CN117938407A - Signaling transmission method, system, electronic equipment and storage medium - Google Patents


Info

Publication number
CN117938407A
Authority
CN
China
Prior art keywords
client
server
authentication information
encrypted
signature
Prior art date
Legal status
Pending
Application number
CN202211284714.0A
Other languages
Chinese (zh)
Inventor
沈炀
明旭
Current Assignee
Hangzhou Ezviz Network Co Ltd
Original Assignee
Hangzhou Ezviz Network Co Ltd
Priority date
Filing date
Publication date
Application filed by Hangzhou Ezviz Network Co Ltd
Priority to CN202211284714.0A
Publication of CN117938407A
Legal status: Pending

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The embodiment of the application provides a signaling transmission method, a system, electronic equipment and a storage medium, which are applied to a client in a signaling transmission system, wherein the method comprises the following steps: transmitting an initial key to a server through link encryption; receiving an encryption key generated by the server side according to the initial key through link encryption; generating client authentication information, and encrypting the client authentication information through an encryption key; sending the encrypted client authentication information to a server so that the server verifies the encrypted client authentication information; receiving encrypted server authentication information fed back by a server and verifying the encrypted server authentication information; and when the encrypted authentication information of the server passes the verification, the information interaction is carried out with the server. The method of the embodiment of the application can realize the verification of the client and the server, and after the verification is passed, the encryption key is utilized to encrypt and interact the interaction information between the client and the server, thereby improving the interaction security.

Description

Signaling transmission method, system, electronic equipment and storage medium
Technical Field
The present application relates to the field of information technologies, and in particular, to a signaling transmission method, a system, an electronic device, and a storage medium.
Background
At present, in the signaling transmission process, signaling is often transmitted by encrypting the signaling to be transmitted. For example, the signaling to be transmitted is encrypted, then the encrypted signaling is sent to the receiving party, and the receiving party obtains the signaling through decryption after receiving the encrypted signaling.
However, when the transmission is performed by the method, if a key leakage occurs, signaling may be acquired through the leaked key, thereby affecting the security of the transmission.
Disclosure of Invention
An object of an embodiment of the present application is to provide a signaling transmission method, a system, an electronic device, and a storage medium, which address the security problem in the signaling transmission process. The specific technical scheme is as follows:
In a first aspect of the embodiment of the present application, a signaling transmission method is provided, which is applied to a client in a signaling transmission system, where the signaling transmission system further includes a server;
The method comprises the following steps:
Transmitting an initial key to the server through link encryption;
Receiving an encryption key generated by the server according to the initial key through link encryption;
Generating client authentication information, and encrypting the client authentication information through the encryption key;
Sending the encrypted client authentication information to the server so that the server verifies the encrypted client authentication information;
Receiving and verifying the encrypted server authentication information fed back by the server, wherein the server authentication information is generated after the server verifies the encrypted client authentication information;
and when the encrypted server authentication information passes verification, encrypting and interacting interaction information with the server through the encryption key.
Optionally, the sending the encrypted client authentication information to the server, so that the server verifies the encrypted client authentication information, including:
Judging whether the quality of a User Datagram Protocol (UDP) network between the client and the server meets a first preset requirement or not;
If the first preset requirement is met, judging whether the client authentication information meets a second preset requirement or not;
And if the second preset requirement is met, sending the encrypted client authentication information to the server so that the server can verify the encrypted client authentication information.
Optionally, after the determining whether the UDP network between the client and the server meets the first preset requirement, the method further includes:
and if the first preset requirement is not met, carrying out information interaction with the server through a standby Transmission Control Protocol (TCP) network.
Optionally, the generating the client authentication information and encrypting the client authentication information by the encryption key includes:
generating client authentication information;
identifying sensitive information and non-sensitive information in the client authentication information through a preset sensitive information list;
Encrypting the identified sensitive information through the encryption key;
The sending the encrypted client authentication information to the server so that the server verifies the encrypted client authentication information, including:
and sending the encrypted sensitive information and the identified non-sensitive information to the server so that the server verifies the encrypted sensitive information and the identified non-sensitive information.
Optionally, the generating the client authentication information and encrypting the client authentication information by the encryption key includes:
acquiring command parameters of a client;
generating a client signature according to the client command parameters and the client signature generation rule;
and encrypting the client signature and the command parameters of the client by the encryption key.
Optionally, the generating a client signature according to the command parameter of the client and the signature generation rule of the client includes:
Generating a corresponding hash value according to the serial number of the client, the unique code of the request, the unique code of the client and the encryption key;
And taking the generated hash value as the client signature.
Optionally, the receiving and verifying the encrypted server authentication information fed back by the server includes:
Receiving encrypted server authentication information fed back by the server, wherein the encrypted server authentication information is obtained by encrypting command parameters of the server and a signature of the server through the encryption key;
Decrypting the encrypted server authentication information according to the encryption key to obtain command parameters of the server and a signature of the server;
Generating a server signature to be verified according to the command parameters of the server and the signature generation rule of the client;
comparing the server signature to be verified with the signature of the server; if the two are the same, the verification passes, and if they differ, the verification fails.
Optionally, the method further comprises:
In the process of interacting with the service end, detecting the network quality of communication with the service end;
and when the network quality of the communication does not meet the first preset requirement, identifying and interacting with another network different from the current network in the UDP network and the TCP network.
In a second aspect of the embodiment of the present application, a signaling transmission method is provided, which is applied to a server in a signaling transmission system, where the signaling transmission system further includes a client;
The method comprises the following steps:
receiving an initial key sent by the client through link encryption;
generating an encryption key from the initial key;
Transmitting the encryption key to the client through link encryption so that the client generates client authentication information, and encrypting the client authentication information through the encryption key;
receiving encrypted client authentication information and verifying the encrypted client authentication information;
when verification passes, generating encrypted server authentication information;
and sending the encrypted server authentication information to the client so that the client can verify the encrypted server authentication information and encrypt and interact interaction information with the client through the encryption key when the verification is passed.
Optionally, the encrypted client authentication information includes a signature generation rule of the client itself, and the receiving the encrypted client authentication information and verifying the encrypted client authentication information includes:
receiving encrypted client authentication information, wherein the encrypted client authentication information is obtained by encrypting command parameters of the client and a signature of the client through the encryption key;
Decrypting the encrypted client authentication information according to the encryption key to obtain command parameters of the client and a signature of the client;
Generating a client signature to be verified according to the client command parameters and the server signature generation rule;
Comparing the client signature to be verified with the signature of the client; if the two are the same, the verification passes, and if they differ, the verification fails.
Optionally, the method further comprises:
In the process of interacting information with the client, receiving address update information sent by the client, wherein the address update information includes an updated address;
Generating and sending a re-authentication request to the client so that the client authenticates the re-authentication request;
and receiving the feedback authentication confirmation information of the client, and carrying out interaction of interaction information with the client through the updated address.
Optionally, the generating and sending a re-authentication request to the client, so that the client authenticates the re-authentication request, including:
Generating a reauthentication parameter of a server and a reauthentication signature of the server, wherein the reauthentication signature of the server is generated through the reauthentication parameter of the server and a signature generation rule of the server;
And sending the re-authentication parameters of the server and the re-authentication signature of the server to the client so that the client generates a re-signature to be verified according to the re-authentication parameters of the server and the signature generation rule of the client and verifies the re-authentication signature of the server.
In a third aspect of the embodiment of the present application, there is provided a signaling transmission system, where the signaling transmission system includes a client and a server;
The client is used for executing any signaling transmission method applied to the client;
the server is used for executing any signaling transmission method applied to the server.
In a fourth aspect of the embodiment of the present application, an electronic device is provided, including a processor, a communication interface, a memory, and a communication bus, where the processor, the communication interface, and the memory complete communication with each other through the communication bus;
A memory for storing a computer program;
and the processor is used for realizing any signaling transmission method applied to the client when executing the program stored in the memory.
In a fifth aspect of the embodiment of the present application, an electronic device is provided, including a processor, a communication interface, a memory, and a communication bus, where the processor, the communication interface, and the memory complete communication with each other through the communication bus;
A memory for storing a computer program;
And the processor is used for realizing any signaling transmission method applied to the server when executing the programs stored in the memory.
In a sixth aspect of the embodiments of the present application, there is provided a computer readable storage medium, in which a computer program is stored, the computer program implementing any one of the signaling transmission methods applied to a client as described above when executed by a processor.
In a seventh aspect of the embodiments of the present application, a computer readable storage medium is provided, where a computer program is stored, where the computer program is executed by a processor to implement any one of the signaling transmission methods applied to a server.
In an eighth aspect of the embodiment of the present application, there is further provided a computer program product containing instructions, which when run on a computer, cause the computer to perform any of the above-mentioned signaling transmission methods applied to a client.
In a ninth aspect of the embodiment of the present application, the embodiment of the present application further provides a computer program product containing instructions, which when executed on a computer, cause the computer to perform any one of the signaling transmission methods applied to a server.
The embodiment of the application has the beneficial effects that:
The signaling transmission method provided by the embodiment of the application is applied to a client in a signaling transmission system, and the signaling transmission system also comprises a server; the method comprises the following steps: transmitting an initial key to the server through link encryption; receiving an encryption key generated by the server according to the initial key through link encryption; generating client authentication information, and encrypting the client authentication information through the encryption key; sending the encrypted client authentication information to the server so that the server verifies the encrypted client authentication information; receiving and verifying the encrypted server authentication information fed back by the server, wherein the server authentication information is generated after the server verifies the encrypted client authentication information; and when the encrypted server authentication information passes verification, performing information interaction with the server. It can be seen that, by the method of the embodiment of the application, the initial secret key can be sent to the server through link encryption, and then the encryption secret key generated by the server according to the initial secret key is received, so that in the verification process, the encryption and the sending of the verification information are carried out through the encryption secret key, the verification of the client and the server is realized, and after the verification is passed, the encryption and the interaction of the interaction information between the client and the server are carried out by utilizing the encryption secret key, thereby improving the security of the signaling transmission process.
Of course, it is not necessary for any one product or method of practicing the application to achieve all of the advantages set forth above at the same time.
Drawings
In order to more clearly illustrate the embodiments of the application or the technical solutions in the prior art, the drawings used in the embodiments or the description of the prior art will be briefly described below, and it is obvious that the drawings in the following description are only some embodiments of the application, and other embodiments may be obtained according to these drawings to those skilled in the art.
Fig. 1 is a schematic flow chart of a signaling transmission method applied to a client according to an embodiment of the present application;
Fig. 2 is a schematic flow chart of verifying client authentication information according to an embodiment of the present application;
Fig. 3 is a diagram illustrating an example of a signaling transmission method according to an embodiment of the present application;
Fig. 4 is a schematic diagram of network handover in a signaling transmission process according to an embodiment of the present application;
Fig. 5 is a schematic flow chart of encrypting client authentication information according to an embodiment of the present application;
Fig. 6 is a schematic structural diagram of client authentication information according to an embodiment of the present application;
Fig. 7 is a schematic diagram of another process for encrypting client authentication information according to an embodiment of the present application;
Fig. 8 is a schematic flow chart of interaction of authentication requests provided by an embodiment of the present application;
Fig. 9 is another flow chart of a signaling transmission method applied to a client according to an embodiment of the present application;
Fig. 10 is a schematic structural diagram of a signaling transmission system according to an embodiment of the present application;
Fig. 11 is a schematic structural diagram of an electronic device according to an embodiment of the present application;
Fig. 12 is a schematic structural diagram of another electronic device according to an embodiment of the present application.
Detailed Description
The following description of the embodiments of the present application will be made clearly and completely with reference to the accompanying drawings, in which it is apparent that the embodiments described are only some embodiments of the present application, but not all embodiments. Based on the embodiments of the present application, all other embodiments obtained by the person skilled in the art based on the present application are included in the scope of protection of the present application.
First, terms of art that may be used in the embodiments of the present application will be explained:
webrtc (Web Real-Time Communication): an API (Application Programming Interface) that allows Web browsers to carry out real-time voice or video conversations.
Websocket: a protocol for full-duplex communication over a single TCP (Transmission Control Protocol) connection.
RTT (Round-Trip Time): an important performance indicator in computer networks; it is the total delay from the moment the sender transmits data until the sender receives the receiver's acknowledgement (the acknowledgement is sent immediately after the receiver receives the data).
In a first aspect of the embodiment of the present application, a signaling transmission method is provided, which is applied to a client in a signaling transmission system, where the signaling transmission system further includes a server;
Referring to fig. 1, the method includes:
step S11, the initial key is sent to the server through link encryption.
Link encryption in the embodiments of the application refers to providing a secure communication link, such as SSL (Secure Socket Layer), during data transmission, so that the security of the transmitted data is ensured. The initial key may be information used to generate a key, such as a name, an ID (identity), or the like.
The method of the embodiment of the application is applied to the client, and can be implemented by the client, and particularly, the client can be a computer, a mobile phone, a server and the like.
Step S12, receiving, through link encryption, the encryption key generated by the server according to the initial key.
After the client sends the initial key to the server through link encryption, the server receives the initial key and generates an encryption key from it, specifically according to a preset key generation algorithm and the initial key. The preset key generation algorithm may be, for example, ssh-keygen (selective encryption algorithm), openssl (symmetric encryption algorithm), or the like. For example, when the initial key is a name, an ID, or the like, the encryption key is generated by applying the preset key generation algorithm to that initial key.
Step S13, generating the client authentication information and encrypting the client authentication information through an encryption key.
The client authentication information is information that can be authenticated, such as a signature. Specifically, the method of the embodiment of the application can be applied to the interaction of call information between the client and the server, for example webrtc (Web Real-Time Communications, a real-time communication technology) used for real-time audio/video interaction between the client and the server; when applied to this scenario, the authentication information may also include the serial number of the client, the unique code of the current request, the unique code of the client, and the like. The client authentication information is encrypted with the encryption key, that is, the encrypted client authentication information is obtained by encrypting the authentication information with the encryption key in a signaling-encryption manner.
Step S14, the encrypted client authentication information is sent to the server, so that the server verifies the encrypted client authentication information.
After the client sends the encrypted client authentication information to the server, the server may decrypt it with the encryption key to obtain the authentication information and then authenticate it. Specifically, the client authentication information may include the command parameters of the client and a client signature, where the client signature may be generated from the command parameters of the client; when the server verifies, it may generate a signature according to its own signature generation rule and the command parameters of the client, and then compare the generated signature with the client signature, thereby realizing the verification.
And S15, receiving the encrypted server authentication information fed back by the server and verifying the encrypted server authentication information.
The server authentication information is generated after the server verifies the encrypted client authentication information. Specifically, after the server verifies the encrypted client authentication information, the server authentication information can be generated, then the server authentication information is encrypted, and finally the encrypted server authentication information is fed back to the client. The server authentication information may include a command parameter of the server and a server signature, where the server signature may be generated by the server according to a self-applied signature generation rule and the command parameter of the server.
When receiving and verifying the encrypted server authentication information, the client may decrypt the received encrypted server authentication information to obtain the server authentication information, and then verify it. Specifically, the server authentication information may include the command parameters of the server and a server signature; when the client verifies, it may generate the server signature to be verified according to the client's signature generation rule and the command parameters of the server, and then compare the server signature to be verified with the received server signature to realize the verification.
And S16, when the encrypted server authentication information passes verification, the encryption key is used for encrypting and interacting interaction information with the server.
The method of the embodiment of the application can be applied to interaction of the call information of the client and the server, for example, webrtc, and is used for carrying out real-time audio/video interaction between the client and the server.
When the interaction is performed in link encryption mode, link-layer encryption depends on SSL and requires multiple interaction requests, whereas encrypting the signaling itself can reduce the IO (Input/Output) time of the first request. Therefore, in the embodiment of the application, the encryption key is exchanged in advance through link encryption before the call, and all audio and video call signaling content is then encrypted and decrypted with the exchanged encryption key; the time of the first request is reduced and the information interaction can be completed in 0RTT (Round Trip Time), so the interaction efficiency is improved.
It can be seen that, by the method of the embodiment of the present application, an initial secret key can be sent to a server through link encryption, and then an encryption secret key generated by the server according to the initial secret key is received, so that in the verification process, verification information is encrypted and sent through the encryption secret key, verification of the client and the server is achieved, and after verification is passed, encryption and interaction of interaction information between the client and the server are performed by using the encryption secret key, thereby improving security of the signaling transmission process.
Optionally, referring to fig. 2, step S14 sends the encrypted client authentication information to the server, so that the server verifies the encrypted client authentication information, including:
step S141, judging whether the UDP (user datagram protocol) network quality between the client and the server meets a first preset requirement;
step S142, if the first preset requirement is met, judging whether the client authentication information meets the second preset requirement;
Step S143, if the second preset requirement is met, the encrypted client authentication information is sent to the server, so that the server verifies the encrypted client authentication information.
Optionally, after determining whether the UDP network between the client and the server meets the first preset requirement, the method further includes: if the first preset requirement is not met, information interaction is carried out with the server through a standby TCP (transmission control protocol) network.
The method judges the UDP network quality between the client and the server, that is, whether the UDP network quality between them meets the communication requirement; if so, the UDP network quality is judged to meet the first preset requirement. It then judges whether the client authentication information is valid, specifically whether the corresponding information can be read from the authentication information; if so, the second preset requirement is judged to be met, and the encrypted client authentication information is sent to the server over the UDP (user datagram protocol) network for the interaction of authentication information and of the subsequent interaction information.
In one example, referring to fig. 3, the flow comprises: signaling encryption, in which the encryption key is pre-exchanged and it is judged whether the exchange succeeded; if so, a call is initiated by the client, the call comprising an encrypted signaling packet. It is then judged whether the UDP network quality between the client and the server meets the first preset requirement; if it does not, information interaction is carried out through the standby network, namely the standby TCP network, and after switching to the TCP network the client authentication information does not need to be judged against the second preset requirement and no verification information needs to be transmitted; the interaction information between the client and the server is exchanged directly over the standby TCP network. If the default network link is normal, it is judged whether the data packet is valid; if not, the data packet is discarded, and if so, quick authentication is performed. During quick authentication, it is first judged whether the server authentication fails; if it fails, the flow ends, and otherwise normal information interaction proceeds. It is then judged whether the network address changed during the call; if so, the server initiates authentication, and it is judged whether the server authentication fails; if it fails, the flow ends, and otherwise the client returns its authentication, and it is judged whether the client authentication fails; if it fails, the flow ends, and otherwise the flow returns to normal call information interaction and continues.
Optionally, the method further comprises: in the process of interacting with the server, detecting the network quality of the communication with the server; when the network quality does not meet the first preset requirement, identifying the other one of the UDP network and the TCP network, different from the current network, and interacting through it. For example, referring to fig. 4, when the client and the server are interacting and, for instance, a disconnection occurs during a call, the connection can be restarted through client reconnection, which reselects between the UDP link and the TCP link: specifically, when opening the normal call through UDP fails, the call is opened through TCP and normal message interaction is performed, and when the normal call and interaction run over TCP, the interaction information is still encrypted with the key.
Therefore, by the scheme of the embodiment of the application, the UDP network quality between the client and the server can be judged, so that the information interaction between the client and the server is performed through the standby network when the network quality does not meet the preset requirement, and the reliability of the information interaction between the client and the server is improved.
Optionally, referring to fig. 5, step S13 generates client authentication information, and encrypts the client authentication information with an encryption key, including:
step S131, generating client authentication information;
Step S132, identifying sensitive information and non-sensitive information in the client authentication information through a preset sensitive information list;
Step S133, encrypting the identified sensitive information through an encryption key;
Step S14, sending the encrypted client authentication information to the server so that the server verifies the encrypted client authentication information, includes:
Step S141, the encrypted sensitive information and the identified non-sensitive information are sent to the server, so that the server verifies the encrypted sensitive information and the identified non-sensitive information.
By the method of the embodiment of the application, the sensitive information list can be generated in advance and can comprise the sensitive information that needs encryption, such as service information. Specifically, the client authentication information may comprise a plurality of pieces of sub-information, and when identifying the sensitive and non-sensitive information in the client authentication information, each piece of sub-information can be matched against the preset sensitive information list to obtain the sensitive information. The non-sensitive information may include data such as session data (time domain), routing information and reliable-UDP transport signaling. For example, referring to fig. 6, the client authentication information may comprise an encrypted area and an unencrypted area; specifically, the encrypted area may contain the encrypted service data, and the unencrypted area may contain the session identifier, the route identifier and the data on which the reliable UDP transport depends.
The identified sensitive information is encrypted with the encryption key, and the encrypted sensitive information and the identified non-sensitive information are sent to the server so that the server verifies them. In this way the sensitive information is protected, information leakage is prevented and the security of the interaction is improved; and because only the sensitive part is encrypted while the session and route identifiers remain readable, invalid packets can be discarded without decryption, so attack packets cannot consume encryption and decryption performance.
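The division of fig. 6 into an encrypted area and an unencrypted area, as an added example in Python that is not part of the patent: the client matches each sub-field of its authentication information against a sensitive-information list, encrypts only the matched fields, and the server checks the plaintext session and route identifiers before it decrypts anything, so that packets with an unknown session or route are discarded without any decryption work. The patent does not name a cipher, so the block uses a stdlib-only stand-in (a SHA-256 keystream in counter mode with an HMAC-SHA256 tag in encrypt-then-MAC order, the tag also covering the plaintext header so that a modified header is detected); the field names, the sensitive list and the function names are assumptions for illustration, and a production system would use an AEAD such as AES-GCM in place of the stand-in.

```python
import hashlib
import hmac
import json
import os

# Assumed sensitive-information list; the patent only says it "may include
# service information and the like".
SENSITIVE_FIELDS = {"service_info", "device_token"}


def _subkey(key: bytes, label: bytes) -> bytes:
    """Derive independent keystream and tag keys from the one session key."""
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """SHA-256 in counter mode: a stdlib-only stand-in for a real stream cipher."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, plaintext: bytes, aad: bytes) -> bytes:
    """Encrypt-then-MAC; `aad` is the plaintext header, which the tag covers
    even though the header itself is sent in the clear."""
    nonce = os.urandom(12)
    ks = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(_subkey(key, b"mac"), aad + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes, aad: bytes):
    """Return the plaintext, or None if the tag does not verify."""
    if len(blob) < 12 + 32:
        return None
    nonce, ct, tag = blob[:12], blob[12:-32], blob[-32:]
    expected = hmac.new(_subkey(key, b"mac"), aad + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    ks = _keystream(_subkey(key, b"enc"), nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))


def _canon(fields: dict) -> bytes:
    """Canonical encoding so that client and server hash the same bytes."""
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()


def build_packet(auth_info: dict, key: bytes) -> dict:
    """Client side: match each sub-field against the sensitive list, encrypt the
    matched fields and leave the rest (session id, route id, ...) in the clear."""
    sensitive = {k: v for k, v in auth_info.items() if k in SENSITIVE_FIELDS}
    clear = {k: v for k, v in auth_info.items() if k not in SENSITIVE_FIELDS}
    return {"clear": clear, "enc": encrypt(key, _canon(sensitive), _canon(clear)).hex()}


def server_receive(packet: dict, key: bytes, sessions: set, routes: set):
    """Server side: validate the plaintext area first, so packets with an unknown
    session or route are dropped before any decryption work is spent.
    Returns (decision, decrypted sensitive fields or None)."""
    clear = packet.get("clear", {})
    if clear.get("session_id") not in sessions:
        return "drop:unknown-session", None
    if clear.get("route_id") not in routes:
        return "drop:unknown-route", None
    plaintext = decrypt(key, bytes.fromhex(packet.get("enc", "")), _canon(clear))
    if plaintext is None:
        return "drop:bad-tag", None
    return "accept", json.loads(plaintext)
```

The order of checks is the point: the two identifier lookups are cheap set membership tests, and only a packet that passes them reaches the keyed hash and the keystream, which is what keeps flood traffic with bogus identifiers from costing decryption time.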
Optionally, referring to fig. 7, generating the client authentication information and encrypting the client authentication information by an encryption key includes:
Step S71, obtaining command parameters of the client;
Step S72, generating a client signature according to the client command parameters and the client signature generation rules;
step S73, encrypting the client signature and the command parameters of the client itself by the encryption key.
Optionally, generating the client signature according to the client command parameter and the client signature generation rule includes: generating a corresponding hash value according to the serial number of the client, the unique code of the request, the unique code of the client and the encryption key; and taking the generated hash value as a client signature.
The client obtains its own command parameters, which may include the serial number of the client, the unique code of this request, the unique code of the client and the encryption key. For example, referring to fig. 8, the client sends an authentication request that comprises the client's own command parameters and the signature. Specifically, the signature generation rule may be: hash((serial number + unique code of this request + unique code of the client) + key), that is, the corresponding hash value is computed by a hash algorithm over the serial number, the unique code of this request and the unique code of the client together with the encryption key, and that hash value is used as the signature.
After receiving the client authentication information, the server can verify it: the server generates a signature to be verified from the received command parameters of the client and the server's own signature generation rule, and then compares the generated signature to be verified with the received client signature. For example, the server receives the client authentication command carrying the serial number, the unique code of this request and the unique code of the client sent by the client, generates a signature from those parameters according to the server's rule, and compares the two signatures; if they are consistent the verification passes and the server sends its own authentication command to the client, and if they are inconsistent an establishment failure is returned. The signature generation rule of the client and that of the server may be the same or different.
Optionally, receiving and verifying the encrypted server authentication information fed back by the server, including: receiving encrypted server authentication information fed back by a server, wherein the encrypted server authentication information is obtained by encrypting command parameters of the server and a signature of the server through an encryption key; decrypting the encrypted server authentication information according to the encryption key to obtain command parameters of the server and a signature of the server; generating a server signature to be verified according to the command parameters of the server and the signature generation rule of the client; and comparing the signature of the server to be verified with the signature of the server, if the signature is the same, the verification is passed, and if the signature is different, the verification fails.
Specifically, after receiving the encrypted server authentication information fed back by the server, the client can verify it by a method similar to the server's. The client generates a signature to be verified from the received command parameters of the server and the client's own signature generation rule, and compares it with the received server signature. For example, the client receives, in the server authentication command, the serial number, the unique code of this request, the unique code of the client and the signature sent by the server, and compares the two signatures; if they are consistent the verification passes and the client enters the subsequent signaling send/receive flow, and if they are inconsistent an establishment failure is returned.
Referring to fig. 8, after the client and the server have authenticated each other and passed, if during normal message interaction the server detects that the ip and port information of the client has changed, it does not accept data from the changed address and can initiate a re-authentication request to the client; the client performs validity authentication again according to that request and, after it passes, sends an authentication request to the server; the server performs validity authentication according to the authentication request sent by the client, updates the source information of the client after it passes, and message interaction resumes.
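The mutual signature exchange of figs. 7 and 8, as an added example in Python that is not part of the patent: both sides apply the rule hash((serial number + unique code of this request + unique code of the client) + key), the server verifies the client command and answers with its own command, and the client verifies that answer. The patent names neither the hash nor the cipher that wraps the command, so HMAC-SHA256 keyed with the encryption key is assumed for the keyed hash and the encryption envelope around the command is left out; a role label ("client"/"server") is added to the rule so that the two directions use different rules, which the description permits, and which stops a peer from reflecting a signature back unchanged. The unique code of this request is a fresh random value that the server refuses to accept twice. The class and function names are illustrative.

```python
import hashlib
import hmac
import secrets


def make_signature(key: bytes, serial: str, request_id: str, client_id: str, role: str) -> str:
    """Keyed hash over (serial number, request unique code, client unique code).
    HMAC-SHA256 and the role label are assumptions; the patent fixes neither."""
    msg = "|".join((serial, request_id, client_id, role)).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


class Client:
    def __init__(self, key: bytes, serial: str, client_id: str):
        self.key, self.serial, self.client_id = key, serial, client_id
        self.request_id = None

    def auth_command(self) -> dict:
        """Client authentication information: own command parameters plus signature."""
        self.request_id = secrets.token_hex(8)          # unique code of this request
        return {
            "serial": self.serial,
            "request_id": self.request_id,
            "client_id": self.client_id,
            "signature": make_signature(self.key, self.serial, self.request_id,
                                        self.client_id, "client"),
        }

    def verify_server(self, reply: dict) -> bool:
        """Recompute the server signature with the client's rule and compare."""
        if reply["request_id"] != self.request_id:      # must answer *this* request
            return False
        expected = make_signature(self.key, reply["serial"], reply["request_id"],
                                  reply["client_id"], "server")
        return hmac.compare_digest(expected, reply["signature"])


class Server:
    def __init__(self, key: bytes):
        self.key = key
        self.seen_request_ids = set()                   # a request id is accepted once
        self.authenticated = set()

    def handle_auth(self, cmd: dict):
        """Verify the client command. On success return the server's own
        authentication command; on failure return None (establishment failed)."""
        if cmd["request_id"] in self.seen_request_ids:
            return None
        expected = make_signature(self.key, cmd["serial"], cmd["request_id"],
                                  cmd["client_id"], "client")
        if not hmac.compare_digest(expected, cmd["signature"]):
            return None
        self.seen_request_ids.add(cmd["request_id"])
        self.authenticated.add(cmd["client_id"])
        return {
            "serial": cmd["serial"],
            "request_id": cmd["request_id"],
            "client_id": cmd["client_id"],
            "signature": make_signature(self.key, cmd["serial"], cmd["request_id"],
                                        cmd["client_id"], "server"),
        }


def run_handshake(client: Client, server: Server) -> bool:
    """Full exchange: client auth -> server verify -> server auth -> client verify."""
    reply = server.handle_auth(client.auth_command())
    return reply is not None and client.verify_server(reply)
```

Two details carry the security of the exchange: comparisons go through `hmac.compare_digest`, not `==`, and the server echoes the client's request id in its reply, so the client only accepts an answer to the request it actually sent.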
In a second aspect of the embodiment of the present application, a signaling transmission method is provided, which is applied to a server in a signaling transmission system, where the signaling transmission system further includes a client;
Referring to fig. 9, the method includes:
Step S91, receiving an initial key sent by a client through link encryption;
step S92, generating an encryption key according to the initial key;
step S93, transmitting an encryption key to the client through link encryption so that the client generates client authentication information, and encrypting the client authentication information through the encryption key;
step S94, receiving the encrypted client authentication information and verifying the encrypted client authentication information;
step S95, when verification passes, generating encrypted server authentication information;
Step S96, the encrypted server authentication information is sent to the client, so that the client authenticates the encrypted server authentication information and performs encryption and interaction of interaction information with the client through an encryption key when the authentication is passed.
Optionally, the encrypted client authentication information includes the signature generation rule of the client itself, and receiving the encrypted client authentication information and verifying it includes:
receiving encrypted client authentication information, wherein the encrypted client authentication information is obtained by encrypting command parameters of a client, a signature of the client and a signature generation rule of the client through an encryption key;
Decrypting the encrypted client authentication information according to the encryption key to obtain command parameters of the client, the signature of the client and signature generation rules of the client;
Generating a client signature to be verified according to the command parameters of the client and the signature generation rule of the client;
And comparing the client signature to be verified with the signature of the client; if they are the same, the verification passes, and if they are different, the verification fails.
Optionally, the method further comprises:
in the process of interacting information with the client, receiving address update information sent by the client, wherein the address update information comprises an updated address;
Generating and sending a re-authentication request to the client so that the client authenticates the re-authentication request;
and receiving the feedback authentication confirmation information of the client, and carrying out interaction of interaction information with the client through the updated address.
Optionally, generating and sending a re-authentication request to the client, so that the client authenticates the re-authentication request, including: generating a reauthentication parameter of the server and a reauthentication signature of the server, wherein the reauthentication signature of the server is generated through the reauthentication parameter of the server and a signature generation rule of the server; and sending the re-authentication parameters of the server and the re-authentication signature of the server to the client so that the client generates the re-signature to be verified according to the re-authentication parameters of the server and the signature generation rule of the client and verifies the re-authentication signature of the server.
Specifically, referring to fig. 8, in the interaction between the server and the client, for example when applied to Webrtc, while the client and the server interact in real time, when the server detects that the source ip (internet protocol) and port information of the received client packets has changed (whether through a replay attack or an actual change of address), the client is required to perform rapid signaling interaction authentication again, and until that authentication completes the server discards all data packets from the new client address. The rapid authentication flow is as follows: the server sends its re-authentication command parameters, namely the serial number, the unique code of this request, the unique code of the client and the signature, to the client. The client receives the re-authentication command, generates a signature according to the same rule from the serial number, the unique code of this request and the unique code of the client sent by the server, and compares it with the received signature; if the two signatures are consistent the verification passes and the client sends its own authentication command to the server, and if they are inconsistent an establishment failure is returned. When the server receives the client authentication command, it generates a signature according to the same rule from the serial number, the unique code of this request and the unique code of the client sent by the client, and compares it with the received signature; if the two signatures are consistent the verification passes and the client information is updated, and if they are inconsistent an establishment failure is returned.
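The re-authentication on a source-address change described above, as an added example in Python that is not part of the patent: the server keeps the (ip, port) learned at initial authentication, delivers data only from that source, and when a packet arrives from a different source it drops the data and sends a re-authentication command with a fresh request unique code; the client verifies the server's signature, answers with its own command over the same request unique code, and only after that answer verifies does the server update the client's source. Because the answer must carry the open challenge's request unique code, an authentication command captured earlier cannot be replayed from a forged address. As in the patent, both sides use the same rule hash((serial number + unique code of this request + unique code of the client) + key); HMAC-SHA256, the role label and the class and function names are assumptions for illustration, and the encryption around the commands is left out.

```python
import hashlib
import hmac
import secrets


def make_signature(key: bytes, serial: str, request_id: str, client_id: str, role: str) -> str:
    """Keyed hash over (serial number, request unique code, client unique code).
    HMAC-SHA256 and the role label are assumptions; the patent fixes neither."""
    msg = "|".join((serial, request_id, client_id, role)).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


class SignalingServer:
    """Server state for one authenticated client: its trusted source (ip, port)
    and the outstanding re-authentication challenge, if any."""

    def __init__(self, key: bytes, serial: str, client_id: str, source):
        self.key, self.serial, self.client_id = key, serial, client_id
        self.source = source            # (ip, port) learned at initial authentication
        self.pending = None             # request id of the open challenge, or None
        self.outbox = []                # (destination, message) pairs to send
        self.delivered = []             # data accepted for the application

    def on_packet(self, src, packet: dict) -> str:
        if packet.get("type") == "client_auth":
            return self._on_client_auth(src, packet)
        if src == self.source:
            self.delivered.append(packet["data"])
            return "delivered"
        # Source ip/port changed (NAT rebinding, or a forged/replayed source):
        # drop the data and challenge the new source. Nothing from it is
        # delivered until the challenge is answered with a valid signature.
        if self.pending is None:
            self.pending = secrets.token_hex(8)
            self.outbox.append((src, {
                "type": "reauth",
                "serial": self.serial,
                "request_id": self.pending,
                "client_id": self.client_id,
                "signature": make_signature(self.key, self.serial, self.pending,
                                            self.client_id, "server"),
            }))
        return "dropped:awaiting-reauth"

    def _on_client_auth(self, src, packet: dict) -> str:
        # The answer must carry the open challenge's request id, so a captured
        # authentication command from earlier cannot be replayed.
        if self.pending is None or packet["request_id"] != self.pending:
            return "rejected:stale-request"
        expected = make_signature(self.key, self.serial, packet["request_id"],
                                  self.client_id, "client")
        if not hmac.compare_digest(expected, packet["signature"]):
            return "rejected:bad-signature"
        self.source = src               # update the client's source information
        self.pending = None
        return "reauthenticated"


def client_answer_reauth(key: bytes, serial: str, client_id: str, challenge: dict):
    """Client side: verify the server's re-auth signature with the same rule and,
    on success, return the client authentication command; otherwise None."""
    expected = make_signature(key, challenge["serial"], challenge["request_id"],
                              challenge["client_id"], "server")
    if not hmac.compare_digest(expected, challenge["signature"]):
        return None
    return {
        "type": "client_auth",
        "serial": serial,
        "request_id": challenge["request_id"],
        "client_id": client_id,
        "signature": make_signature(key, serial, challenge["request_id"], client_id, "client"),
    }
```

Note that after the update the old address is treated like any other unknown source: a packet from it triggers a new challenge rather than being accepted on the strength of the earlier authentication.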
It can be seen that, by the method of the embodiment of the application, the initial secret key can be sent to the server through link encryption, and then the encryption secret key generated by the server according to the initial secret key is received, so that in the verification process, the encryption and the sending of the verification information are carried out through the encryption secret key, the verification of the client and the server is realized, and after the verification is passed, the encryption and the interaction of the interaction information between the client and the server are carried out by utilizing the encryption secret key, thereby improving the security of the signaling transmission process.
In a third aspect of the embodiment of the present application, a signaling transmission system is provided, referring to fig. 10, where the signaling transmission system includes a client 1001 and a server 1002;
A client 1001, configured to execute any one of the signaling transmission methods applied to the client;
the server 1002 is configured to execute any of the signaling transmission methods applied to the server.
It can be seen that, by the method of the embodiment of the application, the initial secret key can be sent to the server through link encryption, and then the encryption secret key generated by the server according to the initial secret key is received, so that in the verification process, the encryption and the sending of verification information are carried out through the encryption secret key, the verification of the client and the server is realized, after the verification is passed, the encryption and the interaction of the interaction information between the client and the server are carried out by utilizing the encryption secret key, and the transmission efficiency of signaling in the interaction process is improved.
The embodiment of the present application further provides an electronic device, as shown in fig. 11, including a processor 1101, a communication interface 1102, a memory 1103 and a communication bus 1104, where the processor 1101, the communication interface 1102 and the memory 1103 complete communication with each other through the communication bus 1104,
A memory 1103 for storing a computer program;
The processor 1101 is configured to execute a program stored in the memory 1103, and implement the following steps:
Transmitting an initial key to a server through link encryption;
Receiving an encryption key generated by the server side according to the initial key through link encryption;
Generating client authentication information, and encrypting the client authentication information through an encryption key;
sending the encrypted client authentication information to a server so that the server verifies the encrypted client authentication information;
Receiving and verifying encrypted server authentication information fed back by a server, wherein the server authentication information is generated after the server verifies the encrypted client authentication information;
And when the encrypted authentication information of the server passes the verification, the encryption key is used for encrypting and interacting the interaction information with the server.
The embodiment of the application also provides an electronic device, as shown in fig. 12, which comprises a processor 1201, a communication interface 1202, a memory 1203 and a communication bus 1204, wherein the processor 1201, the communication interface 1202 and the memory 1203 complete the communication with each other through the communication bus 1204,
A memory 1203 for storing a computer program;
The processor 1201, when executing the program stored in the memory 1203, performs the following steps:
receiving an initial key sent by a client through link encryption;
generating an encryption key according to the initial key;
Transmitting an encryption key to the client through link encryption so that the client generates client authentication information, and encrypting the client authentication information through the encryption key;
receiving encrypted client authentication information and verifying the encrypted client authentication information;
when verification passes, generating encrypted server authentication information;
And sending the encrypted server authentication information to the client so that the client can verify the encrypted server authentication information and encrypt and interact interaction information with the client through an encryption key when the verification passes.
The communication bus mentioned above for the electronic device may be a Peripheral Component Interconnect (PCI) bus or an Extended Industry Standard Architecture (EISA) bus, etc. The communication bus may be classified as an address bus, a data bus, a control bus, or the like. For ease of illustration, only one bold line is shown in the figures, but this does not mean that there is only one bus or one type of bus.
The communication interface is used for communication between the electronic device and other devices.
The Memory may include random access Memory (Random Access Memory, RAM) or may include Non-Volatile Memory (NVM), such as at least one disk Memory. Optionally, the memory may also be at least one memory device located remotely from the aforementioned processor.
The processor may be a general-purpose processor, including a central processing unit (CPU), a network processor (NP), etc.; it may also be a digital signal processor (DSP), an application-specific integrated circuit (ASIC), a field-programmable gate array (FPGA) or another programmable logic device, a discrete gate or transistor logic device, or discrete hardware components.
In yet another embodiment of the present application, there is also provided a computer readable storage medium having a computer program stored therein, the computer program when executed by a processor implementing the steps of any of the above signaling transmission methods applied to a client.
In yet another embodiment of the present application, a computer readable storage medium is provided, where a computer program is stored, where the computer program, when executed by a processor, implements the steps of any of the signaling transmission methods applied to a server as described above.
In yet another embodiment of the present application, a computer program product comprising instructions which, when run on a computer, cause the computer to perform any of the above embodiments of the signaling transmission method applied to a client is also provided.
In yet another embodiment of the present application, a computer program product containing instructions that, when executed on a computer, cause the computer to perform any of the signaling transmission methods of the above embodiments applied to a server is also provided.
The above embodiments may be implemented in whole or in part by software, hardware, firmware, or any combination thereof. When implemented in software, they may be implemented in whole or in part in the form of a computer program product. The computer program product includes one or more computer instructions. When the computer instructions are loaded and executed on a computer, the flows or functions according to the embodiments of the present application are produced in whole or in part. The computer may be a general purpose computer, a special purpose computer, a computer network, or other programmable apparatus. The computer instructions may be stored in a computer-readable storage medium or transmitted from one computer-readable storage medium to another, for example by wire (e.g., coaxial cable, optical fiber, digital subscriber line (DSL)) or wirelessly (e.g., infrared, radio, microwave). The computer-readable storage medium may be any available medium that can be accessed by a computer, or a data storage device such as a server or data center that integrates one or more available media. The available medium may be a magnetic medium (e.g., floppy disk, hard disk, tape), an optical medium (e.g., DVD), or a semiconductor medium (e.g., solid state disk (SSD)), etc.
It is noted that relational terms such as first and second, and the like are used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Moreover, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising one … …" does not exclude the presence of other like elements in a process, method, article, or apparatus that comprises the element.
In this specification, each embodiment is described in a related manner, and identical and similar parts of each embodiment are all referred to each other, and each embodiment mainly describes differences from other embodiments. In particular, for apparatus, system, electronic device, and computer program product embodiments, the description is relatively simple, as it is substantially similar to method embodiments, with reference to the description of method embodiments in part.
The foregoing description is only of the preferred embodiments of the present application and is not intended to limit the scope of the present application. Any modification, equivalent replacement, improvement, etc. made within the spirit and principle of the present application are included in the protection scope of the present application.

Claims (15)

1. The signaling transmission method is characterized by being applied to a client in a signaling transmission system, wherein the signaling transmission system also comprises a server;
The method comprises the following steps:
Transmitting an initial key to the server through link encryption;
Receiving an encryption key generated by the server according to the initial key through link encryption;
Generating client authentication information, and encrypting the client authentication information through the encryption key;
Sending the encrypted client authentication information to the server so that the server verifies the encrypted client authentication information;
Receiving and verifying the encrypted server authentication information fed back by the server, wherein the server authentication information is generated after the server verifies the encrypted client authentication information;
and when the encrypted server authentication information passes verification, encrypting and interacting interaction information with the server through the encryption key.
2. The method of claim 1, wherein the sending the encrypted client authentication information to the server to cause the server to verify the encrypted client authentication information comprises:
Judging whether the quality of a User Datagram Protocol (UDP) network between the client and the server meets a first preset requirement or not;
If the first preset requirement is met, judging whether the client authentication information meets a second preset requirement or not;
And if the second preset requirement is met, sending the encrypted client authentication information to the server so that the server can verify the encrypted client authentication information.
3. The method according to claim 2, wherein after the determining whether the UDP network between the client and the server meets the first preset requirement, the method further comprises:
and if the first preset requirement is not met, carrying out information interaction with the server through a standby Transmission Control Protocol (TCP) network.
4. The method of claim 1, wherein generating the client authentication information and encrypting the client authentication information with the encryption key comprises:
generating client authentication information;
identifying sensitive information and non-sensitive information in the client authentication information through a preset sensitive information list;
Encrypting the identified sensitive information through the encryption key;
The sending the encrypted client authentication information to the server so that the server verifies the encrypted client authentication information, including:
and sending the encrypted sensitive information and the identified non-sensitive information to the server so that the server verifies the encrypted sensitive information and the identified non-sensitive information.
5. The method of claim 1, wherein generating the client authentication information and encrypting the client authentication information with the encryption key comprises:
acquiring command parameters of a client;
generating a client signature according to the client command parameters and the client signature generation rule;
and encrypting the client signature and the command parameters of the client by the encryption key.
6. The method of claim 5, wherein generating a client signature based on the client's own command parameters and the client's own signature generation rules comprises:
Generating a corresponding hash value according to the serial number of the client, the unique code of the request, the unique code of the client and the encryption key;
And taking the generated hash value as the client signature.
7. The method of claim 5, wherein the receiving and verifying the encrypted server authentication information fed back by the server includes:
Receiving encrypted server authentication information fed back by the server, wherein the encrypted server authentication information is obtained by encrypting command parameters of the server and a signature of the server through the encryption key;
Decrypting the encrypted server authentication information according to the encryption key to obtain command parameters of the server and a signature of the server;
Generating a server signature to be verified according to the command parameters of the server and the signature generation rule of the client;
comparing the signature of the server to be verified with the signature of the server, if the signature is the same, the verification is passed, and if the signature is different, the verification fails.
8. A method according to claim 3, characterized in that the method further comprises:
In the process of interacting with the service end, detecting the network quality of communication with the service end;
and when the network quality of the communication does not meet the first preset requirement, identifying and interacting with another network different from the current network in the UDP network and the TCP network.
9. The signaling transmission method is characterized by being applied to a server side in a signaling transmission system, wherein the signaling transmission system also comprises a client side;
The method comprises the following steps:
receiving an initial key sent by the client through link encryption;
generating an encryption key according to the initial key;
Transmitting the encryption key to the client through link encryption so that the client generates client authentication information, and encrypting the client authentication information through the encryption key;
receiving encrypted client authentication information and verifying the encrypted client authentication information;
when verification passes, generating encrypted server authentication information;
and sending the encrypted server authentication information to the client so that the client can verify the encrypted server authentication information and encrypt and interact interaction information with the client through the encryption key when the verification is passed.
10. The method of claim 9, wherein the encrypted client authentication information includes a signature generation rule of the client itself, and wherein the receiving the encrypted client authentication information and verifying the encrypted client authentication information comprises:
receiving encrypted client authentication information, wherein the encrypted client authentication information is obtained by encrypting command parameters of the client and a signature of the client through the encryption key;
Decrypting the encrypted client authentication information according to the encryption key to obtain command parameters of the client and a signature of the client;
Generating a client signature to be verified according to the client command parameters and the server signature generation rule;
Comparing the client signature to be verified with the signature of the client, if the client signature is the same, verifying the client signature, and if the client signature is different, failing to verify the client signature.
11. The method according to claim 9, wherein the method further comprises:
In the process of interacting information with the client, receiving address update information sent by the client, wherein the address update information comprises an updated address;
Generating and sending a re-authentication request to the client so that the client authenticates the re-authentication request;
and receiving the feedback authentication confirmation information of the client, and carrying out interaction of interaction information with the client through the updated address.
12. The method of claim 11, wherein the generating and sending a re-authentication request to the client to cause the client to authenticate the re-authentication request comprises:
Generating a reauthentication parameter of a server and a reauthentication signature of the server, wherein the reauthentication signature of the server is generated through the reauthentication parameter of the server and a signature generation rule of the server;
And sending the re-authentication parameters of the server and the re-authentication signature of the server to the client so that the client generates a re-signature to be verified according to the re-authentication parameters of the server and the signature generation rule of the client and verifies the re-authentication signature of the server.
13. A signaling transmission system, wherein the signaling transmission system comprises a client and a server;
The client being adapted to perform the method of any of claims 1-8;
The server is configured to perform the method of any one of claims 9-12.
14. An electronic device, characterized in that it comprises a processor, a communication interface, a memory and a communication bus, wherein the processor, the communication interface and the memory communicate with each other through the communication bus;
The memory is configured to store a computer program;
The processor is configured to carry out the method steps of any one of claims 1-8 or 9-12 when executing the program stored in the memory.
15. A computer-readable storage medium, characterized in that the computer-readable storage medium has stored therein a computer program which, when executed by a processor, implements the method steps of any of claims 1-8 or 9-12.
CN202211284714.0A 2022-10-17 2022-10-17 Signaling transmission method, system, electronic equipment and storage medium Pending CN117938407A (en)

Publications (1)

Publication Number Publication Date
CN117938407A true CN117938407A (en) 2024-04-26

Family

ID=90761639

Country Status (1)

Country Link
CN (1) CN117938407A (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination