58 results about "Cipher suite" patented technology

A method and apparatus are disclosed for providing data from a service to a client based on the encryption capabilities of the client. Cipher suite lists are exchanged between a client and an endpoint. On the endpoint, the cipher suite list incorporates a mapping of cipher suite names to services. The endpoint uses the client's list of cipher suites in conjunction with the mapping of cipher suite names to services to determine a cipher suite match. A service is selected based on the cipher suite match. A server farm is selected based on the service. The client is informed of this cipher suite match and the endpoint retains knowledge of the cipher suite match throughout the session. Therefore, the encrypted connection between the client and the endpoint can be disconnected and later reestablished to provide data from the particular server.

The invention relates to the technical field of network safety and provides a transport layer security (TLS) channel constructing method based on a cryptographic algorithm. The TLS channel constructing method includes steps that: a server side launches a request and a client side respond to a hello message, or the client side launches the hello message; the server side responds to the hello message of the server side; the server side transmits an SM2 certificate to the server side and then transmits a hello completing message; the client side receives the hello completing message and then transmits a secret key exchange message; the client side transmits a cipher suite change message and a finishing message, and the server side transmits the cipher suite change message and the finishing message after receiving the finishing message of the client side; and the server side and the client side perform data safe transmission according to the agreed safety parameters after receiving the finishing messages of each other and passing verification. According to the TLS channel constructing method, the cryptographic algorithm is blended into a TLS protocol to perform safety communication, the signature speed is obviously superior to that of a remote signaling alarm (RSA) algorithm by aid of short secret key length, and the TLS channel constructing method is a data safety method with the 2048-bit safety level of the RSA algorithm.

A method for a secure handshake protocol between A and B, connected by a slow channel is provided in which A sends a first message indicating a set of cipher suites with parameters, and its identifier and B selects a cipher suite, obtains A's certificate over a fast connection, verifies A's certificate and obtains A's public key. Next B sends a second message comprising B's certificate, and an indication that B has verified A's certificate, and an indication about the selected cipher suite. A begins to use the selected cipher suite, verifies B's certificate and obtains B's public key. Next A sends a third message indicating that A has verified B's certificate.

The invention refers to a handshake method and a handshake system based on a datagram secure transmission protocol. The handshake method comprises: sending a client greeting message to the server by the client, wherein the client greeting message contains a list of all domestic commercial cipher suites supported by the client; receiving and determining whether the client greeting message carries astateless message authentication code by the server: if so, calculating to obtain a message authentication code by using a domestic hash algorithm, and comparing with the message authentication codecarried by the client greeting message to authenticate the client; sending a server greeting message to the client after the authentication, and informing the client of the domestic commercial ciphersuite selected by the client; and replacing the key specification according to the selected domestic commercial cipher suite by the client and the server, thereby establishing a data transmission link. The invention is capable of meeting the requirement of self-controllable information security in China and fully utilizing the unique advantages of the domestic encryption algorithm, and is compatible with the original DTLS protocol, and convenient for horizontal expansion.

The invention discloses a TLS handshake protocol for an identity-based cryptosystem, and in particular relates to the field of basic communication of trusted security networks. The problems of high delay, high calculation amount and the like due to finding, transferring, verifying and the like of a certificate in a TLS handshake process in the traditional PKI system can be solved by defining a new ciphersuite; and the handshake protocol performance is improved while the security is ensured. The handshake protocol comprises the following steps of: (1), establishing the identity-based cryptosystem, and distributing secret keys; and (2), handshaking to negotiate a security parameter. The TLS handshake protocol disclosed by the invention has the advantages that: the certificate is unnecessary to send and verify, such that the network flow and the memory are saved; authentication and secret key negotiation are completed simultaneously; the number of messages is reduced; the network delay is reduced while the high security is ensured; and the TLS handshake protocol is perfectly compatible with a TLS by newly increasing a selective ciphersuite and an expansion option.

The invention discloses a secure socket layer protocol extension method supporting a domestic cipher algorithm. The secure socket layer protocol extension method comprises the following steps: adding a cipher suite supporting the domestic cipher algorithm into a secure socket layer extended source code of the secure socket layer protocol; setting corresponding parameters and alias for the cipher suite; establishing an algorithm provider for implementing the domestic cipher algorithm; establishing a corresponding relationship between the alias of the cipher suite and an implementation class of the algorithm provider. According to the secure socket layer protocol extension method provided by the invention, an operating mechanism of the SSL (secure socket layer) protocol is not changed and extra security problems are not caused; after adoption of the cipher suite supporting the domestic cipher algorithm, the domestic cipher algorithm can be used during handshake and interaction of the SSL, so that the safety performance of online banking is enhanced, and thus the secure socket layer protocol extension method has an important significance in autonomy and the product security of an online banking application system and the security of a whole system.

The invention provides a bidirectional authentication method and a communication system. The bidirectional authentication method comprises the following steps: a client sending a first request messageto a server; wherein the first request message is used for requesting a certificate and a password suite of the server; the server sending a first response message to the client; wherein the first response message comprises a certificate, a password suite and a first random number of the server; the client verifying the certificate of the server, selecting a target encryption algorithm in the password suite after the certificate passes the verification, and sending the target encryption algorithm and a second random number to the server; the server signing the target encryption algorithm andthe second random number, and sending signed signature data to the client; the client performing signature verification on the signature data to complete bidirectional authentication; wherein the first random number and the second random number are used for generating a key. The communication efficiency is improved.

The invention provides an identity authentication method realizing a dynamic password encryption mode. The technical scheme comprises the following steps of: I, registering a new user, generating a mask picture M of the new user, and storing the other information and the mask picture M of the new user in a database as the registration information of the new user; II, authenticating the legal identity of the user; if the identity of any user needs authentication, executing the following steps: (1) generating a random cipher; (2) generating a cipher picture; (3) generating a cipher sub-picture;and (4) entering passwords to prove whether the user to be authenticated is a registered user. The invention has the beneficial effects that dynamic passwords can be realized, the decryption mode is simple, and the security is high. In spite of dynamic passwords, cipher transfer is not involved in the authentication process, thus the security is further improved.

The invention provides a negotiation method for a cryptographic algorithm of data transport services in a distribution network. The negotiation method is characterized by comprising a service security label, an algorithm security label and two matching modes, wherein the negotiation process of the cryptographic algorithm between network nodes in the distribution network completely refers to the service security label of the current data transport service. The negotiation method avoids the problem of weak cipher suite matching security caused by the client cryptographic algorithm priority in the traditional network security protocol. The two matching modes not only consider the quick matching requirement of novel distribution equipment, but also consider the compatibility matching requirement of old equipment, thereby effectively solving the problem of transition from the cryptographic algorithm to national cryptographic algorithm standards in the distribution network.

The embodiment of the invention discloses a configuration method and a device of a cipher suite. The configuration method of a cipher suite comprises the steps: obtaining a preset cipher suite list, wherein the cipher suite list comprises a region code list item, and one cipher suite is uniquely determined by a suite serial number and a region code together; configuring the region code, and selecting the cipher suite corresponding to the region code according to the region code in the cipher suite list. The embodiment selects the cipher suite corresponding to the region code according to the configured region code in the obtained cipher suite list so as to realize the selection of the cipher suite according to the region code, solves the problem that the cipher suite of equipment in different regions can conflict with each other, and increases the flexibility of the equipment.

An apparatus for an integrated dynamic encryption and/or decryption for use in an application includes a policy filter, a policy filter module coupled to said policy filter, a service module coupled to said policy filter, and a cryptographic module, where the apparatus retrieves the cryptographic module and configures the policy filter in accordance with the cryptographic module and the policy filter module performs a plurality of verification upon the cryptographic module, and further where the service module is configured to generate a plurality of cipher suites and the policy filter is configured to filter the plurality of cipher suites in accordance with a predetermined policy filter parameters to generate a plurality of filtered cipher suites.

Moreover, an apparatus for an integrated dynamic encryption and/or decryption for use in an application includes storage means for storing a plurality of predetermined attributes and corresponding values, and a digital signature, a controller for controlling selective retrieval of said plurality of attributes and values, and said digital signature from said storage means, processing means for selectively processing said plurality of predetermined attributes and values, and said digital signature and in accordance thereto, providing a supportable encryption and/or decryption level to said application, compression means for compressing said plurality of attributes and values and in accordance thereto generating a compressed plurality of attributes and values for storing in said storage means, and decompressing means for decompressing said compressed plurality of attributes and values in accordance to said controller retrieving said compressed plurality of attributes and values.