CN115296847B - Flow control method, flow control device, computer equipment and storage medium - Google Patents

Flow control method, flow control device, computer equipment and storage medium

Info

Publication number: CN115296847B
Application number: CN202210788214.4A
Authority: CN (China)
Prior art keywords: flow control, client, session ticket, connection, server
Legal status: Active
Other languages: Chinese (zh)
Other versions: CN115296847A (en)
Inventor: 韩华伟
Current Assignee: Hangzhou Tuya Information Technology Co Ltd
Original Assignee: Hangzhou Tuya Information Technology Co Ltd

Classifications

    • H04L63/0807 Network architectures or network communication protocols for network security for authentication of entities using tickets, e.g. Kerberos
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/083 Network architectures or network communication protocols for network security for authentication of entities using passwords
    • H04L67/10 Protocols in which an application is distributed across nodes in the network
    • H04L67/141 Setup of application sessions
    • H04L9/3297 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving time stamps, e.g. generation of time stamps

Abstract

The application relates to a flow control method, a flow control device, a computer device and a storage medium. The flow control method comprises the following steps: acquiring a connection request sent by a client, and performing identity verification on the client according to the connection request; sending the flow control token number, carried in a session ticket, to the client that passes identity verification, so as to establish a connection with the client; and each time a connection is established with the client, if the connection request sent by the client carries a session ticket, controlling the flow of the client based on the flow control token number in the session ticket. In this way, flow control is performed on the basis of the session ticket during connection establishment, no additional distributed storage system is needed, and the excessive storage cost and complexity of performing flow control through an additional distributed storage system are avoided.

Description

Flow control method, flow control device, computer equipment and storage medium
Technical Field
The present invention relates to the field of network communications technologies, and in particular, to a flow control method, a flow control device, a computer device, and a storage medium.
Background
In Internet of Things (IoT) scenarios, terminal devices with different processing rates and different types of communication networks coexist, and most of the transmitted data has requirements on latency and bandwidth. To ensure effective data transmission among all communicating devices in the IoT, so that the data flow on every link meets these requirements, the IoT cloud server platform generally limits the device connection frequency; this is flow control.
At present, flow control requires first establishing a transport-layer connection and bidirectional identity authentication between the server and the client, and then counting the client's connections to the server through an additional distributed storage system. This increases the storage cost of flow control and the complexity of distributed statistical counting, so flow control through a distributed storage system suffers from excessive storage cost and complexity.
No effective solution has yet been proposed for the excessive storage cost and complexity in the related art caused by performing flow control through an additional distributed storage system.
Disclosure of Invention
In this embodiment, a flow control method, apparatus, computer device and storage medium are provided to solve the problem in the related art that flow control performed through an additional distributed storage system has excessive storage cost and complexity.
In a first aspect, in this embodiment, there is provided a flow control method including:
acquiring a connection request sent by a client, and performing identity verification on the client according to the connection request;
sending the flow control token number, carried in a session ticket, to the client that passes identity verification, so as to establish a connection with the client;
and each time a connection is established with the client, if the connection request sent by the client includes the session ticket, controlling the flow of the client based on the flow control token number in the session ticket.
In some embodiments, acquiring the connection request sent by the client and performing identity verification on the client according to the connection request includes:
extracting the identity identifier of the client from the connection request, and querying the service cluster to obtain the corresponding client key;
and performing identity verification on the client whose identity identifier was found, based on an HMAC algorithm and the client key.
In some embodiments, performing identity verification on the client whose identity identifier was found, based on the client key and the HMAC algorithm, includes:
calculating a first authentication code with the HMAC algorithm according to the client key and the cipher suite;
sending the cipher suite to the client, acquiring a second authentication code returned by the client, and performing identity verification by comparing the first authentication code with the second authentication code;
if the first authentication code is the same as the second authentication code, identity verification passes, and the identity identifier is stored;
if the first authentication code differs from the second authentication code, identity verification fails, and the connection establishment request is terminated.
In some embodiments, sending the flow control token number to the verified client through the session ticket so as to establish a connection with the client includes:
encrypting the session ticket with the session key obtained during connection establishment and sending it to the client that passed identity verification;
the session ticket includes the identity identifier of the client that passed identity verification and the corresponding flow control token number.
In some embodiments, each time a connection is established with the client, if the connection request sent by the client carries the session ticket, performing flow control on the client based on the flow control token number in the session ticket includes:
checking whether the connection request contains a session ticket each time a connection is established with the client;
if the session ticket is included, performing flow control based on the flow control token number, the validity time of the flow control tokens and the validity time of the session ticket;
if the session ticket is not included, performing identity verification with the client again in order to establish the connection.
In some embodiments, performing flow control based on the flow control token number, the validity time of the flow control tokens and the validity time of the session ticket includes:
when the flow control token number is not 0 and both the flow control tokens and the session ticket are within their validity time, establishing the connection with the client, regenerating the session ticket and sending it to the client;
when the flow control token number is 0, terminating the connection establishment request of the corresponding client;
when the flow control tokens expire, updating the validity time of the flow control tokens, regenerating the session ticket and sending it to the client;
and when the session ticket expires, performing identity verification with the client again, generating a session ticket and sending it to the client.
In a second aspect, in this embodiment, there is provided a flow control device comprising a first verification module, a first connection module and a first flow control module;
the first verification module is configured to acquire a connection request sent by a client and perform identity verification on the client according to the connection request;
the first connection module is configured to send the flow control token number, carried in a session ticket, to the client that passes identity verification, so as to establish a connection with the client;
and the first flow control module is configured to control the flow of the client based on the flow control token number in the session ticket if, each time a connection is established with the client, the session ticket is included in the connection request sent by the client.
In a third aspect, in this embodiment, there is provided another flow control method, including:
sending a connection request to the server, the connection request including the corresponding identity identifier so that identity verification is performed at the server;
receiving and storing the session ticket sent by the server and the flow control token number contained in it, and establishing a connection with the server;
and each time a connection is established with the server, sending the session ticket to the server in the connection request, so that flow control is performed based on the flow control token number in the session ticket.
In some embodiments, sending the connection request including the corresponding identity identifier to the server so that identity verification is performed at the server includes:
sending a connection request including the identity identifier to the server;
and acquiring the cipher suite returned by the server after it has looked up the identity identifier, calculating a second authentication code with the HMAC algorithm according to the cipher suite and the local key, and sending the second authentication code to the server for identity verification.
In a fourth aspect, in this embodiment, there is provided another flow control device comprising a second verification module, a second connection module and a second flow control module;
the second verification module is configured to send a connection request to the server, the connection request including the corresponding identity identifier so that identity verification is performed at the server;
the second connection module is configured to receive and store the session ticket sent by the server and the flow control token number contained in it, and to establish a connection with the server;
and the second flow control module is configured to send the session ticket to the server in the connection establishment request each time a connection is established with the server, so that flow control is performed based on the flow control token number in the session ticket.
In a fifth aspect, in this embodiment, there is provided a computer device including a memory, a processor, and a computer program stored on the memory and executable on the processor, the processor implementing the flow control methods of the first and third aspects described above when executing the computer program.
In a sixth aspect, in this embodiment, there is provided a storage medium having stored thereon a computer program which, when executed by a processor, implements the flow control methods described in the first and third aspects above.
Compared with the related art, the flow control method, flow control device, computer device and storage medium provided in this embodiment acquire the connection request sent by the client and perform identity verification on the client according to it; send the flow control token number, carried in a session ticket, to the client that passes identity verification, so as to establish a connection with the client; and, each time a connection is established with the client, perform flow control on the client based on the flow control token number in the session ticket if the connection request sent by the client includes the session ticket. This removes the excessive storage cost and complexity of performing flow control through an additional distributed storage system, and achieves flow control based on the session ticket during connection establishment without any additional distributed storage system.
The details of one or more embodiments of the application are set forth in the accompanying drawings and the description below to provide a more thorough understanding of the other features, objects, and advantages of the application.
Drawings
The accompanying drawings, which are included to provide a further understanding of the application and are incorporated in and constitute a part of this application, illustrate embodiments of the application and together with the description serve to explain the application and do not constitute an undue limitation to the application. In the drawings:
FIG. 1 is a block diagram of the hardware architecture of a terminal of a flow control method in one embodiment;
FIG. 2 is a schematic diagram of a prior art flow control method;
FIG. 3 is a flow chart of a flow control method in one embodiment;
FIG. 4 is a schematic diagram of a server-side authentication and transmission of a session ticket for a client in one embodiment;
FIG. 5 is a schematic diagram of the transmission process between a client and a server when a connection passes flow control in one embodiment;
FIG. 6 is a schematic diagram of the transmission process between a client and a server when flow control is triggered in one embodiment;
FIG. 7 is a schematic diagram of the transmission process between a client and a server when the flow control tokens expire in one embodiment;
FIG. 8 is a schematic diagram of the transmission process between a client and a server when the session ticket expires in one embodiment;
FIG. 9 is a flow chart of another flow control method in one embodiment;
FIG. 10 is a flow chart of a flow control method in a preferred embodiment;
FIG. 11 is a block diagram of a flow control device in one embodiment;
FIG. 12 is a block diagram of another flow control device in one embodiment.
In the figure: 102. a processor; 104. a memory; 106. a transmission device; 108. an input-output device; 10. a first verification module; 11. a first connection module; 12. a first flow control module; 20. a second verification module; 21. a second connection module; 22. and a second flow control module.
Detailed Description
For a clearer understanding of the objects, technical solutions and advantages of the present application, the present application is described and illustrated below with reference to the accompanying drawings and examples.
Unless defined otherwise, technical or scientific terms used herein shall have the same meaning as commonly understood by one of ordinary skill in the art to which this application belongs. The terms "a," "an," "the," "these," and the like in this application are not intended to be limiting in number, but rather are singular or plural. The terms "comprising," "including," "having," and any variations thereof, as used in the present application, are intended to cover a non-exclusive inclusion; for example, a process, method, system, article, or apparatus that comprises a list of steps or modules (units) is not limited to the listed steps or modules (units), but may include other steps or modules (units) not listed or inherent to such process, method, article, or apparatus. The terms "connected," "coupled," and the like in this application are not limited to physical or mechanical connections, but may include electrical connections, whether direct or indirect. Reference to "a plurality" in this application means two or more. "and/or" describes an association relationship between associated objects, meaning that there may be three relationships; e.g., "A and/or B" may mean: A exists alone, A and B exist together, or B exists alone. Typically, the character "/" indicates that the associated objects are in an "or" relationship. The terms "first," "second," "third," and the like, as referred to in this application, merely distinguish similar objects and do not represent a particular ordering of objects.
The method embodiments provided herein may be executed in a terminal, a computer, or a similar computing device. Taking a terminal as an example, where the terminal may be a client and/or a server, FIG. 1 is a block diagram of the hardware architecture of the terminal for the flow control method of this embodiment. As shown in FIG. 1, the terminal may include one or more processors 102 (only one is shown in FIG. 1) and a memory 104 for storing data, where the processors 102 may include, but are not limited to, a microprocessor (MCU), a programmable logic device (FPGA), or the like. The terminal may also include a transmission device 106 for communication functions and an input-output device 108. Those skilled in the art will appreciate that the structure shown in FIG. 1 is merely illustrative and does not limit the structure of the terminal. For example, the terminal may include more or fewer components than shown in FIG. 1, or have a different configuration from that shown in FIG. 1.
The memory 104 may be used to store a computer program, for example, a software program of application software and a module, such as a computer program corresponding to a flow control method in the present embodiment, and the processor 102 executes the computer program stored in the memory 104 to perform various functional applications and data processing, that is, to implement the above-described method. Memory 104 may include high-speed random access memory, and may also include non-volatile memory, such as one or more magnetic storage devices, flash memory, or other non-volatile solid-state memory. In some examples, the memory 104 may further include memory remotely located relative to the processor 102, which may be connected to the terminal via a network. Examples of such networks include, but are not limited to, the internet, intranets, local area networks, mobile communication networks, and combinations thereof.
The transmission device 106 is used to receive or transmit data via a network. The network includes a wireless network provided by a communication provider of the terminal. In one example, the transmission device 106 includes a network adapter (Network Interface Controller, simply referred to as NIC) that can connect to other network devices through a base station to communicate with the internet. In one example, the transmission device 106 may be a Radio Frequency (RF) module, which is configured to communicate with the internet wirelessly.
In Internet of Things (IoT) scenarios, terminal devices with different processing rates and different types of communication networks coexist, and most of the transmitted data has requirements on latency and bandwidth. To ensure effective data transmission among all communicating devices in the IoT, so that the data flow on every link meets these requirements, the IoT cloud server platform generally limits the device connection frequency; this is flow control.
The precondition for flow control of a device is identity authentication, which ensures the authenticity of the device identity. First a transport-layer connection and bidirectional identity authentication must be established between the server and the client, and then the client's connections to the server are counted through an additional distributed storage system.
FIG. 2 is a schematic diagram of a flow control method in the prior art. As shown in FIG. 2, a TLS secure connection is established first; the service payload carries the client identity and key information to the server; the server receives the payload, parses the identity and key information to perform identity verification, and then performs flow control based on the identity and the accumulated connection count. The common TLS one-way authentication flow only authenticates the server and cannot authenticate the device, while full TLS mutual authentication requires a certificate to be provisioned on the device, and the management, maintenance and transmission costs of certificates are high. Even when TLS mutual authentication is completed, if the service server cannot access TLS-layer information it cannot confirm that the device identity in the service payload is authentic, and further verification is required. In addition, the additional distributed storage system increases the storage cost and the complexity of distributed statistical counting.
To solve these problems, the following embodiments provide a flow control method that does not rely on an additional distributed storage system, and that achieves faster bidirectional identity authentication between server and client within the TLS protocol.
In this embodiment, a flow control method is provided. FIG. 3 is a flowchart of the method of this embodiment; as shown in FIG. 3, the method includes the following steps:
Step S310: acquire a connection request sent by a client, and perform identity verification on the client according to the connection request.
Specifically, in the TLS handshake protocol, the connection request sent by the client includes a freshly generated transient random number, the identity identifier, and the set of cipher suites supported by the client. The server acquires the connection request and performs identity verification on the client according to the identity identifier while the TLS handshake with the client is in progress. The authentication code is generated with an HMAC algorithm, and the client is verified as early as possible in TLS connection establishment, so that no connection is established with an invalid client and the connection cost is reduced.
Step S320: send the flow control token number to the verified client through a session ticket, so as to establish a connection with the client.
Specifically, for a client that passes verification, its identity identifier is stored in the TLS context and TLS connection establishment continues.
In the TLS connection, the server sends a session ticket (session_ticket) in a new_session_ticket message. Specifically, the session ticket is encrypted with a key configured on the server, then further protected with the session key (session_key) negotiated between client and server in the handshake, and transmitted to the client over the encrypted channel. In this step, the identity identifier of the client and the number of flow control tokens issued to it are added to the session ticket; the client receives the session ticket and stores it in local secure storage. The flow control token number is the maximum number of connections the client may make within a time period set by the server.
Step S330: each time a connection is established with the client, if the connection request sent by the client carries a session ticket, perform flow control on the client based on the number of flow control tokens in the session ticket.
Specifically, each subsequent connection request sent by the client to the server carries its locally stored session ticket. After receiving the connection request, the server checks whether a session ticket is present, decrypts and recovers it, and controls the client's flow based on the number of flow control tokens; concretely, it decides whether the client may complete the connection by combining the flow control token number, the token validity period and the session ticket validity period.
Through these steps, during connection establishment between client and server, a session ticket containing the flow control token number is sent to the client for storage, and on every later connection flow control is performed according to the flow control token number in the session ticket sent by the client, so the connection count no longer has to be tracked in an additional distributed storage system.
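The ticket-based decision of steps S320 and S330 (token count, token validity time, session ticket validity time, and the re-issue of the ticket on every allowed connection), as an added Python example that is not part of the patent. The ticket fields, the limits, and the reset of the token count at the start of a new token window are assumptions, and the ticket is sealed with an HMAC tag so the example runs offline, in place of the server-key encryption the patent describes.

```python
import base64
import hashlib
import hmac
import json

# Constructed stand-ins (assumptions, not values from the patent).
TICKET_KEY = b"\x42" * 32     # server-configured key that seals the session ticket
TOKEN_LIMIT = 5               # flow control token number: max connections per window
TOKEN_WINDOW = 60             # validity time of the flow control tokens, seconds
TICKET_LIFETIME = 3600        # validity time of the session ticket, seconds
TAG_LEN = 32                  # HMAC-SHA256 tag length


def seal_ticket(ticket: dict) -> bytes:
    """Serialise the ticket and append an HMAC tag so the client cannot alter it.
    (The patent encrypts the ticket with the server key; HMAC-only is a simplification.)"""
    body = json.dumps(ticket, sort_keys=True).encode()
    tag = hmac.new(TICKET_KEY, body, hashlib.sha256).digest()
    return base64.b64encode(body + tag)


def open_ticket(blob: bytes):
    """Recover the ticket; return None for anything forged, truncated or corrupted."""
    try:
        raw = base64.b64decode(blob, validate=True)
        body, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
        expected = hmac.new(TICKET_KEY, body, hashlib.sha256).digest()
        if len(tag) != TAG_LEN or not hmac.compare_digest(expected, tag):
            return None
        return json.loads(body)
    except (ValueError, TypeError):
        return None


def new_ticket(identity: str, now: float) -> dict:
    """Ticket issued after a successful identity verification (step S320)."""
    return {
        "identity": identity,
        "tokens": TOKEN_LIMIT,
        "token_exp": now + TOKEN_WINDOW,
        "ticket_exp": now + TICKET_LIFETIME,
    }


def handle_connection(request: dict, now: float):
    """Server-side flow control for one connection request (step S330).
    Returns (decision, regenerated sealed ticket or None)."""
    blob = request.get("session_ticket")
    if blob is None:
        return "REAUTH", None          # no ticket: run identity verification first
    t = open_ticket(blob)
    if t is None:
        return "REJECT", None          # tampered ticket: treat as an invalid client
    if now >= t["ticket_exp"]:
        return "REAUTH", None          # ticket expired: re-verify, then issue a fresh ticket
    if now >= t["token_exp"]:
        # Token validity expired: update the validity time. Assumption: the
        # token count is also reset to the limit for the new window.
        t = {**t, "tokens": TOKEN_LIMIT, "token_exp": now + TOKEN_WINDOW}
    if t["tokens"] == 0:
        return "REJECT", None          # flow control triggered: terminate the request
    # Connection allowed: consume one token and regenerate the ticket for the client.
    t = {**t, "tokens": t["tokens"] - 1}
    return "ACCEPT", seal_ticket(t)


def simulate(identity: str, attempts: list) -> list:
    """Replay a series of connection attempts (timestamps) from one client and
    return the server's decisions. Re-verification is assumed to succeed."""
    ticket = seal_ticket(new_ticket(identity, attempts[0]))
    decisions = []
    for now in attempts:
        decision, regenerated = handle_connection({"session_ticket": ticket}, now)
        decisions.append(decision)
        if regenerated is not None:
            ticket = regenerated          # client stores the regenerated ticket
        elif decision == "REAUTH":
            ticket = seal_ticket(new_ticket(identity, now))
    return decisions
```

Because the count travels inside the ticket, the server keeps no per-client state; the integrity tag is what stops a client from resetting its own count.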
Further, in the existing flow control method, since TLS one-way authentication only authenticates the server and cannot authenticate the device, while TLS mutual authentication is expensive, the server also has to verify the client identity separately; if that verification fails after the costly TLS connection has already been established, the connection cost is wasted. The steps above verify the client identity as early as possible during connection establishment and block connection (or attack) traffic from illegitimate identities as early as possible, which reduces the TLS connection establishment cost and the traffic cost of reaching the service server, avoids establishing connections with invalid clients, and reduces the connection cost.
In some embodiments, FIG. 4 is a schematic diagram of the server verifying a client and sending it a session ticket. As shown in FIG. 4, the server verifies the client through the following steps:
extracting the identity identifier of the client from the connection request, and querying the service cluster to obtain the corresponding client key; and performing identity verification on the client whose identity identifier was found, based on the HMAC algorithm and the client key.
Specifically, after receiving the connection request (client_hello), the server extracts the client's identity identifier and first queries whether the identifier exists in the service cluster; if it does, the server obtains the corresponding client key and also generates a server transient random number. The server then negotiates the cipher suite to be used for the connection from the cipher suite set supported by the client (carried in the connection request) and the cipher suite set supported by the server. The service cluster is the cluster of service servers, which stores the identity identifiers of the clients supported by the server and their corresponding client keys.
Further, a first authentication code is calculated with the HMAC algorithm according to the client key and the cipher suite;
the cipher suite is sent to the client, a second authentication code returned by the client is acquired, and identity verification is performed by comparing the first authentication code with the second authentication code;
if the first authentication code is the same as the second authentication code, identity verification passes and the identity identifier is stored;
if the first authentication code differs from the second authentication code, identity verification fails and the connection establishment request is terminated.
Specifically, as shown in fig. 4, the server performs an HMAC calculation over the client's identity identifier, the client transient random number and the server transient random number, keyed with the client key and using the negotiated encryption suite, to obtain the server's first authentication code. The server then sends a hello_verify_request message to the client carrying the server transient random number and the negotiated encryption suite.
After the client receives the hello_verify_request message, it extracts the server transient random number and the encryption suite. Because an Internet of Things device generally has its identity identifier and device key burned into the device firmware (ROM), that is, one device, one identity, one key, the client likewise performs the HMAC calculation over the client identity identifier, the client transient random number and the server transient random number using its local client key, obtaining the client's second authentication code. It then sends a client_hello_2 message to the server carrying the identity identifier, the second authentication code and the encryption suite.
After receiving the client_hello_2 message, the server performs identity authentication by comparing the first authentication code with the second. If they are the same, authentication passes, the client's identity identifier is stored in the TLS context, and the TLS handshake continues. If they differ, authentication fails and the server sends an Alert message to the client to terminate the connection establishment flow.
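The early HMAC exchange described above (client_hello, hello_verify_request, client_hello_2), as an added example written for this page rather than code from the patent: the suite-to-hash mapping, the message field names and the constructed cluster registry are assumptions, and the two codes are compared in constant time.

```python
import hmac
import secrets

# Hash backing HMAC for each negotiated encryption suite. The page does not
# name the suites or the mapping; these two entries are assumptions.
SUITE_HASH = {
    "TLS_AES_256_GCM_SHA384": "sha384",
    "TLS_AES_128_GCM_SHA256": "sha256",
}


def negotiate_suite(client_suites, server_suites):
    """Pick the first server-preferred suite that the client also offered."""
    for suite in server_suites:
        if suite in client_suites:
            return suite
    return None


def auth_code(client_key, suite, identity, client_nonce, server_nonce):
    """HMAC over identity || client nonce || server nonce, keyed with the client key."""
    return hmac.new(client_key, identity + client_nonce + server_nonce,
                    SUITE_HASH[suite]).digest()


def server_on_client_hello(identity, client_nonce, client_suites,
                           server_suites, cluster):
    """Handle client_hello: look the identity up in the service cluster,
    negotiate the suite, draw a server nonce and compute the first
    authentication code. Returns None when the request must be terminated."""
    client_key = cluster.get(identity)
    if client_key is None:
        return None  # unknown identity: blocked before any TLS work is done
    suite = negotiate_suite(client_suites, server_suites)
    if suite is None:
        return None
    server_nonce = secrets.token_bytes(32)
    first_code = auth_code(client_key, suite, identity, client_nonce, server_nonce)
    state = {"suite": suite, "server_nonce": server_nonce, "first_code": first_code}
    # hello_verify_request carries only the nonce and the suite, never the code
    hello_verify_request = {"suite": suite, "server_nonce": server_nonce}
    return state, hello_verify_request


def client_on_hello_verify(identity, local_key, client_nonce, hello_verify_request):
    """Device side: recompute the code with the key burned into firmware."""
    suite = hello_verify_request["suite"]
    second_code = auth_code(local_key, suite, identity, client_nonce,
                            hello_verify_request["server_nonce"])
    return {"identity": identity, "second_code": second_code, "suite": suite}


def server_on_client_hello_2(state, client_hello_2):
    """Compare the codes in constant time; True means the handshake continues."""
    return hmac.compare_digest(state["first_code"], client_hello_2["second_code"])


def run_handshake(identity, device_key, cluster, client_suites, server_suites):
    """Drive the exchange end to end; returns True if the client is admitted."""
    client_nonce = secrets.token_bytes(32)
    result = server_on_client_hello(identity, client_nonce, client_suites,
                                    server_suites, cluster)
    if result is None:
        return False
    state, hvr = result
    ch2 = client_on_hello_verify(identity, device_key, client_nonce, hvr)
    return server_on_client_hello_2(state, ch2)


# Constructed registry standing in for the service cluster's identity -> key store.
CLUSTER = {b"device-0001": bytes.fromhex("11" * 32)}
CLIENT_SUITES = ["TLS_AES_128_GCM_SHA256"]
SERVER_SUITES = ["TLS_AES_256_GCM_SHA384", "TLS_AES_128_GCM_SHA256"]

if __name__ == "__main__":
    ok_key = CLUSTER[b"device-0001"]
    print(run_handshake(b"device-0001", ok_key, CLUSTER, CLIENT_SUITES, SERVER_SUITES))
    print(run_handshake(b"device-0001", bytes.fromhex("ff" * 32), CLUSTER, CLIENT_SUITES, SERVER_SUITES))
    print(run_handshake(b"device-9999", ok_key, CLUSTER, CLIENT_SUITES, SERVER_SUITES))
```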
According to the method and the device, in the early stage of connection establishment between the client and the server the authentication code is calculated with the HMAC algorithm, so the client is authenticated as soon as possible and connection (or attack) traffic from devices identified as having illegitimate identities is blocked as soon as possible, reducing the TLS connection establishment cost and the traffic cost of reaching the service side. The service side no longer needs to concern itself with security matters such as device identity authentication, which avoids device or client authentication failing after the connection has been established; that is, connection establishment with invalid clients is avoided and the connection cost is reduced.
In some of these embodiments, as shown in fig. 4, the process of transmitting a session ticket with a client by a server includes:
Based on the session key obtained in the connection establishment process, encrypting and transmitting the session ticket to the client passing the identity verification; the session ticket includes the identity of the authenticated client and the corresponding flow control token number.
Specifically, after the client sends client_finished and before the server sends the server_finished message to the client, the server dispatches the session ticket (session_ticket) in a new_session_ticket message: the ticket is encrypted with a key configured on the server, and is then transmitted to the client over the encrypted channel protected by the session key (session_key) negotiated between client and server in the handshake protocol. In this embodiment, the identity identifier and the number of flow control tokens issued to the client are added to the session ticket, together with a token expiration timestamp token_expire_time and a session ticket expiration timestamp. Because the flow control token number is carried inside the session ticket, token_expire_time is set no later than the session ticket expiration timestamp (token_expire_time <= session ticket expiration timestamp) so that the token and session ticket validity periods are consistent.
After the TLS handshake succeeds, the client stores the session ticket it received over the encrypted transport in local secure storage. The server takes the identity identifier out of the TLS context and adds it to the payload forwarded to the service cluster; when the cluster receives this payload on a subsequent connection, it indicates that the identity has already been authenticated, so the identity need not be authenticated again, and that the number of connections is within the range permitted by the flow control limit.
According to the method and the device, building on the TLS handshake process, the authenticated client identity and the flow control policy information (flow control token number, token expiration timestamp and session ticket expiration timestamp) are encrypted into the session ticket (session_ticket) and sent to the client for storage. This avoids using a distributed storage system on the server side and reduces storage cost; flow control of client connections is completed within the TLS handshake, so connection counts need not be tallied after the TLS connection is established, which reduces the complexity of distributed counting.
In some embodiments, each time a connection is established with a client, if a session ticket is included in a connection request sent by the client, the client is subjected to flow control based on the number of flow control tokens in the session ticket, including the following steps:
checking whether a session ticket is contained in the connection request every time a connection is established with the client;
if the session ticket is included, performing flow control based on the number of flow control tokens, the validity time of the flow control tokens and the validity time of the session ticket;
if the session ticket is not included, re-authentication is performed with the client to establish a connection.
Specifically, at each subsequent connection establishment, if the client holds a locally stored session ticket, it carries the session ticket in the first client hello message it sends to the server.
After receiving the client hello message, the server checks whether a session ticket is included. If so, the server decrypts and parses the session ticket using the session key obtained during TLS establishment to recover the identity identifier, the flow control token number, the token expiration timestamp and the session ticket expiration timestamp. If no session ticket is included, the client has not been authenticated or flow controlled, and the server re-authenticates the client before establishing the connection.
Further, when the session ticket is included, the flow control is performed based on the number of the flow control tokens, the valid time of the flow control tokens and the valid time of the session ticket, which specifically comprises the following four cases:
(1) When the flow control token number is not 0 and the flow control token and the session ticket are in the effective time, connection is established with the client, and the session ticket is regenerated and sent to the client.
Fig. 5 is a schematic diagram of the exchange between client and server when traffic is admitted in this embodiment. As shown in fig. 5, the server parses the client_hello (connection request) sent by the client to obtain the session ticket. If the flow control token number is not 0 and the current time is less than both the token expiration timestamp and the session ticket expiration timestamp, both the flow control token and the session ticket are within their validity time and the TLS handshake succeeds; here the current time is defined as the time at which the server receives the session ticket. The server subtracts 1 from the flow control token number (token = token - 1), meaning this connection consumes one flow control token, regenerates the session ticket with the updated token number, and sends it to the client in a new_session_ticket message.
(2) And when the flow control token number is 0, terminating the connection establishment request of the corresponding client.
Fig. 6 is a schematic diagram of the exchange between client and server when flow control is triggered in this embodiment. As shown in fig. 6, if token equals 0, the flow control tokens are used up and the server sends an Alert message to the client to terminate the connection request.
(3) When the flow control token expires, the effective time of the flow control token is updated, and the session ticket is regenerated and sent to the client.
Fig. 7 is a schematic diagram of the exchange between client and server when the flow control token expires in this embodiment. As shown in fig. 7, if the current time is greater than or equal to the token expiration timestamp, the flow control time window has elapsed and a new token expiration timestamp is generated as the current time plus the flow control time window, that is, token_expire_time = now + time_window; the flow control time window is the period within which the number of client connections is limited, which is how flow control is realised. The flow control token number token is reset, the session ticket is regenerated, and it is sent to the client in a new_session_ticket message.
(4) When the session ticket expires, authentication is re-performed with the client and the session ticket is generated and sent to the client.
Fig. 8 is a schematic diagram of the exchange between client and server when the session ticket expires in this embodiment. As shown in fig. 8, if the current time now is greater than or equal to the session ticket expiration timestamp, the session ticket (session_ticket) has expired; the handshake procedure is performed again to establish the connection, and a new session ticket is dispatched to the client.
With the four flow control cases provided in this embodiment, whenever the client's transmission includes a session ticket, flow control in each of these cases can be achieved based on the flow control token number, the session ticket expiration timestamp and the token expiration timestamp carried in the ticket, and the corresponding client's traffic can be admitted or its connection terminated.
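The four cases above, together with the ticket issue step that keeps the token expiry no later than the session ticket expiry, as an added example written for this page (not the patent's own code): the field names other than token_expire_time, the evaluation order (ticket expiry, then token expiry, then token count) and the HMAC tag standing in for the page's server-key encryption are assumptions, and the policy values are constructed.

```python
import hashlib
import hmac
import json
from dataclasses import asdict, dataclass


@dataclass
class Policy:
    """Flow control policy; the values are constructed for this example."""
    token_quota: int = 5         # flow control tokens issued per time window
    time_window: int = 60        # flow control time window, seconds
    ticket_lifetime: int = 3600  # session ticket lifetime, seconds


@dataclass
class Ticket:
    identity: str
    token: int                   # remaining flow control tokens
    token_expire_time: int       # end of the current window (page's name)
    ticket_expire_time: int      # session ticket expiry (field name assumed)


def issue_ticket(identity, now, policy):
    """Build a fresh ticket; token_expire_time never exceeds the ticket expiry."""
    ticket_expire = now + policy.ticket_lifetime
    token_expire = min(now + policy.time_window, ticket_expire)
    return Ticket(identity, policy.token_quota, token_expire, ticket_expire)


def seal(ticket, server_key):
    """Protect the ticket with an HMAC tag under the server's configured key.
    The page encrypts the ticket; an integrity tag is the minimum needed so a
    client holding the ticket cannot raise its own token count."""
    body = json.dumps(asdict(ticket), sort_keys=True).encode()
    tag = hmac.new(server_key, body, hashlib.sha256).hexdigest().encode()
    return body + b"." + tag


def open_ticket(blob, server_key):
    """Return the Ticket if the tag verifies, else None."""
    body, sep, tag = blob.rpartition(b".")
    if not sep:
        return None
    expected = hmac.new(server_key, body, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(expected, tag):
        return None
    return Ticket(**json.loads(body))


def flow_control(blob, now, policy, server_key):
    """Server-side decision on a client_hello carrying a session ticket.
    Returns (decision, new sealed ticket or None); decision is ALLOW (the
    handshake completes), REJECT (Alert, terminate) or REAUTH (run the HMAC
    identity check and a full handshake again)."""
    ticket = open_ticket(blob, server_key) if blob else None
    if ticket is None:
        return "REAUTH", None  # no ticket, or one that fails verification
    if now >= ticket.ticket_expire_time:
        return "REAUTH", None  # case (4): session ticket expired
    if now >= ticket.token_expire_time:
        # case (3): window elapsed, reset the quota and open a new window.
        # The page resets the count without consuming a token here.
        ticket.token_expire_time = min(now + policy.time_window,
                                       ticket.ticket_expire_time)
        ticket.token = policy.token_quota
        return "ALLOW", seal(ticket, server_key)
    if ticket.token == 0:
        return "REJECT", None  # case (2): quota for this window used up
    ticket.token -= 1          # case (1): this connection consumes one token
    return "ALLOW", seal(ticket, server_key)


# Constructed walkthrough: quota of 2 connections per 60 s window.
SERVER_KEY = bytes.fromhex("22" * 32)
POLICY = Policy(token_quota=2, time_window=60, ticket_lifetime=3600)

if __name__ == "__main__":
    blob = seal(issue_ticket("device-0001", 0, POLICY), SERVER_KEY)
    for t in (1, 2, 3, 61, 3600):
        decision, new_blob = flow_control(blob, t, POLICY, SERVER_KEY)
        print(t, decision)
        blob = new_blob or blob
```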
In this embodiment, a flow control method is also provided. Fig. 9 is a flowchart of another flow control method of the present embodiment, as shown in fig. 9, including the steps of:
step S910, sending a connection request to a server; the connection request includes a corresponding identity to perform authentication at the server.
Specifically, in the TLS handshake protocol, a connection request sent by a client includes a generated transient random number, an identity identifier, and an encryption suite set supported by the client, and a server performs identity verification on the client based on an HMAC algorithm according to the identity identifier while connecting the client with the server through the TLS handshake protocol.
Step S920, receiving and storing the session ticket transmitted by the server and the flow control token number contained in the session ticket, and establishing connection with the server.
Specifically, for a client that passes authentication, the server dispatches the session ticket (session_ticket) in a new_session_ticket message: the session ticket is encrypted with a key configured on the server, and then transmitted to the client over the encrypted channel protected by the session key (session_key) negotiated between client and server in the handshake protocol. After receiving the session ticket, the client saves it in local secure storage and sends it to the server each time it subsequently establishes a connection.
Step S930, each time a connection is established with the server, the session ticket is sent to the server through a connection request, and flow control is performed based on the number of flow control tokens in the session ticket.
Specifically, each time a connection is subsequently established, the connection request sent by the client to the server carries its locally stored session ticket. After receiving the connection request, the server checks if there is a session ticket, decrypts and recovers the session ticket, controls the flow of the client based on the number of flow control tokens, and specifically judges whether the current client can complete connection with the server by combining the number of flow control tokens, the token validity period and the session ticket validity period so as to realize flow control.
Through the above steps, during connection establishment between client and server the session ticket carrying the flow control token number is transmitted to the client for storage, and on every later connection establishment flow control is performed according to the flow control token number in the session ticket the client sends back, so no additional distributed storage system is needed to count connections. Further, the client is authenticated as early as possible in the connection establishment between client and server, and connection (or attack) traffic from devices identified as having illegitimate identities is blocked at that early stage, reducing the TLS connection establishment cost and the traffic cost of reaching the service server, avoiding connection establishment with invalid clients, and reducing the connection cost.
In some embodiments, the above-mentioned connection request is sent to the server; the connection request includes a corresponding identity identifier, so as to perform identity verification at the server, including:
transmitting a connection request comprising an identity to a server; and acquiring an encryption suite returned after the server inquires the identity, calculating a second authentication code based on an HMAC algorithm according to the encryption suite and the local key, and transmitting the second authentication code to the server for identity verification.
Specifically, as in the above embodiment, after receiving the connection request and querying the identity identifier, the server generates the first verification code and then sends a hello_verify_request message to the client carrying the server transient random number and the negotiated encryption suite.
After the client receives the hello_verify_request message, it extracts the server transient random number and the encryption suite. Because an Internet of Things device generally has its identity identifier and device key burned into the device firmware (ROM), that is, one device, one identity, one key, the client likewise performs the HMAC calculation over the client identity identifier, the client transient random number and the server transient random number using its local client key, obtaining the client's second authentication code. It then sends a client_hello_2 message to the server carrying the identity identifier, the second authentication code and the encryption suite.
According to the method and the device, in the early stage of connection establishment between the client and the server the authentication code is calculated with the HMAC algorithm, so the client is authenticated as soon as possible and connection (or attack) traffic from devices identified as having illegitimate identities is blocked as soon as possible, reducing the TLS connection establishment cost and the traffic cost of reaching the service side.
The present embodiment is described and illustrated below by way of preferred embodiments.
Fig. 10 is a flowchart of the flow control method of the present preferred embodiment, as shown in fig. 10, comprising the steps of:
step S101, a client sends a connection request to a server, wherein the connection request comprises an identity, a client transient random number and an encryption suite set supported by the client.
Step S102, the server queries the identity identifier in the service cluster to obtain the corresponding client key, and then calculates the server verification code based on the HMAC algorithm in combination with the negotiated encryption suite.
Step S103, after receiving the server transient random number and the encryption suite from the server, the client calculates the client verification code based on the HMAC algorithm using its local client key, and sends it to the server.
Step S104, the server performs identity authentication by comparing the server verification code with the client verification code; it stores the identity identifier for a client that passes verification and terminates the connection for a client that fails.
Step S105, the server encrypts the flow control token number, the token expiration timestamp and the session ticket expiration timestamp set for the client, and transmits them to the client.
Step S106, the client receives and saves the session ticket, and sends the session ticket through the connection request at each subsequent connection.
Step S107, the server judges the effective time of the token and the session ticket according to the flow control token number, the token expiration time stamp and the session ticket expiration time stamp in the session ticket and the current time, and controls the flow of the client requesting connection.
It should be noted that the steps illustrated in the above-described flow or flow diagrams of the figures may be performed in a computer system, such as a set of computer-executable instructions, and that, although a logical order is illustrated in the flow diagrams, in some cases, the steps illustrated or described may be performed in an order other than that illustrated herein.
In this embodiment, a flow control device is further provided, and the flow control device is used to implement the foregoing embodiments and preferred embodiments, and is not described in detail. The terms "module," "unit," "sub-unit," and the like as used below may refer to a combination of software and/or hardware that performs a predetermined function. While the means described in the following embodiments are preferably implemented in software, implementations in hardware, or a combination of software and hardware, are also possible and contemplated.
Fig. 11 is a block diagram of the flow control device of this embodiment; as shown in fig. 11, the device includes a first verification module 10, a first connection module 11 and a first flow control module 12.
the first verification module 10 is configured to obtain a connection request sent by the client, and perform identity verification on the client according to the connection request.
A first connection module 11, configured to send the flow control token number to the authenticated client through the session ticket to establish a connection with the client.
A first flow control module 12, configured to, each time a connection is established with a client, perform flow control on the client based on the number of flow control tokens in the session ticket if the session ticket is included in the connection request sent by the client.
Through the steps, in the process of establishing the connection between the client and the server, the session ticket comprising the flow control token number is transmitted to the client for storage, and then when the connection is established every time later, the flow control is carried out according to the flow control token number in the session ticket transmitted by the client, so that the number of connection times is not required to be counted by using an additional distributed storage system.
Further, with existing flow control methods, bidirectional identity authentication is a problem: the TLS unidirectional authentication flow authenticates only the server, so the device is never authenticated, while TLS bidirectional (mutual) authentication is costly. The server therefore has to authenticate the client separately, and if that authentication fails only after the expensive TLS connection has already been established, the connection cost is wasted. The above modules instead verify the client's identity as early as possible in the connection establishment between client and server, and block connection (or attack) traffic from devices identified as having illegitimate identities at that early stage, thereby reducing the TLS connection establishment cost and the traffic cost of reaching the service server, avoiding connection establishment with invalid clients, and reducing the connection cost.
Another flow control device is also provided in this embodiment; as shown in fig. 12, it includes a second verification module 20, a second connection module 21 and a second flow control module 22.
a second verification module 20, configured to send a connection request to a server; the connection request includes a corresponding identity to perform authentication at the server.
A second connection module 21, configured to receive and store the session ticket transmitted by the server and the number of flow control tokens contained in the session ticket, and establish a connection with the server.
And a second flow control module 22, configured to send the session ticket to the server through a connection establishment request each time a connection is established with the server, and perform flow control based on the number of flow control tokens in the session ticket.
Through the above modules, during connection establishment between client and server the session ticket carrying the flow control token number is transmitted to the client for storage, and on every later connection establishment flow control is performed according to the flow control token number in the session ticket the client sends back, so no additional distributed storage system is needed to count connections. Further, the client is authenticated as early as possible in the connection establishment between client and server, and connection (or attack) traffic from devices identified as having illegitimate identities is blocked at that early stage, reducing the TLS connection establishment cost and the traffic cost of reaching the service server, avoiding connection establishment with invalid clients, and reducing the connection cost.
The above-described respective modules may be functional modules or program modules, and may be implemented by software or hardware. For modules implemented in hardware, the various modules described above may be located in the same processor; or the above modules may be located in different processors in any combination.
There is also provided in this embodiment a computer device comprising a memory in which a computer program is stored and a processor arranged to run the computer program to perform the steps of any of the method embodiments described above.
Optionally, the computer device may further include a transmission device and an input/output device, where the transmission device is connected to the processor, and the input/output device is connected to the processor.
It should be noted that, specific examples in this embodiment may refer to examples described in the foregoing embodiments and alternative implementations, and are not described in detail in this embodiment.
In addition, in combination with the flow control method provided in the above embodiment, a storage medium may be provided in this embodiment. The storage medium has a computer program stored thereon; the computer program, when executed by a processor, implements any of the flow control methods of the above embodiments.
It should be understood that the specific embodiments described herein are merely illustrative of this application and are not intended to be limiting. All other embodiments, which can be made by one of ordinary skill in the art without undue burden from the present application, are within the scope of the present application in light of the embodiments provided herein.
It is evident that the drawings are only examples or embodiments of the present application, from which a person skilled in the art can also adapt the present application to other similar situations without inventive effort. In addition, it should be appreciated that while the development effort might be complex and lengthy, it would nevertheless be a routine undertaking of design, fabrication or manufacture for those of ordinary skill having the benefit of this disclosure, and thus should not be construed as an admission of insufficient detail.
The term "embodiment" in this application means that a particular feature, structure, or characteristic described in connection with the embodiment may be included in at least one embodiment of the application. The appearances of such phrases in various places in the specification are not necessarily all referring to the same embodiment, nor are separate or alternative embodiments mutually exclusive. It will be clear or implicitly understood by those of ordinary skill in the art that the embodiments described in this application can be combined with other embodiments without conflict.
The above examples only represent a few embodiments of the present application, which are described in more detail and are not to be construed as limiting the scope of the patent. It should be noted that it would be apparent to those skilled in the art that various modifications and improvements could be made without departing from the spirit of the present application, which would be within the scope of the present application. Accordingly, the scope of protection of the present application shall be subject to the appended claims.

Claims (11)

1. A flow control method, comprising:
acquiring a connection request sent by a client, and performing identity verification on the client according to the connection request;
transmitting the flow control token number to the client passing the identity verification through the session ticket so as to establish connection with the client;
when establishing connection with a client terminal each time, if the connection request sent by the client terminal has the session ticket, controlling the flow of the client terminal based on the flow control token number in the session ticket; the flow control method specifically comprises the following steps of:
When the flow control token number is not 0 and the flow control token and the session ticket are in the effective time, establishing connection with the client, subtracting 1 from the flow control token number, regenerating the session ticket and transmitting the session ticket to the client;
when the flow control token number is 0, terminating the connection establishment request of the corresponding client;
when the flow control token expires, updating the effective time of the flow control token, and regenerating a session ticket and sending the session ticket to a client;
and when the session ticket expires, re-authenticating with the client, and generating a session ticket and sending the session ticket to the client.
2. The flow control method according to claim 1, wherein the obtaining the connection request sent by the client and authenticating the client based on the connection request includes:
extracting the identity of the client in the connection request, and inquiring in a service cluster to obtain a corresponding client key;
and performing identity verification on the client whose identity identifier was found, based on an HMAC algorithm and the client key.
3. The flow control method according to claim 2, wherein said authenticating the client that queried the identity based on the client key and HMAC algorithm comprises:
According to the client key and the encryption suite, calculating a first authentication code based on an HMAC algorithm;
transmitting the encryption suite to a client, acquiring a second authentication code returned by the client, and performing identity authentication by comparing the first authentication code with the second authentication code;
if the first authentication code is the same as the second authentication code, the identity authentication is passed, and the identity identification is stored;
if the first authentication code is different from the second authentication code, the identity authentication is not passed, and the connection establishment request is terminated.
4. The flow control method according to claim 1, wherein the sending the flow control token number through the session ticket to the authenticated client to establish a connection with the client comprises:
encrypting and transmitting the session ticket to a client passing identity verification based on a session key obtained in a connection establishment process;
the session ticket comprises the identity of the client passing the identity verification and the corresponding flow control token number.
5. The flow control method according to claim 1, wherein the performing flow control on the client based on the number of flow control tokens in the session ticket if the session ticket is included in the connection request sent by the client each time a connection is established with the client, comprises:
Checking whether a session ticket is contained in the connection request every time a connection is established with a client;
if the session ticket is included, performing flow control based on the number of the flow control tokens, the valid time of the flow control tokens and the valid time of the session ticket;
if the session ticket is not included, re-authentication is performed with the client to establish a connection.
6. A flow control device, comprising a first verification module, a first connection module and a first flow control module, wherein:
the first verification module is configured to acquire a connection request sent by a client and to verify the identity of the client according to the connection request;
the first connection module is configured to send the flow control token number, by way of a session ticket, to a client that has passed identity verification, so as to establish a connection with the client;
the first flow control module is configured to perform flow control on the client based on the number of flow control tokens in the session ticket if the session ticket is included in the connection request sent by the client each time a connection is established with the client; the flow control specifically comprises the following steps:
when the flow control token number is not 0 and both the flow control tokens and the session ticket are within their validity periods, establishing a connection with the client, subtracting 1 from the flow control token number, regenerating the session ticket and sending it to the client;
when the flow control token number is 0, terminating the connection establishment request of the corresponding client;
when the flow control tokens have expired, updating the validity period of the flow control tokens, regenerating the session ticket and sending it to the client;
and when the session ticket has expired, re-authenticating the client, generating a session ticket and sending it to the client.
7. A flow control method, comprising:
sending a connection request to a server, the connection request comprising a corresponding identity identifier so that identity verification is performed at the server;
receiving and storing a session ticket sent by the server, together with the flow control token number contained in the session ticket, and establishing a connection with the server; wherein the session ticket is obtained as follows:
when the flow control token number is not 0 and both the flow control tokens and the session ticket are within their validity periods, a connection is established with the server, and the session ticket that the server regenerates after subtracting 1 from the flow control token number is received;
when the flow control tokens have expired, the session ticket that the server regenerates after updating the validity period of the flow control tokens is received;
when the session ticket has expired, identity verification is performed again with the server and the session ticket it generates is received;
and each time a connection is established with the server, sending the session ticket to the server in the connection request, so that flow control is performed based on the flow control token number in the session ticket.
8. The flow control method according to claim 7, wherein sending the connection request to the server, the connection request comprising a corresponding identity identifier so that identity verification is performed at the server, comprises:
sending a connection request comprising the identity identifier to the server;
and acquiring the encryption suite returned by the server after it looks up the identity identifier, calculating a second authentication code with an HMAC algorithm from the encryption suite and the local key, and sending the second authentication code to the server for identity verification.
9. A flow control device, comprising a second verification module, a second connection module and a second flow control module, wherein:
the second verification module is configured to send a connection request to a server, the connection request comprising a corresponding identity identifier so that identity verification is performed at the server;
the second connection module is configured to receive and store a session ticket sent by the server, together with the flow control token number contained in the session ticket, and to establish a connection with the server; wherein the session ticket is obtained as follows:
when the flow control token number is not 0 and both the flow control tokens and the session ticket are within their validity periods, a connection is established with the server, and the session ticket that the server regenerates after subtracting 1 from the flow control token number is received;
when the flow control tokens have expired, the session ticket that the server regenerates after updating the validity period of the flow control tokens is received;
when the session ticket has expired, identity verification is performed again with the server and the session ticket it generates is received;
and the second flow control module is configured to send the session ticket to the server in a connection establishment request each time a connection is established with the server, so that flow control is performed based on the flow control token number in the session ticket.
10. A computer device comprising a memory and a processor, wherein a computer program is stored in the memory and the processor is arranged to run the computer program so as to perform the flow control method of any one of claims 1 to 5 or 7 to 8.
11. A computer-readable storage medium having a computer program stored thereon, characterized in that the computer program, when executed by a processor, implements the steps of the flow control method of any one of claims 1 to 5 or 7 to 8.
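The exchange described in claims 5 to 8, written out as an added worked example; this is not the patent's or the assignee's code, and every name, key, number and the ticket format in it are constructed assumptions. The claims say the session ticket carries the flow control token number to the client and back, but not how the ticket is protected against the client editing that number or re-presenting an older ticket; in this example the server authenticates each ticket with an HMAC under a server-only key and remembers the ids of tickets it has already exchanged for newer ones until they expire, so a forged count or a replayed ticket is refused. Refilling the token count when the token validity period is renewed, and treating the connection made right after authentication as not consuming a token, are also assumptions (claim 1, which fixes those details, is not in this excerpt). The claim 8 identity step is modelled as the server returning an encryption suite with a nonce, which the client MACs with its pre-shared local key.

```python
import base64, hashlib, hmac, json, os

# Constructed sample values, not taken from the patent:
SERVER_TICKET_KEY = b"server-only-ticket-mac-key"                 # assumption: tickets carry an HMAC tag
DEVICE_KEYS = {"device-001": b"pre-shared-key-for-device-001"}   # server copy of each client's local key
TOKENS_PER_WINDOW, TOKEN_TTL, TICKET_TTL = 3, 60, 3600           # tokens per window (assumed), TTLs in seconds

def canonical(obj):
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()  # deterministic MAC input

def b64(raw):
    return base64.urlsafe_b64encode(raw).decode()

class Server:
    def __init__(self, clock):
        self.clock = clock    # callable returning the current time in seconds
        self.pending = {}     # identity -> encryption suite awaiting its HMAC answer (claim 8)
        self.consumed = {}    # ticket id -> ticket expiry, for replay tracking (assumption)

    def challenge(self, identity):  # claim 8: return the encryption suite the client must MAC
        self.pending[identity] = {"identity": identity, "mac": "HMAC-SHA256", "nonce": os.urandom(16).hex()}
        return self.pending[identity]

    def verify(self, identity, second_auth_code):  # claim 8: look up the key, check the code, issue a ticket
        suite, key = self.pending.pop(identity, None), DEVICE_KEYS.get(identity)
        if suite is None or key is None:
            return None
        expected = hmac.new(key, canonical(suite), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, second_auth_code):
            return None
        now = self.clock()
        return self._issue(identity, TOKENS_PER_WINDOW, now + TOKEN_TTL, now + TICKET_TTL)

    def _issue(self, identity, tokens, token_exp, ticket_exp):
        payload = canonical({"id": os.urandom(8).hex(), "identity": identity, "tokens": tokens,
                             "token_exp": token_exp, "ticket_exp": ticket_exp})
        return b64(payload) + "." + b64(hmac.new(SERVER_TICKET_KEY, payload, hashlib.sha256).digest())

    def _open(self, ticket):  # payload, or None when the tag fails: a client-edited token count is refused
        try:
            payload, tag = (base64.urlsafe_b64decode(part) for part in ticket.split("."))
        except (ValueError, TypeError, AttributeError):
            return None
        expected = hmac.new(SERVER_TICKET_KEY, payload, hashlib.sha256).digest()
        return json.loads(payload) if hmac.compare_digest(expected, tag) else None

    def connect(self, request):  # claims 5 and 6: returns (decision, new_ticket)
        ticket = request.get("ticket")
        if ticket is None:
            return "authenticate", None   # no ticket in the request: authenticate again (claim 5)
        p = self._open(ticket)
        if p is None:
            return "reject", None
        now = self.clock()
        if now >= p["ticket_exp"]:
            return "authenticate", None   # session ticket expired (claim 6, last step)
        self.consumed = {i: e for i, e in self.consumed.items() if e > now}
        if p["id"] in self.consumed:
            return "reject", None         # already exchanged for a newer ticket: replay
        tokens, token_exp = p["tokens"], p["token_exp"]
        if now >= token_exp:              # tokens expired: update their validity period
            tokens, token_exp = TOKENS_PER_WINDOW, now + TOKEN_TTL   # refilling the count is an assumption
        if tokens == 0:
            return "reject", None         # token count 0: terminate; the same ticket succeeds after token_exp
        self.consumed[p["id"]] = p["ticket_exp"]
        return "accept", self._issue(p["identity"], tokens - 1, token_exp, p["ticket_exp"])

class Client:  # claim 7: store the session ticket and present it in every connection request
    def __init__(self, identity, local_key, server):
        self.identity, self.local_key, self.server, self.ticket = identity, local_key, server, None

    def authenticate(self):
        suite = self.server.challenge(self.identity)
        code = hmac.new(self.local_key, canonical(suite), hashlib.sha256).digest()  # second authentication code
        self.ticket = self.server.verify(self.identity, code)
        return self.ticket is not None

    def connect(self):
        decision, new_ticket = self.server.connect({"identity": self.identity, "ticket": self.ticket})
        if decision == "authenticate":
            return "accept" if self.authenticate() else "reject"  # connection established with the fresh ticket
        if new_ticket is not None:
            self.ticket = new_ticket
        return decision

def demo():
    clock = [1_000_000.0]
    server = Server(lambda: clock[0])
    client = Client("device-001", DEVICE_KEYS["device-001"], server)
    results = [client.connect() for _ in range(5)]   # authenticate, 3 tokens spent, 1 refusal
    old = client.ticket                              # ticket now carrying a count of 0
    clock[0] += TOKEN_TTL                            # token validity lapses: count renewed
    results.append(client.connect())                 # old is consumed and replaced
    forged = b64(canonical({**json.loads(base64.urlsafe_b64decode(old.split(".")[0])), "tokens": 999}))
    results.append(server.connect({"ticket": forged + "." + old.split(".")[1]})[0])  # tag mismatch
    results.append(server.connect({"ticket": old})[0])                               # replayed ticket
    clock[0] += TICKET_TTL                           # ticket validity lapses: re-authentication
    results.append(client.connect())
    return results
```

`demo()` runs one client through the whole state machine of claim 6: the first request carries no ticket and triggers the claim 8 handshake, the next three spend the tokens, the fifth is refused with the count at 0, the refusal lifts once the token validity period has lapsed, and after the ticket validity period has lapsed the server demands re-authentication. The two extra checks at the end are the ones a reviewer of such a scheme asks for: a ticket whose count was rewritten by the holder fails the tag check, and a ticket already exchanged for a newer one is refused as a replay. In a deployment the ticket would additionally travel inside the authenticated channel the connection sets up, and the `consumed` map grows by one entry per accepted connection until the corresponding ticket expires, which bounds it by ticket lifetime times connection rate.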
CN202210788214.4A 2022-07-06 2022-07-06 Flow control method, flow control device, computer equipment and storage medium Active CN115296847B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210788214.4A CN115296847B (en) 2022-07-06 2022-07-06 Flow control method, flow control device, computer equipment and storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202210788214.4A CN115296847B (en) 2022-07-06 2022-07-06 Flow control method, flow control device, computer equipment and storage medium

Publications (2)

Publication Number Publication Date
CN115296847A CN115296847A (en) 2022-11-04
CN115296847B true CN115296847B (en) 2024-02-13

Family

ID=83821381

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202210788214.4A Active CN115296847B (en) 2022-07-06 2022-07-06 Flow control method, flow control device, computer equipment and storage medium

Country Status (1)

Country Link
CN (1) CN115296847B (en)

Citations (18)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1741447A (en) * 2004-08-23 2006-03-01 威达电股份有限公司 Network safety management method and system
CN101159675A (en) * 2007-11-06 2008-04-09 中兴通讯股份有限公司 Method of implementing improvement of user service quality in IP multimedia subsystem
CN101197670A (en) * 2006-12-08 2008-06-11 中兴通讯股份有限公司 Authentication device for providing authentication to users accessing by terminal
CN202206418U (en) * 2010-03-19 2012-04-25 F5网络公司 Traffic management device, system and processor
CN104067595A (en) * 2012-01-26 2014-09-24 迈克菲公司 System and method for innovative management of transport layer security session tickets in a network environment
CN106657125A (en) * 2017-01-03 2017-05-10 上海金融云服务集团安全技术有限公司 Flow control mechanism suitable for online identity authentication
CN108064436A (en) * 2017-11-21 2018-05-22 深圳市汇顶科技股份有限公司 Biometric information transmission establishment method, device, system and storage medium
CN108377186A (en) * 2018-03-19 2018-08-07 北京工业大学 An SSL protocol based on TCM
CN110224816A (en) * 2019-05-15 2019-09-10 如般量子科技有限公司 Anti-quantum-computation application system and short-distance energy-saving communication method and computer device based on key card and serial number
CN110417888A (en) * 2019-07-30 2019-11-05 中国工商银行股份有限公司 Flow control methods, volume control device and electronic equipment
CN110622482A (en) * 2017-06-01 2019-12-27 国际商业机器公司 No cache session ticket support in TLS inspection
CN110933078A (en) * 2019-11-29 2020-03-27 交通银行股份有限公司 H5 unregistered user session tracking method
CN112104673A (en) * 2020-11-12 2020-12-18 中博信息技术研究院有限公司 Multimedia resource web access authority authentication method
CN112149105A (en) * 2020-10-21 2020-12-29 腾讯科技(深圳)有限公司 Data processing system, method, related device and storage medium
CN113438071A (en) * 2021-05-28 2021-09-24 荣耀终端有限公司 Method and device for secure communication
CN113810330A (en) * 2020-06-11 2021-12-17 华为技术有限公司 Method, device and storage medium for sending verification information
CN113923797A (en) * 2021-09-26 2022-01-11 深圳市广和通无线通信软件有限公司 Session establishing method, device, client device and computer storage medium
CN114567600A (en) * 2022-01-27 2022-05-31 深圳市潮流网络技术有限公司 Traffic management method and related equipment

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US10581948B2 (en) * 2017-12-07 2020-03-03 Akamai Technologies, Inc. Client side cache visibility with TLS session tickets

Non-Patent Citations (3)

* Cited by examiner, † Cited by third party
Title
iTLS: Lightweight Transport-Layer Security Protocol for IoT With Minimal Latency and Perfect Forward Secrecy; Pengkun Li et al.; IEEE Internet of Things Journal; full text *
Research on a cache-based optimization mechanism for distributed unified identity authentication; 杨冬菊; 冯凯; Computer Science (Issue 03); full text *
Establishing a secure environment on the Internet; 唐晓东; 齐治昌; Computer Science (Issue 01); full text *

Also Published As

Publication number Publication date
CN115296847A (en) 2022-11-04

Similar Documents

Publication Publication Date Title
CN111835752B (en) Lightweight authentication method based on equipment identity and gateway
CN107277061B (en) IOT (Internet of things) equipment based end cloud secure communication method
CN110380852B (en) Bidirectional authentication method and communication system
CN110474875B (en) Discovery method and device based on service architecture
EP1811744B1 (en) Method, system and centre for authenticating in End-to-End communications based on a mobile network
CN110290525A (en) Vehicle digital key sharing method and system, and mobile terminal
US10462671B2 (en) Methods and arrangements for authenticating a communication device
KR20050064119A (en) Server certification validation method for authentication of extensible authentication protocol for internet access on user terminal
CN109068321B (en) Method and system for negotiating session key, mobile terminal and intelligent household equipment
CN109714360B (en) Intelligent gateway and gateway communication processing method
US11070537B2 (en) Stateless method for securing and authenticating a telecommunication
WO2007084615A1 (en) System and method for authenticating a wireless computing device
WO2022001474A1 (en) Network slice connection management method, terminal, and computer-readable storage medium
KR20180054775A (en) Method and system for providing security against initial contact establishment of mobile devices and devices
CN108259486B (en) End-to-end key exchange method based on certificate
CN115296847B (en) Flow control method, flow control device, computer equipment and storage medium
CN111510302A (en) Method and system for improving certificate verification efficiency in secure communication protocol
CN103986716A (en) Establishing method for SSL connection and communication method and device based on SSL connection
CN110896683A (en) Data protection method, device and system
CA3204892A1 (en) Orchestrated quantum key distribution
CN115190450B (en) Internet of Vehicles communication method and system for establishing TLS channel based on V2X certificate
CN117395652B (en) Bidirectional identity authentication method and system for communication at two ends of wireless network
RU2779029C1 (en) Access of a non-3GPP compliant apparatus to the core network
CN111212424B (en) Method and system for authenticating UE during interoperation from EPS to 5GS
Grochla et al. Extending the TLS protocol by EAP handshake to build a security architecture for heterogenous wireless network

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant