CN112968971B - Method, device, electronic equipment and readable storage medium for establishing session connection - Google Patents
Method, device, electronic equipment and readable storage medium for establishing session connection Download PDFInfo
- Publication number
- CN112968971B CN112968971B CN202110277998.XA CN202110277998A CN112968971B CN 112968971 B CN112968971 B CN 112968971B CN 202110277998 A CN202110277998 A CN 202110277998A CN 112968971 B CN112968971 B CN 112968971B
- Authority
- CN
- China
- Prior art keywords
- client
- information
- verification
- public key
- acquiring
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Links
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L67/00—Network arrangements or protocols for supporting network services or applications
- H04L67/14—Session management
- H04L67/141—Setup of application sessions
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/0823—Network architectures or network communication protocols for network security for authentication of entities using certificates
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3247—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3263—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
- Computer And Data Communications (AREA)
Abstract
The application belongs to the technical field of communication, and discloses a method, a device, electronic equipment and a readable storage medium for establishing session connection, wherein the method comprises the following steps: receiving an SPA data packet sent by a client; acquiring a digital signature and transmission information contained in an SPA data packet; acquiring a public key of the client according to the transmission information; verifying the digital signature according to the public key; if the verification result of the digital signature is based on the verification result of the digital signature, the client is confirmed to pass the verification, and session connection is established with the client. Therefore, the digital signature is adopted to perform validity verification on the SPA data packet, a private key for the digital signature is not required to be transmitted, the problem that the private key is stolen is avoided, and the network security of the SPA session is improved.
Description
Technical Field
The present application relates to the field of communications technologies, and in particular, to a method, an apparatus, an electronic device, and a readable storage medium for session connection establishment.
Background
The single packet authorization technique (Single Packet Authorization, SPA) refers to a technique in which a network connection responder authenticates and authorizes a requester through a SPA packet sent by the requester of the network connection before a network session is established. SPA technology can prevent unauthorized requesters from establishing session connections with responders, thereby identifying and blocking attacker connection requests prior to session establishment.
However, in the prior art, when establishing an SPA session connection, an attacker may generally forge a legal SPA packet, and establish a session connection with a responder through the forged SPA packet.
Therefore, how to improve the security of the SPA session establishment when the SPA session connection is established is a technical problem to be solved.
Disclosure of Invention
The embodiment of the application aims to provide a method, a device, electronic equipment and a readable storage medium for establishing session connection, which are used for improving the safety of SPA session establishment when the SPA session connection is established.
In one aspect, a method for establishing a session connection is provided, including:
receiving an SPA data packet sent by a client;
the method comprises the steps of obtaining a digital signature and transmission information contained in an SPA data packet, wherein the digital signature is obtained after the transmission information is signed;
acquiring a public key of the client according to the transmission information;
verifying the digital signature according to the public key;
if the verification result of the digital signature is based on the verification result of the digital signature, the client is confirmed to pass the verification, and session connection is established with the client.
In the implementation process, when the SPA session connection is established, the digital signature is adopted to perform validity verification on the SPA data packet, a private key for the digital signature is not required to be transmitted, the problem that the private key is stolen is avoided, and the network security of the SPA session is improved.
Preferably, obtaining the public key of the client according to the transmission information includes:
acquiring client identification information contained in the transmission information, and locally acquiring a public key stored in association with the client identification information; or alternatively, the process may be performed,
acquiring client identification information contained in the transmission information, locally acquiring a digital certificate stored in association with the client identification information, and acquiring a public key of the client from the digital certificate; or alternatively, the process may be performed,
and acquiring the digital certificate contained in the transmission information, and acquiring the public key of the client from the digital certificate.
In the implementation process, a local database or a digital certificate can be adopted to store the public key, so that the security of public key storage is improved.
Preferably, if the verification result of the signature based on the digital signature determines that the verification of the client passes, session connection is established with the client, including:
if the signature verification result of the digital signature represents that the signature verification is passed, verifying the freshness number contained in the transmission information;
if the verification of the fresh number is confirmed to pass, acquiring authorization permission information according to the transmission information;
performing authorization permission verification on the client according to the authorization permission information;
if the authorization permission verification is determined to pass, session connection is established with the client.
In the implementation process, the repeated SPA data packets can be identified only by fresh numbers without storing data such as hash values of all historical SPA data packets, and the steps of SPA data packet replay attack protection are simplified.
Preferably, verifying the freshness number contained in the transmission information includes:
determining the time difference between the fresh number and the current time, and if the time difference is lower than a preset time threshold value, determining that the verification of the fresh number is passed; or alternatively, the process may be performed,
and acquiring the current sequence number stored locally, if the fresh number is determined to be larger than the current sequence number, determining that the verification of the fresh number is passed, and updating the current sequence number to the fresh number.
In the above implementation, time-dependent data or sequence numbers may be employed as freshness numbers.
Preferably, before receiving the SPA data packet sent by the client, the method further includes:
receiving a registration request message sent by a client;
acquiring client identification information, a public key and private key proving information contained in a registration request message, wherein the private key proving information is generated for the public key and the client identification information based on a private key;
verifying the private key certification information according to the public key and the client identification information to obtain a private key verification result;
If the registration verification is determined to pass based on the private key verification result, the client identification information and the public key are stored in an associated mode;
a registration pass response message is returned to the client.
In the implementation process, before the session is established, the client registration is performed through the client identification information, the public key and the private key certification information, so that the security of the subsequent network session establishment is improved.
Preferably, if the registration verification is determined to pass based on the private key verification result, storing the client identification information and the public key in association, including:
if the private key verification result represents that the private key verification is passed, acquiring client side credential information further contained in the registration request message;
acquiring locally stored legal credential information set for client identification information;
and if the legal credential information is consistent with the client credential information, storing the client identification information and the public key in an associated manner.
In the implementation process, the validity of the client is ensured through the client credential information.
Preferably, if it is determined that the legal credential information is consistent with the client credential information, storing the client identification information and the public key in association, including:
if the legal credential information is consistent with the client credential information, generating authorization permission information of the client;
Storing the client identification information, the public key and the authorization permission information in a local association mode, or sending the authorization permission information to the client and receiving a digital certificate returned by the client;
wherein the digital certificate is generated based on the client identification information, the public key, and the authorization permission information.
In the implementation process, the client identification information, the public key and the authorization permission information are stored in a local database or a digital certificate in an associated mode, so that the storage safety of the client identification information, the public key and the authorization permission information is improved.
In one aspect, a method for establishing a session connection is provided, including:
signing the transmission information through a private key to obtain a digital signature;
the SPA data packet containing the digital signature and the transmission information is sent to the server, so that the server verifies the digital signature according to the transmission information;
and determining that the received verification passing response message returned by the server based on the signature verification result establishes session connection with the server.
Preferably, before sending the SPA data packet containing the digital signature and the transmission information to the server, the method further includes:
acquiring client identification information, and generating a public key and a corresponding private key;
Generating private key certification information according to the private key and aiming at the public key and the client identification information;
a registration request message containing client identification information, a public key and private key certification information is sent to a server, so that the server verifies the private key certification information according to the public key and the client identification information;
and the receiving server determines that the registration passes the response message returned when the registration passes the verification based on the private key verification result.
In one aspect, an apparatus for session connection establishment is provided, including:
the receiving unit is used for receiving the SPA data packet sent by the client;
the first acquisition unit is used for acquiring a digital signature and transmission information contained in the SPA data packet, wherein the digital signature is obtained after the transmission information is signed;
the second acquisition unit is used for acquiring the public key of the client according to the transmission information;
the verification unit is used for verifying the digital signature according to the public key;
and the connection unit is used for establishing session connection with the client if the client verification is determined to pass based on the signature verification result of the digital signature.
Preferably, the second obtaining unit is configured to:
acquiring client identification information contained in the transmission information, and locally acquiring a public key stored in association with the client identification information; or alternatively, the process may be performed,
Acquiring client identification information contained in the transmission information, locally acquiring a digital certificate stored in association with the client identification information, and acquiring a public key of the client from the digital certificate; or alternatively, the process may be performed,
and acquiring the digital certificate contained in the transmission information, and acquiring the public key of the client from the digital certificate.
Preferably, the connection unit is configured to:
if the signature verification result of the digital signature represents that the signature verification is passed, verifying the freshness number contained in the transmission information;
if the verification of the fresh number is confirmed to pass, acquiring authorization permission information according to the transmission information;
performing authorization permission verification on the client according to the authorization permission information;
if the authorization permission verification is determined to pass, session connection is established with the client.
Preferably, the connection unit is configured to:
determining the time difference between the fresh number and the current time, and if the time difference is lower than a preset time threshold value, determining that the verification of the fresh number is passed; or alternatively, the process may be performed,
and acquiring the current sequence number stored locally, if the fresh number is determined to be larger than the current sequence number, determining that the verification of the fresh number is passed, and updating the current sequence number to the fresh number.
Preferably, the receiving unit is further configured to:
receiving a registration request message sent by a client;
Acquiring client identification information, a public key and private key proving information contained in a registration request message, wherein the private key proving information is generated for the public key and the client identification information based on a private key;
verifying the private key certification information according to the public key and the client identification information to obtain a private key verification result;
if the registration verification is determined to pass based on the private key verification result, the client identification information and the public key are stored in an associated mode;
a registration pass response message is returned to the client.
Preferably, the receiving unit is further configured to:
if the private key verification result represents that the private key verification is passed, acquiring client side credential information further contained in the registration request message;
acquiring locally stored legal credential information set for client identification information;
and if the legal credential information is consistent with the client credential information, storing the client identification information and the public key in an associated manner.
Preferably, the receiving unit is further configured to:
if the legal credential information is consistent with the client credential information, generating authorization permission information of the client;
storing the client identification information, the public key and the authorization permission information in a local association mode, or sending the authorization permission information to the client and receiving a digital certificate returned by the client;
Wherein the digital certificate is generated based on the client identification information, the public key, and the authorization permission information.
In one aspect, an apparatus for session connection establishment is provided, including:
the obtaining unit is used for signing the transmission information through the private key to obtain a digital signature;
the sending unit is used for sending the SPA data packet containing the digital signature and the transmission information to the server, so that the server verifies the digital signature according to the transmission information;
and the connection unit is used for determining that the received verification passing response message returned by the server based on the signature verification result establishes session connection with the server.
Preferably, the obtaining unit is configured to:
acquiring client identification information, and generating a public key and a corresponding private key;
generating private key certification information according to the private key and aiming at the public key and the client identification information;
a registration request message containing client identification information, a public key and private key certification information is sent to a server, so that the server verifies the private key certification information according to the public key and the client identification information;
and the receiving server determines that the registration passes the response message returned when the registration passes the verification based on the private key verification result.
In one aspect, an electronic device is provided comprising a processor and a memory storing computer readable instructions that, when executed by the processor, perform the steps of a method as provided in various alternative implementations of any of the session connection establishment described above.
In one aspect, a readable storage medium is provided, on which a computer program is stored which, when executed by a processor, performs the steps of a method as provided in various alternative implementations of any of the session connection establishment described above.
Additional features and advantages of the application will be set forth in the description which follows, and in part will be obvious from the description, or may be learned by practice of the application. The objectives and other advantages of the application will be realized and attained by the structure particularly pointed out in the written description and claims thereof as well as the appended drawings.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present application, the drawings that are needed in the embodiments of the present application will be briefly described below, it should be understood that the following drawings only illustrate some embodiments of the present application and should not be considered as limiting the scope, and other related drawings can be obtained according to these drawings without inventive effort for a person skilled in the art.
Fig. 1 is a schematic view of an application scenario provided in an embodiment of the present application;
FIG. 2 is a flowchart of a registration method according to an embodiment of the present application;
Fig. 3 is a flowchart of a method for establishing a session connection according to an embodiment of the present application;
FIG. 4 is an interactive flowchart of a registration method according to an embodiment of the present application;
fig. 5 is an interaction flow chart of a session connection establishment method according to an embodiment of the present application;
fig. 6 is a schematic structural diagram of a device for establishing session connection according to an embodiment of the present application;
fig. 7 is a schematic structural diagram of a device for establishing session connection according to an embodiment of the present application;
fig. 8 is a schematic structural diagram of an electronic device according to an embodiment of the present application.
Detailed Description
The following description of the embodiments of the present application will be made clearly and completely with reference to the accompanying drawings, in which it is apparent that the embodiments described are only some embodiments of the present application, but not all embodiments. The components of the embodiments of the present application generally described and illustrated in the figures herein may be arranged and designed in a wide variety of different configurations. Thus, the following detailed description of the embodiments of the application, as presented in the figures, is not intended to limit the scope of the application, as claimed, but is merely representative of selected embodiments of the application. All other embodiments, which can be made by a person skilled in the art without making any inventive effort, are intended to be within the scope of the present application.
It should be noted that: like reference numerals and letters denote like items in the following figures, and thus once an item is defined in one figure, no further definition or explanation thereof is necessary in the following figures. Meanwhile, in the description of the present application, the terms "first", "second", and the like are used only to distinguish the description, and are not to be construed as indicating or implying relative importance.
Some of the terms involved in the embodiments of the present application will be described first to facilitate understanding by those skilled in the art.
Terminal equipment: the mobile terminal, stationary terminal or portable terminal may be, for example, a mobile handset, a site, a unit, a device, a multimedia computer, a multimedia tablet, an internet node, a communicator, a desktop computer, a laptop computer, a notebook computer, a netbook computer, a tablet computer, a personal communications system device, a personal navigation device, a personal digital assistant, an audio/video player, a digital camera/camcorder, a positioning device, a television receiver, a radio broadcast receiver, an electronic book device, a game device, or any combination thereof, including the accessories and peripherals of these devices, or any combination thereof. It is also contemplated that the terminal device can support any type of interface (e.g., wearable device) for the user, etc.
And (3) a server: the cloud server can be an independent physical server, a server cluster or a distributed system formed by a plurality of physical servers, and can also be a cloud server for providing cloud services, cloud databases, cloud computing, cloud functions, cloud storage, network services, cloud communication, middleware services, domain name services, security services, basic cloud computing services such as big data and artificial intelligent platforms and the like.
SPA technology: the network security technology is a novel network security technology, and is characterized in that before the network session is established, a response party of network connection authenticates and authorizes a request party through an SPA data packet sent by the request party of the network connection. The core of the SPA technology is a set of network protocols, which are interactively completed by a client installed on the requester device and a server installed on the responder device. The server does not respond to any access SPA packets in the default state, but continuously checks the contents of all received SPA packets. When detecting a legal SPA data packet constructed and sent by a legal client, the server temporarily opens a specific connection mode according to the request information in the SPA data packet, and allows the specific client to establish an effective session with the server. After the session is established, the server resumes the default state and still does not respond to any access SPA data packet. The established session is not affected and the network resources required for access are continuously used by the requesting party. SPA technology can prevent unauthorized requesters from establishing session connections with responders, thereby identifying and blocking attacker connection requests prior to session establishment.
Commercial secret number 2 (SM 2) algorithm: the elliptic curve public key cryptographic algorithm is issued by the national cryptographic administration and is mainly used for digital signature, data encryption, key exchange, identity authentication and the like.
Commercial secret number 9 (SM 9) algorithm: the identification cipher algorithm is an algorithm using the identification of the user (such as mail address, mobile phone number, QQ number, etc.) as public key. The SM9 algorithm omits the process of exchanging the digital certificate and the public key, so that the security system is easy to deploy and manage, and is very suitable for various occasions of end-to-end offline security communication, cloud data encryption, attribute-based encryption and policy-based encryption.
Physical address (Media Access Control Address, MAC): the network card identification device is used for identifying the address of the position of the network equipment, in particular, is used for uniquely marking one network card in the network, and if one or more network cards exist in one piece of equipment, each network card needs and has a unique MAC address.
In order to improve security of SPA session establishment when establishing SPA session connection, embodiments of the present application provide a method, an apparatus, an electronic device, and a readable storage medium for session connection establishment.
Referring to fig. 1, a schematic diagram of an application scenario provided in an embodiment of the present application is shown. The application scenario includes an electronic device 101 and a requester device 102. The electronic device 101 is a responder device that requests to establish a session connection, and may be a server or a terminal device. The requestor device 102 may be a terminal device. The electronic device 101 is provided with a service end, the requester device 102 is provided with a client end, optionally, the electronic device 101 can be provided with an SPA service end, and the requester device 102 can be provided with an SPA client end.
In the embodiment of the application, the application scenario includes a registration stage of the client and a session connection establishment stage.
In the registration stage, the client generates private key certification information for verifying whether the client holds a legal private key based on the private key and aiming at the public key and the client identification information, and sends a registration request message containing the client identification information, the public key and the private key certification information to the server. The server verifies the private key certification information according to the public key and the client identification information, judges whether registration verification is passed or not based on a private key verification result, and if the client registration verification is confirmed to be passed, the client identification information and the public key are stored in a correlated mode, so that a session connection request of the client can be verified through the client identification information and the public key in a subsequent session connection establishment stage, and if the client registration verification is confirmed not to be passed, the client cannot perform subsequent session connection.
In the session connection establishment phase, the client sends an SPA data packet containing transmission information and a corresponding digital signature to the server. And the server side verifies the digital signature based on the transmission information in the SPA data packet, establishes session connection with the client side when the client side passes verification based on the signature verification result, and refuses to establish session connection with the client side if the client side passes the verification result.
In the embodiment of the application, before establishing the session connection based on SPA, the client registers on the server. Referring to fig. 2, a flowchart of an implementation of a registration method according to an embodiment of the present application is shown, where a specific implementation flow of the method is as follows:
step 200: the client acquires the client identification information and adopts an asymmetric encryption algorithm to generate a key pair comprising a public key and a private key.
Specifically, the asymmetric encryption algorithm is an algorithm supporting digital signature operation. The public key pk and the private key sk contained in each key pair are not identical.
Alternatively, the asymmetric encryption algorithm may be a national encryption SM2 algorithm, a national encryption SM9 algorithm, a public key encryption (Rivest Shamir Adleman, RSA) algorithm, an elliptic curve digital signature (Elliptic Curve Digital Signature Algorithm, ECDSA) algorithm, or the like.
In practical application, the asymmetric encryption algorithm may also be set according to the practical application scenario, which is not limited herein.
It should be noted that, the private key is stored and used by the client and is not provided for other entity devices, so that an attacker cannot steal the private key of the client in the process of key transmission, and the security of the private key is ensured.
Step 201: the client generates private key attestation information for the public key and the client identification information based on the private key.
Specifically, the client digitally signs verification information composed of the client identification information and the public key through the private key to generate private key certification information.
In one embodiment, the client forms verification information based on the client identification information and the public key, and performs hash calculation on the verification information by adopting a hash algorithm to obtain a hash value, namely a message digest, and encrypts the hash value by adopting the private key to obtain an encrypted hash value, namely private key certification information (PoP).
The verification information at least comprises client identification information and a public key. Optionally, the authentication information may also contain client credential information as well as other additional information. The client Identification Information (ID) is used to uniquely identify the client.
The private key proof information is used to prove that the client holds a legal private key, and the client credential information (IDProof) is used to verify the validity of the client, and may be a one-time password or the like, which is not limited herein.
Alternatively, the client ID may be a device serial number, a user name, and a MAC address. The additional information may be time, sequence number, etc. The verification information may be in the form of a structure, an array, a set, etc., which is not limited herein.
In practical application, the client ID and the additional information may be set according to the practical application scenario, which is not limited herein.
Step 202: the client sends a registration request message containing client identification information, a public key and private key certification information to the server.
Furthermore, the client may also obtain client credential information of the client, and send a registration request message including the client identification information, the public key, the private key attestation information, and the client credential information to the server.
It should be noted that, before executing step 202, the administrator may generate the client credential information for the client in advance, and may send the client credential information to the client in a manner of manual distribution, offline interaction or manual audit, and send the client identification information and the client credential information to the server, so as to avoid the client credential information from being stolen in the distribution process, and ensure the security of the client credential information distribution.
In one embodiment, the administrator inputs the client credential information in the client and the server by manual input, respectively.
In one embodiment, an administrator distributes client credential information to a client and a server respectively by means of a sms or email.
In practical applications, other distribution methods may be used to distribute the client credential information, which is not limited herein.
It should be noted that, since each device installed with the client only needs to register once to perform the subsequent session connection step, the offline interaction or the manual auditing or distribution manner has less influence on the session connection efficiency.
Further, if the client has been registered in the server before, when re-registration is applied for again, the registration request message may not include the client credential information, and after the server obtains the public key of the client through the private key credential information, if it is determined that the public key has been registered and stored, it may be determined that the client is legal.
Step 203: the server receives the registration request message sent by the client.
Step 204: the server acquires client identification information, a public key and private key proving information contained in the registration request message.
Step 205: and the server verifies the private key proving information according to the public key and the client identification information to obtain a private key verification result.
Specifically, the server decrypts the private key certification information through the public key to obtain decryption information, and verifies the decryption information based on verification information consisting of the client identification information and the public key.
In one embodiment, the server performs hash calculation on verification information based on the client identification information and the public key by adopting a hash algorithm, obtains a first hash value, decrypts the private key certification information by the public key, and obtains a second hash value, namely decryption information, if the first hash value is the same as the second hash value, the private key verification is determined to be passed, otherwise, the private key verification is determined to be failed.
Further, if the private key verification is determined to fail, determining that the registration of the client is failed, and returning a registration failure response message to the client.
Therefore, the client can prove that the client really holds the legal private key to other participants, such as the server, on the premise of not revealing the private key.
Step 206: if the registration verification is determined to pass based on the private key verification result, the server side stores the client identification information and the public key in an associated mode.
Specifically, when executing step 206, the server may use the following two methods:
the first way is: if the private key verification result represents that the private key verification is passed, determining that the registration verification is passed, and storing the client ID and the public key in an associated mode.
Therefore, the registration verification can be judged to pass only through the private key proving information when the client side is determined to actually hold the legal private key.
The second mode is as follows: if the private key verification result represents that the private key verification is passed and the client side credential information verification is passed, determining that the registration verification is passed, and storing the client side ID and the public key in an associated mode.
Specifically, when the second mode is adopted, the following steps may be adopted:
s2061: if the private key verification result indicates that the private key verification is passed, the client side credential information contained in the registration request message is obtained.
S2062: and acquiring legal credential information corresponding to the client identification information of the client according to the corresponding relation between the stored client identification information and the legal credential information.
Specifically, before executing step 202, the administrator generates client credential information for the client in advance, and sends the client credential information to the client and sends the client identification information and the client credential information to the server in a manner of manual distribution, offline interaction, and the like. The server takes the received client side credential information as legal credential information of the client side, and stores the legal credential information of the client side and the client side identification information in a correlated way.
S2063: if the legal credential information is consistent with the client credential information, the server stores the client identification information and the public key in an associated manner.
Specifically, if the legal credential information is determined to be consistent with the client credential information, that is, the client is a legal client, the server stores the client identification information and the public key in an associated manner.
When the client identification information and the public key are stored in an associated mode, the following two modes can be adopted:
the first way is: the client identification information and the public key are stored in local association.
In one embodiment, the client identification information and the public key are stored as a database record in a local database.
Further, if the legal credential information is determined to be consistent with the client credential information, determining that the client registration is failed, and returning a registration failure response message to the client.
Furthermore, the server may generate authorization permission information for the client, and store the client identification information, the public key, and the authorization permission information in association.
In this way, the client identification information and the public key can be stored locally at the server or the client identification information, the public key and the authorization permission information can be stored locally at the server by adopting a database storage mode.
The second mode is as follows: and sending the client identification information and the public key to the client, and receiving the digital certificate returned by the client based on the client identification information and the public key.
Specifically, the server side sends the client side identification information and the public key to the client side. The client generates a digital certificate based on the client identification information and the public key, and returns the digital certificate to the server.
Further, the server side sends the client side identification information, the public key and the authorization permission information to the client side. The client generates a digital certificate based on the client identification information, the public key and the authorization permission information, and returns the digital certificate to the server.
Further, after the client generates and stores the digital certificate, the client may not send the digital certificate to the server. That is, the server does not store the digital certificate, but stores the digital certificate by the client, and when the subsequent client sends a session connection request to the server, the digital certificate is sent to the server.
The digital certificate may be generated based on the client identification information, the public key, and the authorization permission information, or may be generated based on the client identification information and the public key.
In this way, the client identification information and the public key, or the client identification information, the public key and the authorization permission information, are respectively used as different fields of the digital certificate, the digital certificate is used as a carrier, and the digital certificate is issued into the digital certificate after being checked by a certificate authority (CA, certificate Authority) or a system with corresponding qualification. Thereby, the client identification information and the public key are stored or the client identification information, the public key and the authorized license information are stored in a digital certificate mode. And the digital certificate can be stored in the server side or the client side.
Wherein the authorization permission information (Auth) indicates that the server side allows the client side to perform session operation in the network session. The authorization permission information includes authorization permission conditions set for the client, for example, through the authorization permission information, the server may set an IP address, a TCP port or a UDP port, an application layer protocol that may be used, a session frequency range, a traffic range, and the like that may be accessed by the client.
Alternatively, the authorization permission information may be set according to any one or any combination of the following parameters:
internet protocol (Internet Protocol, IP) addresses, transmission control protocol (TCP, transmission Control Protocol) ports, user datagram protocol (User Datagram Protocol, UDP) ports, application layer protocols, session request frequencies, traffic restrictions, and the like.
In practical application, the authorization permission information may be set according to a practical application scenario, which is not limited herein.
Therefore, the data such as the public key is stored by adopting a safe database system or a digital certificate, so that an attacker is prevented from tampering or damaging the data, and the data security is improved.
Step 207: the server returns a registration passing response message to the client.
In practical application, the registration stage is required to be performed in a secure network transmission environment, in the embodiment of the application, client credential information is distributed in a manual distribution or off-line interaction mode, so that the client is registered in the secure network environment, the client credential information is prevented from being stolen, whether the client holds a legal private key is verified through private key proof information, the validity of the client is verified through the client credential information, and the security of client registration is improved.
In the embodiment of the application, after the client finishes registration, the client can send a session connection request to the server and establish session connection with the server. Referring to fig. 3, a flowchart of a method for establishing session connection according to an embodiment of the present application is shown, where a specific implementation flow of the method is as follows:
step 300: the client signs the transmission information through the private key to obtain a digital signature.
Specifically, the transmission information includes any one or any combination of the following parameters: client identification information, digital certificates, freshness numbers, additional information, and authorization permission information.
The digital signature is obtained after the transmission information is signed. The freshness number Nonce is used for preventing an attacker from attacking the server by repeatedly sending the SPA data packet to the server for a plurality of times. The additional information is information added according to the actual application scene. The digital certificate is generated for the client identification information and public key for the client registration phase.
Alternatively, the freshness number may be a sequence number, such as an SPA packet sequence number, or may be time-varying data, such as time, without limitation.
Alternatively, the additional information (Info) may be device information, personnel information, a port requesting connection, a digital certificate, or a requested service, etc. Optionally, the additional information may also contain a digital certificate.
In practical application, the fresh number and the additional information can be set according to the practical application scene, and the method is not limited herein.
Step 301: the client sends SPA data packets containing transmission information and digital signatures to the server.
When sending the SPA data packet, the SPA data packet can be sent in a clear text, or can be sent after being encrypted, so that the security of the SPA session is not affected.
Step 302: the server receives the SPA data packet sent by the client and acquires the digital signature and the transmission information contained in the SPA data packet.
Step 303: and the server acquires the public key of the client according to the transmission information.
Specifically, when executing step 303, the server may use the following ways:
the first way is: and acquiring the client identification information contained in the transmission information, and locally acquiring the public key stored in association with the client identification information.
Specifically, if it is determined that the client identification information and the public key are stored in the local association of the server, the public key corresponding to the client identification information of the client is directly obtained.
In one embodiment, after the registration of each client is completed, the server uses a database storage mode to store the identification information of each client and the corresponding public key in a correlation manner, and then the server searches the public key of the client from the database through the client identification information of the client.
Thus, the public key can be directly obtained from the database local to the server.
The second mode is as follows: the method comprises the steps of obtaining client identification information contained in transmission information, locally obtaining a digital certificate stored in association with the client identification information, and obtaining a public key of a client from the digital certificate.
Specifically, if it is determined that the public key is stored in a digital certificate manner and each digital certificate is locally stored in the server, the server acquires the digital certificate corresponding to the client identification information, and acquires the public key of the client from the digital certificate.
Thus, the public key can be obtained from the digital certificate locally stored at the server.
The third way is: and acquiring the digital certificate contained in the transmission information, and acquiring the public key of the client from the digital certificate.
Specifically, if the transmission information of the SPA data packet includes a digital certificate, the server obtains the digital certificate from the transmission information, and obtains a public key included in the digital certificate.
Thus, the public key can be obtained from the digital certificate stored by the client.
Step 304: and the server verifies the digital signature according to the public key.
Specifically, the server decrypts the digital signature through the public key to obtain decryption information, and judges whether the digital signature passes verification or not through the decryption information and the transmission information.
In one embodiment, if the decryption information is consistent with the transmission information, the server determines that the signature verification is passed, otherwise, determines that the signature verification is not passed.
In one embodiment, the server performs hash calculation on the transmission information to obtain a third hash value, decrypts the digital signature through the public key to obtain a fourth hash value, namely the decrypted information, and determines that the signature verification is passed if the third hash value is the same as the fourth hash value, or determines that the signature verification is not passed if the third hash value is not the same as the fourth hash value.
Step 305: if the verification result of the digital signature is based on the verification result of the digital signature, the client verification is confirmed to pass, and the server and the client establish session connection.
Specifically, when step 305 is executed, the server may use the following steps:
s3051: and if the signature verification result of the digital signature represents that the signature verification is passed, acquiring the freshness number contained in the input information.
Specifically, the transmission information also includes a freshness number.
S3052: and verifying the fresh number, and if the verification of the fresh number is confirmed to pass, acquiring authorization permission information according to the transmission information.
Specifically, the freshness number is used for preventing an attacker from attacking the server by repeatedly sending the SPA data packet to the server for a plurality of times. The additional information is information added according to the actual application scene.
Alternatively, the freshness number may be a sequence number, such as an SPA packet sequence number, or may be time-varying data, such as time.
In one embodiment, when the freshness number is set as time, the server side obtains the current time, determines a time difference between the freshness number and the current time, and determines that the freshness number passes verification if the time difference is lower than a preset time threshold.
The preset time threshold represents a time size, for example, 5s, and in practical application, the preset time threshold may be set according to a practical application scenario, which is not limited herein.
In one embodiment, the server obtains the current sequence number stored locally by setting the fresh number as the sequence number, and if the fresh number is determined to be greater than the current sequence number, the verification of the fresh number is determined to pass, and the current sequence number is updated to the fresh number.
When obtaining the authorization permission information according to the transmission information, the server may adopt the following modes:
the first way is: and acquiring corresponding authorization permission information stored locally according to the client identification information in the transmission information.
Thus, the server can directly obtain the authorization permission information stored in association with the client identification information from the local database.
The second mode is as follows: and acquiring a corresponding digital certificate stored locally according to the client identification information in the transmission information, and acquiring authorization permission information contained in the digital certificate.
Thus, the server can obtain the authorization permission information from the locally stored digital certificate.
The third way is: and acquiring the digital certificate contained in the additional information of the transmission information, and acquiring the authorization permission information contained in the digital certificate.
Thus, the server can acquire the authorization permission information stored in the client.
S3053: and carrying out authorization permission verification on the client according to the authorization permission information.
Specifically, if the client is determined to be in accordance with the authorization permission condition in the authorization permission information, determining that the authorization permission verification is passed, otherwise, determining that the authorization permission verification is not passed.
In one embodiment, the authorization permission condition in the authorization permission information is that the session request frequency is lower than the request frequency threshold, the server side obtains the session request frequency of the client side in a specified time period, if the session request frequency is determined to be lower than the request frequency threshold, the authorization permission verification is determined to be passed, and otherwise, the authorization permission verification is determined not to be passed.
In one embodiment, the authorization condition in the authorization permission information is that the application layer protocol is a specified protocol, the server side obtains the application layer protocol currently transmitted by the client side, if the application layer protocol is the specified protocol, the authorization permission verification is determined to pass, otherwise, the authorization permission verification is determined not to pass.
Further, the grant permission condition may also be whether the port that the client requests to access is a designated port, whether the concurrency number of the client is lower than a preset concurrency number threshold, and so on. In practical application, the authorization permission condition may be set according to the practical application scenario, which is not limited herein.
S3054: if the authorization permission verification is determined to pass, session connection is established with the client.
Specifically, if the authorization permission verification is determined to be passed, the server side returns a verification passing response message to the client side, and session connection is established with the client side.
The session connection establishment process may specifically further include steps of configuring a temporary permission rule in the local firewall by the server, waiting for the client to establish session connection, and clearing the temporary permission rule after the session connection is established or after the session connection is overtime, which is not described herein.
The above embodiments are further specifically described below using a specific registration application scenario. Referring to fig. 4, an interactive flowchart of a registration method provided by an embodiment of the present application is shown, where a specific implementation flow of the method is as follows:
step 400: the SPA client generates a key pair that includes a public key and a private key.
Specifically, when step 400 is performed, specific steps refer to step 200 described above, and are not described herein.
Step 401: the SPA client generates private key attestation information for the public key and the client identification information based on the private key.
Specifically, when step 401 is performed, specific steps refer to step 201 described above, and are not described herein.
Step 402: the SPA client sends a registration request message containing client identification information, a public key and private key certification information to the SPA server.
Specifically, when step 402 is performed, specific steps refer to step 202 described above, and are not described herein.
Step 403: and the SPA server verifies the corresponding private key certification information according to the public key and the client identification information in the registration request message, and obtains a private key verification result.
Specifically, when step 403 is performed, specific steps refer to step 205 described above, and are not described herein.
Step 404: if the registration verification is determined to pass based on the private key verification result, the SPA server side stores the client identification information and the public key in an associated mode.
Specifically, when step 404 is performed, specific steps refer to step 206, which is not described herein.
Step 405: the SPA server returns a registration passing response message to the SPA client.
The above embodiments are further specifically described below using an application scenario for a specific session connection establishment. Referring to fig. 5, an interactive flowchart of a session connection establishment method provided by an embodiment of the present application is shown, where a specific implementation flow of the method is as follows:
step 500: the SPA client signs the transmission information through the private key to obtain a digital signature.
Specifically, when step 500 is performed, specific steps refer to step 300 described above, and are not described herein.
Step 501: the SPA client sends SPA data packets containing transmission information and digital signatures to the SPA server.
Step 502: the SPA server acquires a digital signature and transmission information contained in the SPA data packet.
Specifically, when step 502 is performed, specific steps refer to step 302 described above, and are not described herein.
Step 503: and the SPA server acquires the public key of the SPA client according to the transmission information.
Specifically, when step 503 is performed, specific steps are referred to above in step 303, and are not described herein.
Step 504: and the SPA server verifies the digital signature according to the public key.
Specifically, when step 504 is performed, specific steps are referred to above in step 304, and are not described herein.
Step 505: if the signature verification is confirmed to pass, the SPA server verifies the freshness number contained in the input information.
Specifically, when step 505 is performed, specific steps refer to step 305, and are not described herein.
Step 506: and if the verification of the freshness number is confirmed to pass, the SPA server acquires authorization permission information according to the transmission information.
Specifically, when step 506 is performed, specific steps refer to step 305, which is not described herein.
Step 507: and the SPA server verifies the authorized license of the SPA client according to the authorized license information.
Specifically, when step 507 is performed, specific steps refer to step 305, which is not described herein.
Step 508: if the authorization permission verification is confirmed to be passed, the SPA server side returns a verification passing response message to the SPA client side, and session connection is established with the SPA client side.
Specifically, when step 508 is performed, specific steps refer to step 305, which is not described herein.
In the embodiment of the application, in the registration stage, whether the client holds the legal private key is verified through the private key proving information, the validity of the client is verified through the client credential information, and when the client is determined to hold the legal private key and the client is legal, the client identification information, the public key and the authorization permission information are stored in an associated mode, so that an attacker can be prevented from impersonating the identity or impersonating the private key in the registration stage. In the session connection establishment stage, the public key is obtained through the client identification information, and the digital signature is verified through the public key, so that whether the public key is matched with the client identification information or not and the validity of the data packet are verified, no matter the registration flow or the session connection establishment flow needs to transmit the private key for the digital signature, the problem that the private key is stolen is avoided, the attacker is prevented from impersonating the identity, the safety of the SPA session connection establishment can be ensured without a safe network transmission environment when the session connection is established, the data such as hash values of all historical SPA data packets are not stored, repeated SPA data packets can be identified only through fresh numbers, and the step of SPA data packet replay attack protection is simplified.
Based on the same inventive concept, the embodiment of the present application further provides a device for establishing session connection, and since the principle of the device and the device for solving the problem is similar to that of a method for establishing session connection, the implementation of the device can refer to the implementation of the method, and the repetition is omitted.
Fig. 6 is a schematic structural diagram of a device for establishing session connection according to an embodiment of the present application, including:
a receiving unit 611, configured to receive an SPA data packet sent by a client;
a first obtaining unit 612, configured to obtain a digital signature and transmission information included in the SPA data packet, where the digital signature is obtained by signing the transmission information;
a second obtaining unit 613, configured to obtain a public key of the client according to the transmission information;
a verification unit 614, configured to verify the digital signature according to the public key;
a connection unit 615, configured to establish a session connection with the client if it is determined that the client passes the verification based on the signature verification result of the digital signature.
Preferably, the second obtaining unit 613 is configured to:
acquiring client identification information contained in the transmission information, and locally acquiring a public key stored in association with the client identification information; or alternatively, the process may be performed,
Acquiring client identification information contained in the transmission information, locally acquiring a digital certificate stored in association with the client identification information, and acquiring a public key of the client from the digital certificate; or alternatively, the process may be performed,
and acquiring the digital certificate contained in the transmission information, and acquiring the public key of the client from the digital certificate.
Preferably, the connection unit 615 is configured to:
if the signature verification result of the digital signature represents that the signature verification is passed, verifying the freshness number contained in the transmission information;
if the verification of the fresh number is confirmed to pass, acquiring authorization permission information according to the transmission information;
performing authorization permission verification on the client according to the authorization permission information;
if the authorization permission verification is determined to pass, session connection is established with the client.
Preferably, the connection unit 615 is configured to:
determining the time difference between the fresh number and the current time, and if the time difference is lower than a preset time threshold value, determining that the verification of the fresh number is passed; or alternatively, the process may be performed,
and acquiring the current sequence number stored locally, if the fresh number is determined to be larger than the current sequence number, determining that the verification of the fresh number is passed, and updating the current sequence number to the fresh number.
Preferably, the receiving unit 611 is further configured to:
receiving a registration request message sent by a client;
Acquiring client identification information, a public key and private key proving information contained in a registration request message, wherein the private key proving information is generated for the public key and the client identification information based on a private key;
verifying the private key certification information according to the public key and the client identification information to obtain a private key verification result;
if the registration verification is determined to pass based on the private key verification result, the client identification information and the public key are stored in an associated mode;
a registration pass response message is returned to the client.
Preferably, the receiving unit 611 is further configured to:
if the private key verification result represents that the private key verification is passed, acquiring client side credential information further contained in the registration request message;
acquiring locally stored legal credential information set for client identification information;
and if the legal credential information is consistent with the client credential information, storing the client identification information and the public key in an associated manner.
Preferably, the receiving unit 611 is further configured to:
if the legal credential information is consistent with the client credential information, generating authorization permission information of the client;
storing the client identification information, the public key and the authorization permission information in a local association mode, or sending the authorization permission information to the client and receiving a digital certificate returned by the client;
Wherein the digital certificate is generated based on the client identification information, the public key, and the authorization permission information.
Fig. 7 is a schematic diagram of a second device for establishing session connection according to an embodiment of the present application, including:
an obtaining unit 711 for signing the transmission information by the private key to obtain a digital signature;
a sending unit 712, configured to send an SPA data packet including the digital signature and the transmission information to the server, so that the server verifies the digital signature according to the transmission information;
and a connection unit 713, configured to determine that the session connection is established with the server after receiving the authentication pass response message returned by the server based on the signature authentication result.
Preferably, the obtaining unit 711 is configured to:
acquiring client identification information, and generating a public key and a corresponding private key;
generating private key certification information according to the private key and aiming at the public key and the client identification information;
a registration request message containing client identification information, a public key and private key certification information is sent to a server, so that the server verifies the private key certification information according to the public key and the client identification information;
and the receiving server determines that the registration passes the response message returned when the registration passes the verification based on the private key verification result.
In the method, the device, the electronic equipment and the readable storage medium for establishing session connection provided by the embodiment of the application, SPA data packets sent by a client are received; the method comprises the steps of obtaining a digital signature and transmission information contained in an SPA data packet, wherein the digital signature is obtained after the transmission information is signed; acquiring a public key of the client according to the transmission information; verifying the digital signature according to the public key; if the verification result of the digital signature is based on the verification result of the digital signature, the client is confirmed to pass the verification, and session connection is established with the client. Therefore, the digital signature is adopted to perform validity verification on the SPA data packet, a private key for the digital signature is not required to be transmitted, the problem that the private key is stolen is avoided, and the network security of the SPA session is improved.
Fig. 8 shows a schematic structural diagram of an electronic device. Referring to fig. 8, an electronic device 8000 includes: a processor 8010, a memory 8020, a power supply 8030, a display unit 8040, and an input unit 8050.
The processor 8010 is a control center of the electronic device 8000, connects various components using various interfaces and wires, and performs various functions of the electronic device 8000 by running or executing software programs and/or data stored in the memory 8020, thereby monitoring the electronic device 8000 as a whole.
In an embodiment of the present application, the processor 8010 executes the method for session connection establishment provided by the embodiment shown in fig. 3 when it invokes a computer program stored in the memory 8020.
Optionally, the processor 8010 may include one or more processing units; preferably, the processor 8010 may integrate an application processor and a modem processor, wherein the application processor primarily handles operating systems, user interfaces, applications, etc., and the modem processor primarily handles wireless communications. It will be appreciated that the modem processor described above may not be integrated into the processor 8010. In some embodiments, the processor, memory, may be implemented on a single chip, and in some embodiments, they may be implemented separately on separate chips.
The memory 8020 may mainly include a storage program area and a storage data area, wherein the storage program area may store an operating system, various applications, and the like; the storage data area may store data created according to the use of the electronic device 8000, and the like. In addition, the memory 8020 can include high-speed random access memory, and can also include non-volatile memory, such as at least one magnetic disk storage device, flash memory device, or other volatile solid state storage device, and the like.
The electronic device 8000 also includes a power supply 8030 (e.g., a battery) that provides power to the various components, which may be logically coupled to the processor 8010 via a power management system, such that the power management system may be used to manage charging, discharging, and power consumption.
The display unit 8040 may be used to display information input by a user or information provided to the user, various menus of the electronic device 8000, and the like, and in the embodiment of the present invention, is mainly used to display a display interface of each application in the electronic device 8000 and objects such as text and pictures displayed in the display interface. The display unit 8040 may include a display panel 8041. The display panel 8041 may be configured in the form of a liquid crystal display (Liquid Crystal Display, LCD), an Organic Light-Emitting Diode (OLED), or the like.
The input unit 8050 may be used to receive information such as numbers or characters input by a user. The input unit 8050 may include a touch panel 8051 and other input devices 8052. Among other things, the touch panel 8051, also referred to as a touch screen, may collect touch operations thereon or thereabout by a user (e.g., operations of the user on the touch panel 8051 or thereabout using any suitable object or accessory such as a finger, stylus, etc.).
Specifically, the touch panel 8051 may detect a touch operation by a user, detect signals resulting from the touch operation, convert the signals into coordinates of contacts, send the coordinates of contacts to the processor 8010, and receive and execute a command sent from the processor 8010. In addition, the touch panel 8051 may be implemented in various types such as resistive, capacitive, infrared, and surface acoustic wave. Other input devices 8052 may include, but are not limited to, one or more of a physical keyboard, function keys (e.g., volume control keys, on-off keys, etc.), a trackball, mouse, joystick, etc.
Of course, the touch panel 8051 may cover the display panel 8041, and when the touch panel 8051 detects a touch operation thereon or thereabout, the touch panel is transmitted to the processor 8010 to determine the type of touch event, and then the processor 8010 provides a corresponding visual output on the display panel 8041 according to the type of touch event. Although in fig. 8, the touch panel 8051 and the display panel 8041 are two separate components to implement the input and output functions of the electronic device 8000, in some embodiments, the touch panel 8051 may be integrated with the display panel 8041 to implement the input and output functions of the electronic device 8000.
The electronic device 8000 may also include one or more sensors, such as a pressure sensor, a gravitational acceleration sensor, a proximity light sensor, and the like. Of course, the electronic device 8000 may also include other components such as a camera, as desired in a particular application, which are not shown in fig. 8 and will not be described in detail since these components are not the components that are important in embodiments of the present application.
It will be appreciated by those skilled in the art that fig. 8 is merely an example of an electronic device and is not meant to be limiting and that more or fewer components than shown may be included or certain components may be combined or different components.
In an embodiment of the present application, a readable storage medium has stored thereon a computer program which, when executed by a processor, enables a communication device to perform the steps of the above-described embodiments.
For convenience of description, the above parts are described as being functionally divided into modules (or units) respectively. Of course, the functions of each module (or unit) may be implemented in the same piece or pieces of software or hardware when implementing the present application.
It will be appreciated by those skilled in the art that embodiments of the present application may be provided as a method, system, or computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present application is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems) and computer program products according to embodiments of the application. It will be understood that each flow and/or block of the flowchart illustrations and/or block diagrams, and combinations of flows and/or blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
While preferred embodiments of the present application have been described, additional variations and modifications in those embodiments may occur to those skilled in the art once they learn of the basic inventive concepts. It is therefore intended that the following claims be interpreted as including the preferred embodiments and all such alterations and modifications as fall within the scope of the application.
It will be apparent to those skilled in the art that various modifications and variations can be made to the present application without departing from the spirit or scope of the application. Thus, it is intended that the present application also include such modifications and alterations insofar as they come within the scope of the appended claims or the equivalents thereof.
Claims (16)
1. A method for session connection establishment, comprising:
Receiving a single-packet authorization technology SPA data packet sent by a client;
the digital signature and the transmission information contained in the SPA data packet are obtained after the transmission information is signed;
acquiring a public key of the client according to the transmission information;
verifying the digital signature according to the public key;
if the verification of the client is determined to pass based on the signature verification result of the digital signature, session connection is established with the client;
if the verification result of the digital signature is based on the verification result of the digital signature, the session connection is established with the client if the verification of the client is determined to pass, and the method comprises the following steps:
if the signature verification result of the digital signature represents that signature verification is passed, verifying the freshness number contained in the transmission information; if the freshness verification is confirmed to pass, acquiring authorization permission information according to the transmission information; performing authorization permission verification on the client according to the authorization permission information; if the authorization permission verification is confirmed to pass, session connection is established with the client;
if the authorization permission condition is that the session request frequency is lower than the request frequency threshold, performing authorization permission verification on the client according to the authorization permission information, including:
Acquiring the session request frequency of the client in a specified time period, if the session request frequency is determined to be lower than the request frequency threshold, determining that the authorization permission verification is passed, otherwise, determining that the authorization permission verification is not passed;
the verifying the freshness number contained in the transmission information comprises the following steps:
determining the time difference between the fresh number and the current time, and if the time difference is lower than a preset time threshold value, determining that the verification of the fresh number is passed; or, obtaining the current sequence number stored locally, if the freshness number is determined to be greater than the current sequence number, determining that the freshness number passes verification, and updating the current sequence number to the freshness number.
2. The method of claim 1, wherein obtaining the public key of the client based on the transmission information comprises:
acquiring client identification information contained in the transmission information, and locally acquiring a public key stored in association with the client identification information; or alternatively, the process may be performed,
acquiring client identification information contained in the transmission information, locally acquiring a digital certificate stored in association with the client identification information, and acquiring a public key of the client from the digital certificate; or alternatively, the process may be performed,
And acquiring the digital certificate contained in the transmission information, and acquiring the public key of the client from the digital certificate.
3. The method of any one of claims 1-2, further comprising, prior to receiving the SPA packet sent by the client:
receiving a registration request message sent by the client;
acquiring client identification information, a public key and private key proving information contained in the registration request message, wherein the private key proving information is generated for the public key and the client identification information based on the private key;
verifying the private key certification information according to the public key and the client identification information to obtain a private key verification result;
if the registration verification is determined to pass based on the private key verification result, storing the client identification information and the public key in an associated mode;
and returning a registration passing response message to the client.
4. The method of claim 3, wherein storing the client identification information in association with the public key if registration verification is determined to pass based on the private key verification result, comprises:
if the private key verification result represents that the private key verification is passed, acquiring client side credential information further contained in the registration request message;
Acquiring locally stored legal credential information set for client identification information;
and if the legal credential information is consistent with the client credential information, storing the client identification information and the public key in an associated mode.
5. The method of claim 4, wherein storing the client identification information in association with the public key if it is determined that the legal credential information is consistent with the client credential information, comprises:
if the legal credential information is determined to be consistent with the client credential information, generating authorization permission information of the client;
storing the client identification information, the public key and the authorization permission information in a local association mode, or sending the authorization permission information to the client and receiving a digital certificate returned by the client;
wherein the digital certificate is generated based on the client identification information, the public key, and the authorization permission information.
6. A method for session connection establishment, applied to a client, comprising:
signing the transmission information through a private key to obtain a digital signature; the transmission information comprises freshness and authorization permission information;
Sending a single-packet authorization technology SPA data packet containing the digital signature and the transmission information to a server, so that the server verifies the digital signature according to the transmission information;
determining that a verification passing response message returned by the server based on a signature verification result is received, and establishing session connection with the server;
the step of verifying the digital signature by the server according to the transmission information specifically includes:
if signature verification results of the digital signature represent signature verification, verifying the freshness number contained in the transmission information; if the freshness verification is confirmed to pass, acquiring authorization permission information according to the transmission information; performing authorization permission verification on the client according to the authorization permission information; determining that the authorization grant verification passes;
if the authorization permission condition is that the session request frequency is lower than the request frequency threshold, performing authorization permission verification on the client according to the authorization permission information, including:
acquiring the session request frequency of the client in a specified time period, if the session request frequency is determined to be lower than the request frequency threshold, determining that the authorization permission verification is passed, otherwise, determining that the authorization permission verification is not passed;
The verifying the freshness number contained in the transmission information comprises the following steps:
determining the time difference between the fresh number and the current time, and if the time difference is lower than a preset time threshold value, determining that the verification of the fresh number is passed; or, obtaining the current sequence number stored locally, if the freshness number is determined to be greater than the current sequence number, determining that the freshness number passes verification, and updating the current sequence number to the freshness number.
7. The method of claim 6, further comprising, prior to sending a SPA packet containing the digital signature and the transmission information to a server:
acquiring client identification information, and generating a public key and a corresponding private key;
generating private key certification information aiming at the public key and the client identification information according to the private key;
sending a registration request message containing the client identification information, the public key and the private key certification information to a server, so that the server verifies the private key certification information according to the public key and the client identification information;
and receiving a registration passing response message returned by the server side when the registration verification is determined to pass based on the private key verification result.
8. An apparatus for session connection establishment, comprising:
the receiving unit is used for receiving the SPA data packet sent by the client;
the first acquisition unit is used for acquiring a digital signature and transmission information contained in the SPA data packet, wherein the digital signature is obtained after signing the transmission information;
the second acquisition unit is used for acquiring the public key of the client according to the transmission information;
the verification unit is used for verifying the digital signature according to the public key;
the connection unit is used for establishing session connection with the client if the client is determined to pass verification based on the signature verification result of the digital signature;
the connecting unit is specifically used for: if the signature verification result of the digital signature represents that signature verification is passed, verifying the freshness number contained in the transmission information; if the freshness verification is confirmed to pass, acquiring authorization permission information according to the transmission information; performing authorization permission verification on the client according to the authorization permission information; if the authorization permission verification is confirmed to pass, session connection is established with the client;
If the authorization permission condition is that the session request frequency is lower than the request frequency threshold, the connection unit is specifically configured to:
acquiring the session request frequency of the client in a specified time period, if the session request frequency is determined to be lower than the request frequency threshold, determining that the authorization permission verification is passed, otherwise, determining that the authorization permission verification is not passed;
the connection unit is used for:
determining the time difference between the fresh number and the current time, and if the time difference is lower than a preset time threshold value, determining that the verification of the fresh number is passed; or alternatively, the process may be performed,
and acquiring a current sequence number stored locally, if the fresh number is determined to be larger than the current sequence number, determining that the verification of the fresh number is passed, and updating the current sequence number to the fresh number.
9. The apparatus of claim 8, wherein the second acquisition unit is to:
acquiring client identification information contained in the transmission information, and locally acquiring a public key stored in association with the client identification information; or alternatively, the process may be performed,
acquiring client identification information contained in the transmission information, locally acquiring a digital certificate stored in association with the client identification information, and acquiring a public key of the client from the digital certificate; or alternatively, the process may be performed,
And acquiring the digital certificate contained in the transmission information, and acquiring the public key of the client from the digital certificate.
10. The apparatus of any of claims 8-9, wherein the receiving unit is further configured to:
receiving a registration request message sent by the client;
acquiring client identification information, a public key and private key proving information contained in the registration request message, wherein the private key proving information is generated for the public key and the client identification information based on the private key;
verifying the private key certification information according to the public key and the client identification information to obtain a private key verification result;
if the registration verification is determined to pass based on the private key verification result, storing the client identification information and the public key in an associated mode;
and returning a registration passing response message to the client.
11. The apparatus of claim 10, wherein the receiving unit is further for:
if the private key verification result represents that the private key verification is passed, acquiring client side credential information further contained in the registration request message;
acquiring locally stored legal credential information set for client identification information;
And if the legal credential information is consistent with the client credential information, storing the client identification information and the public key in an associated mode.
12. The apparatus of claim 11, wherein the receiving unit is further for:
if the legal credential information is determined to be consistent with the client credential information, generating authorization permission information of the client;
storing the client identification information, the public key and the authorization permission information in a local association mode, or sending the authorization permission information to the client and receiving a digital certificate returned by the client;
wherein the digital certificate is generated based on the client identification information, the public key, and the authorization permission information.
13. An apparatus for session connection establishment, applied to a client, comprising:
the obtaining unit is used for signing the transmission information through the private key to obtain a digital signature; the transmission information comprises freshness and authorization permission information;
the sending unit is used for sending a single-packet authorization technology SPA data packet containing the digital signature and the transmission information to the server, so that the server verifies the digital signature according to the transmission information;
The connection unit is used for determining that a verification passing response message returned by the server based on a signature verification result is received, and establishing session connection with the server;
the step of verifying the digital signature by the server according to the transmission information specifically includes:
if signature verification results of the digital signature represent signature verification, verifying the freshness number contained in the transmission information; if the freshness verification is confirmed to pass, acquiring authorization permission information according to the transmission information; performing authorization permission verification on the client according to the authorization permission information; determining that the authorization grant verification passes;
if the authorization permission condition is that the session request frequency is lower than the request frequency threshold, performing authorization permission verification on the client according to the authorization permission information, including:
acquiring the session request frequency of the client in a specified time period, if the session request frequency is determined to be lower than the request frequency threshold, determining that the authorization permission verification is passed, otherwise, determining that the authorization permission verification is not passed;
the verifying the freshness number contained in the transmission information comprises the following steps:
Determining the time difference between the fresh number and the current time, and if the time difference is lower than a preset time threshold value, determining that the verification of the fresh number is passed; or, obtaining the current sequence number stored locally, if the freshness number is determined to be greater than the current sequence number, determining that the freshness number passes verification, and updating the current sequence number to the freshness number.
14. The apparatus of claim 13, wherein the obtaining unit is further configured to:
acquiring client identification information, and generating a public key and a corresponding private key;
generating private key certification information aiming at the public key and the client identification information according to the private key;
sending a registration request message containing the client identification information, the public key and the private key certification information to a server, so that the server verifies the private key certification information according to the public key and the client identification information;
and receiving a registration passing response message returned by the server side when the registration verification is determined to pass based on the private key verification result.
15. An electronic device comprising a processor and a memory storing computer readable instructions which, when executed by the processor, perform the steps of the method of any of claims 1-5 or 6-7.
16. A readable storage medium having stored thereon a computer program, which when executed by a processor performs the steps of the method according to any of claims 1-5 or 6-7.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202110277998.XA CN112968971B (en) | 2021-03-15 | 2021-03-15 | Method, device, electronic equipment and readable storage medium for establishing session connection |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202110277998.XA CN112968971B (en) | 2021-03-15 | 2021-03-15 | Method, device, electronic equipment and readable storage medium for establishing session connection |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN112968971A CN112968971A (en) | 2021-06-15 |
| CN112968971B true CN112968971B (en) | 2023-08-15 |
Family
ID=76279361
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202110277998.XA Active CN112968971B (en) | 2021-03-15 | 2021-03-15 | Method, device, electronic equipment and readable storage medium for establishing session connection |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN112968971B (en) |
Families Citing this family (5)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN114257471B (en) * | 2021-11-09 | 2024-04-05 | 网宿科技股份有限公司 | Authentication method, network device and storage medium |
| CN114389813A (en) * | 2021-11-26 | 2022-04-22 | 北京升明科技有限公司 | Method, device, equipment and storage medium for access authorization of browser |
| CN114553430B (en) * | 2022-01-21 | 2024-02-06 | 华北电力大学 | SDP-based safety access system for power service terminal |
| CN115333761B (en) * | 2022-03-29 | 2023-09-26 | 中国船舶集团有限公司第七一一研究所 | Equipment communication method and device applied to ship and server |
| CN115333779A (en) * | 2022-07-15 | 2022-11-11 | 天翼云科技有限公司 | Method and device for verifying data and electronic equipment |
Citations (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN106790183A (en) * | 2016-12-30 | 2017-05-31 | 广州华多网络科技有限公司 | Logging on authentication method of calibration, device |
| CN108023873A (en) * | 2017-11-08 | 2018-05-11 | 深圳市文鼎创数据科技有限公司 | channel establishing method and terminal device |
| CN111586025A (en) * | 2020-04-30 | 2020-08-25 | 广州市品高软件股份有限公司 | SDN-based SDP security group implementation method and security system |
| CN112039848A (en) * | 2020-08-05 | 2020-12-04 | 北京链飞未来科技有限公司 | Web authentication method, system and device based on block chain public key digital signature |
Family Cites Families (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US8856892B2 (en) * | 2012-06-27 | 2014-10-07 | Sap Ag | Interactive authentication |
| US20170070353A1 (en) * | 2015-09-08 | 2017-03-09 | Gemalto Inc. | Method of managing credentials in a server and a client system |
-
2021
- 2021-03-15 CN CN202110277998.XA patent/CN112968971B/en active Active
Patent Citations (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN106790183A (en) * | 2016-12-30 | 2017-05-31 | 广州华多网络科技有限公司 | Logging on authentication method of calibration, device |
| CN108023873A (en) * | 2017-11-08 | 2018-05-11 | 深圳市文鼎创数据科技有限公司 | channel establishing method and terminal device |
| CN111586025A (en) * | 2020-04-30 | 2020-08-25 | 广州市品高软件股份有限公司 | SDN-based SDP security group implementation method and security system |
| CN112039848A (en) * | 2020-08-05 | 2020-12-04 | 北京链飞未来科技有限公司 | Web authentication method, system and device based on block chain public key digital signature |
Also Published As
| Publication number | Publication date |
|---|---|
| CN112968971A (en) | 2021-06-15 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN112968971B (en) | Method, device, electronic equipment and readable storage medium for establishing session connection | |
| US11799656B2 (en) | Security authentication method and device | |
| CN110537346B (en) | Safe decentralized domain name system | |
| US9992176B2 (en) | Systems and methods for encrypted communication in a secure network | |
| CN110069918B (en) | Efficient double-factor cross-domain authentication method based on block chain technology | |
| CN102647461B (en) | Communication means based on HTTP, server, terminal | |
| US8285989B2 (en) | Establishing a secured communication session | |
| US20170214664A1 (en) | Secure connections for low power devices | |
| US9225702B2 (en) | Transparent client authentication | |
| US8683209B2 (en) | Method and apparatus for pseudonym generation and authentication | |
| US10601590B1 (en) | Secure secrets in hardware security module for use by protected function in trusted execution environment | |
| CN106878318A (en) | A kind of block chain real time polling cloud system | |
| CN106790045B (en) | distributed virtual machine agent device based on cloud environment and data integrity guarantee method | |
| CN110933484A (en) | Management method and device of wireless screen projection equipment | |
| CN105681470A (en) | Communication method, server and terminal based on hypertext transfer protocol | |
| TWI526871B (en) | Server, user device, and user device and server interaction method | |
| CN112533202A (en) | Identity authentication method and device | |
| CN115001841A (en) | Identity authentication method, identity authentication device and storage medium | |
| CN114513339A (en) | Security authentication method, system and device | |
| CN113904830B (en) | SPA authentication method, SPA authentication device, electronic equipment and readable storage medium | |
| CN114065170A (en) | Method and device for acquiring platform identity certificate and server | |
| Tomar et al. | Image based authentication with secure key exchange mechanism in cloud | |
| KR20110016186A (en) | The method for preventing changing the authority of information data | |
| CN114389802B (en) | Information decryption method and device, electronic equipment and readable storage medium | |
| US20230291549A1 (en) | Securely sharing secret information through an unsecure channel |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| GR01 | Patent grant | ||
| GR01 | Patent grant |