CN115296847A - Flow control method and device, computer equipment and storage medium - Google Patents


Info

Publication number: CN115296847A
Authority: CN (China)
Prior art keywords: client, flow control, connection, session ticket, server
Legal status: Granted; currently active
Application number: CN202210788214.4A
Other languages: Chinese (zh)
Other versions: CN115296847B (en)
Inventor: 韩华伟
Current Assignee: Hangzhou Tuya Information Technology Co Ltd
Original Assignee: Hangzhou Tuya Information Technology Co Ltd
Events: application filed by Hangzhou Tuya Information Technology Co Ltd; priority to CN202210788214.4A; publication of CN115296847A; application granted; publication of CN115296847B

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0807 Network architectures or network communication protocols for network security for authentication of entities using tickets, e.g. Kerberos
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/083 Network architectures or network communication protocols for network security for authentication of entities using passwords
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/10 Protocols in which an application is distributed across nodes in the network
    • H04L67/14 Session management
    • H04L67/141 Setup of application sessions
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3297 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving time stamps, e.g. generation of time stamps

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer And Data Communications (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The application relates to a flow control method and device, a computer device and a storage medium. The method comprises the following steps: acquiring a connection request sent by a client and authenticating the client's identity according to the connection request; sending a flow control token number, carried in a session ticket, to the client that passed identity verification, so as to establish a connection with the client; and, each time a connection is established with the client, if the connection request sent by the client carries a session ticket, performing flow control on the client based on the flow control token number in the session ticket. With this method and device, flow control can be carried out on the basis of the session ticket during connection establishment, without an additional distributed storage system, which solves the problem that performing flow control through an additional distributed storage system incurs excessive storage cost and complexity.

Description

Flow control method and device, computer equipment and storage medium
Technical Field
The present application relates to the field of network communication technologies, and in particular, to a flow control method and apparatus, a computer device, and a storage medium.
Background
In internet of things scenarios, terminal devices with different processing rates and different types of communication networks coexist, and most transmitted data has certain delay and bandwidth requirements. To ensure effective data transmission among the communication devices of the internet of things and keep the data flow on each link within requirements, the internet of things cloud server platform generally limits the connection frequency of devices, that is, performs flow control.
At present, when flow control is carried out, a transport layer connection and bidirectional identity authentication between server and client must first be established, and the number of connections made by the client to the server is then counted by an additional distributed storage system. This increases the storage cost of flow control and the complexity of distributed counting, so flow control through a distributed storage system suffers from excessive storage cost and complexity.
No effective solution to the problems of flow control through an additional distributed storage system, with its excessive storage cost and complexity, has been proposed in the related art.
Disclosure of Invention
The embodiment provides a flow control method, a flow control device, a computer device and a storage medium, so as to solve the problems of excessive storage cost and complexity caused by flow control through an additional distributed storage system in the related art.
In a first aspect, in this embodiment, a flow control method is provided, including:
acquiring a connection request sent by a client, and performing identity authentication on the client according to the connection request;
sending the flow control token number to the client side which passes the identity verification through the session ticket so as to establish connection with the client side;
and when connection is established with the client, if the connection request sent by the client has the session ticket, the flow control is carried out on the client based on the flow control token number in the session ticket.
In some embodiments, acquiring the connection request sent by the client and authenticating the client according to the connection request includes:
extracting the identity identifier of the client from the connection request, and querying the service cluster to obtain the corresponding client key;
and verifying the identity of the client whose identity identifier was queried, based on an HMAC algorithm and the client key.
In some embodiments, verifying the identity of the client whose identity identifier was queried, based on the client key and the HMAC algorithm, includes:
calculating to obtain a first authentication code based on an HMAC algorithm according to the client key and the encryption suite;
transmitting the encryption suite to the client, acquiring a second authentication code returned by the client, and performing identity authentication by comparing the first authentication code with the second authentication code;
if the first authentication code is the same as the second authentication code, the identity authentication is passed, and the identity identification is stored;
and if the first authentication code is different from the second authentication code, the identity authentication is not passed, and the connection establishment request is terminated.
In some embodiments, the sending, by the session ticket, the flow control token number to the authenticated client to establish a connection with the client includes:
based on a session key obtained in the connection establishing process, encrypting and transmitting the session ticket to a client passing identity authentication;
the session ticket comprises an identity of a client passing identity verification and the corresponding flow control token number.
In some embodiments, performing flow control on the client based on the flow control token number in the session ticket each time a connection is established, if the connection request sent by the client includes the session ticket, includes:
when a connection is established with the client, checking whether the connection request contains a session ticket;
if it contains the session ticket, performing flow control based on the flow control token number, the valid time of the flow control token and the valid time of the session ticket;
and if it does not contain the session ticket, performing identity authentication with the client again so as to establish the connection.
In some embodiments, the performing flow control based on the flow control token number, the valid time of the flow control token, and the valid time of the session ticket includes:
when the flow control token number is not 0 and the flow control token and the session ticket are both in the valid time, establishing connection with the client, and regenerating the session ticket and sending the session ticket to the client;
when the flow control token number is 0, terminating the connection establishment request of the corresponding client;
when the flow control token is expired, the effective time of the flow control token is updated, and a session ticket is regenerated and sent to the client;
and when the session ticket is expired, the identity authentication is carried out again with the client, and the session ticket is generated and sent to the client.
In a second aspect, there is provided in this embodiment a flow control device comprising: the system comprises a first verification module, a first connection module and a first flow control module;
the first verification module is used for acquiring a connection request sent by a client and verifying the identity of the client according to the connection request;
the first connection module is used for sending the flow control token number to the client passing the identity verification through the session ticket so as to establish connection with the client;
the first flow control module is configured to, when a connection is established with a client each time, perform flow control on the client based on the number of flow control tokens in the session ticket if the connection request sent by the client includes the session ticket.
In a third aspect, in this embodiment, another flow control method is provided, including:
sending the connection request to a server; the connection request comprises a corresponding identity identifier so as to carry out identity authentication at a server;
receiving and storing a session ticket transmitted by a server and the number of flow control tokens contained in the session ticket, and establishing connection with the server;
and when connection is established with the server side every time, the session ticket is sent to the server side through a connection request, and flow control is carried out based on the flow control token number in the session ticket.
In some embodiments, the sending a connection request to a server; the connection request includes a corresponding identity identifier so as to perform identity authentication at the server, and the method includes:
sending a connection request including an identity to a server;
and acquiring an encryption suite returned after the server inquires the identity identifier, calculating based on an HMAC algorithm according to the encryption suite and the local key to obtain a second authentication code, and transmitting the second authentication code to the server for identity verification.
In a fourth aspect, there is provided in this embodiment another flow control device, comprising: the second verification module, the second connection module and the second flow control module;
the second verification module is used for sending the connection request to the server; the connection request comprises a corresponding identity identifier so as to carry out identity authentication at a server;
the second connection module is used for receiving and storing the session ticket transmitted by the server and the flow control token number contained in the session ticket, and establishing connection with the server;
and the second flow control module is used for sending the session ticket to the server through a connection establishment request when establishing connection with the server every time, and controlling the flow based on the flow control token number in the session ticket.
In a fifth aspect, there is provided in this embodiment a computer device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, the processor implementing the flow control methods of the first and third aspects when executing the computer program.
In a sixth aspect, there is provided in this embodiment a storage medium having stored thereon a computer program which, when executed by a processor, implements the flow control method of the first and third aspects described above.
Compared with the related art, according to the traffic control method, the traffic control device, the computer device and the storage medium provided in this embodiment, the identity of the client is verified according to the connection request by acquiring the connection request sent by the client; sending the flow control token number to the client side which passes the identity verification through the session ticket so as to establish connection with the client side; when connection is established with a client, if the connection request sent by the client has the session ticket, the flow control is performed on the client based on the number of the flow control tokens in the session ticket, so that the problems of excessive storage cost and complexity caused by the flow control performed by an additional distributed storage system are solved, and the effect that the flow control is performed based on the session ticket without the additional distributed storage system in the connection establishing process is realized.
The details of one or more embodiments of the application are set forth in the accompanying drawings and the description below to provide a more thorough understanding of the application.
Drawings
The accompanying drawings, which are included to provide a further understanding of the application and are incorporated in and constitute a part of this application, illustrate embodiment(s) of the application and together with the description serve to explain the application and not to limit the application. In the drawings:
fig. 1 is a block diagram of a hardware configuration of a terminal of a flow control method in one embodiment;
FIG. 2 is a schematic diagram of a prior art flow control method;
FIG. 3 is a flow diagram of a flow control method in one embodiment;
FIG. 4 is a diagram illustrating a process for a server to authenticate a client and transmit a session ticket according to an embodiment;
FIG. 5 is a diagram illustrating a transmission process between a client and a server when traffic is released according to an embodiment;
fig. 6 is a schematic diagram illustrating a transmission process between a client and a server when flow control is triggered in an embodiment;
fig. 7 is a diagram illustrating a transmission process between a client and a server when a flow control token expires in an embodiment;
FIG. 8 is a diagram illustrating a transmission process between a client and a server when a session ticket expires in one embodiment;
FIG. 9 is a flow diagram of another flow control method in one embodiment;
FIG. 10 is a flow chart of a flow control method in a preferred embodiment;
FIG. 11 is a block diagram of the construction of a flow control device in one embodiment;
FIG. 12 is a block diagram of an alternative flow control device in accordance with one embodiment.
In the figures: 102. a processor; 104. a memory; 106. a transmission device; 108. an input-output device; 10. a first verification module; 11. a first connection module; 12. a first flow control module; 20. a second verification module; 21. a second connection module; 22. a second flow control module.
Detailed Description
For a clearer understanding of the objects, aspects and advantages of the present application, reference is made to the following description and accompanying drawings.
Unless defined otherwise, technical or scientific terms referred to herein shall have the same general meaning as commonly understood by one of ordinary skill in the art to which this application belongs. The use of the terms "a" and "an" and "the" and similar referents in the context of this application do not denote a limitation of quantity, either in the singular or the plural. The terms "comprises," "comprising," "has," "having," and any variations thereof, as referred to in this application, are intended to cover non-exclusive inclusions; for example, a process, method, and system, article, or apparatus that comprises a list of steps or modules (elements) is not limited to the listed steps or modules, but may include other steps or modules (elements) not listed or inherent to such process, method, article, or apparatus. Reference throughout this application to "connected," "coupled," and the like is not limited to physical or mechanical connections, but may include electrical connections, whether direct or indirect. Reference to "a plurality" in this application means two or more. "and/or" describes an association relationship of associated objects, meaning that three relationships may exist, for example, "A and/or B" may mean: a exists alone, A and B exist simultaneously, and B exists alone. In general, the character "/" indicates a relationship in which the objects associated before and after are an "or". The terms "first," "second," "third," and the like in this application are used for distinguishing between similar items and not necessarily for describing a particular sequential or chronological order.
The method embodiments provided in the present embodiment may be executed in a terminal, a computer, or a similar computing device. For example, the method is executed on a terminal, where the terminal may be a client and/or a server, and fig. 1 is a block diagram of a hardware structure of the terminal of the flow control method according to the embodiment. As shown in fig. 1, the terminal may include one or more processors 102 (only one shown in fig. 1) and a memory 104 for storing data, wherein the processor 102 may include, but is not limited to, a processing device such as a microprocessor MCU or a programmable logic device FPGA. The terminal may also include a transmission device 106 for communication functions and an input-output device 108. It will be understood by those of ordinary skill in the art that the structure shown in fig. 1 is merely an illustration and is not intended to limit the structure of the terminal described above. For example, the terminal may also include more or fewer components than shown in FIG. 1, or have a different configuration than shown in FIG. 1.
The memory 104 may be used to store a computer program, for example, a software program of an application software and a module, such as a computer program corresponding to the flow control method in the present embodiment, and the processor 102 executes various functional applications and data processing by running the computer program stored in the memory 104, so as to implement the method described above. The memory 104 may include high-speed random access memory, and may also include non-volatile memory, such as one or more magnetic storage devices, flash memory, or other non-volatile solid-state memory. In some examples, the memory 104 may further include memory located remotely from the processor 102, which may be connected to the terminal over a network. Examples of such networks include, but are not limited to, the internet, intranets, local area networks, mobile communication networks, and combinations thereof.
The transmission device 106 is used to receive or transmit data via a network. The network described above includes a wireless network provided by a communication provider of the terminal. In one example, the transmission device 106 includes a Network adapter (NIC) that can be connected to other Network devices through a base station to communicate with the internet. In one example, the transmission device 106 may be a Radio Frequency (RF) module, which is used to communicate with the internet in a wireless manner.
In internet of things scenarios, terminal devices with different processing rates and different types of communication networks coexist, and most transmitted data has certain delay and bandwidth requirements. To ensure effective data transmission among the communication devices of the internet of things and keep the data flow on each link within requirements, the internet of things cloud server platform generally limits the connection frequency of devices, that is, performs flow control.
The precondition for flow control of a device is identity authentication, which ensures the authenticity of the device identity. First, a transport layer connection and bidirectional identity authentication between server and client must be established; then the number of connections made by the client to the server is counted by an additional distributed storage system.
Fig. 2 is a schematic diagram of a flow control method in the prior art. As shown in fig. 2, a TLS secure connection must first be established; the service payload carries the identity and key information of the client and transmits them to the server, which parses the identity and key information from the payload to perform identity verification and then performs flow control based on the identity and the accumulated number of connections. A general TLS (Transport Layer Security) one-way authentication process authenticates only the server and cannot authenticate the device; a full TLS two-way authentication process requires a certificate to be preset on the device, and the management, maintenance and transmission costs of certificates are high. Even when TLS mutual authentication is completed, if the service server cannot access TLS-layer information it still cannot establish the authenticity of the device identity carried in the service payload, and further verification is required. In addition, the additional distributed storage system increases storage cost and the complexity of distributed counting.
In order to solve the above problem, a flow control method is provided in the following embodiments, which does not need to rely on an additional distributed storage system to implement flow control, and can implement faster bidirectional identity authentication between a server and a client in the TLS protocol.
In this embodiment, a flow control method is provided, and fig. 3 is a flowchart of the method in this embodiment, as shown in fig. 3, the method includes the following steps:
step S310, obtaining the connection request sent by the client, and performing identity verification on the client according to the connection request.
Specifically, in the TLS handshake protocol, the connection request sent by the client includes the generated transient random number, the identity, and the set of encryption suites supported by the client. In the server side, a connection request sent by the client side is obtained, and identity authentication is carried out on the client side according to the identity while connection with the client side is carried out through a TLS handshake protocol. The authentication code is generated based on an HMAC algorithm, and identity verification is performed on the client as early as possible in the early stage process of TLS connection establishment, so that connection establishment with an invalid client is avoided, and connection cost is reduced.
Step S320, sending the flow control token number to the client passing the identity authentication through the session ticket, so as to establish a connection with the client.
Specifically, for the client passing the identity authentication, the identity of the client is stored in the context (context) of the TLS, and the establishment of the TLS connection is continued.
In the TLS connection, the server side issues a session ticket (session_ticket) by sending a new_session_ticket message: the ticket, which carries the session key (session_key) negotiated between client and server during the handshake, is encrypted with a key configured on the server side and transmitted to the client over the encrypted channel. In this step, the identity of the corresponding client and the number of flow control tokens granted to that client are added to the session ticket, and the client stores the session ticket in local secure storage after receiving it. The flow control token number represents the maximum number of connections the client may make within a time period set by the server.
Step S330, when establishing connection with the client each time, if the connection request sent by the client has a session ticket, performing flow control on the client based on the number of flow control tokens in the session ticket.
Specifically, when the connection is established subsequently each time, the connection request sent by the client to the server carries the session ticket stored locally. After receiving the connection request, the server side checks if the session ticket exists, decrypts and recovers the session ticket, performs flow control on the client side based on the flow control token number, and specifically, in combination with the flow control token number, the token validity period and the session ticket validity period, judges whether the current client side can complete connection with the server side, so as to realize flow control.
Through the steps, in the process of establishing the connection between the client and the server, the session ticket including the flow control token number is transmitted to the client for storage, and then flow control is performed according to the flow control token number in the session ticket transmitted by the client when the connection is established at each subsequent time, so that the connection times do not need to be counted by using an additional distributed storage system.
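The ticket check described in step S330, and the four-way decision it drives (tokens left, tokens exhausted, token window expired, ticket expired), as an added example that is not the patent's own code. It assumes a server-configured key, seals the ticket with HMAC-SHA256 rather than encrypting it (the integrity check is what stops a client from altering its own token count; a production ticket would use an AEAD), and assumes that updating the token validity time also refills the token count, which the text leaves open.

```python
"""Session-ticket flow control, modelled on the scheme in this patent.

Constructed example. Assumptions (not stated on the page):
- ticket sealed with HMAC-SHA256 under a server-configured key,
- token window and ticket lifetime are the constants below,
- an expired token window refills the token count.
"""
import base64
import hashlib
import hmac
import json

SERVER_TICKET_KEY = b"constructed-server-ticket-key"  # assumed server-configured key
TOKENS_PER_WINDOW = 3          # maximum connections per token window
TOKEN_WINDOW_SECONDS = 60      # validity of the flow control tokens
TICKET_LIFETIME_SECONDS = 600  # validity of the session ticket itself


def issue_ticket(identity, now, tokens=TOKENS_PER_WINDOW,
                 token_expiry=None, ticket_expiry=None):
    """Build and seal a session ticket carrying identity and token count."""
    body = {
        "id": identity,
        "tokens": tokens,
        "token_exp": token_expiry if token_expiry is not None else now + TOKEN_WINDOW_SECONDS,
        "ticket_exp": ticket_expiry if ticket_expiry is not None else now + TICKET_LIFETIME_SECONDS,
    }
    payload = json.dumps(body, sort_keys=True).encode()
    tag = hmac.new(SERVER_TICKET_KEY, payload, hashlib.sha256).digest()
    return base64.b64encode(payload + tag).decode()


def open_ticket(ticket):
    """Verify the seal and return the ticket body, or None if it was altered."""
    raw = base64.b64decode(ticket)
    payload, tag = raw[:-32], raw[-32:]
    expected = hmac.new(SERVER_TICKET_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return json.loads(payload)


def handle_connection(ticket, now):
    """Apply the patent's decision to one connection request.

    Returns (decision, new_ticket); decision is 'connect', 'reject'
    or 'reauthenticate'. No server-side per-client state is kept.
    """
    body = open_ticket(ticket)
    if body is None:
        # Altered or corrupted ticket: treat as no ticket, authenticate again.
        return "reauthenticate", None
    if now >= body["ticket_exp"]:
        # Session ticket expired: full identity authentication again.
        return "reauthenticate", None
    if now >= body["token_exp"]:
        # Token window expired: update the token validity time (assumed to
        # refill the count), consume one token, regenerate the ticket.
        new = issue_ticket(body["id"], now, tokens=TOKENS_PER_WINDOW - 1,
                           ticket_expiry=body["ticket_exp"])
        return "connect", new
    if body["tokens"] == 0:
        # No tokens left inside a live window: flow control triggers.
        return "reject", None
    # Tokens remain: connect, consume one and hand back a regenerated ticket.
    new = issue_ticket(body["id"], now, tokens=body["tokens"] - 1,
                       token_expiry=body["token_exp"], ticket_expiry=body["ticket_exp"])
    return "connect", new


def simulate():
    """One client: three connects, a rejection, a window refill, ticket expiry."""
    t0 = 1_000_000  # constructed epoch seconds
    decisions = []
    ticket = issue_ticket("device-0001", t0)  # issued after HMAC authentication passed
    for i in range(4):
        decision, nxt = handle_connection(ticket, t0 + i)
        decisions.append(decision)
        if nxt is not None:
            ticket = nxt
    decision, ticket = handle_connection(ticket, t0 + TOKEN_WINDOW_SECONDS + 1)
    decisions.append(decision)
    decision, _ = handle_connection(ticket, t0 + TICKET_LIFETIME_SECONDS + 1)
    decisions.append(decision)
    return decisions


def altered_ticket_is_rejected():
    """A client that edits the token count in its stored ticket fails the seal check."""
    t0 = 1_000_000
    raw = base64.b64decode(issue_ticket("device-0001", t0, tokens=0))
    payload, tag = raw[:-32], raw[-32:]
    body = json.loads(payload)
    body["tokens"] = 99
    altered = base64.b64encode(json.dumps(body, sort_keys=True).encode() + tag).decode()
    return handle_connection(altered, t0)[0] == "reauthenticate"


if __name__ == "__main__":
    print(simulate())                  # ['connect', 'connect', 'connect', 'reject', 'connect', 'reauthenticate']
    print(altered_ticket_is_rejected())  # True
```

Because the server keeps no per-client state, a client that presents an older ticket gets back whatever token count that ticket carried; the token window and ticket lifetime bound how long that matters, and detecting it outright would need the server-side storage the scheme sets out to avoid.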
Further, in the conventional flow control method, bidirectional identity authentication is costly: TLS one-way authentication authenticates only the server and cannot authenticate the device side, TLS two-way authentication is expensive, and the server must still authenticate the client once more; if client authentication fails after an expensive TLS connection has already been established, the connection cost is wasted. The above steps authenticate the client as early as possible during connection establishment between client and server and block, as early as possible, device connection (or attack) traffic whose identity is recognised as illegitimate, so that the TLS connection establishment cost and the traffic reaching the service server are reduced, connection establishment with invalid clients is avoided, and connection cost is lowered.
In some embodiments, fig. 4 is a schematic diagram of a process of performing, by a server, identity authentication on a client and transmitting a session ticket, in this embodiment, as shown in fig. 4, a process of performing, by the server, identity authentication on the client includes the following steps:
extracting the identity of the client in the connection request, and inquiring in the service cluster to obtain a corresponding client key; and performing identity authentication on the client inquired with the identity identification based on an HMAC algorithm and a client key.
Specifically, after receiving the connection request (client_hello), the server extracts the identity of the client and first queries whether the identity exists in the service cluster; if so, it obtains the corresponding client key and also generates a server transient random number. The encryption suite to be used by the connection is negotiated from the set of encryption suites supported by the client, carried in the connection request, and the set supported by the server. The service cluster is the cluster of service servers; it stores the identities of the clients supported by the server and the corresponding client keys.
Further, a first authentication code is obtained through calculation based on an HMAC algorithm according to the client key and the encryption suite;
transmitting the encryption suite to the client, acquiring a second authentication code returned by the client, and performing identity authentication by comparing the first authentication code with the second authentication code;
if the first authentication code is the same as the second authentication code, the identity authentication is passed, and the identity identification is stored;
if the first authentication code is different from the second authentication code, the identity authentication is not passed, and the connection establishment request is terminated.
Specifically, as shown in fig. 4, the server performs an HMAC calculation over the identity of the client, the client transient random number and the server transient random number, keyed with the client key and using the negotiated encryption suite, to obtain the first authentication code on the server side. The server then transmits its transient random number and the negotiated encryption suite to the client by sending a hello_verify_request message.
After the client receives the hello_verify_request message, it extracts the server transient random number and the encryption suite. Because an Internet of Things device usually burns the identity and the device key into the device firmware (ROM), that is, one device, one identity, one key, the client uses its local client key to perform an HMAC calculation over the identity of the client, the client transient random number and the server transient random number to obtain the second authentication code on the client side. It then transmits the identity, the second authentication code and the encryption suite to the server by sending a client_hello_2 message.
After receiving the client_hello_2 message, the server performs identity authentication by comparing the first authentication code with the second authentication code. If the two codes are the same, the identity authentication passes, the server stores the identity of the client in the TLS context, and the TLS handshake continues. If they differ, the identity authentication fails, the server sends an Alert message to the client, and the connection establishment process is terminated.
In this embodiment, the authentication code is calculated through the HMAC algorithm in the early stage of connection establishment between the client and the server, so the identity of the client is verified as early as possible and the connection (or attack) traffic of devices with an illegal identity is recognized and blocked as early as possible; the TLS connection establishment cost and the traffic cost reaching the service server are thereby reduced. The service server no longer needs to concern itself with security matters such as device identity authentication, the situation in which device or client identity authentication fails only after the connection has been established is avoided, and connection establishment with invalid clients is avoided, so the connection cost is reduced.
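The exchange described above (client_hello, hello_verify_request, client_hello_2, then continue or Alert), written out as an added example; it is not code from the patent or its assignee. The suite names, the 32-byte nonces, the use of HMAC-SHA256 for every suite, and the message field names are assumptions made for the example. Both the server and the device compute the authentication code over the same inputs, and the server compares the two codes in constant time before any TLS state is created.

```python
import hashlib
import hmac
import secrets

# Encryption suites the server is willing to negotiate (constructed list,
# not taken from the patent).
SERVER_SUPPORTED_SUITES = ("TLS_AES_128_GCM_SHA256", "TLS_CHACHA20_POLY1305_SHA256")


def negotiate_suite(client_suites, server_suites):
    """Pick the first server-preferred suite that the client also offers,
    or None when the two sets do not intersect."""
    for suite in server_suites:
        if suite in client_suites:
            return suite
    return None


def compute_auth_code(client_key, suite, identity, client_nonce, server_nonce):
    """HMAC-SHA256 over (suite, identity, client nonce, server nonce), keyed
    with the client key burned into the device. Binding the negotiated suite
    into the code means a modified hello_verify_request changes the code on
    one side only. (Using SHA-256 for every suite is an assumption here.)"""
    msg = b"|".join([suite.encode(), identity, client_nonce, server_nonce])
    return hmac.new(client_key, msg, hashlib.sha256).digest()


class Server:
    """Server side of the early identity check that precedes the TLS handshake."""

    def __init__(self, service_cluster, suites=SERVER_SUPPORTED_SUITES):
        self.service_cluster = service_cluster   # identity -> client key
        self.suites = suites
        self.pending = {}       # identity -> first authentication code
        self.tls_context = {}   # identities that passed authentication

    def on_client_hello(self, identity, client_nonce, client_suites):
        """Handle client_hello. Returns the hello_verify_request parameters,
        or None when the request must be answered with an Alert."""
        client_key = self.service_cluster.get(identity)
        suite = negotiate_suite(client_suites, self.suites)
        if client_key is None or suite is None:
            return None
        server_nonce = secrets.token_bytes(32)
        self.pending[identity] = compute_auth_code(
            client_key, suite, identity, client_nonce, server_nonce)
        return {"server_nonce": server_nonce, "suite": suite}

    def on_client_hello_2(self, identity, second_code):
        """Compare the stored first code with the client's second code in
        constant time. Returns 'continue_handshake' or 'alert'."""
        first_code = self.pending.pop(identity, None)
        if first_code is None or not hmac.compare_digest(first_code, second_code):
            return "alert"
        self.tls_context[identity] = True
        return "continue_handshake"


class Device:
    """Client (IoT device) side; identity and key come from firmware."""

    def __init__(self, identity, client_key, suites):
        self.identity = identity
        self.client_key = client_key
        self.suites = suites
        self.client_nonce = None

    def client_hello(self):
        self.client_nonce = secrets.token_bytes(32)
        return self.identity, self.client_nonce, self.suites

    def client_hello_2(self, hello_verify_request):
        second_code = compute_auth_code(
            self.client_key, hello_verify_request["suite"], self.identity,
            self.client_nonce, hello_verify_request["server_nonce"])
        return self.identity, second_code


def run_early_auth(device, server):
    """Drive the three-message exchange and return the server's verdict."""
    identity, client_nonce, suites = device.client_hello()
    hvr = server.on_client_hello(identity, client_nonce, suites)
    if hvr is None:
        return "alert"
    identity, second_code = device.client_hello_2(hvr)
    return server.on_client_hello_2(identity, second_code)
```

A device whose identity is unknown to the service cluster, whose key does not match, or whose suite set has no overlap with the server's is answered with an Alert before any TLS handshake work is done, which is the cost saving the passage describes.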
In some embodiments, as shown in fig. 4, the process of the server transmitting the session ticket with the client includes:
based on the session key obtained in the connection establishing process, the session ticket is encrypted and transmitted to the client side passing the identity authentication; the session ticket comprises the identity of the client passing the identity verification and the corresponding flow control token number.
Specifically, after the client sends client_finished and before the server sends server_finished to the client, the server first issues a session ticket (session_ticket) by sending a new_session_ticket message: the ticket is encrypted with a key configured on the server, and is then transmitted to the client over the encrypted channel protected by the session key (session_key) negotiated between the client and the server in the handshake protocol. In this embodiment, the identity, the number of flow control tokens issued to the client, a token expiration timestamp token_expired_time and a session ticket expiration timestamp ticket_expired_time are added to the session ticket. Because the number of flow control tokens is contained in the session ticket, token_expired_time <= ticket_expired_time is set to keep the validity periods of the token and the session ticket consistent.
After the TLS handshake succeeds, the client stores the session ticket received over the encrypted channel in local secure storage. The server takes the identity out of the TLS context and adds it to the payload sent to the service cluster; when the payload is received again on a subsequent connection, it indicates that the identity has been authenticated and is within the number of connections permitted by flow control, so the identity need not be authenticated again and the number of connections need not be limited again.
In this embodiment, based on the TLS handshake process, the authenticated client identity and the flow control policy information (number of flow control tokens, token expiration timestamp and session ticket expiration timestamp) are encrypted into the session ticket (session_ticket) and sent to the client for storage, so that no distributed storage system is needed on the server side, the storage cost is reduced, flow control of client connections is completed within the TLS handshake, connection counts are not maintained after the TLS connection is established, and the complexity of distributed counting is reduced.
In some embodiments, when a connection is established with a client and the connection request sent by the client carries a session ticket, performing flow control on the client based on the number of flow control tokens in the session ticket includes the following steps:
when connection is established with a client, whether a session ticket is contained in a connection request is checked;
if the session ticket is contained, flow control is carried out based on the number of the flow control tokens, the effective time of the flow control tokens and the effective time of the session ticket;
and if the session ticket is not included, the identity authentication is carried out again with the client so as to establish connection.
Specifically, on each subsequent connection establishment, if the client has a session ticket stored locally, the session ticket is carried in the first client_hello (connection request) message sent by the client to the server.
After receiving the client_hello message, the server checks whether it contains a session ticket. If so, the server parses and recovers the session ticket based on the session key obtained in the TLS establishment process to obtain the identity, the number of flow control tokens, the token expiration timestamp and the session ticket expiration timestamp. If no session ticket is contained, the client has not yet been authenticated or flow-controlled, so the client is authenticated again to establish the connection.
Further, when the session ticket is included, flow control is performed based on the number of flow control tokens, the valid time of the flow control tokens, and the valid time of the session ticket, which specifically includes the following four cases:
(1) And when the flow control token number is not 0 and the flow control token and the session ticket are both in the valid time, establishing connection with the client, and regenerating the session ticket and sending the session ticket to the client.
Fig. 5 is a schematic diagram of the transmission between the client and the server when the traffic is released in this embodiment. As shown in fig. 5, the server parses the client_hello (connection request) sent by the client to obtain the session ticket; if the number of flow control tokens is not 0 and the current time is less than both the token expiration timestamp and the session ticket expiration timestamp, both the flow control token and the session ticket are within their valid time and this TLS handshake succeeds, where the current time is defined as the server time at which the session ticket is received. The number of flow control tokens is then decremented by 1 (tokens = tokens - 1), indicating that this connection consumed one token, and a session ticket is regenerated with the new token count and sent to the client through a new_session_ticket message.
(2) And when the flow control token number is 0, terminating the connection establishment request of the corresponding client.
Fig. 6 is a schematic diagram of the transmission between the client and the server when flow control is triggered in this embodiment. As shown in fig. 6, if tokens equals 0, the flow control tokens are used up, and the server sends an Alert message to the client to terminate the connection request.
(3) And when the flow control token expires, updating the effective time of the flow control token, regenerating a session ticket and sending the session ticket to the client.
Fig. 7 is a schematic diagram of the transmission between the client and the server when the flow control token expires in this embodiment. As shown in fig. 7, if the current time now is greater than or equal to the token expiration timestamp, the flow control time window has expired, and a new token expiration timestamp is generated as the current time plus the flow control time window, that is, token_expired_time = now + time_window; the flow control time window is the period within which the number of connections of the client is limited in order to implement flow control. The number of tokens is reset, the session ticket session_ticket is regenerated, and it is sent to the client through a new_session_ticket message.
(4) And when the session ticket is expired, the identity authentication is carried out again with the client, and the session ticket is generated and sent to the client.
Fig. 8 is a schematic diagram of the transmission between the client and the server when the session ticket expires in this embodiment. As shown in fig. 8, if the current time now is greater than or equal to the session ticket expiration timestamp ticket_expired_time, the session ticket session_ticket has expired; the handshake process is performed again to establish the connection, and a new session ticket is issued to the client.
With the four cases of performing flow control provided in this embodiment, when the transmission of the client includes the session ticket, flow control under various conditions can be implemented based on the number of flow control tokens in the session ticket, the session ticket expiration timestamp, and the token expiration timestamp, and the corresponding client is subjected to flow release or connection termination.
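The four cases above, together with the ticket issuance of the preceding section and steps S105 to S107 of the preferred embodiment below, as an added example; this is not code from the patent or its assignee. The patent encrypts the session ticket with a server-configured key; this example instead protects the serialized ticket with an HMAC-SHA256 tag (an assumption and simplification), which is what stops a client from editing its own token count but does not hide the ticket contents. The key, the window length, the ticket lifetime and the token budget are constructed values. Two further choices are assumptions rather than statements of the patent: the connection that triggers a token reset (case 3) is itself counted against the new window, and a ticket whose tag fails to verify is answered with an Alert rather than treated as absent.

```python
import base64
import hashlib
import hmac
import json

# Server-side ticket protection key; constructed placeholder, not from the patent.
SERVER_TICKET_KEY = b"example-ticket-key-do-not-use-in-production"

INITIAL_TOKENS = 3      # connections allowed per flow control window (constructed)
TIME_WINDOW = 100       # flow control time window in seconds (constructed)
TICKET_LIFETIME = 1000  # seconds a session ticket stays valid (constructed)


def _b64(data):
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_ticket(identity, tokens, token_expired_time, ticket_expired_time,
                 key=SERVER_TICKET_KEY):
    """Serialize the ticket fields and append an HMAC-SHA256 tag.
    Enforces token_expired_time <= ticket_expired_time as the patent requires."""
    if token_expired_time > ticket_expired_time:
        raise ValueError("token_expired_time must be <= ticket_expired_time")
    body = json.dumps({
        "identity": identity,
        "tokens": tokens,
        "token_expired_time": token_expired_time,
        "ticket_expired_time": ticket_expired_time,
    }, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return _b64(body) + "." + _b64(tag)


def issue_initial_ticket(identity, now, key=SERVER_TICKET_KEY):
    """Ticket sent in new_session_ticket right after identity authentication."""
    return issue_ticket(identity, INITIAL_TOKENS, now + TIME_WINDOW,
                        now + TICKET_LIFETIME, key)


def open_ticket(ticket, key=SERVER_TICKET_KEY):
    """Return the ticket fields, or None if the ticket is malformed or its tag
    does not verify (constant-time comparison)."""
    try:
        body_b64, tag_b64 = ticket.split(".")
        body, tag = _unb64(body_b64), _unb64(tag_b64)
    except (ValueError, TypeError):
        return None
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    return json.loads(body)


def handle_connection(ticket, now, key=SERVER_TICKET_KEY):
    """Server decision for one client_hello carrying `ticket` (or None).
    Returns (action, new_ticket) where action is 'accept', 'alert' or
    'reauthenticate'; `now` is the server time the request was received."""
    if ticket is None:
        return ("reauthenticate", None)       # no ticket: run identity auth again
    fields = open_ticket(ticket, key)
    if fields is None:
        return ("alert", None)                # forged or corrupt ticket (assumption)
    identity = fields["identity"]
    ticket_exp = fields["ticket_expired_time"]
    if now >= ticket_exp:                     # case (4): session ticket expired
        return ("reauthenticate", None)
    if now >= fields["token_expired_time"]:   # case (3): window expired, reset
        new_token_exp = min(now + TIME_WINDOW, ticket_exp)
        return ("accept", issue_ticket(identity, INITIAL_TOKENS - 1,
                                       new_token_exp, ticket_exp, key))
    if fields["tokens"] == 0:                 # case (2): tokens used up
        return ("alert", None)
    return ("accept", issue_ticket(identity, fields["tokens"] - 1,  # case (1)
                                   fields["token_expired_time"], ticket_exp, key))
```

Because the ticket carries the count, the server keeps no per-client state between connections: each decision is a function of the presented ticket and the server clock, which is the property the patent relies on to avoid a distributed counter. The min() in case 3 keeps the reset token window from outliving the ticket itself, matching the token_expired_time <= ticket_expired_time rule.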
The embodiment also provides a flow control method. Fig. 9 is a flowchart of another flow control method according to this embodiment, and as shown in fig. 9, the method includes the following steps:
step S910, sending the connection request to the server; the connection request comprises a corresponding identity so as to carry out identity verification at the server.
Specifically, in the TLS handshake protocol, a connection request sent by a client includes a generated transient random number, an identity, and an encryption suite set supported by the client, and a server performs authentication on the client based on an HMAC algorithm according to the identity while connecting with the client through the TLS handshake protocol.
Step S920, receiving and storing the session ticket transmitted by the server and the flow control token number included in the session ticket, and establishing a connection with the server.
Specifically, for a client that passes identity verification, the server issues a session ticket (session_ticket) by sending a new_session_ticket message: the ticket is encrypted with a key configured on the server and transmitted to the client over the encrypted channel protected by the session key (session_key) negotiated between the client and the server in the handshake protocol. After receiving the session ticket, the client stores it in local secure storage and transmits it to the server each time a connection is established with the server.
Step S930, when establishing connection with the server, sending the session ticket to the server through the connection request, and performing flow control based on the flow control token number in the session ticket.
Specifically, when the connection is established subsequently each time, the connection request sent by the client to the server carries the session ticket stored locally. And after receiving the connection request, the server side checks whether the session ticket exists, decrypts and recovers the session ticket, performs flow control on the client side based on the flow control token number, and specifically, judges whether the current client side can be connected with the server side by combining the flow control token number, the token validity period and the session ticket validity period so as to realize flow control.
Through the steps, in the process of establishing the connection between the client and the server, the session ticket comprising the flow control token number is transmitted to the client for storage, and then flow control is performed according to the flow control token number in the session ticket transmitted by the client when the connection is established each time subsequently, so that the connection times are not required to be counted by using an additional distributed storage system. Furthermore, the identity of the client is verified as early as possible in the early-stage process of establishing the connection between the client and the server, and the connection (or attack) flow of the equipment which recognizes the illegal identity as early as possible is blocked, so that the connection establishment cost of TLS and the flow cost reaching the service server are reduced, the connection establishment with the invalid client is avoided, and the connection cost is reduced.
In some embodiments, the step of sending the connection request to the server, where the connection request includes the corresponding identity so that identity authentication is performed at the server, includes:
sending a connection request including an identity to a server; and acquiring an encryption suite returned after the server inquires the identity identifier, calculating based on an HMAC algorithm according to the encryption suite and the local key to obtain a second authentication code, and transmitting the second authentication code to the server for identity verification.
Specifically, according to the above embodiment, after receiving the connection request and checking the identity, the server further generates the first authentication code, and then transmits the server transient random number and the negotiated encryption suite to the client by sending a hello_verify_request message.
After the client receives the hello_verify_request message, it extracts the server transient random number and the encryption suite. Because an Internet of Things device usually burns the identity and the device key into the device firmware (ROM), that is, one device, one identity, one key, the client uses its local client key to perform an HMAC calculation over the identity of the client, the client transient random number and the server transient random number to obtain the second authentication code on the client side. It then transmits the identity, the second authentication code and the encryption suite to the server by sending a client_hello_2 message.
In the embodiment, the authentication code can be calculated by an HMAC algorithm in the early-stage process of establishing the connection between the client and the service end, the identity of the client is verified as soon as possible, and the connection (or attack) flow of the equipment with illegal identity is identified as soon as possible to block, so that the connection establishment cost of TLS and the flow cost reaching the service end are reduced.
The present embodiment is described and illustrated below by means of preferred embodiments.
Fig. 10 is a flowchart of a flow control method of the present preferred embodiment, and as shown in fig. 10, the method includes the steps of:
step S101, the client sends a connection request to the server, wherein the connection request comprises an identity, a client instant random number and an encryption suite set supported by the client.
Step S102, the server queries the identity in the service cluster to obtain the corresponding client key, and then calculates a server verification code based on the HMAC algorithm in combination with the negotiated encryption suite.
And step S103, after receiving the server instantaneous random number and the encryption suite transmitted by the server, the client calculates a client verification code based on an HMAC algorithm by combining a local client key and sends the client verification code to the server.
Step S104, the server performs identity authentication by comparing the server verification code with the client verification code, stores the identity for a client passing the authentication, and terminates the connection for a client failing the authentication.
And step S105, the server side encrypts the flow control token number, the token expiration timestamp and the session ticket expiration timestamp which are set for the client side through the session ticket and transmits the encrypted session ticket to the client side.
And step S106, the client receives and stores the session ticket, and sends the session ticket through the connection request in each subsequent connection.
And step S107, the server judges the effective time of the token and the session ticket according to the flow control token number, the token expiration timestamp and the session ticket expiration timestamp in the session ticket and by combining the current time, and controls the flow of the client requesting for connection.
It should be noted that the steps illustrated in the above-described flow diagrams or in the flow diagrams of the figures may be performed in a computer system, such as a set of computer-executable instructions, and that, although a logical order is illustrated in the flow diagrams, in some cases, the steps illustrated or described may be performed in an order different than here.
In this embodiment, a flow control device is further provided, and the flow control device is used to implement the foregoing embodiments and preferred embodiments, and the description of the flow control device is omitted. The terms "module," "unit," "sub-unit," and the like as used below may implement a combination of software and/or hardware of predetermined functions. Although the means described in the embodiments below are preferably implemented in software, an implementation in hardware, or a combination of software and hardware is also possible and contemplated.
Fig. 11 is a block diagram showing the structure of a flow control device according to this embodiment. As shown in fig. 11, the device includes a first verification module 10, a first connection module 11 and a first flow control module 12;
the first authentication module 10 is configured to obtain a connection request sent by a client, and perform identity authentication on the client according to the connection request.
And the first connection module 11 is configured to send the flow control token number to the client that passes the authentication through the session ticket, so as to establish a connection with the client.
The first flow control module 12 is configured to, when a connection is established with the client each time, perform flow control on the client based on the number of flow control tokens in the session ticket if the connection request sent by the client includes the session ticket.
Through the steps, in the process of establishing the connection between the client and the server, the session ticket including the flow control token number is transmitted to the client for storage, and then flow control is performed according to the flow control token number in the session ticket transmitted by the client when the connection is established at each subsequent time, so that the connection times do not need to be counted by using an additional distributed storage system.
Further, in the conventional flow control method, only the server is authenticated during TLS unidirectional authentication, so authentication of the device side cannot be completed, while TLS bidirectional authentication is costly; the server therefore still has to authenticate the client once, and if the client fails that authentication after an expensive TLS connection has already been established, the connection cost is wasted. The above modules authenticate the client as early as possible in the early stage of establishing the connection between the client and the server, and block as early as possible the connection (or attack) traffic of devices recognized as having an illegal identity, so that the TLS connection establishment cost and the traffic cost reaching the service server are reduced, connection establishment with invalid clients is avoided, and the connection cost is reduced.
This embodiment further provides another flow control device. As shown in fig. 12, it includes a second verification module 20, a second connection module 21 and a second flow control module 22;
the second verification module 20 is configured to send the connection request to the server; the connection request comprises a corresponding identity so as to carry out identity verification at the server.
The second connection module 21 is configured to receive and store the session ticket transmitted by the server and the flow control token number included in the session ticket, and establish a connection with the server.
And the second flow control module 22 is configured to send the session ticket to the server through the connection establishment request each time a connection is established with the server, and perform flow control based on the flow control token number in the session ticket.
Through the steps, in the process of establishing the connection between the client and the server, the session ticket including the flow control token number is transmitted to the client for storage, and then flow control is performed according to the flow control token number in the session ticket transmitted by the client when the connection is established at each subsequent time, so that the connection times do not need to be counted by using an additional distributed storage system. Furthermore, the identity of the client is verified as early as possible in the early-stage process of establishing the connection between the client and the server, and the connection (or attack) flow of the equipment which recognizes the illegal identity as early as possible is blocked, so that the connection establishment cost of TLS and the flow cost reaching the service server are reduced, the connection establishment with the invalid client is avoided, and the connection cost is reduced.
The above modules may be functional modules or program modules, and may be implemented by software or hardware. For a module implemented by hardware, the modules may be located in the same processor; or the modules may be located in different processors in any combination.
There is also provided in this embodiment a computer device comprising a memory having a computer program stored therein and a processor arranged to run the computer program to perform the steps of any of the method embodiments described above.
Optionally, the computer device may further include a transmission device and an input/output device, wherein the transmission device is connected to the processor, and the input/output device is connected to the processor.
It should be noted that, for specific examples in this embodiment, reference may be made to the examples described in the foregoing embodiments and optional implementations, and details are not described again in this embodiment.
In addition, in combination with the flow control method provided in the foregoing embodiment, a storage medium may also be provided to implement this embodiment. The storage medium has a computer program stored thereon; the computer program, when executed by a processor, implements any of the flow control methods in the above embodiments.
It should be understood that the specific embodiments described herein are merely illustrative of this application and are not intended to be limiting. All other embodiments, which can be derived by a person skilled in the art from the examples provided herein without any inventive step, shall fall within the scope of protection of the present application.
It is obvious that the drawings are only examples or embodiments of the present application, and it is obvious to those skilled in the art that the present application can be applied to other similar cases according to the drawings without creative efforts. Moreover, it should be appreciated that such a development effort might be complex and lengthy, but would nevertheless be a routine undertaking of design, fabrication, and manufacture for those of ordinary skill having the benefit of this disclosure, and is not intended to limit the present disclosure to the particular forms disclosed herein.
The term "embodiment" is used herein to mean that a particular feature, structure, or characteristic described in connection with the embodiment can be included in at least one embodiment of the present application. The appearances of the phrase in various places in the specification are not necessarily all referring to the same embodiment, nor are separate or alternative embodiments mutually exclusive of other embodiments. It is to be expressly or implicitly understood by one of ordinary skill in the art that the embodiments described in this application may be combined with other embodiments without conflict.
The above-mentioned embodiments only express several embodiments of the present application, and the description thereof is more specific and detailed, but not construed as limiting the scope of the patent protection. It should be noted that, for a person skilled in the art, several variations and modifications can be made without departing from the concept of the present application, which falls within the scope of protection of the present application. Therefore, the protection scope of the present application shall be subject to the appended claims.

Claims (12)

1. A method of flow control, comprising:
acquiring a connection request sent by a client, and performing identity authentication on the client according to the connection request;
sending the flow control token number to the client side which passes the identity verification through the session ticket so as to establish connection with the client side;
and when connection is established with the client, if the connection request sent by the client has the session ticket, flow control is carried out on the client based on the flow control token number in the session ticket.
2. The flow control method according to claim 1, wherein the obtaining a connection request sent by a client and performing identity authentication on the client based on the connection request includes:
extracting the identity of the client in the connection request, and inquiring in the service cluster to obtain a corresponding client key;
and performing identity verification on the client inquired of the identity identification based on an HMAC algorithm and the client secret key.
3. The flow control method according to claim 2, wherein the performing identity authentication on the client whose identity identifier was queried, based on the client key and the HMAC algorithm, comprises:
calculating to obtain a first authentication code based on an HMAC algorithm according to the client key and the encryption suite;
transmitting the encryption suite to a client, acquiring a second authentication code returned by the client, and performing identity authentication by comparing the first authentication code with the second authentication code;
if the first authentication code is the same as the second authentication code, the identity authentication is passed, and the identity identification is stored;
and if the first authentication code is different from the second authentication code, the identity authentication is not passed, and the connection establishment request is terminated.
4. The flow control method according to claim 1, wherein the sending the flow control token number to the authenticated client through the session ticket to establish a connection with the client comprises:
based on a session key obtained in the connection establishing process, encrypting and transmitting the session ticket to a client passing identity authentication;
the session ticket comprises an identity of a client passing identity verification and the corresponding flow control token number.
5. The method according to claim 1, wherein, when a connection is established with a client each time, if the connection request sent by the client includes the session ticket, performing flow control on the client based on a flow control token number in the session ticket, includes:
when connection is established with a client, whether a session ticket is contained in the connection request is checked;
if the session ticket is included, flow control is carried out based on the flow control token number, the effective time of the flow control token and the effective time of the session ticket;
and if the session ticket is not included, the identity authentication is carried out again with the client so as to establish connection.
6. The method for controlling flow according to claim 5, wherein the controlling flow based on the flow control token number, the valid time of the flow control token and the valid time of the session ticket comprises:
when the flow control token number is not 0 and the flow control token and the session ticket are both in the valid time, establishing connection with the client, and regenerating the session ticket and sending the session ticket to the client;
when the flow control token number is 0, terminating the connection establishment request of the corresponding client;
when the flow control token is expired, the effective time of the flow control token is updated, and a session ticket is regenerated and sent to the client;
and when the session ticket is expired, the identity authentication is carried out again with the client, and the session ticket is generated and sent to the client.
7. A flow control device, comprising a first verification module, a first connection module and a first flow control module, wherein:
the first verification module is configured to acquire a connection request sent by a client and to verify the identity of the client according to the connection request;
the first connection module is configured to send the flow control token number to the client that has passed identity verification through a session ticket so as to establish a connection with the client;
and the first flow control module is configured to, each time a connection is established with the client, perform flow control on the client based on the flow control token number in the session ticket if the connection request sent by the client includes the session ticket.
8. A flow control method, comprising:
sending a connection request to a server, the connection request comprising a corresponding identity identifier so that identity verification is performed at the server;
receiving and storing a session ticket transmitted by the server, together with the flow control token number contained in the session ticket, and establishing a connection with the server;
and each time a connection is established with the server, sending the session ticket to the server through the connection request so that flow control is performed based on the flow control token number in the session ticket.
9. The flow control method according to claim 8, wherein sending a connection request to the server, the connection request comprising a corresponding identity identifier so that identity verification is performed at the server, comprises:
sending a connection request including the identity identifier to the server;
and acquiring the cipher suite returned by the server after it has looked up the identity identifier, computing a second authentication code with an HMAC algorithm from the cipher suite and the local key, and transmitting the second authentication code to the server for identity verification.
10. A flow control device, comprising a second verification module, a second connection module and a second flow control module, wherein:
the second verification module is configured to send a connection request to the server, the connection request comprising a corresponding identity identifier so that identity verification is performed at the server;
the second connection module is configured to receive and store the session ticket transmitted by the server and the flow control token number contained in the session ticket, and to establish a connection with the server;
and the second flow control module is configured to send the session ticket to the server through the connection establishment request each time a connection is established with the server, so that flow control is performed based on the flow control token number in the session ticket.
11. A computer device comprising a memory and a processor, wherein the memory has stored therein a computer program, and the processor is configured to execute the computer program to perform the flow control method according to any one of claims 1 to 6 or 8 to 9.
12. A computer-readable storage medium, on which a computer program is stored, which, when being executed by a processor, carries out the steps of the flow control method according to any one of claims 1 to 6 or 8 to 9.
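The handshake and per-connection flow control of claims 4 to 6 and 8 to 9, as an added example that is not part of the patent or of the applicant's implementation. Both sides are modelled in one process: the client authenticates by computing an HMAC over the cipher suite the server returns and its pre-shared key (claim 9), the server answers with a session ticket carrying the client identity, the flow control token number and two validity periods (claim 4), and every later connection is decided from the ticket alone (claims 5 and 6). Everything concrete is assumed: the client identity and key, the quota of 3 tokens, the window and ticket lifetimes, and the decision order (ticket expiry, then token-window expiry, then token count). The ticket is integrity-protected with an HMAC under a server key rather than encrypted under the session key as claim 4 requires; that is enough to show the property a defender cares about, namely that a client cannot raise its own token count or stretch its own validity period, while a production implementation would use an AEAD so the ticket contents are also confidential. Refilling the count to the quota when the token window expires, and decrementing it on every accepted connection, are likewise assumptions; the claims only state that the validity period is updated and the ticket regenerated.

```python
"""Session-ticket flow control (added example, not the patent's code); all concrete values are assumed."""
import hashlib
import hmac
import json
import os

CLIENT_KEYS = {"device-001": b"constructed-pre-shared-key"}  # constructed client registry
TOKEN_QUOTA = 3           # flow control tokens per window (assumed)
TOKEN_WINDOW = 60.0       # seconds the token count stays valid (assumed)
TICKET_LIFETIME = 3600.0  # seconds the session ticket stays valid (assumed)

class Server:
    def __init__(self, now):
        self.now = now                    # injectable clock, so the demo can age tickets
        self.ticket_key = os.urandom(32)  # seals tickets (stand-in for the session key)
        self.pending = {}                 # client id -> cipher suite challenge sent

    def hello(self, client_id):  # claim 9, server side: look the id up, return a cipher suite
        if client_id not in CLIENT_KEYS:
            return None
        suite = "TLS_AES_128_GCM_SHA256:" + os.urandom(16).hex()  # suite plus a fresh nonce
        self.pending[client_id] = suite
        return suite

    def verify(self, client_id, second_auth_code):  # claim 4: check the HMAC, issue a ticket
        suite = self.pending.pop(client_id, None)
        if suite is None:
            return None
        expected = hmac.new(CLIENT_KEYS[client_id], suite.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, second_auth_code):
            return None
        return self._issue(client_id, TOKEN_QUOTA, self.now() + TOKEN_WINDOW)

    def _issue(self, client_id, tokens, token_expiry):
        body = {"id": client_id, "tokens": tokens, "token_expiry": token_expiry,
                "ticket_expiry": self.now() + TICKET_LIFETIME}
        raw = json.dumps(body, sort_keys=True).encode()
        tag = hmac.new(self.ticket_key, raw, hashlib.sha256).hexdigest()
        return raw.hex() + "." + tag  # integrity-protected; not confidential

    def _open(self, ticket):
        try:
            raw_hex, tag = ticket.split(".")
            raw = bytes.fromhex(raw_hex)
        except ValueError:
            return None
        good = hmac.new(self.ticket_key, raw, hashlib.sha256).hexdigest()
        return json.loads(raw) if hmac.compare_digest(good, tag) else None

    def connect(self, request):  # claims 5 and 6: decide from the ticket in the request
        ticket = request.get("ticket")
        if ticket is None:
            return "REAUTH", None  # no ticket: verify identity again
        body = self._open(ticket)
        if body is None:
            return "REJECT", None  # tampered or forged ticket
        now = self.now()
        if now >= body["ticket_expiry"]:
            return "REAUTH", None  # ticket expired: verify identity again
        if now >= body["token_expiry"]:  # token window expired: new window, refilled (assumed)
            return "CONNECT", self._issue(body["id"], TOKEN_QUOTA - 1, now + TOKEN_WINDOW)
        if body["tokens"] == 0:
            return "REJECT", None  # quota exhausted: terminate the request
        return "CONNECT", self._issue(body["id"], body["tokens"] - 1, body["token_expiry"])

class Client:
    def __init__(self, client_id, key):
        self.client_id, self.key, self.ticket = client_id, key, None

    def authenticate(self, server):  # claim 9: HMAC over the returned cipher suite with the local key
        suite = server.hello(self.client_id)
        if suite is None:
            return False
        code = hmac.new(self.key, suite.encode(), hashlib.sha256).hexdigest()
        self.ticket = server.verify(self.client_id, code)
        return self.ticket is not None

    def connect(self, server):  # claim 8: present the stored ticket, keep the regenerated one
        status, new_ticket = server.connect({"id": self.client_id, "ticket": self.ticket})
        if status == "REAUTH":
            return "CONNECT" if self.authenticate(server) else "REJECT"
        if new_ticket is not None:
            self.ticket = new_ticket
        return status

def demo():  # walks every decision branch with a controllable clock
    clock = [1000.0]
    server = Server(now=lambda: clock[0])
    client = Client("device-001", CLIENT_KEYS["device-001"])
    results = [client.connect(server)]  # no ticket -> re-auth -> CONNECT
    results += [client.connect(server) for _ in range(TOKEN_QUOTA)]  # spends the 3 tokens
    results.append(client.connect(server))  # count is 0 -> REJECT
    clock[0] += TOKEN_WINDOW  # token window lapses -> refilled on the next connection
    results.append(client.connect(server))
    forged = client.ticket[:-1] + ("0" if client.ticket[-1] != "0" else "1")  # edited tag
    results.append(server.connect({"ticket": forged})[0])  # fails the integrity check
    clock[0] += TICKET_LIFETIME  # ticket lapses -> re-auth -> CONNECT
    results.append(client.connect(server))
    return results
```

Calling `demo()` returns the status of each attempt in order: the first connection triggers authentication, the next three spend the quota, the fourth is rejected with the count at 0, the window expiry refills it, the edited ticket is rejected regardless of its contents, and the ticket expiry forces a fresh authentication. The only state the server keeps between connections is the per-handshake challenge; everything the flow-control decision needs travels inside the sealed ticket, which is why the seal, not the client's honesty, is what bounds the token count.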

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210788214.4A CN115296847B (en) 2022-07-06 2022-07-06 Flow control method, flow control device, computer equipment and storage medium


Publications (2)

Publication Number Publication Date
CN115296847A true CN115296847A (en) 2022-11-04
CN115296847B CN115296847B (en) 2024-02-13

Family

ID=83821381

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202210788214.4A Active CN115296847B (en) 2022-07-06 2022-07-06 Flow control method, flow control device, computer equipment and storage medium

Country Status (1)

Country Link
CN (1) CN115296847B (en)

Citations (19)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1741447A (en) * 2004-08-23 2006-03-01 威达电股份有限公司 Network safety management method and system
CN101159675A (en) * 2007-11-06 2008-04-09 中兴通讯股份有限公司 Method of implementing improvement of user service quality in IP multimedia subsystem
CN101197670A (en) * 2006-12-08 2008-06-11 中兴通讯股份有限公司 Authentication device for providing authentication to users accessing by terminal
CN202206418U (en) * 2010-03-19 2012-04-25 F5网络公司 Traffic management device, system and processor
CN104067595A (en) * 2012-01-26 2014-09-24 迈克菲公司 System and method for innovative management of transport layer security session tickets in a network environment
CN106657125A (en) * 2017-01-03 2017-05-10 上海金融云服务集团安全技术有限公司 Flow control mechanism suitable for online identity authentication
CN108064436A (en) * 2017-11-21 2018-05-22 深圳市汇顶科技股份有限公司 Biometric information transmission method for building up, device, system and storage medium
CN108377186A (en) * 2018-03-19 2018-08-07 北京工业大学 A kind of ssl protocol based on TCM
US20190182349A1 (en) * 2017-12-07 2019-06-13 Akamai Technologies, Inc. Client side cache visibility with tls session tickets
CN110224816A (en) * 2019-05-15 2019-09-10 如般量子科技有限公司 Anti-quantum-computation application system and short-distance energy-saving communication method and computer equipment based on key card and sequence number
CN110417888A (en) * 2019-07-30 2019-11-05 中国工商银行股份有限公司 Flow control methods, volume control device and electronic equipment
CN110622482A (en) * 2017-06-01 2019-12-27 国际商业机器公司 No cache session ticket support in TLS inspection
CN110933078A (en) * 2019-11-29 2020-03-27 交通银行股份有限公司 H5 unregistered user session tracking method
CN112104673A (en) * 2020-11-12 2020-12-18 中博信息技术研究院有限公司 Multimedia resource web access authority authentication method
CN112149105A (en) * 2020-10-21 2020-12-29 腾讯科技(深圳)有限公司 Data processing system, method, related device and storage medium
CN113438071A (en) * 2021-05-28 2021-09-24 荣耀终端有限公司 Method and device for secure communication
CN113810330A (en) * 2020-06-11 2021-12-17 华为技术有限公司 Method, device and storage medium for sending verification information
CN113923797A (en) * 2021-09-26 2022-01-11 深圳市广和通无线通信软件有限公司 Session establishing method, device, client device and computer storage medium
CN114567600A (en) * 2022-01-27 2022-05-31 深圳市潮流网络技术有限公司 Traffic management method and related equipment

Non-Patent Citations (3)

* Cited by examiner, † Cited by third party
Title
PENGKUN LI et al.: "iTLS: Lightweight Transport-Layer Security Protocol for IoT With Minimal Latency and Perfect Forward Secrecy", IEEE INTERNET OF THINGS JOURNAL *
唐晓东;齐治昌;: "Establishing a Secure Environment on the INTERNET", Computer Science, no. 01 *
杨冬菊;冯凯;: "Research on a Cache-Based Optimization Mechanism for Distributed Unified Identity Authentication", Computer Science, no. 03 *

Also Published As

Publication number Publication date
CN115296847B (en) 2024-02-13

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant