WO2022022057A1 - Session ticket processing method and apparatus, electronic device, and computer readable storage medium - Google Patents

Session ticket processing method and apparatus, electronic device, and computer readable storage medium

Info

Publication number
WO2022022057A1
Authority
WO
WIPO (PCT)
Prior art keywords
session
ticket
session ticket
communication
key
Application number
PCT/CN2021/098070
Other languages
French (fr)
Chinese (zh)
Inventor
刘华
Original Assignee
北京金山云网络技术有限公司
Application filed by 北京金山云网络技术有限公司
Publication of WO2022022057A1

Classifications

    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L67/00 Network arrangements or protocols for supporting network services or applications > H04L67/01 Protocols > H04L67/02 Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]
    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L67/00 Network arrangements or protocols for supporting network services or applications > H04L67/14 Session management
    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols > H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords > H04L9/0816 Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use

Definitions

  • the present application relates to the field of communication technologies, and in particular, to a session ticket processing method, apparatus, electronic device, and computer-readable storage medium.
  • HTTPS: Hyper Text Transfer Protocol over Secure Socket Layer
  • CDN: Content Delivery Network
  • the distributed cluster web server Nginx can support the distributed session ticket (ticket) mechanism, but does not support the distributed session ID (session id) mechanism.
  • ticket: distributed session ticket
  • session id: distributed session ID
  • The purpose of this application is to provide a session ticket processing method, apparatus, electronic device and computer-readable storage medium that can improve the short handshake rate of the entire distributed cluster network, reduce CPU consumption, and improve the security of cluster communication.
  • An embodiment of the present application provides a method for processing session tickets, applied to a server in a distributed cluster. The server is in communication connection with a preset management server, and the management server is configured to generate a session ticket and send the session ticket to each server of the distributed cluster. The method includes: receiving a new session ticket sent by the management server; updating the session configuration, determining the original session ticket in the session configuration as the primary key and the new session ticket as the secondary key, wherein both the primary key and the secondary key are set to decrypt the communication session, the primary key is preferentially used to decrypt the communication session, and the primary key is also set to encrypt communication sessions created after the new session ticket is received; if a confirmation message that the distributed cluster has completed updating the session configuration is received, determining the new session ticket as the primary key and the original session ticket as the secondary key; and deleting the original session ticket when the preset time arrives.
  • the above communication session is one of a secure socket layer SSL session and a transport layer security TLS session.
  • the preset time is not less than the validity period of the original session ticket.
  • Before the above step of receiving a new session ticket sent by the management server, the method further includes: enabling a preset switch control of the session ticket mechanism.
  • The above-mentioned server is in communication with a preset client, and the method further includes: receiving a communication connection request sent by the client, the communication connection request carrying a session ticket; judging whether the session ticket is within the validity period; if it is determined that the session ticket is within the validity period, verifying the session ticket through the master key; and if the session ticket is verified through the master key, establishing a communication session with the client.
  • The above method further includes: if the session ticket is not verified by the primary key, verifying the session ticket by the secondary key; and if the session ticket is verified by the secondary key, establishing a communication session with the client.
  • An embodiment of the present application further provides a session ticket processing device, applied to a server in a distributed cluster. The server is in communication connection with a preset management server, and the management server is configured to generate a session ticket and send the session ticket to each server of the distributed cluster. The device includes: a new session ticket receiving module, set to receive the new session ticket sent by the management server; a session configuration update module, set to update the session configuration, determine the original session ticket in the session configuration as the primary key and the new session ticket as the secondary key, wherein the primary key and the secondary key are both set to decrypt the communication session, the primary key is preferentially used to decrypt the communication session, and the primary key is also set to encrypt communication sessions created after the new session ticket is received; a primary and secondary key adjustment module, set to determine the new session ticket as the primary key and the original session ticket as the secondary key upon receiving confirmation information that the distributed cluster has completed updating the session configuration; and an original session ticket deletion module, set to delete the original session ticket when the preset time arrives.
  • the above communication session is one of a secure socket layer SSL session and a transport layer security TLS session.
  • the above-mentioned apparatus further includes a session ticket mechanism enabling module, which is configured as a preset switch control for enabling the session ticket mechanism.
  • The above-mentioned server is in communication connection with a preset client, and the above-mentioned device further includes: a communication connection request receiving module, configured to receive a communication connection request sent by the client, the communication connection request carrying a session ticket; and a judgment and verification module, set to judge whether the session ticket is within the validity period, to verify the session ticket through the master key if the session ticket is within the validity period, and to establish a communication session with the client if the session ticket is verified through the master key.
  • The above-mentioned judgment and verification module is further configured to verify the session ticket through the secondary key if the session ticket is not verified through the primary key, and to establish a communication session with the client if the session ticket is verified through the secondary key.
  • An embodiment of the present application further provides an electronic device. The electronic device includes a processor and a memory; the memory stores computer-executable instructions that can be executed by the processor, and the processor executes the computer-executable instructions to implement the above session ticket processing method.
  • Embodiments of the present application further provide a computer-readable storage medium storing computer-executable instructions; when the computer-executable instructions are called and executed by a processor, they prompt the processor to implement the above session ticket processing method.
  • FIG. 1 is a schematic diagram of an application scenario of session communication through session tickets provided by an embodiment of the present application
  • FIG. 2 is a schematic flowchart of a method for processing a session ticket according to an embodiment of the present application
  • FIG. 3 is a schematic flowchart of another session ticket processing method provided by an embodiment of the present application.
  • FIG. 4A is a schematic structural diagram of an apparatus for processing session tickets provided by an embodiment of the present application.
  • FIG. 4B is a schematic structural diagram of another apparatus for processing session tickets according to an embodiment of the present application.
  • FIG. 5 is a schematic structural diagram of an electronic device according to an embodiment of the present application.
  • Reference numerals: 100 cluster server; 200 management server; 300 client; 41 new session ticket receiving module; 42 session configuration update module; 43 primary and secondary key adjustment module; 44 original session ticket deletion module; 51 processor; 52 memory; 53 bus; 54 communication interface.
  • a session is an uninterrupted request-response sequence between a client and a server. For each request from a client, the server can recognize that the request comes from the same client.
  • a session is started when an unknown client sends its first request to a web application; a session ends when the client explicitly ends the session or the server does not accept any requests from the client within a predefined time limit.
  • Before the server allows clients to access protected resources within the website, the server typically implements authentication and/or authorization services as guard gates; the security processing performed by these authentication and authorization services can be divided into the following two stages.
  • The client and server establish a secure communication session, such as a Secure Sockets Layer (SSL) session, which can include certificate and key exchange between the client and the remote server in order to establish a trust relationship and negotiate the key and cipher that will be used to encrypt messages in the SSL session.
  • SSL: Secure Sockets Layer
  • Many websites use the SSL protocol in their authentication services.
  • SSL or its successors, such as Transport Layer Security (TLS) are widely used protocols set up to establish secure connections from clients to servers in order to prevent message forgery, data tampering, and eavesdropping.
  • TLS: Transport Layer Security
  • the SSL handshake protocol allows the client and server to negotiate encryption algorithms and keys before the application protocol sends or receives its first data byte. In this way, the SSL handshake provides a secure communication session or connection that can be used by higher network layers for secure communication, including subsequent transmission of credential information for subsequent authentication operations or subsequent authorization operations.
  • credential information is transmitted from the client to the server for subsequent authentication operations or subsequent authorization operations.
  • the server requests the client to provide user credentials, the client provides the user credentials to the server, and the server verifies the user credentials in subsequent authentication or authorization operations. Based on authentication of user credentials, the server either allows or blocks client access to protected resources.
  • session id and session ticket are two mechanisms for short handshakes.
  • A session id is usually used in stand-alone mode, whereas a session ticket, if the same ticket is deployed across the entire network of the cluster, can be used in a distributed way.
  • FIG. 1 is a schematic diagram of an application scenario of session communication through session tickets, in which the cluster server 100 is in communication connection with the client 300 and the management server 200 respectively, and the management server 200 is configured to generate a session ticket and send the session ticket to the cluster server 100.
  • a secure communication session is first established between the client 300 and the cluster server 100 .
  • The above two stages are used to establish a secure communication session.
  • Once the session is secured, the server authenticates the client 300 through the session ticket provided by the client 300, and accordingly allows or prevents quick access by the client 300 to the requested resource.
  • The management server 200 may be Nginx, a high-performance HTTP and reverse proxy web server; Nginx supports distributed session tickets but does not support distributed session IDs (session id). In actual operation, if the same session ticket is used all the time, there is a risk of it being cracked, so it is necessary to update and replace the session ticket during session communication.
  • Nginx is a high-performance HTTP and reverse proxy web server.
  • The embodiments of the present application provide a session ticket processing method, device and electronic device, and the technology can be applied to various scenarios in which session tickets need to be updated.
  • a method for processing a session ticket disclosed in the embodiment of this application is first introduced in detail.
  • FIG. 2 is a schematic flowchart of a method for processing session tickets. The method is applied to a server in a distributed cluster; the server is in communication connection with a preset management server, and the management server is configured to generate a session ticket and send the session ticket to each server in the distributed cluster.
  • the method includes the following steps:
  • Step S202: Receive a new session ticket sent by the management server.
  • A server in a distributed cluster obtains a session ticket from the management server; the session ticket is set to encrypt and decrypt the communication session established between the cluster server and the client.
  • The management server sets the validity period corresponding to the session ticket, which is usually set to 300 seconds.
  • The cluster server can quickly authenticate the identity of the client through the valid session ticket provided by the client. If the verification passes, session communication is established, so that a brief handshake is realized and a communication session is quickly established. If the verification fails, for example because the session ticket has expired, the client cannot quickly establish a communication session with the cluster server and needs to go through a complete handshake process to establish one. During the complete handshake process, the client re-obtains a session ticket from the cluster server, and within the validity period of the newly obtained session ticket a brief handshake can again be performed with the cluster server.
  • the session tickets of the entire cluster network are often updated within a certain period of time.
  • the update period is also called the security period of the session ticket, which can be one month, half a month, one week or other time periods, and the length of the security period can be flexibly adjusted according to the needs of the actual application scenario.
  • When the session ticket in the cluster server needs to be replaced, the management server generates a new session ticket and simultaneously issues the original session ticket and the new session ticket to each server in the cluster.
  • The cluster server receives the original session ticket and the new session ticket issued by the management server.
  • Step S204: Update the session configuration, determine the original session ticket in the session configuration as the primary key, and determine the new session ticket as the secondary key; wherein the primary key and the secondary key are both set to decrypt the communication session, the master key is preferentially used to decrypt the communication session, and the master key is also set to encrypt communication sessions created after the new session ticket is received.
  • The above communication session may be a secure socket layer SSL session or a transport layer security TLS session.
  • Both SSL and TLS are security protocols that provide security and data integrity for network communication; TLS and SSL encrypt network connections between the transport layer and the application layer.
  • The cluster server replaces the session ticket configuration in the server with the received session tickets, that is, it retains the original session ticket and appends the newly received session ticket after the original session ticket.
  • The original session ticket in the session configuration is thereby determined as the primary key, and the new session ticket is determined as the secondary key.
  • The master key is used to encrypt communication sessions created after the new session ticket is received. That is, if a session ticket needs to be sent to the client, the original session ticket is still sent, and newly created communication sessions are still encrypted with the original session ticket.
  • For decryption the master key is used preferentially, so the original session ticket is still used for decryption at this time.
  • Step S206: If a confirmation message that the distributed cluster has completed updating the session configuration is received, determine the new session ticket as the primary key and the original session ticket as the secondary key.
  • Each cluster server receives the new session ticket from the management server, and the time taken to update the configuration varies between servers. After a cluster server completes the session configuration update, it returns information that the configuration update is completed to the management server.
  • When the management server confirms that all servers in the cluster have completed the update of the session configuration, it notifies the servers in the cluster.
  • When a server in the cluster receives confirmation information that the distributed cluster has completed updating the session configuration, it determines the new session ticket as the primary key and the original session ticket as the secondary key.
  • That is, the roles of the two session tickets (the keys) are swapped: the new session ticket is determined as the master key, and the original session ticket is identified as the secondary key.
  • After the key rotation, if a session ticket needs to be sent to the client, the new session ticket is sent, and communication sessions created afterwards are encrypted with the new session ticket; if a received communication session needs to be decrypted, the new session ticket is used first for decryption, and if the decryption fails, the original session ticket is used for decryption.
  • Step S208: When the preset time arrives, delete the original session ticket.
  • After the key rotation, once the preset time has elapsed, the old session ticket can be deleted.
  • The deletion of the original session ticket is triggered by setting a preset time.
  • The preset time is not less than the validity period of the original session ticket. For example, if the validity period of the original session ticket is 300 seconds, the original session ticket is deleted at least 300 seconds after the key rotation; the preset time is not otherwise restricted.
  • The session ticket processing method provided in this embodiment allows sessions whose encryption and decryption through the original session ticket has not yet completed to still achieve a short handshake normally during the session ticket exchange on the cluster server, which effectively alleviates the sharp drop in the handshake rate of the entire network caused by the hard replacement of old session tickets with new ones.
  • In summary: a new session ticket sent by the management server is received; the session configuration is updated, the original session ticket in the session configuration is determined as the primary key and the new session ticket as the secondary key, wherein both the primary key and the secondary key are set to decrypt the communication session, the primary key is preferentially used to decrypt the communication session, and the primary key is also set to encrypt communication sessions created after the new session ticket is received; if the confirmation message that the distributed cluster has completed updating the session configuration is received, the new session ticket is determined as the primary key and the original session ticket as the secondary key; and when the preset time arrives, the original session ticket is deleted.
  • Not only is a new session ticket added to the cluster server, but the original session ticket is retained, so that sessions encrypted by the original session ticket can still be decrypted while sessions encrypted by the new session ticket can also be decrypted; a short handshake can therefore be successfully implemented, improving the short handshake rate.
  • this embodiment further introduces the specific implementation process of the cluster server encrypting and decrypting the communication session through the original session ticket and the new session ticket during the session ticket replacement.
  • FIG. 3 is a schematic flowchart of another method for processing session tickets. The method is applied to a server in a distributed cluster; the server is in communication connection with a preset management server, and the management server is configured to generate session tickets and send the session ticket to each server in the distributed cluster.
  • the method includes the following steps:
  • Step S302: Receive a communication connection request sent by the client, where the communication connection request carries a session ticket.
  • The management server issues a unified session ticket for the entire network of the cluster. Therefore, the session ticket obtained by the client from one cluster server can also be used for a brief handshake with another cluster server.
  • Step S304: Determine whether the session ticket is within the validity period; if the session ticket is within the validity period, execute step S306, and if the session ticket is not within the validity period, execute step S316.
  • When the cluster server receives the communication connection request from the client, it determines whether the session ticket carried in the connection request is within the validity period, and if so, the session ticket is verified by the master key in the server. Before the key rotation the master key is the original session ticket, that is, the session ticket is verified with the original session ticket to check whether it conforms to the session rules; after the key rotation the master key is the new session ticket, and the session ticket is verified with the new session ticket.
  • Step S306: Verify the session ticket by using the master key.
  • The session ticket is decrypted by the master key to verify whether it complies with the session rules.
  • Step S308: Determine whether the session ticket verification through the master key passes; if the session ticket is verified through the master key, step S314 is executed; if the session ticket verification through the master key fails, step S310 is executed.
  • If the session ticket is verified through the primary key, a communication session is established with the client to achieve a short handshake; if the session ticket verification through the primary key fails, the session ticket needs to be verified through the secondary key.
  • After the key rotation, the primary key is the new session ticket and the secondary key is the original session ticket. If the session ticket carried in the communication connection request is the new session ticket, verification through the master key passes; if the session ticket carried in the communication connection request is the original session ticket, verification through the master key fails, and in this case the session ticket needs to be verified through the secondary key.
  • Step S310: Verify the session ticket through the secondary key.
  • The session ticket is decrypted by the secondary key to verify whether it complies with the session rules.
  • Step S312: Determine whether the session ticket verification through the secondary key passes; if the session ticket is verified through the secondary key, step S314 is executed; if the session ticket is not verified through the secondary key, step S316 is executed.
  • If the session ticket is verified through the secondary key, a communication session is established with the client to achieve a short handshake; if the session ticket verification through the secondary key fails, a session ticket error notification is returned to the client, and the client needs to go through a full handshake to establish a communication session.
  • Step S314: Establish a communication session with the client.
  • After the communication session is established, the client can perform operations such as accessing data resources on the cluster server.
  • Step S316: Return a session ticket error notification to the client.
  • The client then needs to establish a communication session with the cluster server through a complete handshake.
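The two procedures above (the rotation steps S202 to S208 of FIG. 2 and the ticket verification steps S302 to S316 of FIG. 3) as one added Python illustration; this is not the patent's own code nor Nginx's implementation. The small HMAC-based ticket cipher, the ClusterServer class and the TICKET_LIFETIME constant are assumptions made for the example (a production TLS stack would use a real AEAD for the ticket body), and the 300-second lifetime is the validity period the description cites.

```python
"""Session-ticket key rotation with a primary/secondary key pair (illustrative).

Assumptions made for this example: the ticket cipher is a small
encrypt-then-MAC construction on HMAC-SHA256 standing in for the AEAD a
real TLS stack would use, and TICKET_LIFETIME is the 300-second validity
period the description cites.
"""
import hashlib
import hmac
import os
import struct
from dataclasses import dataclass
from typing import Optional

TICKET_LIFETIME = 300  # seconds (validity period of a session ticket)
NONCE_LEN = 16
EXPIRY_LEN = 8
MAC_LEN = 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream derived with HMAC-SHA256 (stand-in for AES-CTR)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">I", counter), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal_ticket(key: bytes, state: bytes, issued_at: int) -> bytes:
    """Ticket layout: nonce || expiry || ciphertext || MAC (encrypt-then-MAC)."""
    nonce = os.urandom(NONCE_LEN)
    expiry = struct.pack(">Q", issued_at + TICKET_LIFETIME)
    ct = bytes(a ^ b for a, b in zip(state, _keystream(key, nonce, len(state))))
    body = nonce + expiry + ct
    return body + hmac.new(key, body, hashlib.sha256).digest()


def ticket_expiry(ticket: bytes) -> int:
    """Expiry is carried in the clear so the validity check (S304) needs no key."""
    return struct.unpack(">Q", ticket[NONCE_LEN:NONCE_LEN + EXPIRY_LEN])[0]


def open_ticket(key: bytes, ticket: bytes) -> Optional[bytes]:
    """Return the session state if the MAC verifies under `key`, else None."""
    if len(ticket) < NONCE_LEN + EXPIRY_LEN + MAC_LEN:
        return None
    body, tag = ticket[:-MAC_LEN], ticket[-MAC_LEN:]
    if not hmac.compare_digest(hmac.new(key, body, hashlib.sha256).digest(), tag):
        return None
    nonce, ct = body[:NONCE_LEN], body[NONCE_LEN + EXPIRY_LEN:]
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


@dataclass
class ClusterServer:
    """One cluster server holding a primary key and, during rotation, a secondary key."""
    primary: bytes
    secondary: Optional[bytes] = None
    delete_at: Optional[int] = None  # when the retired original ticket is dropped

    def receive_new_ticket(self, new_key: bytes) -> None:
        """S202/S204: keep the original ticket as primary, add the new one as secondary."""
        self.secondary = new_key

    def confirm_cluster_updated(self, now: int) -> None:
        """S206: the management server confirmed every server holds the new ticket."""
        if self.secondary is None:
            return  # nothing to rotate to
        self.primary, self.secondary = self.secondary, self.primary
        # S208: the preset deletion time is not less than the original ticket's validity.
        self.delete_at = now + TICKET_LIFETIME

    def tick(self, now: int) -> None:
        """S208: drop the original ticket once the preset time has arrived."""
        if self.delete_at is not None and now >= self.delete_at:
            self.secondary, self.delete_at = None, None

    def issue_ticket(self, state: bytes, now: int) -> bytes:
        """New sessions are always encrypted with whichever key is primary."""
        return seal_ticket(self.primary, state, now)

    def resume(self, ticket: bytes, now: int) -> Optional[bytes]:
        """S302-S316: validity check, then primary key, then secondary key."""
        if len(ticket) < NONCE_LEN + EXPIRY_LEN or now >= ticket_expiry(ticket):
            return None  # S316: expired, the client must do a full handshake
        state = open_ticket(self.primary, ticket)  # S306/S308
        if state is None and self.secondary is not None:
            state = open_ticket(self.secondary, ticket)  # S310/S312
        return state  # S314 on success; None means S316
```

Before the cluster-wide confirmation the server keeps issuing tickets under the original key, so a client that lands on a not-yet-updated server still resumes; after the swap, tickets under the original key are accepted only until the preset deletion time.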
  • A switch control may also be set on the cluster server to control the opening and closing of the session ticket mechanism.
  • When the session ticket mechanism is switched on, the session ticket processing method provided in the foregoing embodiment is executed.
  • the configuration of distributed session tickets in the Nginx service can be implemented by the following code:
  • ticket.key is also the session ticket, and its generation code is as follows:
  • The cluster server retains the original session ticket and the new session ticket at the same time, so it can decrypt sessions encrypted by the original session ticket as well as sessions encrypted by the new session ticket. This alleviates the drop in the short handshake rate of the entire network caused by the hard ticket replacement method in the related technology, which improves the short handshake rate of the entire network, saves CPU consumption, and improves the security of cluster communication.
  • An embodiment of the present application further provides a session ticket processing apparatus, as shown in FIG. 4A, which is a schematic structural diagram of a session ticket processing apparatus. The device is applied to a server of a distributed cluster; the server is in communication connection with a preset management server, and the management server is configured to generate a session ticket and send the session ticket to each server of the distributed cluster.
  • the device includes a new session ticket receiving module 41, a session configuration update module 42, a primary and secondary key adjustment module 43 and an original session ticket deletion module 44 that are connected in sequence, wherein the functions of each module are as follows:
  • the new session ticket receiving module 41 is configured to receive the new session ticket sent by the management server;
  • The session configuration update module 42 is configured to update the session configuration, determine the original session ticket in the session configuration as the primary key, and determine the new session ticket as the secondary key; wherein the primary key and the secondary key are both set to decrypt the communication session, the master key is preferentially used to decrypt the communication session, and the master key is also set to encrypt communication sessions created after the new session ticket is received;
  • the primary and secondary key adjustment module 43 is configured to determine the new session ticket as the primary key and the original session ticket as the secondary key if receiving confirmation information that the distributed cluster has completed updating the session configuration;
  • the original session ticket deletion module 44 is configured to delete the original session ticket when the preset time arrives.
  • The session ticket processing device receives a new session ticket sent by the management server; updates the session configuration, determining the original session ticket in the session configuration as the primary key and the new session ticket as the secondary key, wherein the primary key and the secondary key are both set to decrypt the communication session, the primary key is preferentially used to decrypt the communication session, and the primary key is also set to encrypt communication sessions created after the new session ticket is received; if the confirmation message that the distributed cluster has completed updating the session configuration is received, determines the new session ticket as the primary key and the original session ticket as the secondary key; and when the preset time arrives, deletes the original session ticket.
  • the above communication session is one of a secure socket layer SSL session and a transport layer security TLS session.
  • the above-mentioned preset time is not less than the validity period of the original session ticket.
  • the above-mentioned apparatus further includes a session ticket mechanism enabling module 45 , which is set as a preset switch control for enabling the session ticket mechanism.
  • the above-mentioned apparatus further includes a communication connection request receiving module 46, which is configured to receive a communication connection request sent by the client, and the communication connection request carries a session ticket; the judgment and verification module 47, set to judge whether the session ticket is within the validity period; if it is judged that the session ticket is within the validity period, verify the session ticket through the master key; The client establishes a communication session.
  • the above judgment and verification module is further configured to verify the session ticket with the secondary key if it fails verification with the primary key, and to establish a communication session with the client if the session ticket passes verification with the secondary key.
  • FIG. 5 is a schematic structural diagram of the electronic device, wherein the electronic device includes a processor 51 and a memory 52, the memory 52 stores computer-executable instructions that can be executed by the processor 51, and the processor 51 executes the computer-executable instructions to implement the above session ticket processing method.
  • the electronic device further includes a bus 53 and a communication interface 54 , wherein the processor 51 , the communication interface 54 and the memory 52 are connected through the bus.
  • the memory 52 may include a high-speed random access memory (RAM), and may also include a non-volatile memory, such as at least one disk memory.
  • the communication connection between the network element of the system and at least one other network element is realized through at least one communication interface 54 (which may be wired or wireless), which may use the Internet, a wide area network, a local network, a metropolitan area network, and the like.
  • the bus can be an ISA bus, a PCI bus, an EISA bus, or the like.
  • the bus can be divided into an address bus, a data bus, a control bus, and the like. For ease of representation, only one bidirectional arrow is shown in FIG. 5, but it does not mean that there is only one bus or one type of bus.
  • the processor 51 may be an integrated circuit chip with signal processing capability. In the implementation process, each step of the above-mentioned method can be completed by a hardware integrated logic circuit in the processor 51 or an instruction in the form of software.
  • the above-mentioned processor 51 can be a general-purpose processor, including a central processing unit (CPU), a network processor (NP), etc.; it can also be a digital signal processor (DSP), an application specific integrated circuit (ASIC), a field-programmable gate array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, or a discrete hardware component.
  • a general purpose processor may be a microprocessor or the processor may be any conventional processor or the like.
  • the steps of the method disclosed in conjunction with the embodiments of the present application may be directly embodied as executed by a hardware decoding processor, or executed by a combination of hardware and software modules in the decoding processor.
  • the software modules may be located in random access memory, flash memory, read-only memory, programmable read-only memory or electrically erasable programmable memory, registers and other storage media mature in the art.
  • the storage medium is located in the memory, and the processor 51 reads the information in the memory 52, and completes the steps of the session ticket processing method in the foregoing embodiment in combination with its hardware.
  • Embodiments of the present application further provide a computer-readable storage medium in which computer-executable instructions are stored; when the computer-executable instructions are invoked and executed by a processor, they cause the processor to implement the session ticket processing method described above.
  • the session ticket processing method, session ticket processing apparatus, and computer program product of an electronic device provided by the embodiments of the present application include a computer-readable storage medium storing program codes, and the instructions included in the program codes can be configured to execute the preceding steps.
  • the specific implementation can refer to the method embodiment, which will not be repeated here.
  • the functions, if implemented in the form of software functional units and sold or used as stand-alone products, may be stored in a processor-executable non-volatile computer-readable storage medium.
  • the technical solution of the present application, in essence or in the part that contributes to the related art, can be embodied in the form of a software product.
  • the computer software product is stored in a storage medium and includes several instructions used to cause a computer device (which may be a personal computer, a server, a network device, or the like) to execute all or part of the steps of the methods described in the various embodiments of the present application.
  • the aforementioned storage medium includes a USB flash drive, a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk, an optical disk, or other media that can store program code.
  • the embodiments of the present application bring the following beneficial effects: the session ticket processing method, apparatus, electronic device and computer-readable storage medium provided by the embodiments receive a new session ticket sent by the management server; update the session configuration, determining the original session ticket in the session configuration as the primary key and the new session ticket as the secondary key, where both the primary key and the secondary key are set to decrypt the communication session, the primary key is used preferentially to decrypt the communication session, and the primary key is also set to encrypt communication sessions created after the new session ticket is received; if confirmation that the distributed cluster has completed updating the session configuration is received, the new session ticket is determined as the primary key and the original session ticket as the secondary key; and when the preset time arrives, the original session ticket is deleted.
  • during the replacement period a server holding both keys can decrypt sessions encrypted with the original session ticket and can also decrypt sessions encrypted with the new session ticket.
  • only after the preset time is the original session ticket deleted from the server, leaving only the new session ticket; this effectively alleviates the problem that, during a session ticket replacement, some sessions that still need the original session ticket for decryption cannot be decrypted after a hard replacement of the session ticket, which causes the short handshake rate of the entire network to plummet. The approach thus improves the short handshake rate of the entire network, saves CPU consumption, and improves the security of cluster communication.
  • the terms "installed", "connected" and "coupled" should be understood in a broad sense: for example, a connection may be fixed, detachable or integral; it may be mechanical or electrical; and it may be direct, indirect through an intermediate medium, or an internal communication between two components.
  • the present application is applied to the field of communication technology, and provides a session ticket processing method, apparatus, electronic device and computer-readable storage medium which can improve the short handshake rate of the entire distributed cluster network, reduce CPU consumption, and improve the security of cluster communication.

Abstract

The present application relates to the technical field of communications. Provided are a session ticket processing method and apparatus, an electronic device, and a computer-readable storage medium. The method comprises: receiving a new session ticket sent by a management server; updating the session configuration, determining an original session ticket in the session configuration to be a primary key, and determining the new session ticket to be a secondary key, wherein both the primary key and the secondary key are configured to decrypt a communication session, the primary key is used preferentially to decrypt the communication session, and the primary key is further configured to encrypt a communication session created after the new session ticket is received; if acknowledgement information indicating that a distributed cluster has completed the update of the session configuration is received, determining the new session ticket as the primary key and the original session ticket as the secondary key; and deleting the original session ticket when a preset time is reached. According to the session ticket processing method provided by the present application, the short handshake rate of the whole network can be improved, CPU consumption is saved, and the security of cluster communication is improved.

Description

Method, apparatus, electronic device and computer-readable storage medium for processing session tickets
CROSS-REFERENCE TO RELATED APPLICATIONS
This application claims priority to Chinese Patent Application No. 202010754910.4, entitled "Method, Apparatus and Electronic Device for Processing Session Tickets", filed with the China Patent Office on July 30, 2020, the entire contents of which are incorporated herein by reference.
Technical field
The present application relates to the field of communication technology, and in particular to a session ticket processing method, apparatus, electronic device and computer-readable storage medium.
Background art
As HTTPS (Hyper Text Transfer Protocol over Secure Socket Layer) access accounts for an ever larger proportion of Internet access, reducing the CPU consumption caused by HTTPS has become an important topic for a CDN (Content Delivery Network). This requires raising the short handshake rate (the rate at which connections resume an earlier session instead of performing a full handshake), and one very important way to do so is the session ticket mechanism for short handshakes.
At present, Nginx, the web server used in distributed clusters, supports a distributed session ticket mechanism but does not support a distributed session identifier (session id) mechanism. In practice, when the old session ticket on a web server reaches the configured security period, a new session ticket must be obtained. If the new session ticket directly replaces the old one, then because the servers in the cluster replace their session tickets at different times, two communication connection requests from the same client during the replacement period may reach two different servers. If the session tickets on those two servers are inconsistent, the client can perform a short handshake with one server but not with the other. This situation causes the short handshake rate of the entire network to plummet and increases server CPU consumption.
Overall, the way session tickets are deployed in related distributed clusters reduces the short handshake rate of the entire cluster network, increases server CPU consumption, and reduces the security of cluster communication.
SUMMARY OF THE INVENTION
In view of this, the purpose of the present application is to provide a session ticket processing method, apparatus, electronic device and computer-readable storage medium that can improve the short handshake rate of the entire distributed cluster network, reduce CPU consumption, and improve the security of cluster communication.
In a first aspect, an embodiment of the present application provides a session ticket processing method applied to a server in a distributed cluster. The server is communicatively connected to a preset management server, and the management server is configured to generate a session ticket and send it to each server of the distributed cluster. The method includes: receiving a new session ticket sent by the management server; updating the session configuration, determining the original session ticket in the session configuration as the primary key and the new session ticket as the secondary key, wherein both the primary key and the secondary key are configured to decrypt communication sessions, the primary key is used preferentially to decrypt communication sessions, and the primary key is further configured to encrypt communication sessions created after the new session ticket is received; if confirmation information that the distributed cluster has completed updating the session configuration is received, determining the new session ticket as the primary key and the original session ticket as the secondary key; and deleting the original session ticket when a preset time is reached.
In one embodiment, the communication session is one of a Secure Sockets Layer (SSL) session and a Transport Layer Security (TLS) session.
In one embodiment, the preset time is not less than the validity period of the original session ticket.
In one embodiment, before the step of receiving the new session ticket sent by the management server, the method further includes: turning on a preset switch control that enables the session ticket mechanism.
In one embodiment, the server is communicatively connected to a preset client, and the method further includes: receiving a communication connection request sent by the client, the communication connection request carrying a session ticket; judging whether the session ticket is within its validity period; if the session ticket is within its validity period, verifying the session ticket with the primary key; and if the session ticket passes verification with the primary key, establishing a communication session with the client.
In one embodiment, the method further includes: if the session ticket fails verification with the primary key, verifying the session ticket with the secondary key; and if the session ticket passes verification with the secondary key, establishing a communication session with the client.
In a second aspect, an embodiment of the present application further provides a session ticket processing apparatus applied to a server in a distributed cluster. The server is communicatively connected to a preset management server, and the management server is configured to generate a session ticket and send it to each server of the distributed cluster. The apparatus includes: a new session ticket receiving module, configured to receive a new session ticket sent by the management server; a session configuration update module, configured to update the session configuration, determining the original session ticket in the session configuration as the primary key and the new session ticket as the secondary key, wherein both the primary key and the secondary key are configured to decrypt communication sessions, the primary key is used preferentially to decrypt communication sessions, and the primary key is further configured to encrypt communication sessions created after the new session ticket is received; a primary and secondary key adjustment module, configured to determine the new session ticket as the primary key and the original session ticket as the secondary key if confirmation information that the distributed cluster has completed updating the session configuration is received; and an original session ticket deletion module, configured to delete the original session ticket when a preset time is reached.
In one embodiment, the communication session is one of a Secure Sockets Layer (SSL) session and a Transport Layer Security (TLS) session.
In one embodiment, the apparatus further includes a session ticket mechanism enabling module, configured to turn on a preset switch control that enables the session ticket mechanism.
In one embodiment, the server is communicatively connected to a preset client, and the apparatus further includes: a communication connection request receiving module, configured to receive a communication connection request sent by the client, the communication connection request carrying a session ticket; and a judgment and verification module, configured to judge whether the session ticket is within its validity period, to verify the session ticket with the primary key if it is, and to establish a communication session with the client if the session ticket passes verification with the primary key.
In one embodiment, the judgment and verification module is further configured to verify the session ticket with the secondary key if the session ticket fails verification with the primary key, and to establish a communication session with the client if the session ticket passes verification with the secondary key.
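The rotation and verification order described in the first and second aspects, as an added Python simulation that is not part of the patent and not Nginx's implementation. The `seal`/`unseal` functions and the ticket layout are a constructed stand-in for the AEAD with which a real TLS server protects ticket state, and the key values, timestamps and session state are made up; a hard-replaced server from the background art is included for comparison.

```python
# Added simulation of the primary/secondary ticket-key rotation; not patent or Nginx code.
import hashlib
import hmac
import os

TICKET_VALIDITY = 300                 # seconds; the typical validity the page cites
NONCE_LEN, EXP_LEN, TAG_LEN = 12, 8, 32


def _stream(key: bytes, nonce: bytes, n: int) -> bytes:
    """Keystream for the constructed stand-in cipher (a real server would use an AEAD)."""
    return hashlib.shake_256(key + nonce).digest(n)


def seal(key: bytes, state: bytes, now: int) -> bytes:
    """Issue a ticket under `key`: nonce || expiry || enc(state) || HMAC-SHA256 tag."""
    nonce = os.urandom(NONCE_LEN)
    expiry = (now + TICKET_VALIDITY).to_bytes(EXP_LEN, "big")
    enc = bytes(a ^ b for a, b in zip(state, _stream(key, nonce, len(state))))
    body = nonce + expiry + enc
    return body + hmac.new(key, body, hashlib.sha256).digest()


def ticket_expiry(ticket: bytes) -> int:
    """Expiry is carried in the clear (but authenticated) so it can be checked first."""
    return int.from_bytes(ticket[NONCE_LEN:NONCE_LEN + EXP_LEN], "big")


def unseal(key: bytes, ticket: bytes):
    """Return the session state if the tag verifies under `key`, otherwise None."""
    body, tag = ticket[:-TAG_LEN], ticket[-TAG_LEN:]
    if not hmac.compare_digest(hmac.new(key, body, hashlib.sha256).digest(), tag):
        return None
    nonce, enc = body[:NONCE_LEN], body[NONCE_LEN + EXP_LEN:]
    return bytes(a ^ b for a, b in zip(enc, _stream(key, nonce, len(enc))))


class ClusterServer:
    """One cluster server holding a primary key and an optional secondary key."""

    def __init__(self, original_key: bytes):
        self.primary = original_key
        self.secondary = None
        self.delete_at = None

    def receive_new_ticket(self, new_key: bytes) -> None:
        """Steps S202/S204: the original ticket stays primary, the new one becomes secondary."""
        self.secondary = new_key

    def cluster_update_confirmed(self, now: int, preset_time: int = TICKET_VALIDITY) -> None:
        """Whole cluster updated: swap roles and schedule deletion of the original key."""
        assert preset_time >= TICKET_VALIDITY   # must outlive tickets issued under the old key
        self.primary, self.secondary = self.secondary, self.primary
        self.delete_at = now + preset_time

    def tick(self, now: int) -> None:
        """Delete the original session ticket once the preset time has arrived."""
        if self.delete_at is not None and now >= self.delete_at:
            self.secondary, self.delete_at = None, None

    def issue_ticket(self, state: bytes, now: int) -> bytes:
        """Sessions created after the update are always encrypted with the primary key."""
        return seal(self.primary, state, now)

    def resume(self, ticket: bytes, now: int):
        """Validity check, then primary key, then secondary key.
        Returns (state, key_used) or (None, reason) when a full handshake is needed."""
        if now > ticket_expiry(ticket):
            return None, "expired"
        for label, key in (("primary", self.primary), ("secondary", self.secondary)):
            if key is not None:
                state = unseal(key, ticket)
                if state is not None:
                    return state, label
        return None, "unverified"


def simulate_rotation() -> dict:
    """Drive two servers through a rotation and record which key resumed each ticket."""
    old_key, new_key = os.urandom(32), os.urandom(32)
    state = b"resumption-secret"                    # constructed session state
    fast, slow = ClusterServer(old_key), ClusterServer(old_key)
    t = 1_000_000
    ticket_old = fast.issue_ticket(state, t)
    fast.receive_new_ticket(new_key)                # `slow` has not received it yet
    ticket_mid = fast.issue_ticket(state, t + 10)   # still sealed with the primary (old) key
    out = {"mid_on_slow": slow.resume(ticket_mid, t + 20)[1]}
    # Background-art behaviour for comparison: a server that hard-replaced its key.
    hard = ClusterServer(new_key)
    out["old_on_hard_replaced"] = hard.resume(ticket_old, t + 20)[1]
    slow.receive_new_ticket(new_key)
    for s in (fast, slow):
        s.cluster_update_confirmed(t + 30)
    ticket_new = fast.issue_ticket(state, t + 40)
    out["old_after_swap"] = slow.resume(ticket_old, t + 50)[1]   # decrypted via secondary
    out["new_after_swap"] = slow.resume(ticket_new, t + 50)[1]   # decrypted via primary
    for s in (fast, slow):
        s.tick(t + 30 + TICKET_VALIDITY)            # preset time reached: original key gone
    out["old_after_delete"] = slow.resume(ticket_old, t + 30 + TICKET_VALIDITY)[1]
    return out
```

Because the preset time is not shorter than the ticket validity, every ticket sealed under the original key has expired by the time that key is deleted, so deletion never forces a full handshake that the dual-key window would have avoided.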
In a third aspect, an embodiment of the present application further provides an electronic device including a processor and a memory, the memory storing computer-executable instructions that can be executed by the processor, and the processor executing the computer-executable instructions to implement the above session ticket processing method.
In a fourth aspect, an embodiment of the present application further provides a computer-readable storage medium storing computer-executable instructions which, when invoked and executed by a processor, cause the processor to implement the above session ticket processing method.
Other features and advantages of the present application will be set forth in the description that follows, or some of them may be inferred or unambiguously determined from the description, or learned by practicing the techniques of the present application described above.
In order to make the above objects, features and advantages of the present application clearer and easier to understand, preferred embodiments are set out below and described in detail with reference to the accompanying drawings.
Description of drawings
In order to more clearly illustrate the technical solutions of the specific embodiments of the present application or of the related art, the drawings needed in describing the specific embodiments or the related art are briefly introduced below. Obviously, the drawings in the following description show some embodiments of the present application, and those of ordinary skill in the art can obtain other drawings from them without creative effort.
FIG. 1 is a schematic diagram of an application scenario of session communication by means of session tickets, provided by an embodiment of the present application;
FIG. 2 is a schematic flowchart of a session ticket processing method provided by an embodiment of the present application;
FIG. 3 is a schematic flowchart of another session ticket processing method provided by an embodiment of the present application;
FIG. 4A is a schematic structural diagram of a session ticket processing apparatus provided by an embodiment of the present application;
FIG. 4B is a schematic structural diagram of another session ticket processing apparatus provided by an embodiment of the present application;
FIG. 5 is a schematic structural diagram of an electronic device provided by an embodiment of the present application.
Reference numerals: 100 - cluster server; 200 - management server; 300 - client; 41 - new session ticket receiving module; 42 - session configuration update module; 43 - primary and secondary key adjustment module; 44 - original session ticket deletion module; 51 - processor; 52 - memory; 53 - bus; 54 - communication interface.
Detailed description
In order to make the objects, technical solutions and advantages of the embodiments of the present application clearer, the technical solutions of the present application are described clearly and completely below with reference to the accompanying drawings. Obviously, the described embodiments are some, not all, of the embodiments of the present application. All other embodiments obtained by those of ordinary skill in the art on the basis of the embodiments in the present application without creative effort fall within the scope of protection of the present application.
A session is an uninterrupted sequence of requests and responses between a client and a server; for each request from the client, the server is able to recognise that the request comes from the same client. A session begins when an unknown client sends its first request to a web application, and ends when the client explicitly ends it or the server receives no request from the client within a predefined time limit.
In a web-based e-commerce environment, before the server allows a client to access protected resources within a website, the server usually implements authentication and/or authorization services in the form of a guard gate. The security processing performed by these authentication and authorization services can be divided into the following two phases.
In the first phase, the client and the server establish a secure communication session, such as a Secure Sockets Layer (SSL) session. This can include a certificate and key exchange between the client and the remote server in order to establish a trust relationship and to negotiate the key and cipher that will be used to encrypt messages in the SSL session. Many websites use the SSL protocol in their authentication services. SSL and its successors, such as Transport Layer Security (TLS), are widely used protocols for establishing a secure connection from a client to a server in order to prevent message forgery, data tampering and eavesdropping. The SSL handshake protocol lets the client and server negotiate encryption algorithms and keys before the application protocol sends or receives its first byte of data. In this way, the SSL handshake provides a secure communication session or connection that higher network layers can use for secure communication, including the subsequent transmission of credential information for later authentication or authorization operations.
In the second phase, after the secure communication session has been established, credential information is transmitted from the client to the server for subsequent authentication or authorization operations. For example, after the SSL session is established, the server asks the client for user credentials, the client supplies them, and the server then verifies the user credentials in a subsequent authentication or authorization operation. Based on the verification of the user credentials, the server either allows or blocks the client's access to protected resources.
In practice, the session identifier (session id) and the session ticket are two mechanisms for short handshakes. The session id is usually used in single-server mode, whereas if the same ticket is deployed across the entire cluster network, distributed session tickets can be achieved.
FIG. 1 is a schematic diagram of an application scenario of session communication by means of session tickets, in which the cluster server 100 is communicatively connected to the client 300 and to the management server 200, and the management server 200 is configured to generate session tickets and send them to the cluster server 100. In the embodiment shown in FIG. 1, when the client 300 needs to access data resources on the cluster server 100, a secure communication session is first established between the client 300 and the cluster server 100, specifically through the two phases described above, and the server authenticates the client 300 by means of the session ticket provided by the client 300, so as to allow or block fast access by the client 300 to the requested resource.
In one possible implementation, the management server 200 may be Nginx, a high-performance HTTP and reverse-proxy web server; Nginx supports distributed session tickets but does not support distributed session ids. In practice, a session ticket that is used indefinitely runs the risk of being cracked, so the session ticket used in session communication needs to be updated and replaced.
Considering that the way session tickets are deployed in related distributed clusters reduces the short handshake rate of the entire cluster network, increases server CPU consumption and reduces the security of cluster communication, the embodiments of the present application provide a session ticket processing method, apparatus and electronic device; the technique can be applied in any scenario where session tickets need to be updated. To facilitate understanding of this embodiment, the session ticket processing method disclosed in the embodiments of the present application is first described in detail.
参见图2所示,为一种会话票证的处理方法的流程示意图,其中,该方法应用于分布式集群的服务器,该服务器与预设的管理服务器通信连接,并且,该管理服务器设置为生成会话票证,以及将该会话票证发送至该分布式集群的各台服务器。由图2可见,该方法包括以下步骤:Referring to FIG. 2, it is a schematic flowchart of a method for processing session tickets, wherein the method is applied to a server in a distributed cluster, the server is in communication connection with a preset management server, and the management server is configured to generate a session ticket, and send the session ticket to each server in the distributed cluster. As can be seen from Figure 2, the method includes the following steps:
步骤S202:接收该管理服务器发送的新会话票证。Step S202: Receive a new session ticket sent by the management server.
对于分布式集群中的服务器,其从管理服务器获取会话票证,该会话票证设置为对集群服务器和客户端之间建立的通信会话进行加密和解密。通常,管理服务器在生成会话票证时,设定该会话票证对应的有效期,通常设定为300秒,在会话票证的有效期内,集群服务器可以通过客户端提供的有效会话票证快速认证客户端的身份,如果验证通过,则建立会话通信,从而实现简短握手,快速建立通信会话。如果没有验证通过,例如该会话票证超过了有效期,则客户端无法与集群服务器快速建立通信会话,而需要通过完整握手过程以建立通信会话,在完整握手过程中,客户端会从集群服务器重新获取会话票证,并在该新获取的会话票证的有效期内,可以再次和集群服务器实现简短握手。For a server in a distributed cluster, it obtains a session ticket from the management server, which is set to encrypt and decrypt the communication session established between the cluster server and the client. Usually, when generating a session ticket, the management server sets the validity period corresponding to the session ticket, which is usually set to 300 seconds. During the validity period of the session ticket, the cluster server can quickly authenticate the identity of the client through the valid session ticket provided by the client. If the verification is passed, session communication is established, so as to realize a brief handshake and quickly establish a communication session. If the verification fails, for example, the session ticket has expired, the client cannot quickly establish a communication session with the cluster server, and needs to go through a complete handshake process to establish a communication session. During the complete handshake process, the client will re-obtain from the cluster server. Session ticket, and within the validity period of the newly obtained session ticket, a brief handshake can be implemented with the cluster server again.
In practice, to mitigate the risk of compromise that arises when cluster servers use the same session ticket for a long time, the session tickets of the whole cluster network are usually renewed within a certain period. That renewal period is also called the security period of the session ticket; it may be a month, half a month, a week or some other interval, and its length can be adjusted flexibly to the needs of the actual deployment.
In one application scenario, when the session ticket on the cluster servers needs to be replaced, the management server generates a new session ticket and issues the original session ticket and the new session ticket together to each server in the cluster. The cluster server receives the original session ticket and the new session ticket issued by the management server.
Step S204: update the session configuration, designating the original session ticket in the session configuration as the primary key and the new session ticket as the secondary key; both the primary key and the secondary key are configured to decrypt communication sessions, the primary key is used in preference for decryption, and the primary key is further configured to encrypt communication sessions created after the new session ticket was received.
The communication session may be a Secure Sockets Layer (SSL) session or a Transport Layer Security (TLS) session. Both SSL and TLS are security protocols that provide confidentiality and data integrity for network communication; they encrypt the network connection between the transport layer and the application layer.
In this embodiment the cluster server replaces the session ticket already present on the server with the received tickets, that is, it retains the original session ticket and appends the newly received session ticket after it, so that two session tickets are stored on the cluster server at the same time.
Here the original session ticket in the session configuration is designated the primary key and the new session ticket the secondary key. When the cluster server establishes a communication session with a client, it uses the primary key to encrypt sessions created after the new session ticket was received; that is, if a session ticket has to be sent to the client, the original session ticket is still sent, and newly created sessions are still encrypted with the original session ticket. Likewise, if client data received in a communication session has to be decrypted, the primary key is used first, which at this stage still means decrypting with the original session ticket.
Step S206: if confirmation is received that the distributed cluster has finished updating the session configuration, designate the new session ticket as the primary key and the original session ticket as the secondary key.
A distributed cluster usually contains a large number of servers, and during a ticket replacement the times at which the individual servers receive the new session ticket from the management server and update their configuration differ. When a cluster server has finished updating its session configuration it returns a message to the management server reporting that the update is complete; once the management server has confirmed that every server in the cluster has finished updating its session configuration, it notifies the servers in the cluster. When a server in the cluster receives the confirmation that the distributed cluster has finished updating the session configuration, it designates the new session ticket as the primary key and the original session ticket as the secondary key.
That is, each cluster server still stores two session tickets at this point, but the two session tickets (the keys) have been rotated: the new session ticket is now the primary key and the original session ticket the secondary key. After the key rotation, if a session ticket has to be sent to the client, the new session ticket is sent, so that sessions created from then on are encrypted with the new session ticket; and if client data received in a subsequent session has to be decrypted, the new session ticket is tried first, and only if that decryption fails is the original session ticket used.
Step S208: when the preset time is reached, delete the original session ticket.
Because sessions created before the key rotation were still encrypted with the original session ticket, some of those sessions may not have ended when the rotation takes place. The original session ticket therefore still has to be kept so that those sessions can be decrypted, ensuring that during this period clients can still complete an abbreviated handshake with the cluster server using the original session ticket.
Once all sessions encrypted with the original session ticket have ended, the original session ticket can be deleted. In this embodiment a preset time is configured to trigger the deletion. In at least one possible implementation the preset time is not shorter than the validity period of the original session ticket. For example, if the original session ticket is valid for 300 seconds, it is deleted no earlier than 300 seconds after the key rotation; the preset time may be set to 305 seconds or any other value greater than 300 seconds, without limitation here.
After the original session ticket has been deleted, only the new session ticket remains on the cluster server, and communication sessions are encrypted and decrypted with that ticket alone until the next round of session ticket replacement is triggered, at which point steps S202 to S208 are carried out again.
Compared with the conventional hard replacement, in which the new session ticket directly replaces the original one, the session ticket handling of this embodiment allows sessions that are still in progress and are encrypted and decrypted with the original session ticket to keep completing abbreviated handshakes normally while the tickets on the cluster servers are being replaced, which effectively mitigates the sharp drop in the network-wide abbreviated handshake rate caused by hard replacement of old and new session tickets.
The session ticket processing method provided by the embodiments of this application receives the new session ticket sent by the management server; updates the session configuration, designating the original session ticket in the session configuration as the primary key and the new session ticket as the secondary key, where both keys are configured to decrypt communication sessions, the primary key is used for decryption in preference, and the primary key is further configured to encrypt sessions created after the new session ticket was received; designates the new session ticket as the primary key and the original session ticket as the secondary key once confirmation is received that the distributed cluster has finished updating the session configuration; and deletes the original session ticket when the preset time is reached. In this approach a uniform session ticket is deployed across the whole distributed cluster, so that different requests from the same client sent to different servers can all complete an abbreviated handshake, which raises the abbreviated handshake rate. Moreover, during ticket replacement the new session ticket is added on the cluster servers while the original session ticket is retained, so sessions encrypted with the original session ticket as well as sessions encrypted with the new one can be decrypted; only after all sessions encrypted with the original session ticket have ended is the original session ticket deleted from the servers, leaving only the new one. This effectively mitigates the problem that, with hard replacement of the session ticket, some sessions cannot be decrypted during the replacement because they need the original session ticket, causing the network-wide abbreviated handshake rate to drop sharply; it raises the network-wide abbreviated handshake rate, saves CPU consumption, and improves the security of cluster communication.
Building on the session ticket processing method shown in FIG. 2, this embodiment further describes how, during session ticket replacement, a cluster server encrypts and decrypts communication sessions with the original session ticket and the new session ticket. Referring to FIG. 3, which is a schematic flowchart of another session ticket processing method: the method is applied to a server in a distributed cluster, the server is communicatively connected to a preset management server, and the management server is configured to generate a session ticket and send it to each server in the distributed cluster. As FIG. 3 shows, the method includes the following steps:
Step S302: receive a communication connection request sent by a client, the request carrying a session ticket.
In this embodiment the management server issues a uniform session ticket to the whole cluster network, so a session ticket that a client obtained from one cluster server can equally be used for an abbreviated handshake with another cluster server.
Step S304: determine whether the session ticket is within its validity period; if it is, proceed to step S306, and if it is not, proceed to step S316.
When the cluster server receives a client's connection request, it checks whether the session ticket carried in the request is within its validity period; if it is, the session ticket is verified with the server's primary key. If this happens before the key rotation, the primary key is the original session ticket, i.e. the session ticket is verified with the original session ticket to check that it conforms to the session rules; if it happens after the key rotation, the ticket is verified with the new session ticket.
If the session ticket is not within its validity period, a session ticket error notification is returned to the client.
Step S306: verify the session ticket with the primary key.
That is, the session ticket is decrypted with the primary key to check whether it conforms to the session rules.
Step S308: determine whether verification of the session ticket with the primary key succeeded; if it did, proceed to step S314; if it did not, proceed to step S310.
If verification of the session ticket with the primary key succeeds, a communication session is established with the client, completing an abbreviated handshake; if it fails, the session ticket must additionally be verified with the secondary key.
Take, for example, a connection request received after the key rotation but before the original session ticket has been deleted: at that point the primary key is the new session ticket and the secondary key is the original session ticket. If the session ticket carried in the connection request is the new session ticket, verification with the primary key succeeds; if it is the original session ticket, verification with the primary key fails and the ticket must then be verified with the secondary key.
Step S310: verify the session ticket with the secondary key.
That is, the session ticket is decrypted with the secondary key to check whether it conforms to the session rules.
Step S312: determine whether verification of the session ticket with the secondary key succeeded; if it did, proceed to step S314; if it did not, proceed to step S316.
If verification with the secondary key succeeds, a communication session is established with the client, completing an abbreviated handshake; if it fails, a session ticket error notification is returned to the client, and the client must then perform a full handshake to establish a communication session.
Step S314: establish a communication session with the client.
Once the cluster server and the client have established a communication session, the client can access data resources on the cluster server and perform other operations.
Step S316: return a session ticket error notification to the client.
If the session ticket carried in the connection request has passed its validity period or does not conform to the session rules, a session ticket error notification is returned to the client, and the client must then perform a full handshake to establish a communication session with the cluster server.
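The two procedures above, the ticket replacement of steps S202 to S208 and the resumption check of steps S302 to S316, carried through as one added Python example. This is illustrative code written for this page, not the patent's own implementation or any product's: the ticket layout (16-byte key name, expiry, nonce, ciphertext, HMAC tag), the split of a 48-byte key into name, cipher secret and MAC secret, the HMAC-SHA256 counter keystream standing in for a real cipher, and all class, function and sample names are assumptions; the 300-second validity period and the 305-second deletion delay are the values the text gives.

```python
import hashlib
import hmac
import os
import struct

TICKET_LIFETIME = 300   # seconds: the usual ticket validity period given in the text

class TicketKey:
    """One 48-byte ticket key, split like the 48-byte file generated on the page
    (assumed layout): 16 bytes key name, 16 bytes cipher secret, 16 bytes MAC secret."""
    def __init__(self, raw):
        if len(raw) != 48:
            raise ValueError("ticket key must be 48 bytes")
        self.name, self.enc, self.mac = raw[:16], raw[16:32], raw[32:48]

def _keystream(secret, nonce, length):
    # Constructed HMAC-SHA256 counter keystream, used only so the example runs on the
    # standard library; a real ticket uses AES. The rotation logic is the point here.
    out, ctr = b"", 0
    while len(out) < length:
        out += hmac.new(secret, nonce + struct.pack(">I", ctr), hashlib.sha256).digest()
        ctr += 1
    return out[:length]

def seal(key, state, now):
    """Issue a ticket: key name || expiry || nonce || ciphertext || HMAC tag."""
    nonce = os.urandom(16)
    header = key.name + struct.pack(">Q", now + TICKET_LIFETIME) + nonce
    body = bytes(a ^ b for a, b in zip(state, _keystream(key.enc, nonce, len(state))))
    tag = hmac.new(key.mac, header + body, hashlib.sha256).digest()
    return header + body + tag

def ticket_expiry(ticket):
    return struct.unpack(">Q", ticket[16:24])[0]

def open_ticket(key, ticket):
    """Verify and decrypt with one key; None if this key did not seal the ticket."""
    if len(ticket) < 72 or ticket[:16] != key.name:
        return None
    header, body, tag = ticket[:40], ticket[40:-32], ticket[-32:]
    if not hmac.compare_digest(tag, hmac.new(key.mac, header + body, hashlib.sha256).digest()):
        return None
    return bytes(a ^ b for a, b in zip(body, _keystream(key.enc, header[24:40], len(body))))

class ClusterServer:
    """Session configuration of one cluster server across steps S202 to S208."""
    def __init__(self, key):
        self.primary = key      # encrypts new sessions and is tried first on decryption
        self.secondary = None   # decrypt-only
        self.delete_at = None

    def receive_new_ticket(self, new_key):
        # S202/S204: the original ticket stays primary, the new one becomes secondary
        self.secondary = new_key

    def cluster_update_confirmed(self, now, preset_delay=305):
        # S206: rotate roles; the deletion delay must not be shorter than the ticket lifetime
        if preset_delay < TICKET_LIFETIME:
            raise ValueError("preset time must be at least the ticket validity period")
        self.primary, self.secondary = self.secondary, self.primary
        self.delete_at = now + preset_delay

    def tick(self, now):
        # S208: drop the original ticket once the preset time has been reached
        if self.delete_at is not None and now >= self.delete_at:
            self.secondary, self.delete_at = None, None

    def issue(self, state, now):
        return seal(self.primary, state, now)

    def resume(self, ticket, now):
        """Steps S302 to S316: returns (outcome, decrypted state or None)."""
        if len(ticket) < 72 or now > ticket_expiry(ticket):
            return "expired", None                       # S304 -> S316
        for label, key in (("primary", self.primary), ("secondary", self.secondary)):
            if key is not None:
                state = open_ticket(key, ticket)
                if state is not None:
                    return "resumed_" + label, state     # S308/S312 -> S314
        return "invalid", None                           # S312 -> S316

def walkthrough():
    """One replacement cycle with constructed keys and times; returns the outcomes seen."""
    old, new, foreign = (TicketKey(os.urandom(48)) for _ in range(3))
    srv, t0 = ClusterServer(old), 1_000_000
    before = srv.issue(b"session-A", t0)                # sealed with the original ticket
    srv.receive_new_ticket(new)
    out = {"old_ticket_before_rotation": srv.resume(before, t0 + 15)[0]}
    srv.cluster_update_confirmed(t0 + 20)
    after = srv.issue(b"session-B", t0 + 30)            # sealed with the new ticket
    out["old_ticket_after_rotation"] = srv.resume(before, t0 + 40)[0]
    out["new_ticket_after_rotation"] = srv.resume(after, t0 + 40)[0]
    out["foreign_ticket"] = srv.resume(seal(foreign, b"x", t0 + 40), t0 + 40)[0]
    srv.tick(t0 + 20 + 305)                             # original ticket deleted
    out["old_ticket_after_deletion"] = srv.resume(before, t0 + 325)[0]
    out["new_ticket_expired"] = srv.resume(after, t0 + 331)[0]
    return out
```

In the walkthrough a ticket sealed with the original key is resumed with the primary key before the rotation and with the secondary key after it, while a ticket from a key the server never held is rejected outright. Because the preset deletion delay is at least the ticket lifetime, every ticket sealed with the original key has already expired by the time that key is removed, which is why the post-deletion outcome is "expired" rather than "invalid"; a shorter delay would turn some still-valid tickets into full handshakes, which is exactly the handshake-rate drop the text describes.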
In at least one possible implementation a switch control may also be provided on the cluster server to enable or disable the session ticket mechanism; when the switch is on, the session ticket processing method of the foregoing embodiments is executed. For example, distributed session tickets can be configured in the Nginx service with the following directives:
ssl_session_tickets    on;
ssl_session_ticket_key ticket.key;
Here ticket.key is the session ticket key file, generated with:
openssl rand -out ticket.key 48
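The Nginx directives above list a single key file. How the three phases of the replacement map onto Nginx's own multi-key handling, as an added Python example that is not part of the patent or of Nginx: when several ssl_session_ticket_key files are listed, Nginx uses the first to encrypt and decrypt and the others to decrypt only, and it accepts key files of 48 or 80 bytes, so the listing order carries the primary/secondary roles of steps S204, S206 and S208. The file paths, the phase names and the function names are assumptions made for illustration.

```python
import os
import tempfile

# Listing order of ssl_session_ticket_key for each phase of the replacement:
# the first file encrypts and decrypts, later files decrypt only (documented
# Nginx behaviour), so the order expresses the primary/secondary roles.
PHASES = {
    "received": ("old", "new"),   # S204: original ticket primary, new ticket secondary
    "rotated": ("new", "old"),    # S206: new ticket primary, original ticket decrypt-only
    "deleted": ("new",),          # S208: original ticket removed
}

def generate_key_file(path, size=48):
    """Equivalent of `openssl rand -out ticket.key 48`, written owner-read-only."""
    if size not in (48, 80):
        raise ValueError("Nginx ticket key files must be 48 or 80 bytes")
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(os.urandom(size))
    return path

def check_key_file(path):
    """Reject key files Nginx would refuse (wrong size) or that other users can read."""
    st = os.stat(path)
    if st.st_size not in (48, 80):
        raise ValueError(f"{path}: {st.st_size} bytes, expected 48 or 80")
    if st.st_mode & 0o077:
        raise PermissionError(f"{path}: key file readable by group or others")
    return st.st_size

def render_directives(phase, paths):
    """Return the ssl_session_ticket_key directives for one phase; paths maps
    the roles 'old' and 'new' to key file paths."""
    lines = ["ssl_session_tickets on;"]
    for role in PHASES[phase]:
        lines.append(f"ssl_session_ticket_key {paths[role]};")
    return "\n".join(lines)

def demo():
    """Generate two keys in a temporary directory (constructed sample data) and
    render the directives for each phase of the replacement."""
    d = tempfile.mkdtemp()
    paths = {"old": generate_key_file(os.path.join(d, "ticket.key")),
             "new": generate_key_file(os.path.join(d, "ticket.new.key"))}
    for p in paths.values():
        check_key_file(p)
    return {phase: render_directives(phase, paths) for phase in PHASES}
```

Each phase change is a configuration reload rather than a restart, and the "deleted" rendering is what remains once the preset time of step S208 has passed; until then the original key stays listed so that tickets sealed with it are still accepted.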
In the session ticket processing method of this embodiment, both the original and the new session ticket are kept on the cluster server during ticket replacement, so sessions encrypted with the original session ticket and sessions encrypted with the new session ticket can both be decrypted. This mitigates the sharp drop in the network-wide abbreviated handshake rate caused by the hard ticket replacement of the related art, raises the network-wide abbreviated handshake rate, saves CPU consumption, and improves the security of cluster communication.
Corresponding to the session ticket processing method shown in FIG. 2, an embodiment of this application further provides a session ticket processing apparatus. FIG. 4A is a schematic structural diagram of such an apparatus, which is applied to a server in a distributed cluster; the server is communicatively connected to a preset management server, and the management server is configured to generate a session ticket and send it to each server in the distributed cluster.
As FIG. 4A shows, the apparatus includes, connected in sequence, a new session ticket receiving module 41, a session configuration update module 42, a primary/secondary key adjustment module 43 and an original session ticket deletion module 44, whose functions are as follows:
the new session ticket receiving module 41 is configured to receive the new session ticket sent by the management server;
the session configuration update module 42 is configured to update the session configuration, designating the original session ticket in the session configuration as the primary key and the new session ticket as the secondary key, where both the primary key and the secondary key are configured to decrypt communication sessions, the primary key is used for decryption in preference, and the primary key is further configured to encrypt communication sessions created after the new session ticket was received;
the primary/secondary key adjustment module 43 is configured to designate the new session ticket as the primary key and the original session ticket as the secondary key if confirmation is received that the distributed cluster has finished updating the session configuration;
the original session ticket deletion module 44 is configured to delete the original session ticket when the preset time is reached.
The session ticket processing apparatus provided by the embodiments of this application receives the new session ticket sent by the management server; updates the session configuration, designating the original session ticket in the session configuration as the primary key and the new session ticket as the secondary key, where both keys are configured to decrypt communication sessions, the primary key is used for decryption in preference, and the primary key is further configured to encrypt sessions created after the new session ticket was received; designates the new session ticket as the primary key and the original session ticket as the secondary key once confirmation is received that the distributed cluster has finished updating the session configuration; and deletes the original session ticket when the preset time is reached. In this apparatus a uniform session ticket is deployed across the whole distributed cluster, and during ticket replacement the new session ticket is added on the cluster servers while the original session ticket is retained, so sessions encrypted with the original session ticket as well as sessions encrypted with the new one can be decrypted; only after all sessions encrypted with the original session ticket have ended is the original session ticket deleted from the servers, leaving only the new one. This effectively mitigates the problem that, with hard replacement of the session ticket, some sessions cannot be decrypted during the replacement because they need the original session ticket, causing the network-wide abbreviated handshake rate to drop sharply; it raises the network-wide abbreviated handshake rate, saves CPU consumption, and improves the security of cluster communication.
In one possible implementation the communication session is one of a Secure Sockets Layer (SSL) session and a Transport Layer Security (TLS) session.
In another possible implementation the preset time is not shorter than the validity period of the original session ticket.
In another possible implementation, as FIG. 4B shows, the apparatus further includes a session ticket mechanism enabling module 45, configured as a preset switch control that enables the session ticket mechanism.
In another possible implementation, as FIG. 4B shows, the apparatus further includes a communication connection request receiving module 46, configured to receive a communication connection request sent by a client, the request carrying a session ticket; and a judgment and verification module 47, configured to determine whether the session ticket is within its validity period, to verify the session ticket with the primary key if it is, and to establish a communication session with the client if verification with the primary key succeeds.
In another possible implementation the judgment and verification module is further configured to verify the session ticket with the secondary key if verification with the primary key fails, and to establish a communication session with the client if verification with the secondary key succeeds.
The session ticket processing apparatus provided by the embodiments of this application has the same implementation principle and technical effects as the foregoing embodiments of the session ticket processing method; for brevity, where the apparatus embodiments omit a detail, reference may be made to the corresponding content of the foregoing method embodiments.
An embodiment of this application further provides an electronic device. FIG. 5 is a schematic structural diagram of the electronic device, which includes a processor 51 and a memory 52; the memory 52 stores computer-executable instructions that can be executed by the processor 51, and the processor 51 executes those instructions to implement the session ticket processing method described above.
In the implementation shown in FIG. 5, the electronic device further includes a bus 53 and a communication interface 54; the processor 51, the communication interface 54 and the memory 52 are connected via the bus.
The memory 52 may include high-speed random access memory (RAM) and may also include non-volatile memory, for example at least one disk storage device. The communication connection between this system network element and at least one other network element is implemented through at least one communication interface 54 (wired or wireless), over the Internet, a wide area network, a local network, a metropolitan area network or the like. The bus may be an ISA bus, a PCI bus, an EISA bus or the like, and may be divided into an address bus, a data bus, a control bus and so on. For ease of representation only one bidirectional arrow is drawn in FIG. 5, but this does not mean that there is only one bus or one type of bus.
The processor 51 may be an integrated circuit chip with signal processing capability. In implementation, the steps of the method above can be completed by integrated logic circuits in hardware within the processor 51 or by instructions in software form. The processor 51 may be a general-purpose processor, including a central processing unit (CPU), a network processor (NP) and the like; it may also be a digital signal processor (DSP), an application-specific integrated circuit (ASIC), a field-programmable gate array (FPGA) or another programmable logic device, a discrete gate or transistor logic device, or a discrete hardware component, and it can implement or execute the methods, steps and logic block diagrams disclosed in the embodiments of this application. A general-purpose processor may be a microprocessor or any conventional processor. The steps of the methods disclosed in the embodiments of this application may be carried out directly by a hardware decoding processor, or by a combination of hardware and software modules within a decoding processor. The software modules may reside in random access memory, flash memory, read-only memory, programmable read-only memory or electrically erasable programmable memory, registers, or other storage media well established in the art. The storage medium is located in the memory; the processor 51 reads the information in the memory 52 and, together with its hardware, completes the steps of the session ticket processing method of the foregoing embodiments.
An embodiment of this application further provides a computer-readable storage medium storing computer-executable instructions which, when invoked and executed by a processor, cause the processor to implement the session ticket processing method described above; for the specific implementation, reference may be made to the foregoing method embodiments, which are not repeated here.
The computer program product of the session ticket processing method, the session ticket processing apparatus and the electronic device provided by the embodiments of this application includes a computer-readable storage medium storing program code, whose instructions may be configured to execute the session ticket processing method described in the foregoing method embodiments; for the specific implementation, reference may be made to the method embodiments, which are not repeated here.
If the functions are implemented as software functional units and sold or used as an independent product, they may be stored in a non-volatile computer-readable storage medium executable by a processor. On this understanding, the technical solution of this application in essence, or the part of it that contributes over the related art, or a part of the technical solution, may be embodied as a software product stored in a storage medium and including a number of instructions that cause a computer device (which may be a personal computer, a server, a network device or the like) to execute all or some of the steps of the methods described in the embodiments of this application. The aforementioned storage medium includes a USB flash drive, a removable hard disk, read-only memory (ROM), random access memory (RAM), a magnetic disk, an optical disc or any other medium that can store program code.
The embodiments of the present application bring the following beneficial effects. The session ticket processing method, apparatus, electronic device and computer-readable storage medium provided by the embodiments of the present application receive a new session ticket sent by the management server; update the session configuration, determining the original session ticket in the session configuration as the primary key and the new session ticket as the secondary key, where both the primary key and the secondary key are set to decrypt communication sessions, the primary key is used preferentially to decrypt a communication session, and the primary key is further set to encrypt communication sessions created after the new session ticket is received; if confirmation is received that the distributed cluster has completed updating its session configuration, determine the new session ticket as the primary key and the original session ticket as the secondary key; and when the preset time arrives, delete the original session ticket. In this approach a unified session ticket is deployed across the whole network of the distributed cluster, and during session ticket replacement the servers of the cluster not only add the new session ticket but also retain the original one, so that sessions encrypted with the original session ticket can still be decrypted while sessions encrypted with the new session ticket are decrypted as well. Only after every session encrypted with the original session ticket has ended is the original session ticket deleted from the servers, leaving only the new session ticket. This effectively alleviates the problem that, during session ticket replacement, a hard replacement of the session ticket leaves some sessions undecryptable because they still require the original session ticket, causing the abbreviated handshake rate of the whole network to drop sharply; the abbreviated handshake rate of the whole network can thus be raised, CPU consumption reduced, and the security of cluster communication improved.
In addition, in the description of the embodiments of the present application, unless otherwise expressly specified and limited, the terms "mounted", "coupled" and "connected" should be understood broadly: for example, a connection may be fixed, detachable or integral; mechanical or electrical; direct, or indirect through an intermediate medium; or an internal communication between two elements. Those of ordinary skill in the art can understand the specific meanings of the above terms in the present application according to the specific circumstances.
In the description of the present application, it should be noted that the orientations or positional relationships indicated by terms such as "center", "upper", "lower", "left", "right", "vertical", "horizontal", "inner" and "outer" are based on the orientations or positional relationships shown in the drawings and are used only for convenience and simplicity of description, not to indicate or imply that the device or element referred to must have a specific orientation or be constructed and operated in a specific orientation; they are therefore not to be construed as limiting the present application. Furthermore, the terms "first", "second" and "third" are used for descriptive purposes only and are not to be understood as indicating or implying relative importance.
Finally, it should be noted that the above embodiments are merely specific implementations of the present application, used to illustrate the technical solutions of the present application rather than to limit them, and the scope of protection of the present application is not limited thereto. Although the present application has been described in detail with reference to the foregoing embodiments, those of ordinary skill in the art should understand that any person skilled in the art can still, within the technical scope disclosed by the present application, modify the technical solutions recited in the foregoing embodiments, readily conceive of variations, or make equivalent substitutions for some of their technical features; such modifications, variations or substitutions do not cause the essence of the corresponding technical solutions to depart from the spirit and scope of the technical solutions of the embodiments of the present application, and shall all fall within the scope of protection of the present application. Therefore, the scope of protection of the present application shall be that of the claims.
Industrial Applicability
The present application is applied in the field of communication technology and provides a session ticket processing method, apparatus, electronic device and computer-readable storage medium, which can raise the abbreviated handshake rate across the whole network of a distributed cluster, reduce CPU consumption, and improve the security of cluster communication.

Claims (13)

  1. A session ticket processing method, applied to a server of a distributed cluster, the server being communicatively connected to a preset management server, the management server being configured to generate a session ticket and send the session ticket to each server of the distributed cluster, the method comprising:
    receiving a new session ticket sent by the management server;
    updating a session configuration, determining the original session ticket in the session configuration as a primary key and the new session ticket as a secondary key, wherein both the primary key and the secondary key are set to decrypt communication sessions, the primary key is used preferentially to decrypt a communication session, and the primary key is further set to encrypt communication sessions created after the new session ticket is received;
    if confirmation is received that the distributed cluster has completed updating the session configuration, determining the new session ticket as the primary key and the original session ticket as the secondary key; and
    when a preset time arrives, deleting the original session ticket.
  2. The session ticket processing method according to claim 1, wherein the communication session is one of a Secure Sockets Layer (SSL) session and a Transport Layer Security (TLS) session.
  3. The session ticket processing method according to claim 1 or 2, wherein the preset time is not less than the validity period of the original session ticket.
  4. The session ticket processing method according to any one of claims 1 to 3, wherein, before the step of receiving the new session ticket sent by the management server, the method further comprises:
    turning on a preset switch control of the session ticket mechanism.
  5. The session ticket processing method according to any one of claims 1 to 4, wherein the server is communicatively connected to a preset client, and the method further comprises:
    receiving a communication connection request sent by the client, the communication connection request carrying a session ticket;
    judging whether the session ticket is within its validity period;
    if it is judged that the session ticket is within its validity period, verifying the session ticket with the primary key; and
    if the session ticket passes verification with the primary key, establishing a communication session with the client.
  6. The session ticket processing method according to claim 5, wherein the method further comprises:
    if the session ticket fails verification with the primary key, verifying the session ticket with the secondary key; and
    if the session ticket passes verification with the secondary key, establishing a communication session with the client.
  7. A session ticket processing apparatus, applied to a server of a distributed cluster, the server being communicatively connected to a preset management server, the management server being configured to generate a session ticket and send the session ticket to each server of the distributed cluster, the apparatus comprising:
    a new session ticket receiving module, configured to receive the new session ticket sent by the management server;
    a session configuration update module, configured to update a session configuration, determining the original session ticket in the session configuration as a primary key and the new session ticket as a secondary key, wherein both the primary key and the secondary key are set to decrypt communication sessions, the primary key is used preferentially to decrypt a communication session, and the primary key is further set to encrypt communication sessions created after the new session ticket is received;
    a primary/secondary key adjustment module, configured to determine the new session ticket as the primary key and the original session ticket as the secondary key if confirmation is received that the distributed cluster has completed updating the session configuration; and
    an original session ticket deletion module, configured to delete the original session ticket when a preset time arrives.
  8. The session ticket processing apparatus according to claim 7, wherein the communication session is one of a Secure Sockets Layer (SSL) session and a Transport Layer Security (TLS) session.
  9. The session ticket processing apparatus according to claim 7 or 8, wherein
    the apparatus further comprises a session ticket mechanism enabling module, configured to turn on a preset switch control of the session ticket mechanism.
  10. The session ticket processing apparatus according to any one of claims 7 to 9, wherein
    the server is communicatively connected to a preset client, and the apparatus further comprises:
    a communication connection request receiving module, configured to receive a communication connection request sent by the client, the communication connection request carrying a session ticket; and
    a judgment and verification module, configured to judge whether the session ticket is within its validity period, to verify the session ticket with the primary key if it is judged that the session ticket is within its validity period, and to establish a communication session with the client if the session ticket passes verification with the primary key.
  11. The session ticket processing apparatus according to claim 10, wherein
    the judgment and verification module is further configured to verify the session ticket with the secondary key if the session ticket fails verification with the primary key, and to establish a communication session with the client if the session ticket passes verification with the secondary key.
  12. An electronic device, comprising a processor and a memory, the memory storing computer-executable instructions executable by the processor, the processor executing the computer-executable instructions to implement the session ticket processing method according to any one of claims 1 to 6.
  13. A computer-readable storage medium storing computer-executable instructions which, when invoked and executed by a processor, cause the processor to implement the session ticket processing method according to any one of claims 1 to 6.
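The rotation described in the beneficial-effects summary and in method claims 1 to 6, as an added example in Python that is not part of the patent or of any product of the applicant. It models the ticket-key state of a single cluster server: the `TicketKeyStore` class, the HMAC-SHA256-tagged ticket layout, the `preset_time` parameter and the sample keys are constructed for illustration, and the management server and the cluster-wide confirmation are represented only by method calls. A real TLS ticket would also encrypt the session state; a MAC is enough here to show which key a server must still hold to accept a ticket, and why the secondary key and the "preset time not less than the validity period" rule of claim 3 matter.

```python
"""Session-ticket key rotation with a primary/secondary key pair (constructed example)."""
import hashlib
import hmac
import struct
from dataclasses import dataclass
from typing import Optional

SID_LEN = 16   # session identifier length in the constructed ticket layout
TAG_LEN = 32   # HMAC-SHA256 tag length


def mint_ticket(key: bytes, session_id: bytes, expires_at: int) -> bytes:
    """Constructed layout: session_id(16) || expires_at(8, big-endian) || HMAC-SHA256 tag."""
    assert len(session_id) == SID_LEN
    payload = session_id + struct.pack(">Q", expires_at)
    return payload + hmac.new(key, payload, hashlib.sha256).digest()


def ticket_expiry(ticket: bytes) -> int:
    return struct.unpack(">Q", ticket[SID_LEN:SID_LEN + 8])[0]


def verify_ticket(key: bytes, ticket: bytes) -> bool:
    """Constant-time check of the ticket tag under one key."""
    payload, tag = ticket[:-TAG_LEN], ticket[-TAG_LEN:]
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    return hmac.compare_digest(expected, tag)


@dataclass
class TicketKeyStore:
    """Ticket-key state of one cluster server (hypothetical class mirroring claims 1, 3, 5 and 6)."""
    primary: bytes                      # issues new tickets and is tried first on resumption
    secondary: Optional[bytes] = None   # accepted on resumption only
    ticket_lifetime: int = 3600         # validity period of issued tickets, seconds
    preset_time: int = 3600             # delay before the retired key is dropped (claim 3)
    delete_original_at: Optional[int] = None

    def __post_init__(self) -> None:
        if self.preset_time < self.ticket_lifetime:
            raise ValueError("preset_time must be at least the ticket validity period")

    def receive_new_ticket(self, new_key: bytes) -> None:
        """Claim 1, step 2: original stays primary, the new key becomes secondary."""
        self.secondary = new_key

    def cluster_confirmed(self, now: int) -> None:
        """Claim 1, step 3: promote the new key, keep the original as secondary."""
        self.primary, self.secondary = self.secondary, self.primary
        self.delete_original_at = now + self.preset_time

    def tick(self, now: int) -> None:
        """Claim 1, step 4: by now every ticket under the original key has expired."""
        if self.delete_original_at is not None and now >= self.delete_original_at:
            self.secondary = None
            self.delete_original_at = None

    def hard_replace(self, new_key: bytes) -> None:
        """The hard replacement the patent contrasts against: swap the key, keep nothing."""
        self.primary, self.secondary, self.delete_original_at = new_key, None, None

    def issue(self, session_id: bytes, now: int) -> bytes:
        """Tickets are always protected with the primary key."""
        return mint_ticket(self.primary, session_id, now + self.ticket_lifetime)

    def resume(self, ticket: bytes, now: int) -> str:
        """Claims 5 and 6: validity period, then primary, then secondary.
        Returns the key that accepted the ticket, or 'full' for a full handshake."""
        if len(ticket) != SID_LEN + 8 + TAG_LEN or ticket_expiry(ticket) <= now:
            return "full"
        if verify_ticket(self.primary, ticket):
            return "primary"
        if self.secondary is not None and verify_ticket(self.secondary, ticket):
            return "secondary"
        return "full"


def rotation_walkthrough() -> list:
    """Drive one server through a rotation and record how tickets fare at each step."""
    k_old, k_new = b"\x11" * 32, b"\x22" * 32           # constructed keys
    store = TicketKeyStore(primary=k_old)
    t = 1_000_000
    old_ticket = store.issue(b"A" * SID_LEN, t)         # issued under the original key
    trace = []
    store.receive_new_ticket(k_new)
    trace.append(store.resume(old_ticket, t + 10))      # original still primary
    store.cluster_confirmed(t + 100)
    new_ticket = store.issue(b"B" * SID_LEN, t + 200)   # now issued under the new key
    trace.append(store.resume(old_ticket, t + 300))     # accepted via the secondary key
    trace.append(store.resume(new_ticket, t + 300))
    store.tick(t + 100 + store.preset_time)             # original key dropped
    trace.append(store.resume(new_ticket, t + 3750))
    trace.append(store.resume(old_ticket, t + 3750))    # already expired: nothing lost
    return trace


def hard_replace_walkthrough() -> str:
    """Same ticket, but the key is swapped without a secondary: a still-valid ticket is rejected."""
    k_old, k_new = b"\x11" * 32, b"\x22" * 32
    store = TicketKeyStore(primary=k_old)
    t = 1_000_000
    old_ticket = store.issue(b"A" * SID_LEN, t)
    store.hard_replace(k_new)
    return store.resume(old_ticket, t + 10)
```

`rotation_walkthrough()` returns `["primary", "secondary", "primary", "primary", "full"]`: the old ticket keeps resuming through the whole rotation and is only refused once it has expired on its own, whereas `hard_replace_walkthrough()` returns `"full"` for a ticket that is still well within its validity period, which is exactly the resumption-rate drop the summary describes. The `__post_init__` check enforces claim 3, since dropping the retired key earlier than the ticket lifetime would recreate the same problem for tickets issued just before the cluster confirmation.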
PCT/CN2021/098070 2020-07-30 2021-06-03 Session ticket processing method and apparatus, electronic device, and computer readable storage medium WO2022022057A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN202010754910.4A CN111866172A (en) 2020-07-30 2020-07-30 Processing method and device of session ticket and electronic equipment
CN202010754910.4 2020-07-30

Publications (1)

Publication Number Publication Date
WO2022022057A1 true WO2022022057A1 (en) 2022-02-03

Family

ID=72946339

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2021/098070 WO2022022057A1 (en) 2020-07-30 2021-06-03 Session ticket processing method and apparatus, electronic device, and computer readable storage medium

Country Status (2)

Country Link
CN (1) CN111866172A (en)
WO (1) WO2022022057A1 (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111866172A (en) * 2020-07-30 2020-10-30 北京金山云网络技术有限公司 Processing method and device of session ticket and electronic equipment

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101488111A (en) * 2009-02-17 2009-07-22 普天信息技术研究院有限公司 Identification authentication method and system
US20130198509A1 (en) * 2012-01-26 2013-08-01 Mcafee, Inc. System and method for innovative management of transport layer security session tickets in a network environment
CN106790285A (en) * 2017-02-27 2017-05-31 杭州迪普科技股份有限公司 A kind of Session state reuse method and device
CN110622482A (en) * 2017-06-01 2019-12-27 国际商业机器公司 No cache session ticket support in TLS inspection
CN111866172A (en) * 2020-07-30 2020-10-30 北京金山云网络技术有限公司 Processing method and device of session ticket and electronic equipment

Family Cites Families (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9591084B1 (en) * 2013-11-14 2017-03-07 Avi Networks Network devices using TLS tickets for session persistence
US10285051B2 (en) * 2016-09-20 2019-05-07 2236008 Ontario Inc. In-vehicle networking
US10581948B2 (en) * 2017-12-07 2020-03-03 Akamai Technologies, Inc. Client side cache visibility with TLS session tickets
CN110830239B (en) * 2018-08-07 2023-02-28 阿里巴巴集团控股有限公司 Key updating method, device and system
CN111132154B (en) * 2019-12-26 2022-10-21 飞天诚信科技股份有限公司 Method and system for negotiating session key

Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101488111A (en) * 2009-02-17 2009-07-22 普天信息技术研究院有限公司 Identification authentication method and system
US20130198509A1 (en) * 2012-01-26 2013-08-01 Mcafee, Inc. System and method for innovative management of transport layer security session tickets in a network environment
CN106790285A (en) * 2017-02-27 2017-05-31 杭州迪普科技股份有限公司 A kind of Session state reuse method and device
CN110622482A (en) * 2017-06-01 2019-12-27 国际商业机器公司 No cache session ticket support in TLS inspection
CN111866172A (en) * 2020-07-30 2020-10-30 北京金山云网络技术有限公司 Processing method and device of session ticket and electronic equipment

Also Published As

Publication number Publication date
CN111866172A (en) 2020-10-30

Similar Documents

Publication Publication Date Title
US11588649B2 (en) Methods and systems for PKI-based authentication
JP6612358B2 (en) Method, network access device, application server, and non-volatile computer readable storage medium for causing a network access device to access a wireless network access point
US20210367795A1 (en) Identity-Linked Authentication Through A User Certificate System
US9847882B2 (en) Multiple factor authentication in an identity certificate service
CN109088889B (en) SSL encryption and decryption method, system and computer readable storage medium
TWI429256B (en) Authentication delegation based on re-verification of cryptographic evidence
US20220014524A1 (en) Secure Communication Using Device-Identity Information Linked To Cloud-Based Certificates
JP2005269656A (en) Efficient and secure authentication of computing system
WO2011076008A1 (en) System and method for transmitting files between wapi teminal and application sever
US10516653B2 (en) Public key pinning for private networks
US9998287B2 (en) Secure authentication of remote equipment
US11070537B2 (en) Stateless method for securing and authenticating a telecommunication
US11695747B2 (en) Multi-device single sign-on
WO2022100356A1 (en) Identity authentication system, method and apparatus, device, and computer readable storage medium
JP2017152880A (en) Authentication system, key processing coordination method, and key processing coordination program
CN110581829A (en) Communication method and device
CN110855561A (en) Intelligent gateway of Internet of things
WO2022022057A1 (en) Session ticket processing method and apparatus, electronic device, and computer readable storage medium
CN110830413B (en) Communication method, client, server, communication device and system
Singh et al. Survey and analysis of Modern Authentication system
WO2016141513A1 (en) Service processing method and apparatus
WO2017024588A1 (en) Service processing method and apparatus
JP6254964B2 (en) Authentication system, spare key management apparatus, spare key management method, and spare key management program
CN115988496A (en) Access authentication method and device
CN114003892A (en) Credible authentication method, safety authentication equipment and user terminal

Legal Events

Date Code Title Description
NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 21849871

Country of ref document: EP

Kind code of ref document: A1