
CN115529129B - Encrypted communication method, system, computer device, readable storage medium, and program product - Google Patents


Info

Publication number: CN115529129B
Application number: CN202211197467.0A
Authority: CN (China)
Prior art keywords: server, client, key, negotiation information, target
Legal status: Active
Other languages: Chinese (zh)
Other versions: CN115529129A
Inventor: 杨路江
Current assignee: Shanghai Pudong Development Bank Co Ltd
Original assignee: Shanghai Pudong Development Bank Co Ltd

Events
    • Application filed by Shanghai Pudong Development Bank Co Ltd
    • Priority to CN202211197467.0A
    • Publication of CN115529129A
    • Application granted
    • Publication of CN115529129B
    • Legal status: Active
    • Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816 Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0838 Key agreement, i.e. key establishment technique in which a shared key is derived by parties as a function of information contributed by, or associated with, each of these
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/0442 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply asymmetric encryption, i.e. different keys for encryption and decryption
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3247 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3263 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer And Data Communications (AREA)

Abstract

The present application relates to an encrypted communication method, apparatus, computer device, storage medium and computer program product. The encryption communication method comprises the following steps: receiving an encrypted communication request sent by a client; selecting a supported target cipher suite from the initial cipher suites, and generating server-side key negotiation information; the target cipher suite and the server-side key negotiation information are sent to the client-side, and are used for indicating the client-side and the server-side to carry out key negotiation to obtain a target key; and carrying out encrypted communication with the client through the target key. By adopting the method, the server can provide a plurality of server public keys for the client, the client can randomly generate the client public keys to carry out key negotiation, and randomly select a key exchange algorithm to process one of the server public keys, so that the randomness of the key generation process is improved, the difficulty of cracking the target key which is finally used is greatly increased, and the information security is ensured.

Description

Encrypted communication method, system, computer device, readable storage medium, and program product
Technical Field
The present application relates to the field of network encryption communication technology, and in particular, to an encryption communication method, apparatus, computer device, storage medium, and computer program product.
Background
With the rapid popularization of the internet, the importance of communication security is increasing. Currently, most encrypted communications employ TLS/SSL communication protocols that are capable of providing data integrity protection, data confidentiality protection, and identity authentication functions for data communications.
However, the existing method for carrying out encrypted communication by adopting the TLS/SSL communication protocol has low security, and an unauthorized third party can easily steal a secret key when a client communicates with a server, so that the server is illegally accessed, data stored by the server are cracked, the data security of a user is threatened, and the security performance of a secure transmission service and a remote access service is reduced.
Disclosure of Invention
In view of the foregoing, it is desirable to provide an encrypted communication method, apparatus, computer device, storage medium, and computer program product that can improve the security of encrypted communication.
In a first aspect, the present application provides an encrypted communication method, applied to a server, including:
Receiving an encrypted communication request sent by a client, wherein the encrypted communication request carries an initial cipher suite;
selecting a supported target cipher suite from the initial cipher suites, and generating server-side key negotiation information; the server key negotiation information carries at least one encryption certificate;
The target cipher suite and the server-side key negotiation information are sent to the client-side, and the target cipher suite and the server-side key negotiation information are used for indicating the client-side to carry out key negotiation with the server-side to obtain a target key;
and carrying out encrypted communication with the client through the target key.
In one embodiment, the sending the target cipher suite and the server-side key negotiation information to the client, where the target cipher suite and the server-side key negotiation information are used to instruct the client to perform key negotiation with the server-side to obtain a target key, includes:
The target cipher suite and the server-side key negotiation information are sent to the client, the target cipher suite and the server-side key negotiation information are used for indicating the client to determine at least one encryption certificate and signature information from the server-side key negotiation information, verify the server-side key negotiation information based on the signature information, determine a server-side public key based on any encryption certificate, generate client-side key negotiation information based on the server-side public key and the client-side public key, and send the client-side key negotiation information to the server-side;
receiving the client key negotiation information sent by a client;
and obtaining the client public key according to the client key negotiation information, and determining the target key according to the client public key.
In one embodiment, the obtaining the client public key according to the client key negotiation information, and determining the target key according to the client public key, includes:
and decrypting the client key negotiation information according to at least one server private key corresponding to the encryption certificate to obtain the client public key, and determining the target key according to the client public key.
In a second aspect, the present application further provides an encrypted communication method, applied to a client, including:
Sending an encrypted communication request to a server, wherein the encrypted communication request carries an initial cipher suite;
Receiving a target cipher suite and server key negotiation information sent by the server, and performing key negotiation with the server according to the server key negotiation information and the target cipher suite to obtain a target key; the target cipher suite is one of the initial cipher suites selected by the server, and the server key negotiation information carries at least one encryption certificate;
And carrying out encrypted communication with the server through the target key.
In one embodiment, the performing key negotiation with the server according to the server key negotiation information and the target cipher suite to obtain a target key includes:
Determining the target key according to the server key negotiation information and the target cipher suite, generating client key negotiation information according to the server key negotiation information and a client public key, and sending the client key negotiation information to the server, wherein the client key negotiation information is used for indicating the server to decrypt the client key negotiation information according to at least one server private key corresponding to the encryption certificate, obtaining the client public key, and determining the target key according to the client public key; the client public key is randomly generated for the client.
In one embodiment, the generating the client key negotiation information according to the server key negotiation information and the client public key includes:
determining at least one encryption certificate and signature information according to the server key negotiation information;
Verifying the server key negotiation information based on the signature information;
And determining a server public key based on any one encryption certificate, and generating the client key negotiation information based on the server public key and the client public key.
In a third aspect, the present application also provides an encrypted communication system, including a server and a client;
The server is used for:
Receiving an encrypted communication request sent by the client, wherein the encrypted communication request carries an initial cipher suite;
selecting a supported target cipher suite from the initial cipher suites, and generating server-side key negotiation information; the server key negotiation information carries at least one encryption certificate;
The target cipher suite and the server-side key negotiation information are sent to the client-side, and the target cipher suite and the server-side key negotiation information are used for indicating the client-side to carry out key negotiation with the server-side to obtain a target key;
Receiving client key negotiation information sent by the client, and negotiating with the server according to the client key negotiation information to obtain the target key;
carrying out encrypted communication with the client through the target key;
The client is used for:
Sending the encrypted communication request to the server, wherein the encrypted communication request carries an initial cipher suite;
receiving a target cipher suite and server key negotiation information sent by the server, and performing key negotiation with the server according to the server key negotiation information and the target cipher suite to obtain a target key;
Carrying out encrypted communication with the server through the target key;
Generating client key negotiation information according to the server key negotiation information and the client public key, and sending the client key negotiation information to the server, wherein the client key negotiation information is used for indicating the server to negotiate with the client to generate a target key.
In a fourth aspect, the present application also provides a computer device. The computer device includes a memory storing a computer program and a processor implementing the encrypted communication method according to any one of the above embodiments when the processor executes the computer program.
In a fifth aspect, the present application also provides a computer-readable storage medium. The computer-readable storage medium has stored thereon a computer program which, when executed by a processor, implements the encrypted communication method according to any one of the above embodiments.
In a sixth aspect, the present application also provides a computer program product. The computer program product comprises a computer program which, when executed by a processor, implements the encrypted communication method according to any one of the embodiments described above.
According to the encrypted communication method, apparatus, computer device, storage medium and computer program product above, the server can provide a plurality of server public keys to the client, and the client can randomly generate one client public key and randomly select a key exchange algorithm to process one of the server public keys for key negotiation. This improves the randomness of the key generation process and greatly increases the difficulty of cracking the target key that is finally used, so that the target key obtained by the final negotiation is more secure and not easily cracked by a third party; the security of encrypted communication is therefore greatly improved, and information security is ensured.
Drawings
FIG. 1 is an application environment diagram of an encrypted communication method in one embodiment;
FIG. 2 is a flow chart of a method of encrypted communication in a first embodiment;
FIG. 3 is a flow chart of a method of encrypted communication in a second embodiment;
FIG. 4 is a flow chart of a method of encrypted communication in a third embodiment;
fig. 5 is a flow chart of an encrypted communication method in a fourth embodiment;
fig. 6 is a flow chart of an encrypted communication method in a fifth embodiment;
FIG. 7 is a flow diagram of an encrypted communication system in one embodiment;
fig. 8 is an internal structural diagram of a computer device in one embodiment.
Detailed Description
The present application will be described in further detail with reference to the drawings and examples, in order to make the objects, technical solutions and advantages of the present application more apparent. It should be understood that the specific embodiments described herein are for purposes of illustration only and are not intended to limit the scope of the application.
The encryption communication method provided by the embodiment of the application can be applied to an application environment shown in figure 1. Wherein the client 104 communicates with the server 102 over a network. The data storage system may store data that the server 102 needs to process.
The server 102 receives an encrypted communication request sent by the client 104, wherein the encrypted communication request carries an initial cipher suite; the server 102 selects a supported target cipher suite from the initial cipher suites and generates server key negotiation information; the server key negotiation information carries at least one encryption certificate; the server 102 sends the target cipher suite and the server key negotiation information to the client 104, where the target cipher suite and the server key negotiation information are used to instruct the client 104 to perform key negotiation with the server 102 to obtain a target key; client 104 communicates with server 102 in encrypted form with the target key. The client 104 may be, but not limited to, various personal computers, notebook computers, smart phones, tablet computers, internet of things devices and portable wearable devices, where the internet of things devices may be smart speakers, smart televisions, smart air conditioners, smart vehicle devices, and the like. The portable wearable device may be a smart watch, smart bracelet, headset, or the like. The server 102 may be implemented as a stand-alone server or as a server cluster formed by a plurality of servers. The client 104 and the server 102 may be connected directly or indirectly through wired or wireless communication, such as through a network connection.
For another example, the encryption communication method is applied to the client 104, and the client 104 sends an encryption communication request to the server 102, where the encryption communication request carries an initial cipher suite; the client 104 receives the target cipher suite and the server key negotiation information sent by the server 102, and performs key negotiation with the server 102 according to the server key negotiation information and the target cipher suite to obtain a target key; the target cipher suite is one initial cipher suite selected by the server, and the server key negotiation information carries at least one encryption certificate; client 104 communicates with server 102 in encrypted form with the target key. It will be appreciated that the memory may be a separate storage device or it may be located on a server or it may be located on another terminal.
In one embodiment, an encryption communication method is provided, and this embodiment is illustrated by applying the encryption communication method to the server 102. As shown in fig. 2, the encryption communication method includes:
Step 202, an encrypted communication request sent by a client is received, where the encrypted communication request carries an initial cipher suite.
The encrypted communication request may be a request sent by the client 104 to perform data encrypted communication with the server 102; for example, the encrypted communication request may be a handshake authentication request based on the Secure Sockets Layer (SSL) protocol, in which case the connection mode corresponding to the encrypted communication request is an SSL connection.
The initial cipher suite is a plurality of cipher suites supported by the client 104. The initial cipher suite may be a cipher suite that supports a cryptographic algorithm. The initial cipher suite may include national commercial asymmetric cipher algorithms, various key exchange algorithms, digest algorithms, and foreign standard symmetric cipher algorithms.
In this embodiment, the server 102 receives a request for performing data encryption communication sent by the client 104, and obtains all the cipher suites supported by the client 104 at the same time.
Step 204, selecting a supported target cipher suite from the initial cipher suites, and generating server-side key negotiation information; the server key negotiation information carries at least one encryption certificate.
The target cipher suite refers to one cipher suite selected by the server 102 from all initial cipher suites supported by the client 104, and the server 102 supports the target cipher suite.
The encryption certificate is a digital authentication identifier issued by the certificate issuing authority for identifying the identity of the server 102. Each encryption certificate includes an encrypted public-private key pair, and the public-private key pair uniquely identifies the server 102 and binds with the identity information of the server 102. It may be understood that the server key negotiation information carries at least one server public key corresponding to the server 102.
The server key negotiation information refers to a data packet containing at least one encryption certificate, and it can also be understood that the server key negotiation information refers to a data packet containing at least one server public key.
As an example, the server public key may be a server public key required by the ECC key exchange algorithm, or may be a server public key required by the DH key exchange algorithm.
In this embodiment, the server 102 selects one of all the cipher suites supported by the client 104 as the target cipher suite, and generates server key negotiation information that includes one or more encryption certificates, which together carry at least one server public key corresponding to the server 102.
And 206, transmitting the target cipher suite and the server-side key negotiation information to the client, wherein the target cipher suite and the server-side key negotiation information are used for indicating the client to carry out key negotiation with the server-side to obtain a target key.
Key agreement refers to two or more communicating parties negotiating to establish a session key together.
The target key refers to a session key established by the server 102 and the client 104.
As an example, the server 102 may generate server key negotiation information from an encryption certificate containing a server public key required by the ECC key exchange algorithm and an encryption certificate containing a server public key required by the DH key exchange algorithm. After receiving the server key negotiation information, the client 104 randomly selects the server public key corresponding to one of the encryption certificates. When it selects the encryption certificate containing the server public key required by the ECC key exchange algorithm, the client 104 uses any suitable ECC key exchange algorithm to perform key negotiation with the server 102; when it selects the encryption certificate containing the server public key required by the DH key exchange algorithm, the client 104 uses the DH key exchange algorithm to perform key negotiation with the server 102.
In this embodiment, the server 102 sends the supported target cipher suite and the server key negotiation information including at least one server public key to the client 104, and the server 102 and the client 104 determine the target key after negotiating according to the target cipher suite and the at least one server public key supported by the server 102, so as to perform the encryption session.
Step 208, the target key is used for carrying out encrypted communication with the client.
In this embodiment, the server 102 and the client 104 perform the encryption session through the target key acquired after negotiation.
In the above encryption communication method, the server 102 receives an encryption communication request from the client 104, selects a supported cipher suite from a plurality of initial cipher suites supported by the client 104 as a target cipher suite, and sends the client 104 with the target cipher suite and the server key negotiation information carrying at least one encryption certificate, so that the client 104 can use the target cipher suite and the server public key corresponding to any encryption certificate to perform key negotiation with the server 102 to obtain the target key, and the server 102 uses the target key and the client 104 to perform an encryption session. Through the arrangement, the server 102 can provide a plurality of server public keys for the client 104, the client 104 can randomly select one server public key to carry out key negotiation, randomness of a key generation process is improved, and the target key obtained by final negotiation is higher in security and is not easy to crack by a third party.
As shown in fig. 3, in some alternative embodiments, step 206 includes:
Step 2062, transmitting the target cipher suite and the server-side key negotiation information to the client, where the target cipher suite and the server-side key negotiation information are used to instruct the client to determine at least one encryption certificate and signature information from the server-side key negotiation information, verify the server-side key negotiation information based on the signature information, determine a server-side public key based on any encryption certificate, generate client-side key negotiation information based on the server-side public key and the client-side public key, and transmit the client-side key negotiation information to the server.
Step 2064, receiving client key negotiation information sent by the client.
Step 2066, obtaining the client public key according to the client key negotiation information, and determining the target key according to the client public key.
The signature information may be a signature certificate of the server 102, which is used to sign and encrypt the information of the server 102, so as to ensure validity and non-repudiation of the information sent by the server 102. After receiving the target cipher suite and the server-side key negotiation information, the client 104 verifies the signature information by adopting the signature public key of the server-side 102 according to the signature information of the server-side 102, if the verification is passed, further randomly selects an encryption certificate, extracts the server-side public key corresponding to the selected encryption certificate to encrypt the client-side public key, and generates the client-side key negotiation information.
The client key negotiation information refers to a data packet containing a client public key encrypted by a server public key.
Further, the server 102 receives the client key negotiation information sent by the client 104, obtains the client public key from the client key negotiation information, and determines the target key of the server 102 according to the client public key.
In this embodiment, the server 102 sends the target cipher suite and the server key negotiation information to the client 104, so that the client 104 can determine a server public key according to at least one encryption certificate included in the target cipher suite and the server key negotiation information, encrypt the client public key with the determined server public key, generate client key negotiation information, and send the client key negotiation information to the server 102; the server 102 then obtains the client public key from the client key negotiation information and determines the target key of the server 102 according to the client public key. By this arrangement, the server 102 can complete key negotiation with the client 104 to acquire the target key for encrypted communication, so that the security of data transmission is enhanced, and the possibility of data theft or data loss caused by a third party cracking the target key is reduced.
In some alternative embodiments, step 2066 includes:
And decrypting the client key negotiation information according to the server private key corresponding to the at least one encryption certificate to obtain a client public key, and determining a target key according to the client public key.
Specifically, the server 102 may obtain the server private keys corresponding to all the encryption certificates included in the server key negotiation information, and sequentially decrypt the client key negotiation information until the decryption is successful, obtain the client public key included in the client key negotiation information, and generate the target key according to the successfully decrypted server private key and the decrypted client public key.
In this embodiment, the server 102 decrypts the client key negotiation information by using its own server private key, thereby improving the security in the key negotiation process.
In one embodiment, an encrypted communication method is provided, and this embodiment is illustrated with the encrypted communication method applied to the client 104. As shown in fig. 4, the encryption communication method includes:
step 402, an encrypted communication request is sent to a server, where the encrypted communication request carries an initial cipher suite.
The encrypted communication request may be issued by the client 104 in accordance with the user's instructions.
The initial cipher suite is a plurality of cipher suites supported by the client 104. The initial cipher suite may be a cipher suite that supports a cryptographic algorithm. The initial cipher suite may include a national commercial asymmetric cipher algorithm, various key exchange protocols, a digest algorithm, and a foreign standard symmetric cipher algorithm.
As an example, the client 104 stores a supported cipher suite list in advance, where the cipher suite list includes a plurality of cipher suites, and in step 402, the client 104 extracts a preset number of cipher suites from the cipher suite list as initial cipher suites, and sends an encrypted communication request including the initial cipher suites to the server 102.
In this embodiment, the client 104, according to the instruction of the user, attaches a plurality of cipher suites that it supports to the encrypted communication request and sends the encrypted communication request to the server 102.
Step 404, receiving the target cipher suite and the server-side key negotiation information sent by the server-side, and performing key negotiation with the server-side according to the server-side key negotiation information and the target cipher suite to obtain a target key; the target cipher suite is one initial cipher suite selected by the server, and the server key negotiation information carries at least one encryption certificate.
In this embodiment, after receiving the target cipher suite and the server-side key negotiation information, the client 104 adopts the target cipher suite, and performs key negotiation with the server-side 102 according to the server-side key negotiation information to obtain the target key.
Step 406, carrying out encrypted communication with the server through the target key.
In this embodiment, the client 104 and the server 102 perform the encryption session through the target key acquired after negotiation.
In some alternative embodiments, step 404 includes:
Generating client key negotiation information according to the server key negotiation information and the client public key, and sending the client key negotiation information to the server, wherein the client key negotiation information is used for indicating the server to decrypt the client key negotiation information according to the server private key corresponding to at least one encryption certificate, so as to obtain the client public key, and determining a target key according to the client public key; the client public key is randomly generated for the client.
As an example, the client 104 randomly generates a random number as a client public key, and generates client key negotiation information according to the client public key and at least one server public key carried in the server key negotiation information.
In this embodiment, the client 104 randomly generates the client key and performs key negotiation with the server 102 using the server key negotiation information together with this randomly generated client key, so that the finally obtained target key has higher randomness and is harder to crack, which enhances the security of the encrypted communication between the client 104 and the server 102.
As shown in fig. 5, in some alternative embodiments, generating client key agreement information from the server key agreement information and the client public key includes:
Step 502, determining at least one encryption certificate and signature information according to the server-side key negotiation information.
Step 504, verifying the server-side key negotiation information based on the signature information.
Step 506, determining a server public key based on any encryption certificate, and generating client key negotiation information based on the server public key and the client public key.
The client 104 determines at least one encryption certificate and signature information carried by the server key agreement information from the server key agreement information, and further verifies the server key agreement information according to the signature information.
As an example, the client 104 verifies the signature information of the server 102, for example by using the signature public key of the server 102; if the verification is passed, it further randomly selects one encryption certificate of the server 102 and encrypts the randomly generated client public key with the server public key corresponding to the selected encryption certificate, thereby obtaining the client key negotiation information.
In one embodiment, after receiving the server key negotiation information, the client 104 first verifies the validity of the encryption certificate carried in the server key negotiation information, for example by checking the integrity of the encryption certificate and whether the domain name to be resolved is contained in the encryption certificate. If the verification fails, the server 102 and the client 104 are prompted that the key agreement has failed; if it succeeds, step 502 is continued.
In this embodiment, after authenticating the server 102 according to the signature information carried by the server key negotiation information, the client 104 randomly extracts an encryption certificate from the server key negotiation information, obtains a server public key corresponding to the encryption certificate, and encrypts the randomly generated client public key by using the server public key to obtain the client key negotiation information. By the arrangement, after the client 104 is ensured to receive the server key negotiation information from the server 102, the final client key negotiation information can be randomly generated, so that the difficulty of information cracking in the key negotiation process is improved, and the information safety is ensured.
As shown in fig. 6, in this embodiment, the encryption communication method includes:
Step 602, the client 104 sends an encrypted communication request to the server 102.
Step 604, the server 102 obtains the initial cipher suite supported by the client 104 from the encrypted communication request, and selects a target cipher suite from the initial cipher suite.
Step 606, the server 102 generates server key negotiation information according to the at least one encryption certificate, and sends the server key negotiation information and the target cipher suite to the client 104.
Step 608, the client 104 obtains the signature information from the server key negotiation information, verifies the signature information with the signature public key of the issuing authority corresponding to the signature information, and judges whether the verification is successful; if successful, proceed to step 610; if not, step 620 is performed.
Step 610, the client 104 selects a server public key required by the ECC key exchange algorithm from the server key negotiation information.
Step 612, the client 104 randomly generates at least one random number as a client public key together with a corresponding client private key, uses any appropriate ECC key exchange algorithm to generate the target key of the client according to the server public key and the client private key, and then encrypts the client public key with the server public key to obtain the client key negotiation information.
Step 614, client 104 sends client key agreement information to server 102.
Step 616, the server 102 obtains the server private keys corresponding to all the encrypted certificates, and sequentially decrypts the client key negotiation information until the client public key is obtained, and generates the target key of the server according to the client public key and the server private key successfully decrypted.
Step 618, client 104 and server 102 conduct encrypted communications using the target key.
Step 620, prompting the client 104 and the server 102 for a failure in key agreement.
In the above encryption communication method, the client 104 sends a plurality of cipher suites that it supports to the server 102 for selection. The server 102 then sends the selected cipher suite and at least one encryption certificate, each with a corresponding public-private key pair, to the client 104. The client 104 randomly selects the server public key corresponding to one encryption certificate, encrypts a randomly generated client public key with it, and sends the encrypted client public key to the server 102. The server 102 decrypts the client public key by trying the server private keys corresponding to all the encryption certificates, generates the target key of the server according to the successfully decrypted server private key and the decrypted client public key, and then uses the target key for encrypted communication with the client 104.
It should be understood that, although the steps in the flowcharts related to the embodiments described above are shown sequentially as indicated by the arrows, these steps are not necessarily performed in the order indicated by the arrows. Unless explicitly stated herein, the order of execution of the steps is not strictly limited, and the steps may be executed in other orders. Moreover, at least some of the steps in the flowcharts described in the above embodiments may include a plurality of sub-steps or stages, which are not necessarily performed at the same time but may be performed at different times, and whose order is not necessarily sequential: they may be performed in turn or alternately with at least some of the other steps or stages.
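The exchange of steps 606 to 620 above (and the client-side generation of steps 502 to 506), as an added Go example that is not part of the patent: `serverHello` publishes every encryption certificate's public key in one signed message, `clientRespond` verifies the signature or aborts, picks one certificate at random, derives the target key from its freshly generated key pair and that certificate, and sends its public key encrypted to the same certificate, and `serverFinish` tries every private key until the authenticated decryption succeeds. All names, the wire format and the primitives are assumptions: X25519 stands in for the ECC key exchange and for the public-key encryption with the certificate key, Ed25519 for the issuer signature and AES-GCM for the wrapping, an encryption certificate is reduced to a static key pair, and cipher-suite selection (steps 602 to 604) is left out.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"math/big"
)

// Assumed stand-ins (not from the patent): X25519 for the ECC key exchange and for the
// certificate public-key encryption, Ed25519 for the issuer signature, AES-256-GCM for
// the hybrid wrapping. An "encryption certificate" is reduced to a static X25519 key
// pair held by the server; crypto/rand read errors are ignored (Go 1.24+ rules them out).

// Constructed wire format of the client key negotiation information:
// ephemeral X25519 public key (32 bytes) || AES-GCM(client public key) (32 + 16-byte tag).
const ephLen, msgLen = 32, 32 + 32 + 16

func kdf(secret []byte, label string) []byte {
	sum := sha256.Sum256(append([]byte(label+"|"), secret...))
	return sum[:]
}

// gcm builds AES-256-GCM from a 32-byte kdf output, so the constructors cannot fail.
func gcm(key []byte) cipher.AEAD {
	block, _ := aes.NewCipher(key)
	aead, _ := cipher.NewGCM(block)
	return aead
}

// serverHello (step 606): the server key negotiation information is one public key per
// encryption certificate plus the server's signature over the whole list.
func serverHello(certs []*ecdh.PrivateKey, signKey ed25519.PrivateKey) (pubs [][]byte, sig []byte) {
	for _, c := range certs {
		pubs = append(pubs, c.PublicKey().Bytes())
	}
	return pubs, ed25519.Sign(signKey, bytes.Join(pubs, nil))
}

// clientRespond (steps 608-612): verify the signature or abort (step 620), pick one
// certificate at random, derive the target key from the client private key and that
// certificate's public key, and encrypt the client public key to the same certificate.
// The wrap key is fresh per message, so the GCM nonce can stay fixed at zero.
func clientRespond(pubs [][]byte, sig []byte, signPub ed25519.PublicKey) (msg, target []byte, err error) {
	if len(pubs) == 0 || !ed25519.Verify(signPub, bytes.Join(pubs, nil), sig) {
		return nil, nil, errors.New("key agreement failed: no certificate or bad signature")
	}
	curve := ecdh.X25519()
	idx, _ := rand.Int(rand.Reader, big.NewInt(int64(len(pubs))))
	certPub, err := curve.NewPublicKey(pubs[idx.Int64()])
	if err != nil {
		return nil, nil, err
	}
	clientPriv, _ := curve.GenerateKey(rand.Reader) // randomly generated client key pair
	eph, _ := curve.GenerateKey(rand.Reader)        // ephemeral key used only for the wrapping
	shared, err := clientPriv.ECDH(certPub)         // ECC key exchange of step 612
	wrap, err2 := eph.ECDH(certPub)
	if err != nil || err2 != nil {
		return nil, nil, errors.New("invalid server public key")
	}
	aead := gcm(kdf(wrap, "wrap"))
	sealed := aead.Seal(nil, make([]byte, aead.NonceSize()), clientPriv.PublicKey().Bytes(), nil)
	return append(eph.PublicKey().Bytes(), sealed...), kdf(shared, "target"), nil
}

// serverFinish (step 616): try every certificate's private key until the authenticated
// decryption succeeds (a wrong key fails the GCM tag check, so "success" is unambiguous),
// then derive the target key from that private key and the recovered client public key.
func serverFinish(certs []*ecdh.PrivateKey, msg []byte) ([]byte, error) {
	if len(msg) != msgLen {
		return nil, errors.New("malformed client key negotiation information")
	}
	ephPub, err := ecdh.X25519().NewPublicKey(msg[:ephLen])
	if err != nil {
		return nil, err
	}
	for _, c := range certs {
		wrap, err := c.ECDH(ephPub)
		if err != nil {
			return nil, err // low-order ephemeral point: reject the message outright
		}
		aead := gcm(kdf(wrap, "wrap"))
		pt, err := aead.Open(nil, make([]byte, aead.NonceSize()), msg[ephLen:], nil)
		if err != nil {
			continue // not the certificate the client picked
		}
		if clientPub, err := ecdh.X25519().NewPublicKey(pt); err == nil {
			if shared, err := c.ECDH(clientPub); err == nil {
				return kdf(shared, "target"), nil
			}
		}
		return nil, errors.New("decrypted client public key is invalid")
	}
	return nil, errors.New("key agreement failed: no certificate decrypts the message")
}
```

Because the wrapping is authenticated, a wrong private key is rejected by the tag instead of yielding garbage the server would have to recognise, which is what makes the "until decryption is successful" loop of step 616 well defined.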
Based on the same inventive concept, the embodiment of the application also provides an encryption communication device for realizing the above-mentioned encryption communication method. The implementation of the solution provided by the device is similar to the implementation described in the above method, so the specific limitation in the embodiments of one or more encryption communication devices provided below may be referred to the limitation of the encryption communication method hereinabove, and will not be repeated here.
In one embodiment, as shown in fig. 7, there is provided an encrypted communication system 700 comprising: a server 102 and a client 104, wherein:
The server 102 is configured to:
receiving an encrypted communication request sent by the client 104, wherein the encrypted communication request carries an initial cipher suite;
selecting a supported target cipher suite from the initial cipher suites, and generating server-side key negotiation information; the server key negotiation information carries at least one encryption certificate;
sending the target cipher suite and the server-side key negotiation information to the client 104, where the target cipher suite and the server-side key negotiation information are used for indicating the client 104 to carry out key negotiation with the server 102 to obtain a target key;
carrying out encrypted communication with the client 104 through the target key;
The client 104 is configured to:
sending an encrypted communication request to the server 102, wherein the encrypted communication request carries an initial cipher suite;
receiving the target cipher suite and the server key negotiation information sent by the server 102, and performing key negotiation with the server according to the server key negotiation information and the target cipher suite to obtain a target key;
carrying out encrypted communication with the server 102 through the target key.
In some alternative embodiments, the server 102 is further configured to:
sending the target cipher suite and the server-side key negotiation information to the client, where the target cipher suite and the server-side key negotiation information are used for indicating the client to determine at least one encryption certificate and signature information from the server-side key negotiation information, verify the server-side key negotiation information based on the signature information, determine a server-side public key based on any encryption certificate, generate client-side key negotiation information based on the server-side public key and the client-side public key, and send the client-side key negotiation information to the server;
Receiving client key negotiation information sent by a client;
and obtaining the client public key according to the client key negotiation information, and determining the target key according to the client public key.
In some alternative embodiments, the server 102 is further configured to:
And decrypting the client key negotiation information according to the server private key corresponding to the at least one encryption certificate to obtain a client public key, and determining a target key according to the client public key.
In some alternative embodiments, the client 104 is further configured to:
Generating client key negotiation information according to the server key negotiation information and the client public key, and sending the client key negotiation information to the server, wherein the client key negotiation information is used for indicating the server to decrypt the client key negotiation information according to the server private key corresponding to at least one encryption certificate, so as to obtain the client public key, and determining a target key according to the client public key; the client public key is randomly generated for the client.
In some alternative embodiments, the client 104 is further configured to:
determining at least one encryption certificate and signature information according to the server key negotiation information;
verifying server-side key negotiation information based on signature information;
and determining a server public key based on any encryption certificate, and generating client key negotiation information based on the server public key and the client public key.
In one embodiment, a computer device is provided, which may be a terminal, and the internal structure thereof may be as shown in fig. 8. The computer device includes a processor, a memory, an input/output interface, a communication interface, a display unit, and an input means. The processor, the memory and the input/output interface are connected through a system bus, and the communication interface, the display unit and the input device are connected to the system bus through the input/output interface. Wherein the processor of the computer device is configured to provide computing and control capabilities. The memory of the computer device includes a non-volatile storage medium and an internal memory. The non-volatile storage medium stores an operating system and a computer program. The internal memory provides an environment for the operation of the operating system and computer programs in the non-volatile storage media. The input/output interface of the computer device is used to exchange information between the processor and the external device. The communication interface of the computer device is used for carrying out wired or wireless communication with an external terminal, and the wireless mode can be realized through WIFI, a mobile cellular network, NFC (near field communication) or other technologies. The computer program is executed by a processor to implement an encrypted communication method. The display unit of the computer device is used for forming a visual picture, and can be a display screen, a projection device or a virtual reality imaging device. The display screen can be a liquid crystal display screen or an electronic ink display screen, and the input device of the computer equipment can be a touch layer covered on the display screen, can also be a key, a track ball or a touch pad arranged on the shell of the computer equipment, and can also be an external keyboard, a touch pad or a mouse and the like.
It will be appreciated by those skilled in the art that the structure shown in FIG. 8 is merely a block diagram of some of the structures associated with the present inventive arrangements and is not limiting of the computer device to which the present inventive arrangements may be applied, and that a particular computer device may include more or fewer components than shown, or may combine some of the components, or have a different arrangement of components.
In one embodiment, a computer readable storage medium is provided having a computer program stored thereon, which when executed by a processor, can implement the steps of:
receiving an encrypted communication request sent by a client, wherein the encrypted communication request carries an initial cipher suite;
selecting a supported target cipher suite from the initial cipher suites, and generating server-side key negotiation information; the server key negotiation information carries at least one encryption certificate;
The target cipher suite and the server-side key negotiation information are sent to the client-side, and are used for indicating the client-side and the server-side to carry out key negotiation to obtain a target key;
And carrying out encrypted communication with the client through the target key.
In some optional embodiments, the sending the target cipher suite and the server-side key negotiation information to the client, where the target cipher suite and the server-side key negotiation information are used to instruct the client to perform key negotiation with the server to obtain the target key includes:
sending the target cipher suite and the server-side key negotiation information to the client, where the target cipher suite and the server-side key negotiation information are used for indicating the client to determine at least one encryption certificate and signature information from the server-side key negotiation information, verify the server-side key negotiation information based on the signature information, determine a server-side public key based on any encryption certificate, generate client-side key negotiation information based on the server-side public key and the client-side public key, and send the client-side key negotiation information to the server;
Receiving client key negotiation information sent by a client;
and obtaining the client public key according to the client key negotiation information, and determining the target key according to the client public key.
In some alternative embodiments, obtaining the client public key from the client key negotiation information and determining the target key from the client public key includes:
And decrypting the client key negotiation information according to the server private key corresponding to the at least one encryption certificate to obtain a client public key, and determining a target key according to the client public key.
In one embodiment, a computer readable storage medium is provided having a computer program stored thereon, which when executed by a processor, can implement the steps of:
Sending an encrypted communication request to a server, wherein the encrypted communication request carries an initial cipher suite;
receiving target cipher suite and server key negotiation information sent by a server, and performing key negotiation with the server according to the server key negotiation information and the target cipher suite to obtain a target key; the target cipher suite is one initial cipher suite selected by the server, and the server key negotiation information carries at least one encryption certificate;
and carrying out encrypted communication with the server through the target key.
In some optional embodiments, performing key negotiation with the server according to the server key negotiation information and the target cipher suite to obtain the target key includes:
Generating client key negotiation information according to the server key negotiation information and the client public key, and sending the client key negotiation information to the server, wherein the client key negotiation information is used for indicating the server to decrypt the client key negotiation information according to the server private key corresponding to at least one encryption certificate, so as to obtain the client public key, and determining a target key according to the client public key; the client public key is randomly generated for the client.
In some alternative embodiments, generating client key agreement information from the server key agreement information and the client public key includes:
determining at least one encryption certificate and signature information according to the server key negotiation information;
verifying server-side key negotiation information based on signature information;
and determining a server public key based on any encryption certificate, and generating client key negotiation information based on the server public key and the client public key.
In one embodiment, a computer program product is provided comprising a computer program which, when executed by a processor, performs the steps of:
receiving an encrypted communication request sent by a client, wherein the encrypted communication request carries an initial cipher suite;
selecting a supported target cipher suite from the initial cipher suites, and generating server-side key negotiation information; the server key negotiation information carries at least one encryption certificate;
The target cipher suite and the server-side key negotiation information are sent to the client-side, and are used for indicating the client-side and the server-side to carry out key negotiation to obtain a target key;
And carrying out encrypted communication with the client through the target key.
In some optional embodiments, the sending the target cipher suite and the server-side key negotiation information to the client, where the target cipher suite and the server-side key negotiation information are used to instruct the client to perform key negotiation with the server to obtain the target key includes:
sending the target cipher suite and the server-side key negotiation information to the client, where the target cipher suite and the server-side key negotiation information are used for indicating the client to determine at least one encryption certificate and signature information from the server-side key negotiation information, verify the server-side key negotiation information based on the signature information, determine a server-side public key based on any encryption certificate, generate client-side key negotiation information based on the server-side public key and the client-side public key, and send the client-side key negotiation information to the server;
Receiving client key negotiation information sent by a client;
and obtaining the client public key according to the client key negotiation information, and determining the target key according to the client public key.
In some alternative embodiments, obtaining the client public key from the client key negotiation information and determining the target key from the client public key includes:
And decrypting the client key negotiation information according to the server private key corresponding to the at least one encryption certificate to obtain a client public key, and determining a target key according to the client public key.
In one embodiment, a computer program product is provided comprising a computer program which, when executed by a processor, performs the steps of:
Sending an encrypted communication request to a server, wherein the encrypted communication request carries an initial cipher suite;
receiving target cipher suite and server key negotiation information sent by a server, and performing key negotiation with the server according to the server key negotiation information and the target cipher suite to obtain a target key; the target cipher suite is one initial cipher suite selected by the server, and the server key negotiation information carries at least one encryption certificate;
and carrying out encrypted communication with the server through the target key.
In some optional embodiments, performing key negotiation with the server according to the server key negotiation information and the target cipher suite to obtain the target key includes:
Generating client key negotiation information according to the server key negotiation information and the client public key, and sending the client key negotiation information to the server, wherein the client key negotiation information is used for indicating the server to decrypt the client key negotiation information according to the server private key corresponding to at least one encryption certificate, so as to obtain the client public key, and determining a target key according to the client public key; the client public key is randomly generated for the client.
In some alternative embodiments, generating client key agreement information from the server key agreement information and the client public key includes:
determining at least one encryption certificate and signature information according to the server key negotiation information;
verifying server-side key negotiation information based on signature information;
and determining a server public key based on any encryption certificate, and generating client key negotiation information based on the server public key and the client public key.
Those skilled in the art will appreciate that implementing all or part of the above described methods may be accomplished by way of a computer program stored on a non-transitory computer readable storage medium, which when executed may comprise the steps of the embodiments of the methods described above. Any reference to memory, database, or other medium used in embodiments provided herein may include at least one of non-volatile and volatile memory. The non-volatile memory may include read-only memory (ROM), magnetic tape, floppy disk, flash memory, optical memory, high-density embedded non-volatile memory, resistive random access memory (ReRAM), magneto-resistive random access memory (Magnetoresistive Random Access Memory, MRAM), ferroelectric memory (Ferroelectric Random Access Memory, FRAM), phase change memory (Phase Change Memory, PCM), graphene memory, and the like. Volatile memory can include random access memory (Random Access Memory, RAM) or external cache memory, and the like. By way of illustration, and not limitation, RAM can take various forms such as static random access memory (Static Random Access Memory, SRAM) or dynamic random access memory (Dynamic Random Access Memory, DRAM). The databases referred to in the embodiments provided herein may include at least one of a relational database and a non-relational database. The non-relational database may include, but is not limited to, a blockchain-based distributed database, and the like. The processor referred to in the embodiments provided in the present application may be a general-purpose processor, a central processing unit, a graphics processor, a digital signal processor, a programmable logic unit, a data processing logic unit based on quantum computing, or the like, but is not limited thereto.
The technical features of the above embodiments may be arbitrarily combined, and all possible combinations of the technical features in the above embodiments are not described for brevity of description, however, as long as there is no contradiction between the combinations of the technical features, they should be considered as the scope of the description.
The foregoing examples illustrate only a few embodiments of the application and are described in detail herein without thereby limiting the scope of the application. It should be noted that it will be apparent to those skilled in the art that several variations and modifications can be made without departing from the spirit of the application, which are all within the scope of the application. Accordingly, the scope of the application should be assessed as that of the appended claims.

Claims (10)

1. An encrypted communication method, applied to a server, comprising:
Receiving an encrypted communication request sent by a client, wherein the encrypted communication request carries an initial cipher suite;
Selecting a supported target cipher suite from the initial cipher suites, and generating server-side key negotiation information; the server key negotiation information carries a plurality of encryption certificates;
The target cipher suite and the server-side key negotiation information are sent to the client-side, and the target cipher suite and the server-side key negotiation information are used for indicating the client-side to carry out key negotiation with the server-side to obtain a target key;
carrying out encrypted communication with the client through the target key;
The sending the target cipher suite and the server-side key negotiation information to the client, where the target cipher suite and the server-side key negotiation information are used to instruct the client to perform key negotiation with the server-side to obtain a target key, and the method includes:
The target cipher suite and the server-side key negotiation information are sent to the client, the target cipher suite and the server-side key negotiation information are used for indicating the client to determine a plurality of encryption certificates and signature information from the server-side key negotiation information, the server-side key negotiation information is verified based on the signature information, if verification is passed, one encryption certificate and the target cipher suite are selected randomly, a server-side public key is determined based on the selected encryption certificates, client-side key negotiation information is generated based on the target cipher suite, the server-side public key and the client-side public key, and the client-side key negotiation information is sent to the server-side;
receiving the client key negotiation information sent by a client;
and obtaining the client public key according to the client key negotiation information, and determining the target key according to the client public key.
2. The method of claim 1, wherein the obtaining the client public key according to the client key negotiation information and determining the target key according to the client public key comprise:
and decrypting the client key negotiation information according to the server private keys corresponding to the plurality of encryption certificates to obtain the client public key, and determining the target key according to the client public key.
3. An encrypted communication method, applied to a client, comprising:
Sending an encrypted communication request to a server, wherein the encrypted communication request carries an initial cipher suite;
Receiving target cipher suite and server key negotiation information sent by the server, and performing key negotiation with the server according to the server key negotiation information and the target cipher suite to obtain a target key, wherein the method comprises the following steps: determining a plurality of encryption certificates and signature information from the server key negotiation information, verifying the server key negotiation information based on the signature information, randomly selecting one encryption certificate and the target cipher suite if verification is passed, determining a server public key based on the selected encryption certificate, generating client key negotiation information based on the target cipher suite, the server public key and a client public key, and transmitting the client key negotiation information to the server; the client key negotiation information is used for indicating the server to obtain the client public key according to the client key negotiation information and determining the target key according to the client public key; the target cipher suite is one of the initial cipher suites selected by the server, and the server key negotiation information carries a plurality of encryption certificates;
And carrying out encrypted communication with the server through the target key.
4. The method of claim 3, wherein the client key negotiation information is used for indicating the server to decrypt the client key negotiation information according to server private keys corresponding to the encryption certificates to obtain the client public key, and determining the target key according to the client public key; the client public key is randomly generated for the client.
5. An encrypted communication system is characterized by comprising a server and a client;
The server is used for:
Receiving an encrypted communication request sent by the client, wherein the encrypted communication request carries an initial cipher suite;
Selecting a supported target cipher suite from the initial cipher suites, and generating server-side key negotiation information; the server key negotiation information carries a plurality of encryption certificates;
The target cipher suite and the server-side key negotiation information are sent to the client-side, and the target cipher suite and the server-side key negotiation information are used for indicating the client-side to carry out key negotiation with the server-side to obtain a target key;
Receiving client key negotiation information sent by the client, and negotiating with the server according to the client key negotiation information to obtain the target key;
carrying out encrypted communication with the client through the target key;
The client is used for:
Sending the encrypted communication request to a server, wherein the encrypted communication request carries an initial cipher suite;
receiving target cipher suite and server key negotiation information sent by the server, and performing key negotiation with the server according to the server key negotiation information and the target cipher suite to obtain a target key;
Carrying out encrypted communication with the server through the target key;
generating client key negotiation information according to the server key negotiation information and the client public key, and sending the client key negotiation information to the server, wherein the client key negotiation information is used for indicating the server to negotiate with the client to generate a target key;
The sending the target cipher suite and the server-side key negotiation information to the client, where the target cipher suite and the server-side key negotiation information are used to instruct the client to perform key negotiation with the server-side to obtain a target key, includes:
The target cipher suite and the server-side key negotiation information are sent to the client, the target cipher suite and the server-side key negotiation information are used for indicating the client to determine a plurality of encryption certificates and signature information from the server-side key negotiation information, the server-side key negotiation information is verified based on the signature information, if verification is passed, one encryption certificate and the target cipher suite are selected randomly, a server-side public key is determined based on the selected encryption certificates, client-side key negotiation information is generated based on the target cipher suite, the server-side public key and the client-side public key, and the client-side key negotiation information is sent to the server-side;
receiving the client key negotiation information sent by a client;
and obtaining the client public key according to the client key negotiation information, and determining the target key according to the client public key.
6. The system of claim 5, wherein the obtaining the client public key from the client key negotiation information and determining the target key from the client public key comprises:
and decrypting the client key negotiation information according to the server private keys corresponding to the plurality of encryption certificates to obtain the client public key, and determining the target key according to the client public key.
7. The system of claim 5, wherein the server-side key agreement information includes a plurality of encryption certificates.
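The exchange that claims 3 to 7 describe, modelled end to end as an added example; this is not code from the patent or its assignee. Textbook RSA with a 512-bit modulus and no padding stands in for the encryption certificates' key pairs and for the signing certificate, an HMAC-based KDF stands in for the selected cipher suite's key derivation, and the suite names SUITE_A/B/C, the 32-byte randomly generated client key share and the confirmation tag are constructed assumptions. The point the claims leave implicit is in Server.finish: the client's certificate choice is never signalled, so the server has to try the private key of every encryption certificate and needs some way to recognise the correct plaintext; here a constructed HMAC tag does that, while with a padded scheme such as RSA-OAEP the decoding failure itself would reject the wrong keys.

```python
import hashlib, hmac, json, secrets  # Python >= 3.8 for pow(e, -1, phi)

# Textbook RSA with a 512-bit modulus and no padding: it only models the certificate key
# pairs and the signing certificate of the claims, it is not a production primitive.
def _is_probable_prime(n: int, rounds: int = 24) -> bool:
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):                       # Miller-Rabin witnesses
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _gen_prime(bits: int) -> int:
    while True:
        c = secrets.randbits(bits) | (1 << (bits - 1)) | 1   # top bit set, odd
        if _is_probable_prime(c):
            return c

def rsa_keygen(bits: int = 512):
    e = 65537
    while True:
        p, q = _gen_prime(bits // 2), _gen_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            return (p * q, e), (p * q, pow(e, -1, phi))   # ((n, e), (n, d))

def rsa_encrypt(pub, data: bytes) -> int:
    return pow(int.from_bytes(data, "big"), pub[1], pub[0])
def rsa_decrypt(priv, c: int):
    m = pow(c, priv[1], priv[0])   # a wrong key almost surely yields a value wider than 32 bytes
    return m.to_bytes(32, "big") if m.bit_length() <= 256 else None
def rsa_sign(priv, msg: bytes) -> int:
    return pow(int.from_bytes(hashlib.sha256(msg).digest(), "big"), priv[1], priv[0])
def rsa_verify(pub, msg: bytes, sig: int) -> bool:
    return pow(sig, pub[1], pub[0]) == int.from_bytes(hashlib.sha256(msg).digest(), "big")
def encode(info: dict) -> bytes:
    return json.dumps(info, sort_keys=True).encode()

def derive_key(client_pub: bytes, server_random: bytes, suite: str) -> bytes:
    # HMAC-based KDF stands in for the selected cipher suite's key derivation (assumption)
    return hmac.new(client_pub, b"key|" + server_random + suite.encode(), "sha256").digest()

def confirm_tag(client_pub: bytes, server_random: bytes, suite: str) -> bytes:
    # Constructed check value so the server can tell which certificate's private key worked
    return hmac.new(client_pub, b"confirm|" + server_random + suite.encode(), "sha256").digest()

class Server:
    def __init__(self, supported, n_certs: int = 3):
        self.supported, self.suite = set(supported), None
        self.certs = [rsa_keygen() for _ in range(n_certs)]   # (pub, priv) per encryption certificate
        self.sign_pub, self.sign_priv = rsa_keygen()          # signing certificate
        self.server_random = secrets.token_bytes(32)

    def hello(self, initial_suites):
        self.suite = next((s for s in initial_suites if s in self.supported), None)
        if self.suite is None:
            raise ValueError("no mutually supported cipher suite")
        info = {"suite": self.suite, "server_random": self.server_random.hex(),
                "certs": [list(pub) for pub, _ in self.certs]}
        return self.suite, {"info": info, "sig": rsa_sign(self.sign_priv, encode(info))}

    def finish(self, client_msg) -> bytes:
        # The client's certificate choice is not signalled, so every private key is tried.
        for _, priv in self.certs:
            cand = rsa_decrypt(priv, client_msg["enc"])
            if cand and hmac.compare_digest(client_msg["tag"], confirm_tag(cand, self.server_random, self.suite)):
                return derive_key(cand, self.server_random, self.suite)
        raise ValueError("client key negotiation information matches none of the certificates")

def client_finish(offered, server_sign_pub, suite: str, server_msg):
    # Client side: verify the signature, pick a certificate at random, send the encrypted key share.
    info = server_msg["info"]
    if not rsa_verify(server_sign_pub, encode(info), server_msg["sig"]):
        raise ValueError("server key negotiation information failed signature verification")
    if info["suite"] != suite or suite not in offered:
        raise ValueError("server selected a suite the client did not offer")
    server_pub = tuple(secrets.choice(info["certs"]))   # random choice among the encryption certificates
    client_pub = secrets.token_bytes(32)                 # randomly generated client key share
    server_random = bytes.fromhex(info["server_random"])
    msg = {"suite": suite, "enc": rsa_encrypt(server_pub, client_pub),
           "tag": confirm_tag(client_pub, server_random, suite)}
    return msg, derive_key(client_pub, server_random, suite)

def run_handshake(offered=("SUITE_A", "SUITE_B"), supported=("SUITE_B", "SUITE_C"), tamper=False):
    # Full exchange; with tamper=True a certificate is swapped in transit and the signature must catch it.
    server = Server(supported)
    suite, server_msg = server.hello(list(offered))   # server.sign_pub is the client's trust anchor
    if tamper:
        server_msg["info"]["certs"][0] = list(rsa_keygen()[0])
    client_msg, client_key = client_finish(offered, server.sign_pub, suite, server_msg)
    return suite, client_key, server.finish(client_msg)
```

`run_handshake()` returns the negotiated suite and the two sides' target keys, which agree; `run_handshake(tamper=True)` raises at the client's signature check, and offering no suite the server supports raises at the server's selection step. The signing public key is passed to the client directly here; in the claimed system that trust anchor is whatever validates the signing certificate.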
8. A computer device comprising a memory and a processor, the memory storing a computer program, characterized in that the processor implements the steps of the encrypted communication method of claim 1 or 2 or the encrypted communication method of claim 3 or 4 when the computer program is executed.
9. A computer-readable storage medium, on which a computer program is stored, characterized in that the computer program, when being executed by a processor, implements the steps of the encrypted communication method according to claim 1 or 2 or the encrypted communication method according to claim 3 or 4.
10. A computer program product comprising a computer program, characterized in that the computer program, when being executed by a processor, implements the steps of the encrypted communication method according to claim 1 or 2 or the encrypted communication method according to claim 3 or 4.
CN202211197467.0A 2022-09-29 2022-09-29 Encrypted communication method, system, computer device, readable storage medium, and program product Active CN115529129B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202211197467.0A CN115529129B (en) 2022-09-29 2022-09-29 Encrypted communication method, system, computer device, readable storage medium, and program product

Publications (2)

Publication Number Publication Date
CN115529129A CN115529129A (en) 2022-12-27
CN115529129B true CN115529129B (en) 2024-10-18

Family

ID=84700625

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202211197467.0A Active CN115529129B (en) 2022-09-29 2022-09-29 Encrypted communication method, system, computer device, readable storage medium, and program product

Country Status (1)

Country Link
CN (1) CN115529129B (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN119484052A (en) * 2024-10-31 2025-02-18 超聚变数字技术有限公司 Encrypted communication method and server

Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2009076811A1 (en) * 2007-12-14 2009-06-25 Huawei Technologies Co., Ltd. A method, a system, a client and a server for key negotiating

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9923923B1 (en) * 2014-09-10 2018-03-20 Amazon Technologies, Inc. Secure transport channel using multiple cipher suites
CN111614637B (en) * 2020-05-08 2022-03-15 郑州信大捷安信息技术股份有限公司 Secure communication method and system based on software cryptographic module
CN113596046B (en) * 2021-08-03 2022-10-11 中电金信软件有限公司 Bidirectional authentication method, device, computer equipment and computer readable storage medium

Also Published As

Publication number Publication date
CN115529129A (en) 2022-12-27

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant