CN112968971A

CN112968971A - Method and device for establishing session connection, electronic equipment and readable storage medium

Info

Publication number: CN112968971A
Application number: CN202110277998.XA
Authority: CN
Inventors: 夏冰冰; 张妍
Original assignee: BEIJING CERTIFICATE AUTHORITY
Current assignee: BEIJING CERTIFICATE AUTHORITY
Priority date: 2021-03-15
Filing date: 2021-03-15
Publication date: 2021-06-15
Anticipated expiration: 2041-03-15
Also published as: CN112968971B

Abstract

The application belongs to the technical field of communication, and discloses a method, a device, electronic equipment and a readable storage medium for establishing session connection, wherein the method comprises the following steps: receiving an SPA data packet sent by a client; acquiring a digital signature and transmission information contained in an SPA data packet; acquiring a public key of the client according to the transmission information; verifying the digital signature according to the public key; and if the client passes the verification based on the signature verification result of the digital signature, establishing session connection with the client. Therefore, the digital signature is adopted to carry out validity verification on the SPA data packet, a private key for the digital signature does not need to be transmitted, the problem that the private key is stolen is avoided, and the network security of the SPA session is improved.

Description

Method and device for establishing session connection, electronic equipment and readable storage medium

Technical Field

The present application relates to the field of communications technologies, and in particular, to a method and an apparatus for establishing a session connection, an electronic device, and a readable storage medium.

Background

A Single Packet Authorization (SPA) technique refers to a technique in which, before a network session is established, a responder of a network connection authenticates and authorizes a requester through an SPA Packet sent by the requester of the network connection. SPA techniques may prevent unauthorized requestors from establishing session connections with responders, thereby identifying and blocking connection requests by attackers prior to session establishment.

However, in the prior art, when establishing an SPA session connection, an attacker can often forge a legal SPA packet and establish a session connection with a responder through the forged SPA packet.

Therefore, when an SPA session connection is established, how to improve the security of the SPA session establishment is a technical problem to be solved.

Disclosure of Invention

The embodiment of the application aims to provide a session connection establishment method, a session connection establishment device, electronic equipment and a readable storage medium, which are used for improving the security of SPA session establishment when an SPA session connection is established.

In one aspect, a method for session connection establishment is provided, including:

receiving an SPA data packet sent by a client;

acquiring a digital signature and transmission information contained in an SPA data packet, wherein the digital signature is acquired after the transmission information is signed;

acquiring a public key of the client according to the transmission information;

verifying the digital signature according to the public key;

and if the client passes the verification based on the signature verification result of the digital signature, establishing session connection with the client.

In the implementation process, when the SPA session connection is established, the digital signature is adopted to carry out validity verification on the SPA data packet, and a private key for the digital signature does not need to be transmitted, so that the problem that the private key is stolen is avoided, and the network security of the SPA session is improved.

Preferably, obtaining the public key of the client according to the transmission information includes:

acquiring client identification information contained in the transmission information, and acquiring a public key which is stored in association with the client identification information from a local place; alternatively, the first and second electrodes may be,

acquiring client identification information contained in the transmission information, acquiring a digital certificate which is stored in association with the client identification information from a local place, and acquiring a public key of the client from the digital certificate; alternatively, the first and second electrodes may be,

and acquiring the digital certificate contained in the transmission information, and acquiring the public key of the client from the digital certificate.

In the implementation process, the public key can be stored by adopting a local database or a digital certificate, so that the safety of public key storage is improved.

Preferably, if it is determined that the client is verified based on the signature verification result of the digital signature, establishing a session connection with the client includes:

if the signature verification result of the digital signature represents that the signature verification passes, verifying the fresh number contained in the transmission information;

if the fresh number is determined to pass the verification, obtaining authorization permission information according to the transmission information;

according to the authorization permission information, authorization permission verification is carried out on the client;

and if the authorization permission is determined to pass the verification, establishing session connection with the client.

In the implementation process, the repeated SPA data packets can be identified only through the fresh number without storing the hash values and other data of all historical SPA data packets, so that the steps of SPA data packet replay attack protection are simplified.

Preferably, the verification of the freshness number contained in the transmission information includes:

determining the time difference between the fresh number and the current time, and if the time difference is lower than a preset time threshold, determining that the fresh number passes verification; alternatively, the first and second electrodes may be,

and acquiring a current sequence number stored locally, if the freshness number is larger than the current sequence number, determining that the freshness number passes verification, and updating the current sequence number into the freshness number.

In the above implementation, time-related data or sequence numbers may be used as the freshness numbers.

Preferably, before receiving the SPA packet sent by the client, the method further includes:

receiving a registration request message sent by a client;

acquiring client identification information, a public key and private key certification information contained in the registration request message, wherein the private key certification information is generated aiming at the public key and the client identification information based on the private key;

verifying the private key certification information according to the public key and the client identification information to obtain a private key verification result;

if the registration verification is determined to pass based on the private key verification result, the client identification information and the public key are stored in an associated manner;

and returning a registration pass response message to the client.

In the implementation process, before the session is established and connected, the client is registered through the client identification information, the public key and the private key certification information, so that the security of the subsequent network session establishment is improved.

Preferably, if it is determined that the registration verification passes based on the private key verification result, the associating and storing the client identification information and the public key includes:

if the private key verification result represents that the private key verification passes, client certificate information contained in the registration request message is obtained;

acquiring locally stored legal certificate information set aiming at client identification information;

and if the legal certificate information is consistent with the client certificate information, the client identification information and the public key are stored in an associated manner.

In the implementation process, the legality of the client is ensured through the client certificate information.

Preferably, if it is determined that the legal credential information is consistent with the client credential information, the client identification information and the public key are stored in association, including:

if the legal certificate information is consistent with the client certificate information, generating authorization permission information of the client;

storing the client identification information, the public key and the authorization license information in a local association manner, or sending the authorization license information to the client and receiving a digital certificate returned by the client;

wherein the digital certificate is generated based on the client identification information, the public key, and the authorization license information.

In the implementation process, the client identification information, the public key and the authorization permission information are stored in a local database or a digital certificate in an associated manner, so that the storage safety of the client identification information, the public key and the authorization permission information is improved.

signing the transmission information through a private key to obtain a digital signature;

sending an SPA data packet containing the digital signature and the transmission information to the server side, so that the server side verifies the digital signature according to the transmission information;

and determining that the received verification passing response message returned by the server based on the signature verification result establishes session connection with the server.

Preferably, before sending the SPA packet containing the digital signature and the transmission information to the server, the method further includes:

acquiring client identification information, and generating a public key and a corresponding private key;

generating private key certification information aiming at the public key and the client identification information according to the private key;

sending a registration request message containing client identification information, a public key and private key certification information to a server, so that the server verifies the private key certification information according to the public key and the client identification information;

and receiving a registration passing response message returned by the server side when the server side determines that the registration passes the verification based on the private key verification result.

In one aspect, an apparatus for session connection establishment is provided, including:

the receiving unit is used for receiving the SPA data packet sent by the client;

the device comprises a first acquisition unit, a second acquisition unit and a third acquisition unit, wherein the first acquisition unit is used for acquiring a digital signature and transmission information contained in an SPA data packet, and the digital signature is obtained after the transmission information is signed;

the second obtaining unit is used for obtaining the public key of the client according to the transmission information;

the verification unit is used for verifying the digital signature according to the public key;

and the connection unit is used for establishing session connection with the client if the client passes the verification determined based on the signature verification result of the digital signature.

Preferably, the second obtaining unit is configured to:

Preferably, the connection unit is configured to:

Preferably, the receiving unit is further configured to:

receiving a registration request message sent by a client;

and returning a registration pass response message to the client.

Preferably, the receiving unit is further configured to:

the obtaining unit is used for signing the transmission information through a private key to obtain a digital signature;

the sending unit is used for sending the SPA data packet containing the digital signature and the transmission information to the server side, so that the server side verifies the digital signature according to the transmission information;

and the connection unit is used for determining that the received verification passing response message returned by the server based on the signature verification result establishes session connection with the server.

Preferably, the obtaining unit is configured to:

In one aspect, an electronic device is provided, which includes a processor and a memory, where the memory stores computer-readable instructions that, when executed by the processor, perform the steps of the method provided in any of the various alternative implementations of session connection establishment described above.

In one aspect, a readable storage medium is provided, on which a computer program is stored, which, when being executed by a processor, performs the steps of the method as provided in any of the various alternative implementations of session connection establishment described above.

Additional features and advantages of the application will be set forth in the description which follows, and in part will be obvious from the description, or may be learned by the practice of the application. The objectives and other advantages of the application may be realized and attained by the structure particularly pointed out in the written description and claims hereof as well as the appended drawings.

Drawings

In order to more clearly illustrate the technical solutions of the embodiments of the present application, the drawings that are required to be used in the embodiments of the present application will be briefly described below, it should be understood that the following drawings only illustrate some embodiments of the present application and therefore should not be considered as limiting the scope, and that those skilled in the art can also obtain other related drawings based on the drawings without inventive efforts.

Fig. 1 is a schematic view of an application scenario provided in an embodiment of the present application;

fig. 2 is a flowchart illustrating an implementation of a registration method according to an embodiment of the present disclosure;

fig. 3 is a flowchart of an implementation of a method for establishing a session connection according to an embodiment of the present application;

fig. 4 is an interaction flowchart of a registration method according to an embodiment of the present application;

fig. 5 is an interaction flowchart of a session connection establishment method according to an embodiment of the present application;

fig. 6 is a first schematic structural diagram of an apparatus for session connection establishment according to an embodiment of the present disclosure;

fig. 7 is a schematic structural diagram of an apparatus for establishing a session connection according to an embodiment of the present application;

fig. 8 is a schematic structural diagram of an electronic device according to an embodiment of the present application.

Detailed Description

The technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are only a part of the embodiments of the present application, and not all of the embodiments. The components of the embodiments of the present application, generally described and illustrated in the figures herein, can be arranged and designed in a wide variety of different configurations. Thus, the following detailed description of the embodiments of the present application, presented in the accompanying drawings, is not intended to limit the scope of the claimed application, but is merely representative of selected embodiments of the application. All other embodiments, which can be derived by a person skilled in the art from the embodiments of the present application without making any creative effort, shall fall within the protection scope of the present application.

It should be noted that: like reference numbers and letters refer to like items in the following figures, and thus, once an item is defined in one figure, it need not be further defined and explained in subsequent figures. Meanwhile, in the description of the present application, the terms "first", "second", and the like are used only for distinguishing the description, and are not to be construed as indicating or implying relative importance.

First, some terms referred to in the embodiments of the present application will be described to facilitate understanding by those skilled in the art.

The terminal equipment: may be a mobile terminal, a fixed terminal, or a portable terminal such as a mobile handset, station, unit, device, multimedia computer, multimedia tablet, internet node, communicator, desktop computer, laptop computer, notebook computer, netbook computer, tablet computer, personal communication system device, personal navigation device, personal digital assistant, audio/video player, digital camera/camcorder, positioning device, television receiver, radio broadcast receiver, electronic book device, gaming device, or any combination thereof, including the accessories and peripherals of these devices, or any combination thereof. It is also contemplated that the terminal device can support any type of interface to the user (e.g., wearable device), and the like.

A server: the cloud server can be an independent physical server, a server cluster or a distributed system formed by a plurality of physical servers, and can also be a cloud server for providing basic cloud computing services such as cloud service, a cloud database, cloud computing, cloud functions, cloud storage, network service, cloud communication, middleware service, domain name service, security service, big data and artificial intelligence platform and the like.

SPA technique: before the network session is established, the responder of the network connection authenticates and authorizes the requester through the SPA data packet sent by the requester of the network connection. The core of the SPA technology is a set of network protocols, which are completed by the interaction of a client installed on a requesting device and a server installed on a responding device. The server does not respond to any access SPA packet in the default state, but will continue to check the contents of all received SPA packets. When a legal SPA data packet constructed and sent by a legal client is detected, the server temporarily opens a specific connection mode according to request information in the SPA data packet, and allows the specific client and the server to establish an effective session. After the session is established, the server side returns to the default state and still does not respond to any access SPA data packet. The established session is not affected and the network resources required for access are continuously used by the requesting party. SPA techniques may prevent unauthorized requestors from establishing session connections with responders, thereby identifying and blocking connection requests by attackers prior to session establishment.

Quotient secret No. 2 (SM2) algorithm: the elliptic curve public key cryptographic algorithm is issued by the national cryptographic administration and is mainly used for digital signature, data encryption, key exchange, identity authentication and the like.

Quotient secret No. 9 (SM9) algorithm: the identification cryptographic algorithm is an algorithm that uses the user's identification (e.g., mail address, mobile phone number, QQ number, etc.) as a public key. The SM9 algorithm omits the process of exchanging digital certificates and public keys, so that the security system becomes easy to deploy and manage, and is very suitable for various occasions of end-to-end off-line security communication, cloud data encryption, attribute-based encryption and policy-based encryption.

Physical Address (Media Access Control Address, MAC): the address for identifying the location of the network device is specifically used for uniquely identifying a network card in the network, and if one or more network cards exist in a device, each network card needs to have a unique MAC address.

In order to improve the security of SPA session establishment when an SPA session connection is established, embodiments of the present application provide a session connection establishment method, apparatus, electronic device, and readable storage medium.

Fig. 1 is a schematic view of an application scenario provided in the embodiment of the present application. The application scenario includes an electronic device 101 and a requestor device 102. The electronic device 101 is a responder device, which may be a server or a terminal device, for requesting to establish a session connection by a requester. The requestor device 102 may be a terminal device. The electronic device 101 is installed with a server, and the requester device 102 is installed with a client, optionally, the electronic device 101 may be installed with an SPA server, and the requester device 102 may be installed with an SPA client.

In the embodiment of the present application, the application scenario includes a registration stage and a session connection establishment stage of a client.

In the registration stage, the client generates private key certification information for verifying whether the client holds a legal private key or not aiming at the public key and the client identification information based on the private key, and sends a registration request message containing the client identification information, the public key and the private key certification information to the server. The server side verifies the private key certification information according to the public key and the client side identification information, judges whether the registration verification is passed or not based on the private key verification result, if the client side is confirmed to pass the registration verification, the client side identification information and the public key are stored in an associated mode, so that a session connection request of the client side can be verified through the client side identification information and the public key in a subsequent session connection establishment stage, and if the client side is confirmed not to pass the registration verification, the client side cannot perform subsequent session connection.

In the session connection establishment phase, the client sends an SPA data packet containing transmission information and a corresponding digital signature to the server. And the server side verifies the digital signature based on the transmission information in the SPA data packet, establishes session connection with the client side when the client side passes the verification based on the signature verification result, and refuses to establish the session connection with the client side if the client side passes the verification.

In the embodiment of the application, before the session connection based on the SPA is established, the client registers at the server. Referring to fig. 2, an implementation flow chart of a registration method provided in the embodiment of the present application is shown, and a specific implementation flow of the method is as follows:

step 200: the client acquires the client identification information and generates a key pair comprising a public key and a private key by adopting an asymmetric encryption algorithm.

Specifically, the asymmetric encryption algorithm is an algorithm supporting digital signature operation. The public key pk and the private key sk contained in each key pair are not identical.

Alternatively, the asymmetric encryption Algorithm may be a national secret SM2 Algorithm, a national secret SM9 Algorithm, a public key encryption (Rivest Shamir Adleman, RSA) Algorithm, an Elliptic Curve Digital Signature (ECDSA) Algorithm, or the like.

In practical application, the asymmetric encryption algorithm may also be set according to a practical application scenario, which is not limited herein.

It should be noted that the private key is stored and used by the client and is not provided to other entity devices, so that an attacker cannot steal the private key of the client in the key transmission process, and the security of the private key is ensured.

Step 201: the client generates private key certification information for the public key and the client identification information based on the private key.

Specifically, the client performs digital signature on verification information composed of the client identification information and the public key through a private key to generate private key certification information.

In one embodiment, the client forms the verification information based on the client identification information and the public key, performs hash calculation on the verification information by using a hash algorithm to obtain a hash value, i.e., a message digest, and encrypts the hash value by using a private key to obtain an encrypted hash value, i.e., private key attestation information (PoP).

The verification information at least comprises client identification information and a public key. Optionally, the authentication information may also contain client credential information as well as other additional information. The client Identification Information (ID) is used to uniquely identify the client.

The private key certification information is used to certify that the client holds a legal private key, and the client credential information (IDProof) is used to verify the validity of the client, and may be a one-time password, and the like, which is not limited herein.

Alternatively, the client ID may be a device serial number, a user name, and a MAC address. The additional information may be time, sequence number, etc. The verification information may be in the form of a structure, an array, a set, and the like, and is not limited herein.

In practical application, the client ID and the additional information may be set according to a practical application scenario, which is not limited herein.

Step 202: the client sends a registration request message containing client identification information, a public key and private key certification information to the server.

Further, the client can also obtain client certificate information of the client, and send a registration request message containing client identification information, a public key, private key certification information and the client certificate information to the server.

It should be noted that before step 202 is executed, an administrator generates client credential information for the client in advance, and may send the client credential information to the client and send the client identification information and the client credential information to the server in manners of manual distribution, offline interaction, manual auditing, or the like, so as to avoid the client credential information being stolen in the distribution process and ensure the security of the client credential information distribution.

In one embodiment, the administrator inputs the client credential information in the client and the server, respectively, by manual input.

In one embodiment, the administrator distributes the client credential information to the client and the server, respectively, by means of short messages or emails.

In practical applications, other distribution methods may also be adopted to distribute the client credential information, which is not limited herein.

It should be noted that, since each device installed with the client needs to register only once, and then the subsequent session connection step can be performed, the offline interaction or manual review or distribution mode has little influence on the session connection efficiency.

Further, if the client has been registered in the server before, and re-registration is applied, the registration request message may not include the client credential information, and after the server obtains the public key of the client through the private key certification information, if it is determined that the public key has been registered and stored, it may be determined that the client is legitimate.

Step 203: the server receives a registration request message sent by the client.

Step 204: the server side obtains client side identification information, a public key and private key certification information contained in the registration request message.

Step 205: and the server side verifies the private key certification information according to the public key and the client side identification information to obtain a private key verification result.

Specifically, the server decrypts the private key certification information through the public key to obtain decrypted information, and verifies the decrypted information based on verification information composed of the client identification information and the public key.

In one embodiment, the server side performs hash calculation on verification information composed of client side identification information and a public key by using a hash algorithm to obtain a first hash value, decrypts private key certification information by using the public key to obtain a second hash value, namely decryption information, and determines that the private key passes verification if the first hash value is the same as the second hash value, or determines that the private key fails verification.

Further, if the private key verification fails, the client is determined not to pass the registration, and a registration failure response message is returned to the client.

Therefore, the client can prove that the client really holds the legal private key to other participants, such as a server, on the premise of not revealing the private key.

Step 206: and if the registration verification is determined to pass based on the private key verification result, the server stores the client identification information and the public key in an associated manner.

Specifically, when step 206 is executed, the server may adopt the following two ways:

the first mode is as follows: and if the private key verification result represents that the private key passes the verification, determining that the registration passes the verification, and storing the client ID and the public key in an associated manner.

Therefore, the client can judge that the registration verification is passed only by the private key certification information when the client really holds the legal private key.

The second way is: and if the private key verification result represents that the private key passes verification and the client certificate information passes verification, determining that the registration passes verification and storing the client ID and the public key in an associated manner.

Specifically, when the second method is adopted, the following steps may be adopted:

s2061: and if the private key verification result represents that the private key passes verification, acquiring client certificate information contained in the registration request message.

S2062: and obtaining legal certificate information corresponding to the client identification information of the client according to the corresponding relation between the stored client identification information and the legal certificate information.

Specifically, before step 202 is executed, the administrator generates client credential information for the client in advance, and sends the client credential information to the client and sends the client identification information and the client credential information to the server in a manner of manual distribution, offline interaction, and the like. The server takes the received client certificate information as the legal certificate information of the client, and stores the legal certificate information of the client and the client identification in a communication and association manner.

S2063: and if the legal certificate information is consistent with the client certificate information, the server stores the client identification information and the public key in an associated manner.

Specifically, if it is determined that the legal credential information is consistent with the client credential information, that is, the client is a legal client, the server stores the client identification information and the public key in an associated manner.

When the client identification information and the public key are stored in an associated manner, the following two ways can be adopted:

the first mode is as follows: and storing the client identification information and the public key in a local association manner.

In one embodiment, the client identification information and the public key are stored as a database record in a local database.

Further, if the legal credential information is determined to be consistent with the client credential information, the client registration is determined not to pass, and a registration failure response message is returned to the client.

Further, the server side can also generate authorization license information aiming at the client side, and store the client side identification information, the public key and the authorization license information in an associated manner.

Therefore, the client identification information and the public key can be locally stored in the server side in a database storage mode, or the client identification information, the public key and the authorization permission information can be locally stored in the server side.

The second way is: and sending the client identification information and the public key to the client, and receiving a digital certificate returned by the client based on the client identification information and the public key.

Specifically, the server sends the client identification information and the public key to the client. The client generates a digital certificate based on the client identification information and the public key, and returns the digital certificate to the server.

Further, the server side sends the client side identification information, the public key and the authorization permission information to the client side. The client generates a digital certificate based on the client identification information, the public key and the authorization permission information, and returns the digital certificate to the server.

Further, after the client generates and stores the digital certificate, the client may not send the digital certificate to the server. That is, the server does not store the digital certificate, but stores the digital certificate through the client, and when the subsequent client sends a session connection request to the server, the server only needs to send the digital certificate to the server.

The digital certificate may be generated based on the client identification information, the public key, and the license authorization information, or may be generated based on the client identification information and the public key.

Thus, the client identification information and the public key, or the client identification information, the public key and the authorization permission information, can be respectively used as different fields of the digital Certificate, the digital Certificate is used as a carrier, and the digital Certificate is issued after being checked by a Certificate Authority (CA) or a system with corresponding qualification. Therefore, the client identification information and the public key are stored or the client identification information, the public key and the authorization permission information are stored in a digital certificate mode. And, the digital certificate may be stored at the server or at the client.

Wherein, the authorization permission information (Auth) indicates that the server allows the client to operate in the network session. The authorization permission information includes authorization permission conditions for setting for the client, for example, through the authorization permission information, the server may set an IP address, a TCP port or a UDP port that the client can access, an application layer protocol that can be used, a session frequency range, a traffic range, and the like.

Optionally, the authorization permission information may be set according to any one or any combination of the following parameters:

internet Protocol (IP) addresses, Transmission Control Protocol (TCP) ports, User Datagram Protocol (UDP) ports, application layer protocols, session request frequency, and traffic restrictions.

In practical applications, the authorization permission information may be set according to practical application scenarios, and is not limited herein.

Therefore, the data such as the public key and the like are stored by adopting a safe database system or a digital certificate, so that an attacker is prevented from tampering or damaging the data, and the data safety is improved.

Step 207: and the server returns a registration pass response message to the client.

In practical application, the registration stage needs to be carried out in a safe network transmission environment, in the embodiment of the application, the client certificate information is distributed in a manual distribution mode or an off-line interaction mode, so that the client registers in the safe network environment, the client certificate information is prevented from being stolen, whether the client holds a legal private key or not is verified through the private key certification information, the legality of the client is verified through the client certificate information, and the registration safety of the client is improved.

In the embodiment of the application, after the client finishes the registration, the client can send a session connection request to the server to establish session connection with the server. Referring to fig. 3, an implementation flow chart of a method for establishing a session connection according to an embodiment of the present application is shown, and a specific implementation flow of the method is as follows:

step 300: the client signs the transmission information through the private key to obtain a digital signature.

Specifically, the transmission information includes any one or any combination of the following parameters: client identification information, digital certificates, freshness numbers, additional information, and authorization license information.

The digital signature is obtained by signing the transmission information. The Nonce is used to prevent an attacker from attacking the server in a manner of repeatedly sending the SPA packet to the server for many times. The additional information is information added according to an actual application scenario. The digital certificate is generated for the client identification information and the public key in the client registration stage.

Alternatively, the fresh number may be a serial number, such as an SPA packet serial number, or may be time-varying data, such as time, and is not limited herein.

Alternatively, the additional information (Info) may be device information, personnel information, a port requesting a connection, a digital certificate or a requested service, etc. Optionally, the additional information may also include a digital certificate.

In practical application, the freshness number and the additional information may be set according to a practical application scenario, which is not limited herein.

Step 301: and the client sends an SPA data packet containing the transmission information and the digital signature to the server.

It should be noted that, when transmitting the SPA packet, the SPA packet may be transmitted in the clear, or may be transmitted after being encrypted, so that the security of the SPA session is not affected.

Step 302: and the server receives the SPA data packet sent by the client and acquires the digital signature and the transmission information contained in the SPA data packet.

Step 303: and the server acquires the public key of the client according to the transmission information.

Specifically, when step 303 is executed, the server may adopt the following modes:

the first mode is as follows: and acquiring client identification information contained in the transmission information, and acquiring a public key stored in association with the client identification information from a local place.

Specifically, if it is determined that the client identification information and the public key are stored in the local association of the server, the public key corresponding to the client identification information of the client is directly obtained.

In one embodiment, after the client has been registered, the server stores the client identification information and the corresponding public key in a database in an associated manner, and then the server searches the public key of the client from the database through the client identification information of the client.

In this way, the public key can be directly obtained from the database local to the server.

The second way is: and acquiring client identification information contained in the transmission information, acquiring a digital certificate which is stored in association with the client identification information from a local place, and acquiring a public key of the client from the digital certificate.

Specifically, if it is determined that the public key is stored in a digital certificate manner and the server locally stores each digital certificate, the server obtains the digital certificate corresponding to the client identification information and obtains the public key of the client from the digital certificate.

In this way, the public key can be obtained from a digital certificate stored locally at the server.

The third mode is as follows: and acquiring the digital certificate contained in the transmission information, and acquiring the public key of the client from the digital certificate.

Specifically, if the transmission information of the SPA packet includes a digital certificate, the server acquires the digital certificate from the transmission information and acquires a public key included in the digital certificate.

Thus, the public key can be obtained from the digital certificate stored in the client.

Step 304: and the server side verifies the digital signature according to the public key.

Specifically, the server decrypts the digital signature through the public key to obtain decryption information, and judges whether the digital signature passes verification through the decryption information and the transmission information.

In one embodiment, if the decryption information and the transmission information are consistent, the server determines that the signature verification passes, otherwise, the server determines that the signature verification fails.

In one embodiment, the server performs hash calculation on the transmission information to obtain a third hash value, decrypts the digital signature by using the public key to obtain a fourth hash value, that is, decrypted information, and determines that the signature verification passes if the third hash value is the same as the fourth hash value, or determines that the signature verification does not pass if the third hash value is not the same as the fourth hash value.

Step 305: and if the client passes the verification based on the signature verification result of the digital signature, the server establishes session connection with the client.

Specifically, when step 305 is executed, the server may adopt the following steps:

s3051: and if the signature verification result of the digital signature represents that the signature verification passes, acquiring a fresh number contained in the transmission information.

Specifically, the transmission information further includes a fresh number.

S3052: and verifying the fresh number, and if the fresh number is verified to pass, acquiring authorization permission information according to the transmission information.

Specifically, the fresh number is used for preventing an attacker from attacking the server side in a mode of repeatedly sending the SPA data packet to the server side for many times. The additional information is information added according to an actual application scenario.

Alternatively, the freshness number may be a sequence number, such as an SPA packet sequence number, or may be time-varying data, such as time.

In one embodiment, setting the fresh number as time, the server acquires the current time, determines a time difference between the fresh number and the current time, and determines that the fresh number passes verification if the time difference is lower than a preset time threshold.

The preset time threshold represents a time size, for example, 5s, and in practical application, the preset time threshold may be set according to a practical application scenario, which is not limited herein.

In one embodiment, setting the fresh number as the serial number, the server obtains the current serial number stored locally, and if the fresh number is greater than the current serial number, the server determines that the fresh number passes verification, and updates the current serial number to the fresh number.

When obtaining the authorization permission information according to the transmission information, the server may adopt the following modes:

the first mode is as follows: and acquiring corresponding authorization permission information stored locally according to the client identification information in the transmission information.

Therefore, the server side can directly acquire the authorization permission information stored in association with the client side identification information from the local database.

The second way is: and acquiring a locally stored corresponding digital certificate according to the client identification information in the transmission information, and acquiring authorization permission information contained in the digital certificate.

Thus, the server can obtain the authorization license information from the locally stored digital certificate.

The third mode is as follows: and acquiring the digital certificate contained in the additional information of the transmission information, and acquiring the authorization permission information contained in the digital certificate.

Thus, the server can obtain the authorization permission information stored in the client.

S3053: and performing authorization permission verification on the client according to the authorization permission information.

Specifically, if the client is determined to meet the authorization permission condition in the authorization permission information, the authorization permission verification is determined to pass, otherwise, the authorization permission verification is determined not to pass.

In one embodiment, if the authorization condition in the authorization permission information is that the session request frequency is lower than the request frequency threshold, the server acquires the session request frequency of the client within a specified time period, and if the session request frequency is determined to be lower than the request frequency threshold, it is determined that the authorization permission verification passes, otherwise, it is determined that the authorization permission verification does not pass.

In one embodiment, if the authorization condition in the authorization permission information is that the application layer protocol is a designated protocol, the server obtains the application layer protocol currently transmitted by the client, and if the application layer protocol is the designated protocol, it is determined that the authorization permission verification passes, otherwise, it is determined that the authorization permission verification does not pass.

Further, the authorization permission condition may also be whether the port to which the client requests to access is a designated port, whether the concurrency number of the client is lower than a preset concurrency number threshold, and the like. In practical applications, the authorization permission condition may be set according to practical application scenarios, and is not limited herein.

S3054: and if the authorization permission is determined to pass the verification, establishing session connection with the client.

Specifically, if the authorization permission is determined to pass the verification, the server returns a verification passing response message to the client, and establishes session connection with the client.

The session connection establishment process may further include the steps of configuring a temporary permission rule in the local firewall by the server, waiting for the client to establish the session connection, and clearing the temporary permission rule after the session connection is established or overtime, which are not described herein again.

The above embodiments are further specifically described below with a specific registration application scenario. Referring to fig. 4, an interactive flowchart of a registration method provided in the embodiment of the present application is shown, and a specific implementation flow of the method is as follows:

step 400: the SPA client generates a key pair that contains a public key and a private key.

Specifically, when step 400 is executed, the specific steps refer to step 200, which is not described herein again.

Step 401: the SPA client generates private key certification information for the public key and the client identification information based on the private key.

Specifically, when step 401 is executed, the specific steps refer to step 201 described above, and are not described herein again.

Step 402: the SPA client sends a registration request message containing client identification information, a public key and private key certification information to the SPA server.

Specifically, when step 402 is executed, the specific steps refer to step 202, which is not described herein again.

Step 403: and the SPA server side verifies the corresponding private key certification information according to the public key in the registration request message and the client identification information to obtain a private key verification result.

Specifically, when step 403 is executed, the specific steps refer to step 205, which is not described herein again.

Step 404: and if the registration verification is determined to pass based on the private key verification result, the SPA server stores the client identification information and the public key in an associated manner.

Specifically, when step 404 is executed, the specific steps refer to step 206, which is not described herein again.

Step 405: the SPA server side returns a registration pass response message to the SPA client side.

The above embodiments are further specifically described below with a specific application scenario of session connection establishment. Referring to fig. 5, an interactive flowchart of a session connection establishment method provided in the embodiment of the present application is shown, and a specific implementation flow of the method is as follows:

step 500: the SPA client signs the transmission information through a private key to obtain a digital signature.

Specifically, when step 500 is executed, the specific steps refer to step 300, which is not described herein again.

Step 501: the SPA client sends an SPA data packet containing the transmission information and the digital signature to the SPA server.

Step 502: the SPA server side obtains the digital signature and the transmission information contained in the SPA data packet.

Specifically, when step 502 is executed, the specific steps refer to step 302 described above, and are not described herein again.

Step 503: and the SPA server side acquires the public key of the SPA client side according to the transmission information.

Specifically, when step 503 is executed, the specific steps refer to step 303 above, and are not described herein again.

Step 504: and the SPA server side verifies the digital signature according to the public key.

Specifically, when step 504 is executed, the specific steps refer to step 304, which is not described herein again.

Step 505: and if the signature verification is confirmed to be passed, the SPA server side verifies the fresh number contained in the transmission information.

Specifically, when step 505 is executed, the specific steps refer to step 305 described above, and are not described herein again.

Step 506: and if the fresh number is determined to pass the verification, the SPA server side acquires authorization permission information according to the transmission information.

Specifically, when step 506 is executed, the specific steps refer to step 305 described above, and are not described herein again.

Step 507: and the SPA server side performs authorization permission verification on the SPA client side according to the authorization permission information.

Specifically, when step 507 is executed, the specific steps refer to step 305, which is not described herein again.

Step 508: if the authorization permission is confirmed to pass the verification, the SPA server side returns a verification passing response message to the SPA client side and establishes session connection with the SPA client side.

Specifically, when step 508 is executed, the specific steps refer to step 305 described above, and are not described herein again.

In the embodiment of the application, whether the client side holds a legal private key or not is verified through private key certification information in a registration stage, the legality of the client side is verified through client side certificate information, and when the client side is determined to hold the legal private key and the client side is legal, client side identification information, a public key and authorization permission information are stored in an associated mode, so that an attacker can be prevented from impersonating identity or pretending to hold the private key in the registration stage. In the session connection establishment stage, the public key is obtained through the client identification information, and the digital signature is verified through the public key, so that whether the public key is matched with the client identification information or not can be verified, the legality of the data packet can be verified, a private key for the digital signature does not need to be transmitted in a registration process or a session connection establishment process, the problem that the private key is stolen is avoided, an attacker can be prevented from counterfeiting the identity, the security of the establishment of the SPA session connection can be ensured without a safe network transmission environment when the session connection is established, data such as hash values of all historical SPA data packets do not need to be stored, repeated SPA data packets can be identified only through fresh numbers, and the steps of the SPA data packet replay attack protection are simplified.

Based on the same inventive concept, the embodiment of the present application further provides a device for establishing a session connection, and because the principles of the device and the apparatus for solving the problems are similar to those of a method for establishing a session connection, the implementation of the device may refer to the implementation of the method, and repeated details are not repeated.

As shown in fig. 6, a schematic structural diagram of an apparatus for establishing a session connection according to an embodiment of the present application is shown, where the apparatus includes:

a receiving unit 611, configured to receive an SPA packet sent by a client;

a first obtaining unit 612, configured to obtain a digital signature and transmission information included in the SPA packet, where the digital signature is obtained after signing the transmission information;

a second obtaining unit 613, configured to obtain a public key of the client according to the transmission information;

a verification unit 614, configured to verify the digital signature according to the public key;

a connection unit 615, configured to establish a session connection with the client if it is determined that the client passes the verification based on the signature verification result of the digital signature.

Preferably, the second obtaining unit 613 is configured to:

Preferably, the connection unit 615 is configured to:

Preferably, the receiving unit 611 is further configured to:

receiving a registration request message sent by a client;

and returning a registration pass response message to the client.

Preferably, the receiving unit 611 is further configured to:

As shown in fig. 7, a schematic structural diagram of a device for establishing a session connection according to an embodiment of the present application is shown, where the device includes:

an obtaining unit 711, configured to sign the transmission information through a private key to obtain a digital signature;

a sending unit 712, configured to send an SPA packet including the digital signature and the transmission information to the server, so that the server verifies the digital signature according to the transmission information;

a connection unit 713, configured to determine that a verification-passing response message returned by the server based on the signature verification result is received, and establish session connection with the server.

Preferably, the obtaining unit 711 is configured to:

In the method, the device, the electronic device and the readable storage medium for establishing the session connection, the SPA data packet sent by the client is received; acquiring a digital signature and transmission information contained in an SPA data packet, wherein the digital signature is acquired after the transmission information is signed; acquiring a public key of the client according to the transmission information; verifying the digital signature according to the public key; and if the client passes the verification based on the signature verification result of the digital signature, establishing session connection with the client. Therefore, the digital signature is adopted to carry out validity verification on the SPA data packet, a private key for the digital signature does not need to be transmitted, the problem that the private key is stolen is avoided, and the network security of the SPA session is improved.

Fig. 8 shows a schematic structural diagram of an electronic device. Referring to fig. 8, the electronic device 8000 includes: a processor 8010, a memory 8020, a power supply 8030, a display unit 8040, and an input unit 8050.

The processor 8010 is the control center of the electronic device 8000, and it is to be understood that various functions of the electronic device 8000 may be performed by operating or executing software programs and/or data stored in the memory 8020 by connecting various components using various interfaces and lines, thereby performing overall monitoring of the electronic device 8000.

In this embodiment, the processor 8010, when calling a computer program stored in the memory 8020, executes the method for session connection establishment provided in the embodiment shown in fig. 3.

Alternatively, the processor 8010 may comprise one or more processing units; preferably, the processor 8010 may integrate the application processor, which handles primarily the operating system, user interface, applications, etc., and the modem processor, which handles primarily the wireless communications. It will be appreciated that the modem processor described above may not be integrated into the processor 8010. In some embodiments, the processor, memory, and/or memory may be implemented on a single chip, or in some embodiments, they may be implemented separately on separate chips.

The memory 8020 may mainly include a program storage area and a data storage area, in which an operating system, various applications, and the like may be stored; the stored data area may store data created according to the use of the electronic device 8000, and the like. Further, the memory 8020 may include high-speed random access memory, and may also include non-volatile memory, such as at least one magnetic disk storage device, flash memory device, or other volatile solid-state storage device.

The electronic device 8000 may also include a power supply 8030 (e.g., a battery) that may be used to provide power to the various components, which may be logically coupled to the processor 8010 via a power management system, which may be used to manage charging, discharging, and power consumption.

The display unit 8040 may be used to display information input by a user or information provided to the user, various menus of the electronic device 8000, and the like, and in the embodiment of the present invention, the display unit is mainly used to display a display interface of each application in the electronic device 8000 and objects such as texts and pictures displayed in the display interface. The display unit 8040 may include a display panel 8041. The Display panel 8041 may be configured in the form of a Liquid Crystal Display (LCD), an Organic Light-Emitting Diode (OLED), or the like.

The input unit 8050 can be used to receive information such as numbers or characters input by a user. The input unit 8050 may include a touch panel 8051 and other input devices 8052. Among other things, the touch panel 8051, also referred to as a touch screen, can collect touch operations by a user on or near the touch panel 8051 (e.g., operations by a user on or near the touch panel 8051 using any suitable object or accessory such as a finger, a stylus, etc.).

Specifically, the touch panel 8051 can detect a touch operation of a user, detect signals caused by the touch operation, convert the signals into touch point coordinates, send the touch point coordinates to the processor 8010, receive a command sent by the processor 8010, and execute the command. In addition, the touch panel 8051 can be implemented by various types such as a resistive type, a capacitive type, an infrared ray, and a surface acoustic wave. Other input devices 8052 can include, but are not limited to, one or more of a physical keyboard, function keys (such as volume control keys, power on/off keys, etc.), a trackball, a mouse, a joystick, and the like.

Of course, the touch panel 8051 can cover the display panel 8041, and when the touch panel 8051 detects a touch operation thereon or nearby, the touch panel 8051 is transmitted to the processor 8010 to determine the type of the touch event, and then the processor 8010 provides a corresponding visual output on the display panel 8041 according to the type of the touch event. Although in FIG. 8, the touch panel 8051 and the display panel 8041 are shown as two separate components to implement the input and output functions of the electronic device 8000, in some embodiments, the touch panel 8051 and the display panel 8041 can be integrated to implement the input and output functions of the electronic device 8000.

The electronic device 8000 may also include one or more sensors, such as pressure sensors, gravitational acceleration sensors, proximity light sensors, and the like. Of course, the electronic device 8000 may also include other components such as a camera, as required in a particular application, and these components are not shown in fig. 8 and will not be described in detail since they are not components that are used in the embodiments of the present application.

Those skilled in the art will appreciate that fig. 8 is merely an example of an electronic device and is not limiting of electronic devices and may include more or fewer components than those shown, or some components may be combined, or different components.

In an embodiment of the present application, a readable storage medium has a computer program stored thereon, and when the computer program is executed by a processor, the communication device may perform the steps in the above embodiments.

For convenience of description, the above parts are separately described as modules (or units) according to functional division. Of course, the functionality of the various modules (or units) may be implemented in the same one or more pieces of software or hardware when implementing the present application.

As will be appreciated by one skilled in the art, embodiments of the present application may be provided as a method, system, or computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.

The present application is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the application. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.

These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.

These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.

While the preferred embodiments of the present application have been described, additional variations and modifications in those embodiments may occur to those skilled in the art once they learn of the basic inventive concepts. Therefore, it is intended that the appended claims be interpreted as including preferred embodiments and all alterations and modifications as fall within the scope of the application.

It will be apparent to those skilled in the art that various changes and modifications may be made in the present application without departing from the spirit and scope of the application. Thus, if such modifications and variations of the present application fall within the scope of the claims of the present application and their equivalents, the present application is intended to include such modifications and variations as well.

Claims

1. A method for session connection establishment, comprising:

receiving a single packet authorization technology SPA data packet sent by a client;

acquiring a digital signature and transmission information contained in the SPA data packet, wherein the digital signature is acquired after the transmission information is signed;

acquiring a public key of the client according to the transmission information;

verifying the digital signature according to the public key;

2. The method of claim 1, wherein obtaining the public key of the client based on the transmission information comprises:

and acquiring a digital certificate contained in the transmission information, and acquiring the public key of the client from the digital certificate.

3. The method of claim 1, wherein establishing a session connection with the client if the client verification is determined to be passed based on a signature verification result of the digital signature comprises:

and if the authorization permission is confirmed to pass the verification, establishing session connection with the client.

4. The method of claim 3, wherein verifying the freshness number contained in the transmission information comprises:

and acquiring a current sequence number stored locally, if the fresh number is larger than the current sequence number, determining that the fresh number passes verification, and updating the current sequence number into the fresh number.

5. The method of any of claims 1-4, wherein prior to receiving the SPA packet sent by the client, further comprising:

receiving a registration request message sent by the client;

and returning a registration pass response message to the client.

6. The method of claim 5, wherein storing the client identification information in association with the public key if it is determined that the registration verification passes based on the private key verification result comprises:

7. The method of claim 6, wherein storing the client identification information in association with the public key if it is determined that the legitimate credential information is consistent with the client credential information comprises:

if the legal certificate information is determined to be consistent with the client certificate information, generating authorization permission information of the client;

8. A method for session connection establishment, comprising:

sending a single packet authorization technology SPA data packet containing the digital signature and the transmission information to a server side, so that the server side verifies the digital signature according to the transmission information;

9. The method of claim 8, wherein prior to sending the SPA packet containing the digital signature and the transmission information to a server, further comprising:

sending a registration request message containing the client identification information, the public key and the private key certification information to a server, so that the server verifies the private key certification information according to the public key and the client identification information;

and receiving a registration passing response message returned by the server when the server determines that the registration passes the verification based on the private key verification result.

10. An apparatus for session connection establishment, comprising:

the receiving unit is used for receiving a single packet authorization technology SPA data packet sent by the client;

the first acquisition unit is used for acquiring a digital signature and transmission information contained in the SPA data packet, wherein the digital signature is obtained after the transmission information is signed;

11. The apparatus of claim 10, wherein the second obtaining unit is to:

12. The apparatus of claim 10, wherein the connection unit is to:

13. The apparatus of claim 12, wherein the connection unit is to:

14. The apparatus of any of claims 10-13, wherein the receiving unit is further to:

receiving a registration request message sent by the client;

and returning a registration pass response message to the client.

15. The apparatus of claim 14, wherein the receiving unit is further configured to:

16. The apparatus of claim 15, wherein the receiving unit is further configured to:

17. An apparatus for session connection establishment, comprising:

a sending unit, configured to send a single packet authorization technology SPA data packet including the digital signature and the transmission information to a server, so that the server verifies the digital signature according to the transmission information;

and the connection unit is used for determining that the verification passing response message returned by the server based on the signature verification result is received and establishing session connection with the server.

18. The apparatus of claim 17, wherein the obtaining unit is further configured to:

19. An electronic device comprising a processor and a memory, said memory storing computer readable instructions which, when executed by said processor, perform the steps of the method of any of claims 1-7 or 8-9.

20. A readable storage medium, on which a computer program is stored which, when being executed by a processor, carries out the steps of the method according to any one of claims 1-7 or 8-9.