WO2021169266A1 - Method and apparatus for secure handshaking between client and service end, and storage medium - Google Patents

Method and apparatus for secure handshaking between client and service end, and storage medium Download PDF

Info

Publication number
WO2021169266A1
WO2021169266A1 PCT/CN2020/117430 CN2020117430W WO2021169266A1 WO 2021169266 A1 WO2021169266 A1 WO 2021169266A1 CN 2020117430 W CN2020117430 W CN 2020117430W WO 2021169266 A1 WO2021169266 A1 WO 2021169266A1
Authority
WO
WIPO (PCT)
Prior art keywords
server
session record
client
key
handshake
Prior art date
Application number
PCT/CN2020/117430
Other languages
French (fr)
Chinese (zh)
Inventor
魏海通
Original Assignee
平安科技(深圳)有限公司
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by 平安科技(深圳)有限公司 filed Critical 平安科技(深圳)有限公司
Publication of WO2021169266A1 publication Critical patent/WO2021169266A1/en

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/06Network architectures or network communication protocols for network security for supporting key management in a packet data network
    • H04L63/068Network architectures or network communication protocols for network security for supporting key management in a packet data network using time-dependent keys, e.g. periodically changing keys
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/06Network architectures or network communication protocols for network security for supporting key management in a packet data network
    • H04L63/062Network architectures or network communication protocols for network security for supporting key management in a packet data network for key distribution, e.g. centrally by trusted party
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0819Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
    • H04L9/083Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s) involving central third party, e.g. key distribution center [KDC] or trusted third party [TTP]
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/088Usage controlling of secret information, e.g. techniques for restricting cryptographic keys to pre-authorized uses, different access levels, validity of crypto-period, different key- or password length, or different strong and weak cryptographic algorithms
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0891Revocation or update of secret information, e.g. encryption key update or rekeying
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/12Transmitting and receiving encryption devices synchronised or initially set up in a particular manner
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/04Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/0435Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply symmetric encryption, i.e. same key used for encryption and decryption
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/04Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/0442Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply asymmetric encryption, i.e. different keys for encryption and decryption
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/16Implementing security features at a particular protocol layer
    • H04L63/166Implementing security features at a particular protocol layer at the transport layer
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/16Implementing security features at a particular protocol layer
    • H04L63/168Implementing security features at a particular protocol layer above the transport layer

Definitions

  • This application relates to the field of information security technology, and more specifically, to a method, device and storage medium for secure handshake between a client and a server.
  • HTTPS Secure Hypertext Transfer Protocol
  • SSL Secure Socket Layer
  • TLS/SSL Transport Layer Security, the full name of the secure transport layer protocol
  • the HTTP protocol uses plain text to transmit information, and there are risks of information eavesdropping, information tampering, and information hijacking.
  • the protocol TLS/SSL has the functions of identity verification, information encryption and integrity verification to encrypt the transmitted data to ensure that the data is in transmission Unchanged, it is a layer of security protocol between TCP and HTTP.
  • HTTPS is roughly divided into two phases, namely the handshake phase and the data transmission phase.
  • Handshake phase During the handshake phase, the client and server of the TLS/SSL protocol negotiate a set of encryption algorithms and integrity verification algorithms used to protect data transmission, as well as the keys used by each algorithm.
  • Data transmission phase Once the TLS/SSL handshake is completed, the data is divided into a series of records protected by key encryption negotiated in the handshake phase for transmission.
  • the client and the server need multiple round-trip negotiation interactions during the handshake phase, and a large amount of calculations are required to obtain information related to secure communication such as keys, and the round-trip time (RTT) is relatively large; and the client Complicated and cumbersome key calculations are required inside the server, and the performance (such as power, storage, and computing resources) of the client device and the server device consumes a lot, which is the main reason for the slow HTTPS link.
  • RTT round-trip time
  • Session is generally used.
  • Resumption session reuse
  • Session Resumption includes Session Ticket (session record) reuse and Session ID (session identification) reuse.
  • Session Ticket reuse is that the server generates a session record to record information related to secure communication such as the key negotiated successfully with the client in the handshake process, and sends the encrypted session record to the client for subsequent follow-up
  • the client carries the encrypted session record in the handshake request, and the server uses the key to decrypt the session record, reuses information related to secure communication such as the successfully negotiated key in the previous handshake process, reduces the RTT to one, and completes the handshake quickly Process.
  • the purpose of this application is to provide a method, device and storage medium for the secure handshake between the client and the server.
  • the method changes the situation that the session recording key is always unchanged, increases the difficulty of deciphering the session recording key, and enhances the security of data transmission.
  • a method for secure handshake between a client and a server is provided.
  • the secure handshake between the client and the server is realized by using session record reuse in the handshake phase of the client and the server, including the following steps.
  • S110 The server generates a session recording key every first set period of time and saves it in its memory, and the session recording key is deleted when the storage time of the memory exceeds a preset validity period.
  • the server uses the newly generated session record key to encrypt the session record generated by the initial handshake between the client and the server, and sends the encrypted session record to the client; where ,
  • the session record includes a negotiation key used to encrypt the interactive content between the client and the server.
  • S130 When the client carries the encrypted session record and performs a subsequent handshake with the server, the server sequentially calls the session record key in its memory to decrypt the encrypted session record, if If the decryption is successful, the client and the server reuse the negotiated key in the session record, and the handshake is completed; if the decryption is unsuccessful, proceed to S120.
  • a secure handshake method between a client and a server is provided.
  • the secure handshake between the client and the server is realized by using session record reuse during the handshake phase of the client and the server, and the server It is the CDN edge server in CDN, including the following steps.
  • S210 Set a server as a central server, and the central server generates a session record key every first set period, saves it in its memory, and synchronously saves the session record key to each CDN node
  • the session recording key is deleted when the storage time in the memory of the central server and the CDN edge server exceeds a preset validity period.
  • the CDN edge server invokes the session record key newly stored in its memory to encrypt the session record generated by the initial handshake between the client and the CDN edge server, and sends the encrypted session record to all The client; wherein the session record contains a negotiation key used to encrypt the interactive content between the client and the server.
  • S230 When the client carries the encrypted session record and performs a subsequent handshake with the CDN edge server, the CDN edge server sequentially calls its memory in the order of the storage time of the session record key from near to far. The session record key in the session record decrypts the encrypted session record. If the decryption is successful, the client and the CDN edge server reuse the negotiated key in the session record, and the handshake is completed; if the decryption is unsuccessful , Then proceed to S220.
  • an electronic device including: a memory and a processor, the memory is stored with a computer program, and the computer program is executed by the processor to realize the following client and server security Steps of the handshake method.
  • S110 The server generates a session recording key every first set period of time and saves it in its memory, and the session recording key is deleted when the storage time of the memory exceeds a preset validity period.
  • the server uses the newly generated session record key to encrypt the session record generated by the initial handshake between the client and the server, and sends the encrypted session record to the client; where
  • the session record includes a negotiation key used to encrypt the interactive content between the client and the server.
  • S130 When the client carries the encrypted session record and performs a subsequent handshake with the server, the server sequentially calls the session record key in its memory to decrypt the encrypted session record, if If the decryption is successful, the client and the server reuse the negotiated key in the session record, and the handshake is completed; if the decryption is unsuccessful, proceed to S120.
  • an electronic device including: a memory and a processor, the memory is stored with a computer program, and the computer program is executed by the processor to realize the following client and server security Steps of the handshake method.
  • S210 Set a server as a central server, and the central server generates a session record key every first set period, saves it in its memory, and synchronously saves the session record key to each CDN node
  • the session recording key is deleted when the storage time in the memory of the central server and the CDN edge server exceeds a preset validity period.
  • the CDN edge server invokes the session record key newly stored in its memory to encrypt the session record generated by the initial handshake between the client and the CDN edge server, and sends the encrypted session record to all The client; wherein the session record contains a negotiation key used to encrypt the interactive content between the client and the server.
  • S230 When the client carries the encrypted session record and performs a subsequent handshake with the CDN edge server, the CDN edge server sequentially calls its memory in the order of the storage time of the session record key from near to far. The session record key in the session record decrypts the encrypted session record. If the decryption is successful, the client and the CDN edge server reuse the negotiated key in the session record, and the handshake is completed; if the decryption is unsuccessful , Then proceed to S220.
  • a computer-readable storage medium stores a client and server secure handshake program, and the client and server secure handshake program is processed by a processor. When executed, the steps of the following method of secure handshake between the client and the server are implemented.
  • S110 The server generates a session recording key every first set period of time and saves it in its memory, and the session recording key is deleted when the storage time of the memory exceeds a preset validity period.
  • the server uses the newly generated session record key to encrypt the session record generated by the initial handshake between the client and the server, and sends the encrypted session record to the client; where
  • the session record includes a negotiation key used to encrypt the interactive content between the client and the server.
  • S130 When the client carries the encrypted session record and performs a subsequent handshake with the server, the server sequentially calls the session record key in its memory to decrypt the encrypted session record, if If the decryption is successful, the client and the server reuse the negotiated key in the session record, and the handshake is completed; if the decryption is unsuccessful, proceed to S120.
  • a computer-readable storage medium stores a client and server secure handshake program, and the client and server secure handshake program is processed by a processor. When executed, the steps of the following method of secure handshake between the client and the server are implemented.
  • S210 Set a server as a central server, and the central server generates a session record key every first set period, saves it in its memory, and synchronously saves the session record key to each CDN node
  • the session recording key is deleted when the storage time in the memory of the central server and the CDN edge server exceeds a preset validity period.
  • the CDN edge server invokes the session record key newly stored in its memory to encrypt the session record generated by the initial handshake between the client and the CDN edge server, and sends the encrypted session record to all The client; wherein the session record contains a negotiation key used to encrypt the interactive content between the client and the server.
  • S230 When the client carries the encrypted session record and performs a subsequent handshake with the CDN edge server, the CDN edge server sequentially calls its memory in the order of the storage time of the session record key from near to far. The session record key in the session record decrypts the encrypted session record. If the decryption is successful, the client and the CDN edge server reuse the negotiated key in the session record, and the handshake is completed; if the decryption is unsuccessful , Then proceed to S220.
  • the session recording key is periodically reset, and the reset key can be synchronized to all CDN nodes. Ensure that the session recording key generated in each cycle is different.
  • the session records of the HTTPS connection handshake phase in the latest cycle are encrypted and decrypted with the latest key, and the session records generated by the HTTPS connection in the previous cycle are decrypted one by one with the decryption key generated in the previous cycle. Only the session record key within the validity period is saved. After the validity period, the client carries the encrypted session record and sends a request to the server again, and the session record cannot be decrypted.
  • the client must renegotiate the key with the server to generate the session record and use the latest session record.
  • Key encryption The situation that the session recording key is always the same is changed, the difficulty of deciphering the session recording key is increased, and the security of data transmission is enhanced.
  • Fig. 1 is a flowchart of a method for secure handshake between a client and a server according to Embodiment 1 of the present application.
  • Fig. 2 is a flowchart of a method for secure handshake between a client and a server according to Embodiment 2 of the present application.
  • FIG. 3 is a schematic diagram of the logical structure of a system for secure handshake between a client and a server according to Embodiment 4 of the present application.
  • CDN Content delivery network, simply means to cache content in different locations, through load balancing and other technologies to direct user requests to the nearest cache server to obtain content, so as to improve the corresponding speed of users' access to the website.
  • CDN edge server The nearest cache server mentioned above. The main purpose is to store the content as close to the user as possible, thereby reducing delay and improving page loading time.
  • Asymmetric key Unlike symmetric encryption algorithm, asymmetric encryption algorithm requires two keys, a public key and a private key. The public key and the private key are a pair. If the public key is used to encrypt data, only the corresponding private key can be used to decrypt it.
  • FIG. 1 is a flowchart of a method for a secure handshake between a client and a server according to Embodiment 1 of the present application.
  • the application scenario is that when the client is connected to a single server, the session record reuse is used in the handshake phase.
  • the HTTPS protocol is used when establishing a connection.
  • the TLS/SSL protocol in the HTTPS protocol uses a session record reuse session cache mechanism during the handshake phase.
  • the client initiates the first request to the server.
  • the server and the client start the first handshake process to negotiate a key.
  • a session record is generated.
  • the server encrypts the session record and sends the session record to the client.
  • the client When the client initiates a request to the server again, it does not need to perform key negotiation again, and only needs to carry the encrypted session record. As long as the server can decrypt the session record, the handshake process is completed. The client and the server start data transmission, and the transmitted data is encrypted and transmitted using the negotiated key in the session record.
  • the method for the secure handshake between the client and the server in this embodiment includes the following steps.
  • S110 The server generates a session record key every first set period of time and saves it in its memory, and the session record key is deleted when the storage time of the session record key in the memory exceeds the preset validity period.
  • the session recording key can be a symmetric key or an asymmetric key.
  • the preset validity period should be greater than the first set cycle time, and the preset validity period is preferably set to be greater than or equal to three times the first set cycle time.
  • the first set cycle time may be 1 hour
  • the preset validity period may be 24 hours.
  • the server saves the session record key generated within 24 hours in its memory in the order of the generated time, and clears the session record key generated 24 hours ago from the memory.
  • the server uses the newly generated session record key to encrypt the session record generated by the initial handshake between the client and the server, and sends the encrypted session record to the client; the session record contains the session record used to encrypt the client and The negotiated key of the server's interactive content.
  • the client and the server perform an initial handshake to generate a session record, and the server uses the newly generated session record key to encrypt the session record, and sends the encrypted session record to the client.
  • the encryption key of the session record generated during the handshake phase is not exactly the same. Only when the client and the server establish an HTTPS connection within the same first set period of time (1 hour), The encryption keys of the session records generated in the handshake phase are the same. Compared with the session records generated at any time in the prior art, the session records are encrypted using a unified key, which increases the security.
  • the client and the server in the initialized state use a randomly generated key for encryption when the session record is generated by the initial handshake. If the server is not in the initial state, the client and the server use the newly generated encryption key for encryption when the session record is generated by the initial handshake.
  • S130 When the client carries the encrypted session record and performs subsequent handshake with the server, the server sequentially calls the session record key in its memory to decrypt the encrypted session record. If the decryption is successful, the client and the server reuse For the negotiated key in the session record, the handshake is completed; if the decryption is unsuccessful, proceed to S120.
  • the encrypted session record is carried, and the server sequentially calls the session record key in its memory to decrypt the encrypted session record.
  • the server sequentially calls the session record decryption key in its memory to decrypt the encrypted session record in the order of the generation time of the session record key from near to far.
  • the server uses the newly generated session record decryption key to give the session record Decrypt, the decryption is successful and the handshake is completed; if the client initiates a request to the server after the same first set period of time (1 hour), the encrypted session record is carried in the handshake process, and the server uses the newly generated session Record the decryption key to decrypt the session record, and the decryption fails.
  • the server then calls the session record decryption keys stored in the memory in sequence according to the generation time of the session record key from near to far, and decrypts the session record until the decryption is successful.
  • the handshake is completed; if the server decryption is unsuccessful, it means that the session record has expired, or the key of this session record has been cleared in the memory (more than 24 hours), then restart S120, as the client and server are established for the first time HTTPS connection, the client and the server handshake for the first time, renegotiate the key to generate the session record, and use the latest session record key stored in the memory for encryption, send the client to save, and complete the handshake.
  • FIG. 2 is a flowchart of a method for secure handshake between a client and a server according to Embodiment 2 of the present application.
  • the client and server secure handshake method the application scenario is that the client connects to multiple servers, the handshake phase adopts session record reuse, and the server can be each CDN in the CDN The CDN edge server of the node. Including the following steps.
  • S210 Set a server as a central server, and the central server generates a session record key every first set period, saves it in its memory, and synchronously saves the session record key to the CDN edge server of each CDN node In the memory of, the session record key is deleted when the storage time in the memory of the central server and the CDN edge server exceeds the preset validity period.
  • the session recording key can be a symmetric key or an asymmetric key.
  • the preset validity period should be greater than the first set cycle time, and the preset validity period is preferably set to be greater than or equal to three times the first set cycle time.
  • the first set cycle time may be 1 hour
  • the preset validity period may be 24 hours.
  • the central server saves the session record keys generated within 24 hours in its memory in accordance with the generated time sequence, and the central server clears the session record keys generated 24 hours ago from its memory.
  • the CDN edge server of each CND node synchronizes and saves the session record key generated by the central server within 24 hours in its memory according to the generated time sequence.
  • the CDN edge server of each CND node encrypts the session record stored 24 hours ago. The key is cleared from its memory.
  • the CDN edge server calls the latest session record key stored in its memory to encrypt the session record generated by the initial handshake between the client and the CDN edge server, and sends the encrypted session record to the client; among them, the session record contains the It is used to encrypt the negotiated key of the interactive content between the client and the server.
  • the client and the CDN edge server first shake hands to generate a session record.
  • the CDN edge server uses the latest session record key stored in its memory to encrypt the session record, and sends the encrypted session record to the client.
  • the encryption key of the session record generated during the handshake phase is not exactly the same, only the client and the CDN edge server are established within the same first set period of time (1 hour) During the HTTPS connection, the session record encryption key generated in the handshake phase is the same. Compared with the prior art, all CDN edge servers use the same key to encrypt the session record at any time, which increases security.
  • the client when the client establishes an HTTPS connection with the CDN edge server for the first time, if the CDN edge server is in the initial state, the client and the CDN edge server in the initial state shake hands to generate the session record for the first time, and then call the newly generated session record encryption key in the memory of the central server Encrypted session recording. After that, the CDN edge server began to synchronize and save the session record key in the memory of the central server.
  • S230 When the client carries the encrypted session record and performs the subsequent handshake with the CDN edge server, the CDN edge server sequentially calls the session record key in its memory to encrypt the encrypted session record key in the order of the preservation time of the session record key. The session record is decrypted. If the decryption is successful, the client and the CDN edge server reuse the negotiated key in the session record, and the handshake is completed; if the decryption is unsuccessful, proceed to S220.
  • the encrypted session record is carried.
  • the CDN edge server sequentially calls the session record key in its memory to encrypt the session in the order of the preservation time of the session record key.
  • the record is decrypted.
  • the encrypted session record is carried in the handshake process, and the CDN edge server uses the latest synchronously saved session record decryption key Decrypt the session record, the decryption is successful and the handshake is completed; if the client initiates a request to the CDN edge server after the same first set period of time (1 hour), the encrypted session record is carried in the handshake process, and the CDN edge The server decrypts the session record using the latest synchronously saved session record decryption key. If the decryption fails, the CDN edge server then calls the session record decryption key stored in its memory in order of the session record key storage time from near to farthest.
  • the key used to decrypt the session record during the handshake phase is not exactly the same, only the client and the CDN edge within the same first set period of time (1 hour)
  • the decryption key of the session record generated when the server establishes the HTTPS connection for the first time is the same.
  • all CDN edge servers use a unified key to decrypt the session record at any time, which increases the security.
  • the session recording key can be a symmetric key.
  • the symmetric key generation method in this application is: a 48-bit random number is regularly generated every 1 hour.
  • the session recording key can also be an asymmetric key.
  • S210 further includes that the method of generating the asymmetric key is: central The server generates a private key for each CDN edge server and a public key corresponding to the private key according to the IP of each CDN edge server every first set period of time. Synchronize the private key and its corresponding public key to the memory of the corresponding CDN edge server. The memory of the central server and the memory of each CDN edge server only save the private key and the corresponding public key generated within the preset validity period. That is, the asymmetric session recording key is deleted when the storage time in the memory of the central server and the CDN edge server exceeds the preset validity period.
  • the public key is used to encrypt session records, and each CDN edge server uses its stored private key randomly generated according to its IP to decrypt the session record encrypted by the public key.
  • the central server saves all private keys and corresponding public keys generated within the preset validity period in the memory according to the generated time sequence, and the central server clears all private keys and their corresponding public keys generated before the preset validity period from the memory.
  • the CDN edge server synchronously saves the private key and the public key corresponding to the private key generated by its IP within the preset validity period, and saves it in the memory according to the generated time sequence.
  • the CDN edge server synchronizes the private key and the private key saved before the preset validity period.
  • the public key is cleared from memory.
  • S220 further includes that the CDN edge server invokes the latest public key stored in its memory to encrypt the session record generated by the initial handshake between the client and the CDN edge server, and sends the encrypted session record to the client.
  • the CDN edge server invokes the latest public key stored in its memory to encrypt the session record, and sends the encrypted session record to the client.
  • S230 further includes that when the client carries the public key-encrypted session record and performs the subsequent handshake with the CDN edge server, the CDN edge server sequentially calls the private key in its memory to perform the session record according to the order of the preservation time of the private key. Decrypt. If the decryption is successful, the client and the CDN edge server reuse the negotiated key in the session record, and the handshake is completed; if the decryption is unsuccessful, proceed to S220.
  • the public key encrypted session record is carried.
  • the CDN edge server sequentially calls the private key in its memory to decrypt the session record according to the order of the preservation time of the private key.
  • each CDN edge server When using an asymmetric key, when each CDN edge server establishes an HTTPS connection with the client again, the private key used to decrypt the session record during the handshake phase is different.
  • Each CDN edge server has its own private key to decrypt the session record, and the private key of the same CDN edge server in different first set period time is also different. Compared with the existing technology, it is more secure.
  • FIG. 3 is a schematic diagram of the logical structure of a system for secure handshake between a client and a server according to Embodiment 4 of the present application.
  • a client and server secure handshake system corresponding to the method in Embodiment 1, includes: a handshake phase setting unit, a session record key generation unit, a session record encryption unit, and a session record decryption unit.
  • the handshake phase setting unit is used to set the handshake phase between the client and the server, and the session record is reused to realize the secure handshake between the client and the server.
  • the session recording key generating unit is used for the server to generate a session recording key every first set period of time and save it in its memory, and the session recording key is deleted when the storage time in the memory exceeds the preset validity period.
  • the session record encryption unit is used for the server to use the newly generated session record key to encrypt the session record generated by the initial handshake between the client and the server, and send the encrypted session record to the client; among them, the session record contains the It is used to encrypt the negotiated key of the interactive content between the client and the server.
  • the session record decryption unit is used for the client to carry the encrypted session record for subsequent handshake with the server.
  • the server sequentially calls the session record key in its memory to decrypt the encrypted session record. If the decryption is successful, the client The client and the server reuse the negotiated key in the session record, and the handshake is completed; if the decryption is unsuccessful, the client and the server re-shakes hands to generate the session record, and the server uses the newly generated session record key to encrypt the session record and encrypt it After the session record is sent to the client.
  • Embodiment 5 A client and server secure handshake system corresponding to the method in Embodiment 2, including: a handshake phase setting unit, a session record key generation unit, a session record encryption unit, and a session record decryption unit.
  • the handshake phase setting unit is used to set the handshake phase between the client and each CDN edge server in the CDN, and session records are reused to realize the secure handshake between the client and the server.
  • the session recording key generation unit is used to set a server as the central server, and the central server generates the session recording key every first set period, saves it in its memory, and synchronously saves the session recording key to every In the memory of the CDN edge server of a CDN node, the session record key is deleted when the storage time in the memory of the central server and the CDN edge server exceeds the preset validity period.
  • the session record encryption unit is used for the CDN edge server to call the newly saved session record key in its memory to encrypt the session record generated by the client and the CDN edge server through the initial handshake, and send the encrypted session record to the client;
  • the session record contains the negotiation key used to encrypt the interactive content between the client and the server.
  • the session record decryption unit is used for the client to carry the encrypted session record for subsequent handshake with the CDN edge server.
  • the CDN edge server calls the session record secret in its memory in the order of the preservation time of the session record key from near to far. The key decrypts the encrypted session record. If the decryption is successful, the client and the CDN edge server reuse the negotiated key in the session record, and the handshake is completed; if the decryption is unsuccessful, the client and the CDN edge server re-handshake to generate a session To record, the CDN edge server calls the newly saved session record key in its memory to encrypt the session record, and sends the encrypted session record to the client.
  • Embodiment 6 An electronic device including a memory and a processor, and a computer program is stored in the memory. When the computer program is executed by the processor, it realizes the secure handshake between the client and the server of Embodiment 1 or Embodiment 2 or Embodiment 3 Method steps.
  • Embodiment 7 A computer-readable storage medium.
  • the computer-readable storage medium may be non-volatile or volatile.
  • the computer-readable storage medium stores a client and server secure handshake program.
  • the client and server secure handshake program is executed by the processor, the client and service of Embodiment 1 or Embodiment 2 or Embodiment 3 are implemented. Steps of the end-to-end secure handshake method.

Abstract

The present application relates to the technical field of information security. Provided is a method for secure handshaking between a client and a service end. Secure handshaking is realized by means of reusing a session record at a handshaking stage of a client and a service end. The method comprises: S110: a service end generating a session record key every first set period of time and storing same in a memory of the service end; S120: the service end using the latest generated session record key to encrypt a session record generated by means of initial handshaking between a client and the service end, and sending the encrypted session record to the client; and S130: when the client carries the encrypted session record to perform subsequent handshaking with the service end, the service end sequentially calling session record keys in the memory of the service end to decrypt the encrypted session record, if the decryption is successful, the client and the service end reusing a negotiation key in the session record, such that handshaking is completed, and if the decryption fails, proceeding to S120. The present application increases the difficulty in the decryption of a session record key and enhances data transmission security.

Description

客户端与服务端安全握手的方法、装置及存储介质Method, device and storage medium for secure handshake between client and server
本申请要求于2020年02月26日提交中国专利局、申请号为202010119427.9,发明名称为“客户端与服务端安全握手的方法、装置及存储介质”的中国专利申请的优先权,其全部内容通过引用结合在本申请中。This application claims the priority of a Chinese patent application filed with the Chinese Patent Office on February 26, 2020, the application number is 202010119427.9, and the invention title is "Method, device and storage medium for secure handshake between client and server", and its entire contents Incorporated in this application by reference.
技术领域Technical field
本申请涉及信息安全技术领域,更为具体地,涉及一种客户端与服务端安全握手的方法、装置及存储介质。This application relates to the field of information security technology, and more specifically, to a method, device and storage medium for secure handshake between a client and a server.
背景技术Background technique
随着大家对网络安全的重视,越来越多的网站全站整改成HTTPS(Secure Hypertext Transfer Protocol,安全超文本传输协议)。它是一个安全通信通道,它基于HTTP开发,用于在客户计算机和服务器之间交换信息。它使用安全套接字层(SSL)进行信息交换,是使用TLS/SSL(Transport Layer Security,全称安全传输层协议)加密的HTTP协议。HTTP协议采用明文传输信息,存在信息窃听、信息篡改和信息劫持的风险,而协议TLS/SSL具有身份验证、信息加密和完整性校验的功能,对传送的数据进行加密,确保数据在传送中不被改变,是介于TCP和HTTP之间的一层安全协议。As everyone pays more attention to network security, more and more websites are rectified to HTTPS (Secure Hypertext Transfer Protocol, secure hypertext transfer protocol). It is a secure communication channel, which is developed based on HTTP and used to exchange information between the client computer and the server. It uses Secure Socket Layer (SSL) for information exchange, and it uses TLS/SSL (Transport Layer Security, the full name of the secure transport layer protocol) encrypted HTTP protocol. The HTTP protocol uses plain text to transmit information, and there are risks of information eavesdropping, information tampering, and information hijacking. The protocol TLS/SSL has the functions of identity verification, information encryption and integrity verification to encrypt the transmitted data to ensure that the data is in transmission Unchanged, it is a layer of security protocol between TCP and HTTP.
HTTPS大致分为两个阶段,即握手阶段和数据传输阶段。握手阶段:TLS/SSL协议的客户端与服务端在握手阶段协商出一组用于保护数据传输的加密算法和完整性验证算法、以及每个算法所使用的密钥。数据传输阶段:一旦TLS/SSL握手完成,数据就被分成一系列经过握手阶段协商的密钥加密保护的记录进行传输。HTTPS is roughly divided into two phases, namely the handshake phase and the data transmission phase. Handshake phase: During the handshake phase, the client and server of the TLS/SSL protocol negotiate a set of encryption algorithms and integrity verification algorithms used to protect data transmission, as well as the keys used by each algorithm. Data transmission phase: Once the TLS/SSL handshake is completed, the data is divided into a series of records protected by key encryption negotiated in the handshake phase for transmission.
然而,客户端和服务端在握手阶段需要多次的往返协商交互,及大量的计算才能获得密钥等安全通信相关的信息,往返时延(Round-Trip Time,RTT)较大;且客户端和服务端内部要进行复杂和繁琐的密钥计算,客户端设备和服务端设备的性能(如电量、存储和计算资源等)消耗严重,这就是造成HTTPS链接慢的主要原因。However, the client and the server need multiple round-trip negotiation interactions during the handshake phase, and a large amount of calculations are required to obtain information related to secure communication such as keys, and the round-trip time (RTT) is relatively large; and the client Complicated and cumbersome key calculations are required inside the server, and the performance (such as power, storage, and computing resources) of the client device and the server device consumes a lot, which is the main reason for the slow HTTPS link.
现有技术中为避免在后续的握手流程中,再次进行多次交互和大量计算,一般采用Session Resumption(会话重用),Session Resumption包括Session Ticket(会话记录)重用和Session ID(会话标识)重用。其中,Session Ticket重用,是服务端生成会话记录以记录在握手流程中与客户端协商成功的密钥等安全通信相关的信息,并将加密后的会话记录发送给客户端,以备在后续的握手请求中客户端携带该加密后的会话记录,服务端采用密钥将会话记录解密,重用之前握手流程中已经协商成功的密钥等与安全通信相关的信息,RTT 减少到一个,快速完成握手流程。In the prior art, in order to avoid multiple interactions and a large number of calculations in the subsequent handshake process, Session is generally used. Resumption (session reuse), Session Resumption includes Session Ticket (session record) reuse and Session ID (session identification) reuse. Among them, Session Ticket reuse is that the server generates a session record to record information related to secure communication such as the key negotiated successfully with the client in the handshake process, and sends the encrypted session record to the client for subsequent follow-up The client carries the encrypted session record in the handshake request, and the server uses the key to decrypt the session record, reuses information related to secure communication such as the successfully negotiated key in the previous handshake process, reduces the RTT to one, and completes the handshake quickly Process.
发明人意识到,这样虽然为握手节省了时间,为客户端和服务端减小了消耗,但是,会话记录的加密密钥只有服务端保存且永不改变,也为数据传输的安全性带来隐患。特别是CDN边缘服务器都用同一个密钥加密会话记录,一旦被破解所有的HTTPS都失效。The inventor realized that although this saves time for the handshake and reduces the consumption for the client and server, the encryption key of the session record is only saved by the server and never changes, which also brings the security of data transmission. Hidden dangers. In particular, the CDN edge servers all use the same key to encrypt the session records. Once cracked, all HTTPS will be invalid.
技术问题technical problem
鉴于上述问题,本申请的目的是提供一种客户端与服务端安全握手的方法、装置及存储介质。本方法改变了会话记录密钥始终不变的情况,增加了会话记录密钥的破译难度,增强了数据传输的安全性。In view of the above-mentioned problems, the purpose of this application is to provide a method, device and storage medium for the secure handshake between the client and the server. The method changes the situation that the session recording key is always unchanged, increases the difficulty of deciphering the session recording key, and enhances the security of data transmission.
技术解决方案Technical solutions
根据本申请的一个方面,提供了一种客户端与服务端安全握手的方法,通过在客户端与服务端握手阶段采用会话记录重用来实现客户端与服务端的安全握手,包括以下步骤。According to one aspect of the present application, a method for secure handshake between a client and a server is provided. The secure handshake between the client and the server is realized by using session record reuse in the handshake phase of the client and the server, including the following steps.
S110:服务端每隔第一设定周期时间生成会话记录密钥,保存到其内存中,并且所述会话记录密钥在所述内存的保存时间超过预设有效期时即被删除。S110: The server generates a session recording key every first set period of time and saves it in its memory, and the session recording key is deleted when the storage time of the memory exceeds a preset validity period.
S120:所述服务端采用最新生成的所述会话记录密钥加密所述客户端和所述服务端初次握手生成的会话记录,并将加密后的所述会话记录发送给所述客户端;其中,在所述会话记录中包含用于加密所述客户端与服务端交互内容的协商密钥。S120: The server uses the newly generated session record key to encrypt the session record generated by the initial handshake between the client and the server, and sends the encrypted session record to the client; where , The session record includes a negotiation key used to encrypt the interactive content between the client and the server.
S130:所述客户端携带加密后的所述会话记录与所述服务端进行后续握手时,所述服务端依次调用其内存中的会话记录密钥对加密后的所述会话记录进行解密,若解密成功,则所述客户端与所述服务端重用所述会话记录中的协商密钥,握手完成;若解密不成功,则进行S120。S130: When the client carries the encrypted session record and performs a subsequent handshake with the server, the server sequentially calls the session record key in its memory to decrypt the encrypted session record, if If the decryption is successful, the client and the server reuse the negotiated key in the session record, and the handshake is completed; if the decryption is unsuccessful, proceed to S120.
根据本申请的另一方面,提供了一种客户端与服务端安全握手的方法,通过在客户端与服务端握手阶段采用会话记录重用来实现客户端与服务端的安全握手,并且所述服务端为CDN中的CDN边缘服务器,包括以下步骤。According to another aspect of the present application, there is provided a secure handshake method between a client and a server. The secure handshake between the client and the server is realized by using session record reuse during the handshake phase of the client and the server, and the server It is the CDN edge server in CDN, including the following steps.
S210:设定一台服务器为中心服务器,所述中心服务器每隔第一设定周期时间生成会话记录密钥,保存到其内存中,并将所述会话记录密钥同步保存到每一个CDN节点的所述CDN边缘服务器的内存中,所述会话记录密钥在所述中心服务器和所述CDN边缘服务器的内存中保存时间超过预设有效期时即被删除。S210: Set a server as a central server, and the central server generates a session record key every first set period, saves it in its memory, and synchronously saves the session record key to each CDN node In the memory of the CDN edge server, the session recording key is deleted when the storage time in the memory of the central server and the CDN edge server exceeds a preset validity period.
S220:所述CDN边缘服务器调用其内存中最新保存的所述会话记录密钥加密所述客户端和所述CDN边缘服务器初次握手生成的会话记录,并将加密后的所述会话记录发送给所述客户端;其中,在所述会话记录中包含用于加密所述客户端与服务端交互内容的协商密钥。S220: The CDN edge server invokes the session record key newly stored in its memory to encrypt the session record generated by the initial handshake between the client and the CDN edge server, and sends the encrypted session record to all The client; wherein the session record contains a negotiation key used to encrypt the interactive content between the client and the server.
S230:所述客户端携带加密后的所述会话记录与所述CDN边缘服务器进行后续握手时,所述CDN边缘服务器按照所述会话记录密钥保存时间由近到远的顺序,依次调用其内存中的会话记录密钥对加密后的所述会话记录进行解密,若解密成功,则所述客户端与所述CDN边缘服务器重用所述会话记录中的协商密钥,握手完成;若解密不成功,则进行S220。S230: When the client carries the encrypted session record and performs a subsequent handshake with the CDN edge server, the CDN edge server sequentially calls its memory in the order of the storage time of the session record key from near to far. The session record key in the session record decrypts the encrypted session record. If the decryption is successful, the client and the CDN edge server reuse the negotiated key in the session record, and the handshake is completed; if the decryption is unsuccessful , Then proceed to S220.
根据本申请的另一方面,提供了一种电子装置,包括:存储器和处理器,所述存储器中存储有计算机程序,所述计算机程序被处理器执行时实现下述的客户端与服务端安全握手的方法的步骤。According to another aspect of the present application, there is provided an electronic device, including: a memory and a processor, the memory is stored with a computer program, and the computer program is executed by the processor to realize the following client and server security Steps of the handshake method.
S110:服务端每隔第一设定周期时间生成会话记录密钥,保存到其内存中,并且所述会话记录密钥在所述内存的保存时间超过预设有效期时即被删除。S110: The server generates a session recording key every first set period of time and saves it in its memory, and the session recording key is deleted when the storage time of the memory exceeds a preset validity period.
S120:所述服务端采用最新生成的所述会话记录密钥加密客户端和所述服务端初次握手生成的会话记录,并将加密后的所述会话记录发送给所述客户端;其中,在所述会话记录中包含用于加密所述客户端与所述服务端交互内容的协商密钥。S120: The server uses the newly generated session record key to encrypt the session record generated by the initial handshake between the client and the server, and sends the encrypted session record to the client; where The session record includes a negotiation key used to encrypt the interactive content between the client and the server.
S130:所述客户端携带加密后的所述会话记录与所述服务端进行后续握手时,所述服务端依次调用其内存中的会话记录密钥对加密后的所述会话记录进行解密,若解密成功,则所述客户端与所述服务端重用所述会话记录中的协商密钥,握手完成;若解密不成功,则进行S120。S130: When the client carries the encrypted session record and performs a subsequent handshake with the server, the server sequentially calls the session record key in its memory to decrypt the encrypted session record, if If the decryption is successful, the client and the server reuse the negotiated key in the session record, and the handshake is completed; if the decryption is unsuccessful, proceed to S120.
根据本申请的另一方面,提供了一种电子装置,包括:存储器和处理器,所述存储器中存储有计算机程序,所述计算机程序被处理器执行时实现下述的客户端与服务端安全握手的方法的步骤。According to another aspect of the present application, there is provided an electronic device, including: a memory and a processor, the memory is stored with a computer program, and the computer program is executed by the processor to realize the following client and server security Steps of the handshake method.
S210:设定一台服务器为中心服务器,所述中心服务器每隔第一设定周期时间生成会话记录密钥,保存到其内存中,并将所述会话记录密钥同步保存到每一个CDN节点的所述CDN边缘服务器的内存中,所述会话记录密钥在所述中心服务器和所述CDN边缘服务器的内存中保存时间超过预设有效期时即被删除。S210: Set a server as a central server, and the central server generates a session record key every first set period, saves it in its memory, and synchronously saves the session record key to each CDN node In the memory of the CDN edge server, the session recording key is deleted when the storage time in the memory of the central server and the CDN edge server exceeds a preset validity period.
S220:所述CDN边缘服务器调用其内存中最新保存的所述会话记录密钥加密所述客户端和所述CDN边缘服务器初次握手生成的会话记录,并将加密后的所述会话记录发送给所述客户端;其中,在所述会话记录中包含用于加密所述客户端与服务端交互内容的协商密钥。S220: The CDN edge server invokes the session record key newly stored in its memory to encrypt the session record generated by the initial handshake between the client and the CDN edge server, and sends the encrypted session record to all The client; wherein the session record contains a negotiation key used to encrypt the interactive content between the client and the server.
S230:所述客户端携带加密后的所述会话记录与所述CDN边缘服务器进行后续握手时,所述CDN边缘服务器按照所述会话记录密钥保存时间由近到远的顺序,依次调用其内存中的会话记录密钥对加密后的所述会话记录进行解密,若解密成功,则所述客户端与所述CDN边缘服务器重用所述会话记录中的协商密钥,握手完成;若解密不成功,则进行S220。S230: When the client carries the encrypted session record and performs a subsequent handshake with the CDN edge server, the CDN edge server sequentially calls its memory in the order of the storage time of the session record key from near to far. The session record key in the session record decrypts the encrypted session record. If the decryption is successful, the client and the CDN edge server reuse the negotiated key in the session record, and the handshake is completed; if the decryption is unsuccessful , Then proceed to S220.
根据本申请的另一方面,提供了一种计算机可读存储介质,所述计算机可读存储介质中存储有客户端与服务端安全握手程序,所述客户端与服务端安全握手程序被处理器执行时,实现下述的客户端与服务端安全握手的方法的步骤。According to another aspect of the present application, a computer-readable storage medium is provided. The computer-readable storage medium stores a client and server secure handshake program, and the client and server secure handshake program is processed by a processor. When executed, the steps of the following method of secure handshake between the client and the server are implemented.
S110:服务端每隔第一设定周期时间生成会话记录密钥,保存到其内存中,并且所述会话记录密钥在所述内存的保存时间超过预设有效期时即被删除。S110: The server generates a session recording key every first set period of time and saves it in its memory, and the session recording key is deleted when the storage time of the memory exceeds a preset validity period.
S120:所述服务端采用最新生成的所述会话记录密钥加密客户端和所述服务端初次握手生成的会话记录,并将加密后的所述会话记录发送给所述客户端;其中,在所述会话记录中包含用于加密所述客户端与所述服务端交互内容的协商密钥。S120: The server uses the newly generated session record key to encrypt the session record generated by the initial handshake between the client and the server, and sends the encrypted session record to the client; where The session record includes a negotiation key used to encrypt the interactive content between the client and the server.
S130:所述客户端携带加密后的所述会话记录与所述服务端进行后续握手时,所述服务端依次调用其内存中的会话记录密钥对加密后的所述会话记录进行解密,若解密成功,则所述客户端与所述服务端重用所述会话记录中的协商密钥,握手完成;若解密不成功,则进行S120。S130: When the client carries the encrypted session record and performs a subsequent handshake with the server, the server sequentially calls the session record key in its memory to decrypt the encrypted session record, if If the decryption is successful, the client and the server reuse the negotiated key in the session record, and the handshake is completed; if the decryption is unsuccessful, proceed to S120.
根据本申请的另一方面,提供了一种计算机可读存储介质,所述计算机可读存储介质中存储有客户端与服务端安全握手程序,所述客户端与服务端安全握手程序被处理器执行时,实现下述的客户端与服务端安全握手的方法的步骤。According to another aspect of the present application, a computer-readable storage medium is provided. The computer-readable storage medium stores a client and server secure handshake program, and the client and server secure handshake program is processed by a processor. When executed, the steps of the following method of secure handshake between the client and the server are implemented.
S210:设定一台服务器为中心服务器,所述中心服务器每隔第一设定周期时间生成会话记录密钥,保存到其内存中,并将所述会话记录密钥同步保存到每一个CDN节点的所述CDN边缘服务器的内存中,所述会话记录密钥在所述中心服务器和所述CDN边缘服务器的内存中保存时间超过预设有效期时即被删除。S210: Set a server as a central server, and the central server generates a session record key every first set period, saves it in its memory, and synchronously saves the session record key to each CDN node In the memory of the CDN edge server, the session recording key is deleted when the storage time in the memory of the central server and the CDN edge server exceeds a preset validity period.
S220:所述CDN边缘服务器调用其内存中最新保存的所述会话记录密钥加密所述客户端和所述CDN边缘服务器初次握手生成的会话记录,并将加密后的所述会话记录发送给所述客户端;其中,在所述会话记录中包含用于加密所述客户端与服务端交互内容的协商密钥。S220: The CDN edge server invokes the session record key newly stored in its memory to encrypt the session record generated by the initial handshake between the client and the CDN edge server, and sends the encrypted session record to all The client; wherein the session record contains a negotiation key used to encrypt the interactive content between the client and the server.
S230:所述客户端携带加密后的所述会话记录与所述CDN边缘服务器进行后续握手时,所述CDN边缘服务器按照所述会话记录密钥保存时间由近到远的顺序,依次调用其内存中的会话记录密钥对加密后的所述会话记录进行解密,若解密成功,则所述客户端与所述CDN边缘服务器重用所述会话记录中的协商密钥,握手完成;若解密不成功,则进行S220。S230: When the client carries the encrypted session record and performs a subsequent handshake with the CDN edge server, the CDN edge server sequentially calls its memory in the order of the storage time of the session record key from near to far. The session record key in the session record decrypts the encrypted session record. If the decryption is successful, the client and the CDN edge server reuse the negotiated key in the session record, and the handshake is completed; if the decryption is unsuccessful , Then proceed to S220.
有益效果Beneficial effect
利用上述根据本申请的客户端与服务端安全握手的方法,将会话记录密钥进行定期的重设,重设后的密钥可同步到所有CDN节点。保证每个周期生成的会话记录密钥是不同的。最新的周期内HTTPS连接握手阶段的会话记录用最新的密钥加密和解密,以前周期HTTPS连接生成的会话记录用以前周期生成的解密密钥逐个尝试去解密。只保存有效期内的会话记录密钥,客户端有效期之后携带加密会话记录再次向服务端发送请求,将无法解密此会话记录,客户端要与服务端重新协商密钥生成会话记录使用最新的会话记录密钥加密。改变了会话记录密钥始终不变的情况,增加了会话记录密钥的破译难度,增强了数据传输的安全性。Using the above-mentioned method of secure handshake between the client and the server according to the present application, the session recording key is periodically reset, and the reset key can be synchronized to all CDN nodes. Ensure that the session recording key generated in each cycle is different. The session records of the HTTPS connection handshake phase in the latest cycle are encrypted and decrypted with the latest key, and the session records generated by the HTTPS connection in the previous cycle are decrypted one by one with the decryption key generated in the previous cycle. Only the session record key within the validity period is saved. After the validity period, the client carries the encrypted session record and sends a request to the server again, and the session record cannot be decrypted. The client must renegotiate the key with the server to generate the session record and use the latest session record. Key encryption. The situation that the session recording key is always the same is changed, the difficulty of deciphering the session recording key is increased, and the security of data transmission is enhanced.
附图说明Description of the drawings
图1为根据本申请实施例1的客户端与服务端安全握手的方法的流程图。Fig. 1 is a flowchart of a method for secure handshake between a client and a server according to Embodiment 1 of the present application.
图2为根据本申请实施例2的客户端与服务端安全握手的方法的流程图。Fig. 2 is a flowchart of a method for secure handshake between a client and a server according to Embodiment 2 of the present application.
图3为根据本申请实施例4的客户端与服务端安全握手的系统的逻辑结构示意图。3 is a schematic diagram of the logical structure of a system for secure handshake between a client and a server according to Embodiment 4 of the present application.
本发明的实施方式Embodiments of the present invention
在下面的描述中,出于说明的目的,为了提供对一个或多个实施例的全面理解,阐述了许多具体细节。然而,很明显,也可以在没有这些具体细节的情况下实现这些实施例。在其它例子中,为了便于描述一个或多个实施例,公知的结构和设备以方框图的形式示出。为便于理解,以下将对本申请中出现的概念进行名词解释。In the following description, for illustrative purposes, in order to provide a comprehensive understanding of one or more embodiments, many specific details are set forth. However, it is obvious that these embodiments can also be implemented without these specific details. In other examples, for the convenience of describing one or more embodiments, well-known structures and devices are shown in the form of block diagrams. For ease of understanding, the following will explain the terms appearing in this application.
CDN:内容分发网络,简单说就是通过在不同地点缓存内容,通过负载平衡等技术将用户请求定向到最近的缓存服务器上获取内容,提高用户访问网站的相应速度。CDN: Content delivery network, simply means to cache content in different locations, through load balancing and other technologies to direct user requests to the nearest cache server to obtain content, so as to improve the corresponding speed of users' access to the website.
CDN边缘服务器:即上述最近的缓存服务器,主要目的是将内容尽可能地存储到距离用户比较近的节点,从而减少延迟并改善页面加载时间。CDN edge server: The nearest cache server mentioned above. The main purpose is to store the content as close to the user as possible, thereby reducing delay and improving page loading time.
非对称密钥:与对称加密算法不同,非对称加密算法需要两个密钥,公开密钥和私有密钥。公开密钥与私有密钥是一对,如果用公开密钥对数据进行加密,只有用对应的私有密钥才能解密。Asymmetric key: Unlike symmetric encryption algorithm, asymmetric encryption algorithm requires two keys, a public key and a private key. The public key and the private key are a pair. If the public key is used to encrypt data, only the corresponding private key can be used to decrypt it.
以下将结合附图对本申请的具体实施例进行详细描述。The specific embodiments of the present application will be described in detail below with reference to the accompanying drawings.
实施例1:图1为根据本申请实施例1的客户端与服务端安全握手的方法的流程图。Embodiment 1: FIG. 1 is a flowchart of a method for a secure handshake between a client and a server according to Embodiment 1 of the present application.
如图1所示,在本实施例中客户端与服务端安全握手的方法,应用场景为客户端与单个服务端连接时,握手阶段采用会话记录重用的情况。为了客户端与服务端之间数据的安全传输,建立连接时采用HTTPS协议,HTTPS协议中的TLS/SSL协议在握手阶段采用会话记录重用会话缓存机制。客户端向服务端发起第一次请求,服务端与客户端开始第一次握手流程,进行密钥的协商,协商成功后,生成会话记录,服务端加密会话记录后向客户端发送会话记录。客户端再次向服务端发起请求时,不用再次进行密钥协商,只需携带加密后的会话记录,服务端只要能将会话记录解密,握手流程完成。客户端与服务端开始数据传输,所传输的数据采用会话记录中的协商密钥进行加密传输。As shown in FIG. 1, in the method of the client and the server secure handshake in this embodiment, the application scenario is that when the client is connected to a single server, the session record reuse is used in the handshake phase. For the secure transmission of data between the client and the server, the HTTPS protocol is used when establishing a connection. The TLS/SSL protocol in the HTTPS protocol uses a session record reuse session cache mechanism during the handshake phase. The client initiates the first request to the server. The server and the client start the first handshake process to negotiate a key. After the negotiation is successful, a session record is generated. The server encrypts the session record and sends the session record to the client. When the client initiates a request to the server again, it does not need to perform key negotiation again, and only needs to carry the encrypted session record. As long as the server can decrypt the session record, the handshake process is completed. The client and the server start data transmission, and the transmitted data is encrypted and transmitted using the negotiated key in the session record.
本实施例中客户端与服务端安全握手的方法,包括以下步骤。The method for the secure handshake between the client and the server in this embodiment includes the following steps.
S110:服务端每隔第一设定周期时间生成会话记录密钥,保存到其内存中,并且会话记录密钥在内存的保存时间超过预设有效期时即被删除。S110: The server generates a session record key every first set period of time and saves it in its memory, and the session record key is deleted when the storage time of the session record key in the memory exceeds the preset validity period.
会话记录密钥可为对称密钥或非对称密钥。预设有效期应大于第一设定周期时间,预设有效期最好设置为大于或等于三倍的第一设定周期时间。The session recording key can be a symmetric key or an asymmetric key. The preset validity period should be greater than the first set cycle time, and the preset validity period is preferably set to be greater than or equal to three times the first set cycle time.
本实施例中第一设定周期时间可为1小时,预设有效期可为24小时。服务端将24小时内生成的会话记录密钥,按生成的时间顺序保存在其内存中,将24小时之前生成的会话记录密钥从内存中清除。In this embodiment, the first set cycle time may be 1 hour, and the preset validity period may be 24 hours. The server saves the session record key generated within 24 hours in its memory in the order of the generated time, and clears the session record key generated 24 hours ago from the memory.
S120:服务端采用最新生成的会话记录密钥加密客户端和服务端初次握手生成的会话记录,并将加密后的会话记录发送给客户端;其中,在会话记录中包含用于加密客户端与服务端交互内容的协商密钥。S120: The server uses the newly generated session record key to encrypt the session record generated by the initial handshake between the client and the server, and sends the encrypted session record to the client; the session record contains the session record used to encrypt the client and The negotiated key of the server's interactive content.
客户端和服务端初次握手生成会话记录,服务端采用最新生成的会话记录密钥加密会话记录,并将加密后的所述会话记录发送给所述客户端。The client and the server perform an initial handshake to generate a session record, and the server uses the newly generated session record key to encrypt the session record, and sends the encrypted session record to the client.
客户端每次和服务器建立HTTPS连接时,在握手阶段生成的会话记录的加密密钥是不完全相同的,只有同一第一设定周期时间(1小时)内客户端和服务器建立HTTPS连接时,在握手阶段生成的会话记录的加密密钥是相同的,相比现有技术中无论何时生成的会话记录使用统一的密钥加密,增加了安全性。Each time the client establishes an HTTPS connection with the server, the encryption key of the session record generated during the handshake phase is not exactly the same. Only when the client and the server establish an HTTPS connection within the same first set period of time (1 hour), The encryption keys of the session records generated in the handshake phase are the same. Compared with the session records generated at any time in the prior art, the session records are encrypted using a unified key, which increases the security.
当客户端首次和服务端建立HTTPS连接时,若服务端为初始化状态,客户端和初始化状态的服务端初次握手生成会话记录时使用随机生成的密钥加密。若服务端不是初始化状态,客户端和服务端初次握手生成会话记录时使用最新生成的的加密密钥加密。When the client establishes an HTTPS connection with the server for the first time, if the server is in the initialized state, the client and the server in the initialized state use a randomly generated key for encryption when the session record is generated by the initial handshake. If the server is not in the initial state, the client and the server use the newly generated encryption key for encryption when the session record is generated by the initial handshake.
S130:客户端携带加密后的会话记录与服务端进行后续握手时,服务端依次调用其内存中的会话记录密钥对加密后的会话记录进行解密,若解密成功,则客户端与服务端重用会话记录中的协商密钥,握手完成;若解密不成功,则进行S120。S130: When the client carries the encrypted session record and performs subsequent handshake with the server, the server sequentially calls the session record key in its memory to decrypt the encrypted session record. If the decryption is successful, the client and the server reuse For the negotiated key in the session record, the handshake is completed; if the decryption is unsuccessful, proceed to S120.
客户端与服务端后续握手时,携带加密后的会话记录,服务端依次调用其内存中的会话记录密钥对加密后的会话记录进行解密。During the subsequent handshake between the client and the server, the encrypted session record is carried, and the server sequentially calls the session record key in its memory to decrypt the encrypted session record.
解密会话记录时,服务端按照会话记录密钥生成时间由近到远的顺序,依次调用其内存中的会话记录解密密钥对加密后的会话记录进行解密。When decrypting the session record, the server sequentially calls the session record decryption key in its memory to decrypt the encrypted session record in the order of the generation time of the session record key from near to far.
如客户端在同一个第一设定周期时间(1小时)内再次向服务端发起请求时,在握手过程中携带加密后的会话记录,服务端使用最新生成的会话记录解密密钥给会话记录解密,解密成功握手完成;如客户端在同一个第一设定周期时间(1小时)之后又向服务端发起请求时,在握手过程中携带加密后的会话记录,服务端使用最新生成的会话记录解密密钥给会话记录解密,解密失败,服务端再按照会话记录密钥生成时间由近到远的顺序,依次调用内存中存储的会话记录解密密钥,对会话记录进行解密,直到解密成功,握手完成;如服务端解密不成功则说明会话记录已经失效,或者此会话记录的密钥已经在内存中被清除(超过24小时),则重新进行S120,当作客户端和服务端首次建立HTTPS连接,客户端和服务端初次握手,重新协商密钥生成会话记录,并采用内存中存储的最新会话记录密钥进行加密,发送客户端保存,完成握手。For example, when the client initiates a request to the server again within the same first set period of time (1 hour), the encrypted session record is carried in the handshake process, and the server uses the newly generated session record decryption key to give the session record Decrypt, the decryption is successful and the handshake is completed; if the client initiates a request to the server after the same first set period of time (1 hour), the encrypted session record is carried in the handshake process, and the server uses the newly generated session Record the decryption key to decrypt the session record, and the decryption fails. The server then calls the session record decryption keys stored in the memory in sequence according to the generation time of the session record key from near to far, and decrypts the session record until the decryption is successful. , The handshake is completed; if the server decryption is unsuccessful, it means that the session record has expired, or the key of this session record has been cleared in the memory (more than 24 hours), then restart S120, as the client and server are established for the first time HTTPS connection, the client and the server handshake for the first time, renegotiate the key to generate the session record, and use the latest session record key stored in the memory for encryption, send the client to save, and complete the handshake.
实施例2:图2为根据本申请实施例2的客户端与服务端安全握手的方法的流程图。Embodiment 2: FIG. 2 is a flowchart of a method for secure handshake between a client and a server according to Embodiment 2 of the present application.
如图2所示,在本实施例中客户端与服务端安全握手的方法,应用场景为客户端与多个服务器连接,握手阶段采用会话记录重用,并且服务端可为CDN中的每个CDN节点的CDN边缘服务器。包括以下步骤。As shown in Figure 2, in this embodiment, the client and server secure handshake method, the application scenario is that the client connects to multiple servers, the handshake phase adopts session record reuse, and the server can be each CDN in the CDN The CDN edge server of the node. Including the following steps.
S210:设定一台服务器为中心服务器,中心服务器每隔第一设定周期时间生成会话记录密钥,保存到其内存中,并将会话记录密钥同步保存到每一个CDN节点的CDN边缘服务器的内存中,会话记录密钥在中心服务器和CDN边缘服务器的内存中保存时间超过预设有效期时即被删除。S210: Set a server as a central server, and the central server generates a session record key every first set period, saves it in its memory, and synchronously saves the session record key to the CDN edge server of each CDN node In the memory of, the session record key is deleted when the storage time in the memory of the central server and the CDN edge server exceeds the preset validity period.
会话记录密钥可为对称密钥或非对称密钥。预设有效期应大于第一设定周期时间,预设有效期最好设置为大于或等于三倍的第一设定周期时间。The session recording key can be a symmetric key or an asymmetric key. The preset validity period should be greater than the first set cycle time, and the preset validity period is preferably set to be greater than or equal to three times the first set cycle time.
本实施例中第一设定周期时间可为1小时,预设有效期可为24小时。中心服务器将24小时内生成的会话记录密钥,按照生成的时间顺序保存在其内存中,中心服务器将24小时之前生成的会话记录密钥从其内存中清除。每一个CND节点的CDN边缘服务器将中心服务器24小时内生成的会话记录密钥,按照生成的时间顺序同步保存在其内存中,每一个CND节点的CDN边缘服务器将24小时之前保存的会话记录密钥从其内存中清除。In this embodiment, the first set cycle time may be 1 hour, and the preset validity period may be 24 hours. The central server saves the session record keys generated within 24 hours in its memory in accordance with the generated time sequence, and the central server clears the session record keys generated 24 hours ago from its memory. The CDN edge server of each CND node synchronizes and saves the session record key generated by the central server within 24 hours in its memory according to the generated time sequence. The CDN edge server of each CND node encrypts the session record stored 24 hours ago. The key is cleared from its memory.
S220:CDN边缘服务器调用其内存中最新保存的会话记录密钥加密客户端和CDN边缘服务器初次握手生成的会话记录,并将加密后的会话记录发送给客户端;其中,在会话记录中包含用于加密客户端与服务端交互内容的协商密钥。S220: The CDN edge server calls the latest session record key stored in its memory to encrypt the session record generated by the initial handshake between the client and the CDN edge server, and sends the encrypted session record to the client; among them, the session record contains the It is used to encrypt the negotiated key of the interactive content between the client and the server.
客户端与CDN边缘服务器初次握手生成会话记录,CDN边缘服务器调用其内存中最新保存的会话记录密钥加密会话记录,并将加密后的会话记录发送给客户端。The client and the CDN edge server first shake hands to generate a session record. The CDN edge server uses the latest session record key stored in its memory to encrypt the session record, and sends the encrypted session record to the client.
客户端每次和CDN边缘服务器建立HTTPS连接时,在握手阶段生成的会话记录的加密密钥是不完全相同的,只有同一第一设定周期时间(1小时)内客户端和CDN边缘服务器建立HTTPS连接时,在握手阶段生成的会话记录加密密钥是相同的,相比现有技术中无论何时所有CDN边缘服务器都使用同一的密钥加密会话记录,增加了安全性。Every time the client establishes an HTTPS connection with the CDN edge server, the encryption key of the session record generated during the handshake phase is not exactly the same, only the client and the CDN edge server are established within the same first set period of time (1 hour) During the HTTPS connection, the session record encryption key generated in the handshake phase is the same. Compared with the prior art, all CDN edge servers use the same key to encrypt the session record at any time, which increases security.
进一步,客户端首次和CDN边缘服务器建立HTTPS连接时,若CDN边缘服务器为初始化状态,客户端和初始化状态的CDN边缘服务器初次握手生成会话记录就调用中心服务器内存中最新生成的会话记录加密密钥加密会话记录。此后,CDN边缘服务器就开始同步保存中心服务器内存中的会话记录密钥。Furthermore, when the client establishes an HTTPS connection with the CDN edge server for the first time, if the CDN edge server is in the initial state, the client and the CDN edge server in the initial state shake hands to generate the session record for the first time, and then call the newly generated session record encryption key in the memory of the central server Encrypted session recording. After that, the CDN edge server began to synchronize and save the session record key in the memory of the central server.
S230:客户端携带加密后的会话记录与CDN边缘服务器进行后续握手时,CDN边缘服务器按照会话记录密钥保存时间由近到远的顺序,依次调用其内存中的会话记录密钥对加密后的会话记录进行解密,若解密成功,则客户端与CDN边缘服务器重用会话记录中的协商密钥,握手完成;若解密不成功,则进行S220。S230: When the client carries the encrypted session record and performs the subsequent handshake with the CDN edge server, the CDN edge server sequentially calls the session record key in its memory to encrypt the encrypted session record key in the order of the preservation time of the session record key. The session record is decrypted. If the decryption is successful, the client and the CDN edge server reuse the negotiated key in the session record, and the handshake is completed; if the decryption is unsuccessful, proceed to S220.
客户端与CDN边缘服务器后续的握手中,携带加密后的会话记录,CDN边缘服务器按照会话记录密钥保存时间由近到远的顺序,依次调用其内存中的会话记录密钥对加密后的会话记录进行解密。In the subsequent handshake between the client and the CDN edge server, the encrypted session record is carried. The CDN edge server sequentially calls the session record key in its memory to encrypt the session in the order of the preservation time of the session record key. The record is decrypted.
如客户端在同一个第一设定周期时间(1小时)内再次向CDN边缘服务器发起请求时,在握手过程中携带加密后的会话记录,CDN边缘服务器使用最新同步保存的会话记录解密密钥给会话记录解密,解密成功握手完成;如客户端在同一个第一设定周期时间(1小时)之后又向该CDN边缘服务器发起请求时,在握手过程中携带加密后的会话记录,CDN边缘服务器使用最新同步保存的会话记录解密密钥给会话记录解密,解密失败,CDN边缘服务器再按照会话记录密钥保存时间由近到远的顺序,依次调用其内存中存储的会话记录解密密钥,对会话记录进行解密,直到解密成功,握手完成。若解密不成功,说明会话记录已经失效,或者此会话记录的密钥已经在CDN边缘服务器内存中被清除(超过24小时),则重新进行S220,客户端与CDN边缘服务器重新建立HTTPS连接,当作客户端与CDN边缘服务器初次握手,重新协商密钥生成会话记录,采用CDN边缘服务器内存中最新保存的会话记录加密密钥加密会话记录。For example, when the client initiates a request to the CDN edge server again within the same first set period of time (1 hour), the encrypted session record is carried in the handshake process, and the CDN edge server uses the latest synchronously saved session record decryption key Decrypt the session record, the decryption is successful and the handshake is completed; if the client initiates a request to the CDN edge server after the same first set period of time (1 hour), the encrypted session record is carried in the handshake process, and the CDN edge The server decrypts the session record using the latest synchronously saved session record decryption key. If the decryption fails, the CDN edge server then calls the session record decryption key stored in its memory in order of the session record key storage time from near to farthest. Decrypt the session record until the decryption is successful and the handshake is completed. If the decryption is unsuccessful, it means that the session record has expired, or the key of the session record has been cleared in the CDN edge server memory (more than 24 hours), then perform S220 again, and the client and the CDN edge server re-establish the HTTPS connection. As the first handshake between the client and the CDN edge server, the key is renegotiated to generate a session record, and the session record is encrypted using the latest session record encryption key stored in the CDN edge server's memory.
本实施例中,客户端再次和CDN边缘服务器建立HTTPS连接时,在握手阶段解密会话记录的密钥是不完全相同的,只有同一第一设定周期时间(1小时)内客户端和CDN边缘服务器初次建立HTTPS连接的生成的会话记录,解密密钥是相同的,相比现有技术中无论何时所有CDN边缘服务器都使用统一的密钥解密会话记录,增加了安全性。In this embodiment, when the client establishes an HTTPS connection with the CDN edge server again, the key used to decrypt the session record during the handshake phase is not exactly the same, only the client and the CDN edge within the same first set period of time (1 hour) The decryption key of the session record generated when the server establishes the HTTPS connection for the first time is the same. Compared with the prior art, all CDN edge servers use a unified key to decrypt the session record at any time, which increases the security.
会话记录密钥可为对称密钥。本申请中的对称密钥生成方式为:每隔1小时定时生成一个48位随机数。The session recording key can be a symmetric key. The symmetric key generation method in this application is: a 48-bit random number is regularly generated every 1 hour.
实施例3:在实施例2的基础上,会话记录密钥也可为非对称密钥,当会话记录密钥为非对称密钥时,S210进一步包括,生成非对称密钥的方式为:中心服务器每隔第一设定周期时间,根据每个CDN边缘服务器的IP,为每个CDN边缘服务器生成私钥,及私钥对应的公钥。将私钥和其对应的公钥同步保存到相应的CDN边缘服务器的内存中,中心服务器的内存和每一个CDN边缘服务器的内存中只保存预设有效期内生成的私钥和对应的公钥,即非对称会话记录密钥在中心服务器和CDN边缘服务器的内存中保存时间超过预设有效期时即被删除。Embodiment 3: On the basis of Embodiment 2, the session recording key can also be an asymmetric key. When the session recording key is an asymmetric key, S210 further includes that the method of generating the asymmetric key is: central The server generates a private key for each CDN edge server and a public key corresponding to the private key according to the IP of each CDN edge server every first set period of time. Synchronize the private key and its corresponding public key to the memory of the corresponding CDN edge server. The memory of the central server and the memory of each CDN edge server only save the private key and the corresponding public key generated within the preset validity period. That is, the asymmetric session recording key is deleted when the storage time in the memory of the central server and the CDN edge server exceeds the preset validity period.
公钥用于加密会话记录,每一个CDN边缘服务器使用其保存的根据其IP随机生成的私钥解密公钥加密后的会话记录。The public key is used to encrypt session records, and each CDN edge server uses its stored private key randomly generated according to its IP to decrypt the session record encrypted by the public key.
中心服务器将预设有效期内生成的所有私钥和对应的公钥按照生成的时间顺序保存在内存中,中心服务器将预设有效期之前生成的所有私钥和其对应的公钥从内存中清除。The central server saves all private keys and corresponding public keys generated within the preset validity period in the memory according to the generated time sequence, and the central server clears all private keys and their corresponding public keys generated before the preset validity period from the memory.
CDN边缘服务器将预设有效期内同步保存的根据其IP生成各私钥和私钥对应的公钥,按照生成的时间顺序保存在内存中,CDN边缘服务器将预设有效期之前同步保存的私钥和公钥从内存中清除。The CDN edge server synchronously saves the private key and the public key corresponding to the private key generated by its IP within the preset validity period, and saves it in the memory according to the generated time sequence. The CDN edge server synchronizes the private key and the private key saved before the preset validity period. The public key is cleared from memory.
S220进一步包括,CDN边缘服务器调用其内存中最新保存的公钥加密客户端和CDN边缘服务器初次握手生成的会话记录,并将加密后的会话记录发送给客户端。S220 further includes that the CDN edge server invokes the latest public key stored in its memory to encrypt the session record generated by the initial handshake between the client and the CDN edge server, and sends the encrypted session record to the client.
客户端与CDN边缘服务器初次握手时,CDN边缘服务器调用其内存中最新保存的公钥加密会话记录,并将加密后的会话记录发送给客户端。During the initial handshake between the client and the CDN edge server, the CDN edge server invokes the latest public key stored in its memory to encrypt the session record, and sends the encrypted session record to the client.
S230进一步包括,客户端携带公钥加密后的会话记录与CDN边缘服务器进行后续握手时,CDN边缘服务器按照私钥保存时间由近到远的顺序,依次调用其内存中的私钥对会话记录进行解密,若解密成功,则客户端与CDN边缘服务端重用会话记录中的协商密钥,握手完成;若解密不成功,则进行S220。S230 further includes that when the client carries the public key-encrypted session record and performs the subsequent handshake with the CDN edge server, the CDN edge server sequentially calls the private key in its memory to perform the session record according to the order of the preservation time of the private key. Decrypt. If the decryption is successful, the client and the CDN edge server reuse the negotiated key in the session record, and the handshake is completed; if the decryption is unsuccessful, proceed to S220.
客户端与CDN边缘服务器后续的握手中,携带公钥加密后的会话记录,CDN边缘服务器按照私钥保存时间由近到远的顺序,依次调用其内存中的私钥对会话记录进行解密。In the subsequent handshake between the client and the CDN edge server, the public key encrypted session record is carried. The CDN edge server sequentially calls the private key in its memory to decrypt the session record according to the order of the preservation time of the private key.
使用不对称密钥时,每个CDN边缘服务器与客户端再次建立HTTPS连接时,在握手阶段解密会话记录的私钥不相同。每一个CDN边缘服务器拥有自己的私钥解密会话记录,不同的第一设定周期时间内的同一CDN边缘服务器的私钥也不同。相比现有技术,更具有安全性。When using an asymmetric key, when each CDN edge server establishes an HTTPS connection with the client again, the private key used to decrypt the session record during the handshake phase is different. Each CDN edge server has its own private key to decrypt the session record, and the private key of the same CDN edge server in different first set period time is also different. Compared with the existing technology, it is more secure.
实施例4:图3为根据本申请实施例4的客户端与服务端安全握手的系统的逻辑结构示意图。Embodiment 4: FIG. 3 is a schematic diagram of the logical structure of a system for secure handshake between a client and a server according to Embodiment 4 of the present application.
如图3所示,与实施例1中方法相应的一种客户端与服务端安全握手的系统,包括:握手阶段设置单元、会话记录密钥生成单元、会话记录加密单元、会话记录解密单元。As shown in FIG. 3, a client and server secure handshake system corresponding to the method in Embodiment 1, includes: a handshake phase setting unit, a session record key generation unit, a session record encryption unit, and a session record decryption unit.
握手阶段设置单元,用于设置客户端与服务端的握手阶段,采用会话记录重用来实现客户端与服务端的安全握手。The handshake phase setting unit is used to set the handshake phase between the client and the server, and the session record is reused to realize the secure handshake between the client and the server.
会话记录密钥生成单元,用于服务端每隔第一设定周期时间生成会话记录密钥,保存到其内存中,并且会话记录密钥在内存的保存时间超过预设有效期时即被删除。The session recording key generating unit is used for the server to generate a session recording key every first set period of time and save it in its memory, and the session recording key is deleted when the storage time in the memory exceeds the preset validity period.
会话记录加密单元,用于服务端采用最新生成的会话记录密钥加密客户端和服务端初次握手生成的会话记录,并将加密后的会话记录发送给客户端;其中,在会话记录中包含用于加密客户端与服务端交互内容的协商密钥。The session record encryption unit is used for the server to use the newly generated session record key to encrypt the session record generated by the initial handshake between the client and the server, and send the encrypted session record to the client; among them, the session record contains the It is used to encrypt the negotiated key of the interactive content between the client and the server.
会话记录解密单元,用于客户端携带加密后的会话记录与服务端进行后续握手时,服务端依次调用其内存中的会话记录密钥对加密后的会话记录进行解密,若解密成功,则客户端与服务端重用会话记录中的协商密钥,握手完成;若解密不成功,则客户端与服务端重新握手生成会话记录,服务端采用最新生成的会话记录密钥加密会话记录,并将加密后的会话记录发送给客户端。The session record decryption unit is used for the client to carry the encrypted session record for subsequent handshake with the server. The server sequentially calls the session record key in its memory to decrypt the encrypted session record. If the decryption is successful, the client The client and the server reuse the negotiated key in the session record, and the handshake is completed; if the decryption is unsuccessful, the client and the server re-shakes hands to generate the session record, and the server uses the newly generated session record key to encrypt the session record and encrypt it After the session record is sent to the client.
实施例5:与实施例2中方法相应的一种客户端与服务端安全握手的系统,包括:握手阶段设置单元、会话记录密钥生成单元、会话记录加密单元、会话记录解密单元。Embodiment 5: A client and server secure handshake system corresponding to the method in Embodiment 2, including: a handshake phase setting unit, a session record key generation unit, a session record encryption unit, and a session record decryption unit.
握手阶段设置单元,用于设置客户端与CDN中的每个CDN边缘服务器的握手阶段,均采用会话记录重用来实现客户端与服务端的安全握手。The handshake phase setting unit is used to set the handshake phase between the client and each CDN edge server in the CDN, and session records are reused to realize the secure handshake between the client and the server.
会话记录密钥生成单元,用于设定一台服务器为中心服务器,中心服务器每隔第一设定周期时间生成会话记录密钥,保存到其内存中,并将会话记录密钥同步保存到每一个CDN节点的CDN边缘服务器的内存中,会话记录密钥在中心服务器和CDN边缘服务器的内存中保存时间超过预设有效期时即被删除。The session recording key generation unit is used to set a server as the central server, and the central server generates the session recording key every first set period, saves it in its memory, and synchronously saves the session recording key to every In the memory of the CDN edge server of a CDN node, the session record key is deleted when the storage time in the memory of the central server and the CDN edge server exceeds the preset validity period.
会话记录加密单元,用于CDN边缘服务器调用其内存中最新保存的会话记录密钥加密客户端和CDN边缘服务器初次握手生成的会话记录,并将加密后的会话记录发送给客户端;其中,在会话记录中包含用于加密客户端与服务端交互内容的协商密钥。The session record encryption unit is used for the CDN edge server to call the newly saved session record key in its memory to encrypt the session record generated by the client and the CDN edge server through the initial handshake, and send the encrypted session record to the client; The session record contains the negotiation key used to encrypt the interactive content between the client and the server.
会话记录解密单元,用于客户端携带加密后的会话记录与CDN边缘服务器进行后续握手时,CDN边缘服务器按照会话记录密钥保存时间由近到远的顺序,依次调用其内存中的会话记录密钥对加密后的会话记录进行解密,若解密成功,则客户端与CDN边缘服务器重用会话记录中的协商密钥,握手完成;若解密不成功,则进行客户端与CDN边缘服务器重新握手生成会话记录,CDN边缘服务器调用其内存中最新保存的会话记录密钥加密会话记录,并将加密后的会话记录发送给客户端。The session record decryption unit is used for the client to carry the encrypted session record for subsequent handshake with the CDN edge server. The CDN edge server calls the session record secret in its memory in the order of the preservation time of the session record key from near to far. The key decrypts the encrypted session record. If the decryption is successful, the client and the CDN edge server reuse the negotiated key in the session record, and the handshake is completed; if the decryption is unsuccessful, the client and the CDN edge server re-handshake to generate a session To record, the CDN edge server calls the newly saved session record key in its memory to encrypt the session record, and sends the encrypted session record to the client.
实施例6:一种电子装置,包括存储器和处理器,存储器中存储有计算机程序,计算机程序被处理器执行时实现实施例1或实施例2或实施例3的客户端与服务端安全握手的方法的步骤。Embodiment 6: An electronic device including a memory and a processor, and a computer program is stored in the memory. When the computer program is executed by the processor, it realizes the secure handshake between the client and the server of Embodiment 1 or Embodiment 2 or Embodiment 3 Method steps.
实施例7:一种计算机可读存储介质,所述计算机可读存储介质可以是非易失性,也可以是易失性的。其中,计算机可读存储介质中存储有客户端与服务端安全握手程序,客户端与服务端安全握手程序被处理器执行时,实现实施例1或实施例2或实施例3的客户端与服务端安全握手的方法的步骤。Embodiment 7: A computer-readable storage medium. The computer-readable storage medium may be non-volatile or volatile. Wherein, the computer-readable storage medium stores a client and server secure handshake program. When the client and server secure handshake program is executed by the processor, the client and service of Embodiment 1 or Embodiment 2 or Embodiment 3 are implemented. Steps of the end-to-end secure handshake method.
如上参照图1和图2以示例的方式描述根据本申请的客户端与服务端安全握手的方法。但是,本领域技术人员应当理解,对于上述本申请所提出的客户端与服务端安全握手的方法,还可以在不脱离本申请内容的基础上做出各种改进。因此,本申请的保护范围应当由所附的权利要求书的内容确定。The method of the client and the server secure handshake according to the present application is described by way of example with reference to FIG. 1 and FIG. 2 above. However, those skilled in the art should understand that various improvements can be made without departing from the content of the application for the secure handshake method between the client and the server proposed in this application. Therefore, the protection scope of this application should be determined by the content of the appended claims.
以上所述,仅为本申请的具体实施方式,但本申请的保护范围并不局限于此,任何熟悉本技术领域的技术人员在本申请揭露的技术范围内,可轻易想到变化或替换,都应涵盖在本申请的保护范围之内。因此,本申请的保护范围应以所述权利要求的保护范围为准。The above are only specific implementations of this application, but the protection scope of this application is not limited to this. Any person skilled in the art can easily think of changes or substitutions within the technical scope disclosed in this application. Should be covered within the scope of protection of this application. Therefore, the protection scope of this application should be subject to the protection scope of the claims.

Claims (20)

  1. 一种客户端与服务端安全握手的方法,通过在客户端与服务端握手阶段采用会话记录重用来实现客户端与服务端的安全握手,其中,包括以下步骤:A method for secure handshake between the client and the server is achieved by using session record reuse in the handshake phase of the client and the server to realize the secure handshake between the client and the server, which includes the following steps:
    S110:服务端每隔第一设定周期时间生成会话记录密钥,保存到其内存中,并且所述会话记录密钥在所述内存的保存时间超过预设有效期时即被删除;S110: The server generates a session recording key every first set period of time and saves it in its memory, and the session recording key is deleted when the storage time of the memory exceeds a preset validity period;
    S120:所述服务端采用最新生成的所述会话记录密钥加密客户端和所述服务端初次握手生成的会话记录,并将加密后的所述会话记录发送给所述客户端;其中,在所述会话记录中包含用于加密所述客户端与所述服务端交互内容的协商密钥;S120: The server uses the newly generated session record key to encrypt the session record generated by the initial handshake between the client and the server, and sends the encrypted session record to the client; where The session record includes a negotiation key used to encrypt the interactive content between the client and the server;
    S130:所述客户端携带加密后的所述会话记录与所述服务端进行后续握手时,所述服务端依次调用其内存中的会话记录密钥对加密后的所述会话记录进行解密,若解密成功,则所述客户端与所述服务端重用所述会话记录中的协商密钥,握手完成;若解密不成功,则进行S120。S130: When the client carries the encrypted session record and performs a subsequent handshake with the server, the server sequentially calls the session record key in its memory to decrypt the encrypted session record, if If the decryption is successful, the client and the server reuse the negotiated key in the session record, and the handshake is completed; if the decryption is unsuccessful, proceed to S120.
  2. 如权利要求1所述的客户端与服务端安全握手的方法,其中,所述预设有效期不小于三倍的所述第一设定周期时间。8. The method for secure handshake between a client and a server according to claim 1, wherein the preset validity period is not less than three times the first preset period time.
  3. 如权利要求1所述的客户端与服务端安全握手的方法,其中,The method for a secure handshake between a client and a server according to claim 1, wherein:
    在S110中,所述服务端将所述预设有效期内生成的所述会话记录密钥,按生成的时间顺序保存在其内存中;In S110, the server stores the session record keys generated within the preset validity period in its memory according to the generated time sequence;
    在S130中,所述服务端按照所述会话记录密钥生成时间由近到远的顺序,依次调用其内存中的会话记录密钥对加密后的所述会话记录进行解密。In S130, the server sequentially calls the session record key in its memory to decrypt the encrypted session record in the order of the generation time of the session record key from near to far.
  4. 一种客户端与服务端安全握手的方法,通过在客户端与服务端握手阶段采用会话记录重用来实现客户端与服务端的安全握手,并且所述服务端为CDN中的CDN边缘服务器,其中,包括以下步骤:A method for the secure handshake between the client and the server is achieved by using session record reuse in the handshake phase between the client and the server to realize the secure handshake between the client and the server, and the server is a CDN edge server in the CDN, wherein, It includes the following steps:
    S210:设定一台服务器为中心服务器,所述中心服务器每隔第一设定周期时间生成会话记录密钥,保存到其内存中,并将所述会话记录密钥同步保存到每一个CDN节点的所述CDN边缘服务器的内存中,所述会话记录密钥在所述中心服务器和所述CDN边缘服务器的内存中保存时间超过预设有效期时即被删除;S210: Set a server as a central server, and the central server generates a session record key every first set period, saves it in its memory, and synchronously saves the session record key to each CDN node In the memory of the CDN edge server, the session recording key is deleted when the storage time in the memory of the central server and the CDN edge server exceeds a preset validity period;
    S220:所述CDN边缘服务器调用其内存中最新保存的所述会话记录密钥加密所述客户端和所述CDN边缘服务器初次握手生成的会话记录,并将加密后的所述会话记录发送给所述客户端;其中,在所述会话记录中包含用于加密所述客户端与服务端交互内容的协商密钥;S220: The CDN edge server invokes the session record key newly stored in its memory to encrypt the session record generated by the initial handshake between the client and the CDN edge server, and sends the encrypted session record to all The client; wherein the session record includes a negotiation key used to encrypt the interactive content between the client and the server;
    S230:所述客户端携带加密后的所述会话记录与所述CDN边缘服务器进行后续握手时,所述CDN边缘服务器按照所述会话记录密钥保存时间由近到远的顺序,依次调用其内存中的会话记录密钥对加密后的所述会话记录进行解密,若解密成功,则所述客户端与所述CDN边缘服务器重用所述会话记录中的协商密钥,握手完成;若解密不成功,则进行S220。S230: When the client carries the encrypted session record and performs a subsequent handshake with the CDN edge server, the CDN edge server sequentially calls its memory in the order of the storage time of the session record key from near to far. The session record key in the session record decrypts the encrypted session record. If the decryption is successful, the client and the CDN edge server reuse the negotiated key in the session record, and the handshake is completed; if the decryption is unsuccessful , Then proceed to S220.
  5. 如权利要求4所述的客户端与服务端安全握手的方法,其中,所述预设有效期不小于三倍的所述第一设定周期时间。The method for secure handshake between the client and the server according to claim 4, wherein the preset validity period is not less than three times the first preset period time.
  6. 如权利要求4所述的客户端与服务端安全握手的方法,其中,在S210中,所述会话记录密钥为非对称密钥,生成所述非对称密钥的方式为:所述中心服务器每隔所述第一设定周期时间,根据每个所述CDN边缘服务器的IP,为每个CDN边缘服务器生成私钥,及所述私钥对应的公钥,并将所述私钥和其对应的公钥同步保存到相应的CDN边缘服务器的内存中。The method for a secure handshake between a client and a server according to claim 4, wherein, in S210, the session recording key is an asymmetric key, and the method for generating the asymmetric key is: the central server At intervals of the first set period of time, a private key and a public key corresponding to the private key are generated for each CDN edge server according to the IP of each CDN edge server, and the private key and its The corresponding public key is synchronously saved in the memory of the corresponding CDN edge server.
  7. 如权利要求6所述的客户端与服务端安全握手的方法,其中,S220还包括,所述CDN边缘服务器调用其内存中最新保存的所述公钥加密所述客户端和所述CDN边缘服务器初次握手生成的会话记录,并将加密后的所述会话记录发送给所述客户端。The method for a secure handshake between a client and a server according to claim 6, wherein S220 further comprises: the CDN edge server invokes the latest public key stored in its memory to encrypt the client and the CDN edge server The session record generated by the initial handshake, and the encrypted session record is sent to the client.
  8. 如权利要求6所述的客户端与服务端安全握手的方法,其中,S230还包括,所述客户端携带所述公钥加密后的所述会话记录与所述CDN边缘服务器进行后续握手时,所述CDN边缘服务器按照所述私钥保存时间由近到远的顺序,依次调用其内存中的私钥对所述会话记录进行解密,若解密成功,则所述客户端与所述CDN边缘服务端重用所述会话记录中的协商密钥,握手完成;若解密不成功,则进行S220。8. The method for secure handshake between a client and a server according to claim 6, wherein S230 further comprises: when the client carries the session record encrypted by the public key and performs a subsequent handshake with the CDN edge server, The CDN edge server sequentially calls the private key in its memory to decrypt the session record in the order of the storage time of the private key from near to far. If the decryption is successful, the client and the CDN edge service The terminal reuses the negotiated key in the session record, and the handshake is completed; if the decryption is unsuccessful, proceed to S220.
  9. 一种电子装置,其中,包括存储器和处理器,所述存储器和所述处理器相互连接,所述存储器用于存储计算机程序,所述计算机程序被配置为由所述处理器执行,所述计算机程序配置用于执行一种客户端与服务端安全握手的方法,所述方法通过在客户端与服务端握手阶段采用会话记录重用来实现客户端与服务端的安全握手,所述方法包括以下步骤:An electronic device, comprising a memory and a processor, the memory and the processor are connected to each other, the memory is used to store a computer program, the computer program is configured to be executed by the processor, the computer The program configuration is used to implement a method for a client and server secure handshake. The method uses session record reuse in the client and server handshake phase to achieve a secure handshake between the client and the server. The method includes the following steps:
    S110:服务端每隔第一设定周期时间生成会话记录密钥,保存到其内存中,并且所述会话记录密钥在所述内存的保存时间超过预设有效期时即被删除;S110: The server generates a session recording key every first set period of time and saves it in its memory, and the session recording key is deleted when the storage time of the memory exceeds a preset validity period;
    S120:所述服务端采用最新生成的所述会话记录密钥加密客户端和所述服务端初次握手生成的会话记录,并将加密后的所述会话记录发送给所述客户端;其中,在所述会话记录中包含用于加密所述客户端与所述服务端交互内容的协商密钥;S120: The server uses the newly generated session record key to encrypt the session record generated by the initial handshake between the client and the server, and sends the encrypted session record to the client; where The session record includes a negotiation key used to encrypt the interactive content between the client and the server;
    S130:所述客户端携带加密后的所述会话记录与所述服务端进行后续握手时,所述服务端依次调用其内存中的会话记录密钥对加密后的所述会话记录进行解密,若解密成功,则所述客户端与所述服务端重用所述会话记录中的协商密钥,握手完成;若解密不成功,则进行S120。S130: When the client carries the encrypted session record and performs a subsequent handshake with the server, the server sequentially calls the session record key in its memory to decrypt the encrypted session record, if If the decryption is successful, the client and the server reuse the negotiated key in the session record, and the handshake is completed; if the decryption is unsuccessful, proceed to S120.
  10. 如权利要求9所述的电子装置,其中,所述预设有效期不小于三倍的所述第一设定周期时间。9. The electronic device of claim 9, wherein the preset validity period is not less than three times the first preset period time.
  11. 如权利要求9所述的电子装置,其中,The electronic device according to claim 9, wherein:
    在S110中,所述服务端将所述预设有效期内生成的所述会话记录密钥,按生成的时间顺序保存在其内存中;In S110, the server stores the session record keys generated within the preset validity period in its memory according to the generated time sequence;
    在S130中,所述服务端按照所述会话记录密钥生成时间由近到远的顺序,依次调用其内存中的会话记录密钥对加密后的所述会话记录进行解密。In S130, the server sequentially calls the session record key in its memory to decrypt the encrypted session record in the order of the generation time of the session record key from near to far.
  12. 一种电子装置,其中,包括存储器和处理器,所述存储器和所述处理器相互连接,所述存储器用于存储计算机程序,所述计算机程序被配置为由所述处理器执行,所述计算机程序配置用于执行一种客户端与服务端安全握手的方法,所述方法通过在客户端与服务端握手阶段采用会话记录重用来实现客户端与服务端的安全握手,并且所述服务端为CDN中的CDN边缘服务器,所述方法包括以下步骤:An electronic device, comprising a memory and a processor, the memory and the processor are connected to each other, the memory is used to store a computer program, the computer program is configured to be executed by the processor, the computer The program is configured to perform a secure handshake method between the client and the server. The method uses session record reuse during the handshake phase of the client and the server to realize the secure handshake between the client and the server, and the server is a CDN In the CDN edge server in, the method includes the following steps:
    S210:设定一台服务器为中心服务器,所述中心服务器每隔第一设定周期时间生成会话记录密钥,保存到其内存中,并将所述会话记录密钥同步保存到每一个CDN节点的所述CDN边缘服务器的内存中,所述会话记录密钥在所述中心服务器和所述CDN边缘服务器的内存中保存时间超过预设有效期时即被删除;S210: Set a server as a central server, and the central server generates a session record key every first set period, saves it in its memory, and synchronously saves the session record key to each CDN node In the memory of the CDN edge server, the session recording key is deleted when the storage time in the memory of the central server and the CDN edge server exceeds a preset validity period;
    S220:所述CDN边缘服务器调用其内存中最新保存的所述会话记录密钥加密所述客户端和所述CDN边缘服务器初次握手生成的会话记录,并将加密后的所述会话记录发送给所述客户端;其中,在所述会话记录中包含用于加密所述客户端与服务端交互内容的协商密钥;S220: The CDN edge server invokes the session record key newly stored in its memory to encrypt the session record generated by the initial handshake between the client and the CDN edge server, and sends the encrypted session record to all The client; wherein the session record includes a negotiation key used to encrypt the interactive content between the client and the server;
    S230:所述客户端携带加密后的所述会话记录与所述CDN边缘服务器进行后续握手时,所述CDN边缘服务器按照所述会话记录密钥保存时间由近到远的顺序,依次调用其内存中的会话记录密钥对加密后的所述会话记录进行解密,若解密成功,则所述客户端与所述CDN边缘服务器重用所述会话记录中的协商密钥,握手完成;若解密不成功,则进行S220。S230: When the client carries the encrypted session record and performs a subsequent handshake with the CDN edge server, the CDN edge server sequentially calls its memory in the order of the storage time of the session record key from near to far. The session record key in the session record decrypts the encrypted session record. If the decryption is successful, the client and the CDN edge server reuse the negotiated key in the session record, and the handshake is completed; if the decryption is unsuccessful , Then proceed to S220.
  13. 如权利要求12所述的电子装置,其中,所述预设有效期不小于三倍的所述第一设定周期时间。11. The electronic device of claim 12, wherein the preset validity period is not less than three times the first preset period time.
  14. 如权利要求12所述的电子装置,其中,在S210中,所述会话记录密钥为非对称密钥,生成所述非对称密钥的方式为:所述中心服务器每隔所述第一设定周期时间,根据每个所述CDN边缘服务器的IP,为每个CDN边缘服务器生成私钥,及所述私钥对应的公钥,并将所述私钥和其对应的公钥同步保存到相应的CDN边缘服务器的内存中。The electronic device according to claim 12, wherein, in S210, the session recording key is an asymmetric key, and the method of generating the asymmetric key is: the central server every first device According to the IP of each CDN edge server, generate a private key and a public key corresponding to the private key according to the IP of each CDN edge server, and save the private key and its corresponding public key to In the memory of the corresponding CDN edge server.
  15. 如权利要求14所述的电子装置,其中,S220还包括,所述CDN边缘服务器调用其内存中最新保存的所述公钥加密所述客户端和所述CDN边缘服务器初次握手生成的会话记录,并将加密后的所述会话记录发送给所述客户端。The electronic device according to claim 14, wherein S220 further comprises: the CDN edge server invokes the latest public key stored in its memory to encrypt the session record generated by the initial handshake between the client and the CDN edge server, And send the encrypted session record to the client.
  16. 如权利要求14所述的电子装置,其中,S230还包括,所述客户端携带所述公钥加密后的所述会话记录与所述CDN边缘服务器进行后续握手时,所述CDN边缘服务器按照所述私钥保存时间由近到远的顺序,依次调用其内存中的私钥对所述会话记录进行解密,若解密成功,则所述客户端与所述CDN边缘服务端重用所述会话记录中的协商密钥,握手完成;若解密不成功,则进行S220。The electronic device according to claim 14, wherein, S230 further comprises: when the client carries the session record encrypted by the public key and performs a subsequent handshake with the CDN edge server, the CDN edge server performs a subsequent handshake with the CDN edge server. In the order of the storage time of the private key from near to far, the private key in its memory is sequentially invoked to decrypt the session record. If the decryption is successful, the client and the CDN edge server reuse the session record. The handshake is completed; if the decryption is unsuccessful, proceed to S220.
  17. 一种计算机可读存储介质,所述计算机可读存储介质存储有计算机程序,所述计算机程序被处理器执行时用于实现一种客户端与服务端安全握手的方法,所述方法通过在客户端与服务端握手阶段采用会话记录重用来实现客户端与服务端的安全握手,所述方法包括以下步骤:A computer-readable storage medium, the computer-readable storage medium stores a computer program, and when the computer program is executed by a processor, it is used to realize a secure handshake method between a client and a server. In the handshake phase between the client and the server, the session record is reused to implement a secure handshake between the client and the server. The method includes the following steps:
    S110:服务端每隔第一设定周期时间生成会话记录密钥,保存到其内存中,并且所述会话记录密钥在所述内存的保存时间超过预设有效期时即被删除;S110: The server generates a session recording key every first set period of time and saves it in its memory, and the session recording key is deleted when the storage time of the memory exceeds a preset validity period;
    S120:所述服务端采用最新生成的所述会话记录密钥加密客户端和所述服务端初次握手生成的会话记录,并将加密后的所述会话记录发送给所述客户端;其中,在所述会话记录中包含用于加密所述客户端与所述服务端交互内容的协商密钥;S120: The server uses the newly generated session record key to encrypt the session record generated by the initial handshake between the client and the server, and sends the encrypted session record to the client; where The session record includes a negotiation key used to encrypt the interactive content between the client and the server;
    S130:所述客户端携带加密后的所述会话记录与所述服务端进行后续握手时,所述服务端依次调用其内存中的会话记录密钥对加密后的所述会话记录进行解密,若解密成功,则所述客户端与所述服务端重用所述会话记录中的协商密钥,握手完成;若解密不成功,则进行S120。S130: When the client carries the encrypted session record and performs a subsequent handshake with the server, the server sequentially calls the session record key in its memory to decrypt the encrypted session record, if If the decryption is successful, the client and the server reuse the negotiated key in the session record, and the handshake is completed; if the decryption is unsuccessful, proceed to S120.
  18. 如权利要求17所述的计算机可读存储介质,其中,所述预设有效期不小于三倍的所述第一设定周期时间。17. The computer-readable storage medium of claim 17, wherein the preset validity period is not less than three times the first set period time.
  19. 如权利要求17所述的计算机可读存储介质,其中,The computer-readable storage medium of claim 17, wherein:
    在S110中,所述服务端将所述预设有效期内生成的所述会话记录密钥,按生成的时间顺序保存在其内存中;In S110, the server stores the session record keys generated within the preset validity period in its memory according to the generated time sequence;
    在S130中,所述服务端按照所述会话记录密钥生成时间由近到远的顺序,依次调用其内存中的会话记录密钥对加密后的所述会话记录进行解密。In S130, the server sequentially calls the session record key in its memory to decrypt the encrypted session record in the order of the generation time of the session record key from near to far.
  20. 一种计算机可读存储介质,所述计算机可读存储介质存储有计算机程序,所述计算机程序被处理器执行时用于实现一种客户端与服务端安全握手的方法,所述方法通过在客户端与服务端握手阶段采用会话记录重用来实现客户端与服务端的安全握手,并且所述服务端为CDN中的CDN边缘服务器,所述方法包括以下步骤:A computer-readable storage medium, the computer-readable storage medium stores a computer program, and when the computer program is executed by a processor, it is used to realize a secure handshake method between a client and a server. During the handshake phase between the client and the server, session record reuse is used to implement a secure handshake between the client and the server, and the server is a CDN edge server in the CDN. The method includes the following steps:
    S210:设定一台服务器为中心服务器,所述中心服务器每隔第一设定周期时间生成会话记录密钥,保存到其内存中,并将所述会话记录密钥同步保存到每一个CDN节点的所述CDN边缘服务器的内存中,所述会话记录密钥在所述中心服务器和所述CDN边缘服务器的内存中保存时间超过预设有效期时即被删除;S210: Set a server as a central server, and the central server generates a session record key every first set period, saves it in its memory, and synchronously saves the session record key to each CDN node In the memory of the CDN edge server, the session recording key is deleted when the storage time in the memory of the central server and the CDN edge server exceeds a preset validity period;
    S220:所述CDN边缘服务器调用其内存中最新保存的所述会话记录密钥加密所述客户端和所述CDN边缘服务器初次握手生成的会话记录,并将加密后的所述会话记录发送给所述客户端;其中,在所述会话记录中包含用于加密所述客户端与服务端交互内容的协商密钥;S220: The CDN edge server invokes the session record key newly stored in its memory to encrypt the session record generated by the initial handshake between the client and the CDN edge server, and sends the encrypted session record to all The client; wherein the session record includes a negotiation key used to encrypt the interactive content between the client and the server;
    S230:所述客户端携带加密后的所述会话记录与所述CDN边缘服务器进行后续握手时,所述CDN边缘服务器按照所述会话记录密钥保存时间由近到远的顺序,依次调用其内存中的会话记录密钥对加密后的所述会话记录进行解密,若解密成功,则所述客户端与所述CDN边缘服务器重用所述会话记录中的协商密钥,握手完成;若解密不成功,则进行S220。S230: When the client carries the encrypted session record and performs a subsequent handshake with the CDN edge server, the CDN edge server sequentially calls its memory in the order of the storage time of the session record key from near to far. The session record key in the session record decrypts the encrypted session record. If the decryption is successful, the client and the CDN edge server reuse the negotiated key in the session record, and the handshake is completed; if the decryption is unsuccessful , Then proceed to S220.
PCT/CN2020/117430 2020-02-26 2020-09-24 Method and apparatus for secure handshaking between client and service end, and storage medium WO2021169266A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN202010119427.9A CN111385289A (en) 2020-02-26 2020-02-26 Method, device and storage medium for secure handshake between client and server
CN202010119427.9 2020-02-26

Publications (1)

Publication Number Publication Date
WO2021169266A1 true WO2021169266A1 (en) 2021-09-02

Family

ID=71217016

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2020/117430 WO2021169266A1 (en) 2020-02-26 2020-09-24 Method and apparatus for secure handshaking between client and service end, and storage medium

Country Status (2)

Country Link
CN (1) CN111385289A (en)
WO (1) WO2021169266A1 (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114095254A (en) * 2021-11-22 2022-02-25 中国建设银行股份有限公司 Message encryption method, server device, client device and storage medium

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111385289A (en) * 2020-02-26 2020-07-07 平安科技(深圳)有限公司 Method, device and storage medium for secure handshake between client and server
CN114500040B (en) * 2022-01-24 2023-09-19 北京金数信安科技有限公司 Safe and efficient communication method based on cryptographic algorithm and implementation thereof
CN116055215B (en) * 2023-03-02 2024-03-15 上海弘积信息科技有限公司 Communication method, system and equipment based on network security transmission protocol

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102368765A (en) * 2011-10-08 2012-03-07 大连高成网络科技有限公司 Website login authentication method
CN106059986A (en) * 2015-04-22 2016-10-26 阿里巴巴集团控股有限公司 Method and server for SSL (Secure Sockets Layer) session reuse
CN106790285A (en) * 2017-02-27 2017-05-31 杭州迪普科技股份有限公司 A kind of Session state reuse method and device
CN108512849A (en) * 2018-04-02 2018-09-07 北京奇艺世纪科技有限公司 A kind of handshake method and system accessing server
US20200007321A1 (en) * 2018-06-28 2020-01-02 Nxp B.V. Method for establishing a secure communication session in a communications system
CN111385289A (en) * 2020-02-26 2020-07-07 平安科技(深圳)有限公司 Method, device and storage medium for secure handshake between client and server

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR100678934B1 (en) * 2004-06-09 2007-02-07 삼성전자주식회사 Method and apparatus for secure communication reusing a session key between clients and servers
CN106161404A (en) * 2015-04-22 2016-11-23 阿里巴巴集团控股有限公司 The method of SSL Session state reuse, server and system
CN110830239B (en) * 2018-08-07 2023-02-28 阿里巴巴集团控股有限公司 Key updating method, device and system

Patent Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102368765A (en) * 2011-10-08 2012-03-07 大连高成网络科技有限公司 Website login authentication method
CN106059986A (en) * 2015-04-22 2016-10-26 阿里巴巴集团控股有限公司 Method and server for SSL (Secure Sockets Layer) session reuse
CN106790285A (en) * 2017-02-27 2017-05-31 杭州迪普科技股份有限公司 A kind of Session state reuse method and device
CN108512849A (en) * 2018-04-02 2018-09-07 北京奇艺世纪科技有限公司 A kind of handshake method and system accessing server
US20200007321A1 (en) * 2018-06-28 2020-01-02 Nxp B.V. Method for establishing a secure communication session in a communications system
CN111385289A (en) * 2020-02-26 2020-07-07 平安科技(深圳)有限公司 Method, device and storage medium for secure handshake between client and server

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114095254A (en) * 2021-11-22 2022-02-25 中国建设银行股份有限公司 Message encryption method, server device, client device and storage medium
CN114095254B (en) * 2021-11-22 2024-04-12 中国建设银行股份有限公司 Message encryption method, server device, client device and storage medium

Also Published As

Publication number Publication date
CN111385289A (en) 2020-07-07

Similar Documents

Publication Publication Date Title
WO2021169266A1 (en) Method and apparatus for secure handshaking between client and service end, and storage medium
US7890634B2 (en) Scalable session management
US7720227B2 (en) Encryption method for SIP message and encrypted SIP communication system
US20040161110A1 (en) Server apparatus, key management apparatus, and encrypted communication method
Bittau et al. The case for ubiquitous {Transport-Level} encryption
WO2022021992A1 (en) Data transmission method and system based on nb-iot communication, and medium
CN102833253A (en) Method and server for establishing safe connection between client and server
CN107872450B (en) Secure communication method and system
CN109936529B (en) Method, device and system for secure communication
Park et al. Lightweight secure communication for CoAP-enabled internet of things using delegated DTLS handshake
CN106169952B (en) A kind of authentication method that internet Key Management Protocol is negotiated again and device
WO2012088889A1 (en) Data communication method and device and data interaction system based on browser
CN113612605A (en) Method, system and equipment for enhancing MQTT protocol identity authentication by using symmetric cryptographic technology
CN111080299B (en) Anti-repudiation method for transaction information, client and server
CN112332986B (en) Private encryption communication method and system based on authority control
CN111865609A (en) Private cloud platform data encryption and decryption system based on state cryptographic algorithm
US11606193B2 (en) Distributed session resumption
WO2009082950A1 (en) Key distribution method, device and system
CN110581829A (en) Communication method and device
EP2244420B1 (en) Method and apparatus for recovering the connection
CN109474667B (en) Unmanned aerial vehicle communication method based on TCP and UDP
Boo et al. FDTLS: Supporting DTLS-based combined storage and communication security for IoT devices
CN114707158A (en) Network communication authentication method and network communication authentication system based on TEE
WO2014047868A1 (en) Protocol stack type negotiation method and device
JP2002189976A (en) Authentication system and method

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 20922222

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 20922222

Country of ref document: EP

Kind code of ref document: A1