic algorithm priority in the traditional network security protocol. The two matching modes not only consider the quick matching requirement of novel distribution equipment, but also consider the compatibility matching requirement of old equipment, thereby effectively solving the problem of transition from the cryptographic algorithm to national cryptographic algorithm standards in the distribution network.

The embodiment of the invention discloses a configuration method and a device of a cipher suite. The configuration method of a cipher suite comprises the steps: obtaining a preset cipher suite list, wherein the cipher suite list comprises a region code list item, and one cipher suite is uniquely determined by a suite serial number and a region code together; configuring the region code, and selecting the cipher suite corresponding to the region code according to the region code in the cipher suite list. The embodiment selects the cipher suite corresponding to the region code according to the configured region code in the obtained cipher suite list so as to realize the selection of the cipher suite according to the region code, solves the problem that the cipher suite of equipment in different regions can conflict with each other, and increases the flexibility of the equipment.

Automatically and dynamically ascertain by means of autoconfiguration whether used or activated and usable cipher suites and/or key lengths are sufficiently strong for current cryptographic protection of the control communication and/or other service access by virtue of 1) “cipher-suite”-based/-specific information available in the network/system being called up to ascertain reference cipher suites and/or 2) block chain information available in the network/system, containing data records referred to as “proof of work” for solving complex computation tasks, being called up or ascertained, with the ascertainment of block chain difficulty parameters as key length estimation parameters to ascertain appropriate reference key lengths, in particular reference minimum key lengths required for cryptoalgorithms, and 3) the ascertained reference cipher suites and/or the reference key lengths ascertained by the key length estimation parameters being compared with the used or activated and usable cipher suites and/or key lengths.

An apparatus for an integrated dynamic encryption and/or decryption for use in an application includes a policy filter, a policy filter module coupled to said policy filter, a service module coupled to said policy filter, and a cryptographic module, where the apparatus retrieves the cryptographic module and configures the policy filter in accordance with the cryptographic module and the policy filter module performs a plurality of verification upon the cryptographic module, and further where the service module is configured to generate a plurality of cipher suites and the policy filter is configured to filter the plurality of cipher suites in accordance with a predetermined policy filter parameters to generate a plurality of filtered cipher suites.

Moreover, an apparatus for an integrated dynamic encryption and/or decryption for use in an application includes storage means for storing a plurality of predetermined attributes and corresponding values, and a digital signature, a controller for controlling selective retrieval of said plurality of attributes and values, and said digital signature from said storage means, processing means for selectively processing said plurality of predetermined attributes and values, and said digital signature and in accordance thereto, providing a supportable encryption and/or decryption level to said application, compression means for compressing said plurality of attributes and values and in accordance thereto generating a compressed plurality of attributes and values for storing in said storage means, and decompressing means for decompressing said compressed plurality of attributes and values in accordance to said controller retrieving said compressed plurality of attributes and values.

The invention discloses a security configuration method for an Nginx server cipher suite of an SSR, and relates to the field of website security configuration. The cipher suite of an Nginx server is rationally selected, and the cipher suite of an Nginx server of the SSR is increased and decreased to realize an expected encryption accessory. The security configuration method mainly comprises the following steps: 1) checking the SSR cipher suite; 2) carrying out security analysis on the SSR cipher suite; and 3) modifying the cipher suite in an Nginx server configuration file of the SSR. According to the security configuration method disclosed by the invention, different parts of the suites are analyzed and compared; the unsecure cipher suite is selected and forbidden; a client and a server can only use the cipher suite with high security; the transmission security of transmission layer information is guaranteed; and the security of the SSR is enhanced, so that the SSR runs more safely.

The invention provides a security configuration method of a Tomact cipher suite of SSR, and relates to the website security configuration field. The security configuration method includes the steps of: (1) checking an SSR cipher suite; (2) performing security analysis on the SSR cipher suite; and (3) modifying the cipher suite in a Tomcat configuration file of the SSR. Through addition and deletion of the cipher suite, the cipher suite wanted to be used is realized, and the SSR self security is increased.

The invention provides a bidirectional authentication method and device. The method comprises the steps: receiving a server certificate, a second random number, a target password suite and a server public key which are sent by a server in response to an authentication request, obtaining data in the server certificate if the server certificate is checked to be signed and issued by a preset signing and issuing mechanism; and if the data are consistent with the data provided by the server, generating a third random number, and generating a first main communication password through a preset key exchange algorithm; encrypting the third random number by using the server public key to obtain an encrypted third random number, and generating a client communication ciphertext by using the first main communication password and the target password suite; sending the encrypted third random number, the client certificate and the client communication ciphertext to the server; and after a server-side communication ciphertext returned by the server side is received, the server-side communication ciphertext is decrypted according to the first main communication password and the target password suite, and if data carried in the server-side communication ciphertext is not tampered, the bidirectional authentication is confirmed to pass.