Communication connection establishment method, apparatus, device, and medium
By using QUIC and SPA technologies and leveraging authentication and connection identifier generation between the client and server, the problem of communication connection loss caused by IP address changes is solved, achieving seamless communication connection when the network environment changes, thus improving security and user experience.
Patent Information
- Authority / Receiving Office: CN · China
- Patent Type: Patents (China)
- Current Assignee / Owner: CHINA TELECOM CORP LTD TECHNOLOGY INNOVATION CENTER
- Filing Date: 2024-12-25
- Publication Date: 2026-06-23
AI Technical Summary
In existing technologies, communication connections based on IP addresses are prone to disconnection in environments with multiple external network exit IPs or IP migration, affecting user experience. They also have vulnerabilities such as Source Network Address Translation (SNAT) port amplification and UDP-SPA authentication security issues.
Employing Quick UDP Internet Connections (QUIC) and Single Packet Authorization (SPA) technologies, a unique connection identifier is generated through authentication requests and responses between the client and server, ensuring the continuity of communication connections even when IP addresses change. UDP+CID SPA packets are used for knock authentication and QUIC protocol transmission, avoiding reliance on IP addresses for authentication.
Even when IP addresses change, it maintains the continuity of access between the client and the server, improves security during the access process, avoids vulnerabilities and connection drops caused by traditional IP authentication, and achieves seamless communication connection migration.
Figure CN119743511B_ABST (abstract drawing)
Description
Technical Field
[0001] This disclosure relates to the field of network security technology, and in particular to a method, apparatus, device and medium for establishing a communication connection.
Background Technology
[0002] Port knocking is a network security technique that requires a client to send a series of connection requests to a specific port in a specific order before attempting to access a service. If the sequence is correct, the server will temporarily grant the client access.
[0003] Software-Defined Perimeter (SDP) is a next-generation network security architecture based on the zero-trust concept. Its main functions include infrastructure hiding, reducing DoS attacks, detecting erroneous packets, preventing unauthorized network access, and application and service access control. Zero-trust SDP uses Single Packet Authorization (SPA) technology to implement network authorization. SPA is a lightweight network security protocol and one of the core functions of SDP.
[0004] In related technologies, traditional SPA has the problem that multiple devices sharing the same source IP can be authorized at the same time, known as the source network address translation (SNAT) port amplification vulnerability. UDP-based single packet authorization (UDP-SPA) usually uses the source IP to decide whether the authentication packet and the connection establishment packet come from the same sender. That is, once one terminal passes authentication by knocking, all devices behind the same SNAT can bypass verification and establish communication directly.
[0005] Furthermore, the method of obtaining the client's external IP address and including it in an SPA request packet to request authorization, based on the Transmission Control Protocol (TCP) connection, means that IP changes may cause the established connection to break. If data transmission is still desired, a new connection needs to be established, often resulting in network congestion. Therefore, establishing communication connections based on IP addresses can negatively impact user experience in environments with multiple external IP addresses or IP address migration.
[0006] It should be noted that the information disclosed in the background section above is only used to enhance the understanding of the background of this disclosure, and therefore may include information that does not constitute prior art known to those skilled in the art.
Summary of the Invention
[0007] This disclosure provides a method, apparatus, device, and medium for establishing a communication connection, which at least to some extent overcomes the problem in related technologies where the connection between the client and the server is lost due to changes in IP address.
[0008] Other features and advantages of this disclosure will become apparent from the following detailed description, or may be learned in part from practice of this disclosure.
[0009] According to one aspect of this disclosure, a method for establishing a communication connection is provided, applied to a client, comprising: sending an authentication request to a server, wherein the authentication request carries the client's identity information and a first connection identifier, the first connection identifier being used by the client to establish a Quick User Datagram Protocol Internet Connection (QUIC) connection with the server and uniquely identifying the client; monitoring whether a second connection identifier returned by the server is received, wherein the second connection identifier is a connection identifier generated by the server based on the first connection identifier, the second connection identifier being used by the client to establish a QUIC connection with the server and uniquely identifying the server; and if the second connection identifier returned by the server is received, establishing a communication connection between the client and the server according to the second connection identifier and the QUIC protocol.
[0010] In some embodiments, after monitoring whether a second connection identifier returned by the server is received, the method further includes: if a second connection identifier returned by the server is not received, then within a preset time period, resending an authentication request to the server until a second connection identifier returned by the server is received.
[0011] In some embodiments, after establishing a communication connection between the client and the server according to the second connection identifier and the QUIC protocol, the method further includes: detecting whether the client's IP address has changed; if the client's IP address has changed, verifying whether the first connection identifier is valid; if yes, maintaining the communication connection between the client and the server; if no, resending an authentication request to the server to re-establish the communication connection between the client and the server.
[0012] According to another aspect of this disclosure, a method for establishing a communication connection is also provided, applied to a server, comprising: receiving an authentication request sent by a client, wherein the authentication request carries the client's identity information and a first connection identifier, the first connection identifier being used by the client to establish a Quick User Datagram Protocol Internet Connection (QUIC) connection with the server and uniquely identifying the client; verifying whether the first connection identifier is valid according to a predetermined authentication rule; if valid, generating a second connection identifier based on the first connection identifier and returning the second connection identifier to the client, wherein the second connection identifier is used by the client to establish a QUIC connection with the server and uniquely identifying the server.
[0013] According to another aspect of this disclosure, a communication system is also provided, comprising: a client and a server; wherein the client is configured to send an authentication request to the server, wherein the authentication request carries the client's identity information and a first connection identifier, the first connection identifier being used by the client to establish a Quick User Datagram Protocol (QUIC) connection with the server and uniquely identifying the client; the server is configured to receive the authentication request sent by the client; wherein the server is further configured to verify whether the first connection identifier is valid according to a predetermined authentication rule, and if so, generate a second connection identifier based on the first connection identifier and return the second connection identifier to the client, wherein the second connection identifier is used by the client to establish a QUIC connection with the server and uniquely identify the server; wherein the client is further configured to, if it receives the second connection identifier returned by the server, establish a communication connection between the client and the server according to the second connection identifier and the QUIC protocol.
[0014] According to another aspect of this disclosure, a terminal device is also provided, comprising: an authentication request sending module, configured to send an authentication request to a server, wherein the authentication request carries client identity information and a first connection identifier, the first connection identifier being used by the client to establish a Quick User Datagram Protocol (QUIC) Internet connection with the server and uniquely identifying the client; a connection identifier detection module, configured to monitor whether a second connection identifier returned by the server is received, wherein the second connection identifier is a connection identifier generated by the server based on the first connection identifier, the second connection identifier being used by the client to establish a QUIC connection with the server and uniquely identifying the server; and a communication connection establishment module, configured to, if the second connection identifier returned by the server is received, establish a communication connection between the client and the server according to the second connection identifier and the QUIC protocol.
[0015] According to another aspect of this disclosure, a server is also provided, comprising: a verification request receiving module, configured to receive an authentication request sent by a client, wherein the authentication request carries the client's identity information and a first connection identifier, the first connection identifier being used by the client to establish a Quick User Datagram Protocol (QUIC) Internet connection with the server and uniquely identifying the client; a connection identifier verification module, configured to verify whether the first connection identifier is valid according to a predetermined verification rule; and a connection identifier return module, configured to, if valid, generate a second connection identifier based on the first connection identifier and return the second connection identifier to the client, wherein the second connection identifier is used by the client to establish a QUIC connection with the server and uniquely identifies the server.
[0016] According to another aspect of this disclosure, an electronic device is also provided, comprising: a processor; and a memory for storing executable instructions of the processor; wherein the processor is configured to perform the communication connection establishment method described in any of the preceding claims by executing the executable instructions.
[0017] According to another aspect of this disclosure, a computer-readable storage medium is also provided, on which a computer program is stored, which, when executed by a processor, implements the communication connection establishment method described in any of the preceding claims.
[0018] According to another aspect of this disclosure, a computer program product is also provided, including a computer program that, when executed by a processor, implements the communication connection establishment method of any of the above.
[0019] The communication connection establishment method, apparatus, device, and medium provided in the embodiments of this disclosure involve a client sending an authentication request to a server. The server verifies the validity of a first connection identifier carried in the request. If valid, the server generates a second connection identifier based on the first connection identifier and returns it to the client, enabling the client to establish a communication connection with the server based on the second connection identifier and the QUIC protocol. The embodiments of this disclosure can maintain the continuity of access between the client and the server even when IP addresses change, thus improving security during the access process.
[0020] It should be understood that the above general description and the following detailed description are exemplary and explanatory only, and are not intended to limit this disclosure.
Description of the Drawings
[0021] The accompanying drawings, which are incorporated in and form part of this specification, illustrate embodiments consistent with this disclosure and, together with the description, serve to explain the principles of this disclosure. It is obvious that the drawings described below are merely some embodiments of this disclosure, and those skilled in the art can obtain other drawings based on these drawings without any inventive effort.
[0022] Figure 1 is a flowchart of a communication connection establishment method according to an embodiment of the present disclosure;
[0023] Figure 2 is a flowchart of another communication connection establishment method according to an embodiment of the present disclosure;
[0024] Figure 3 is a signaling interaction flowchart for establishing a communication connection according to an embodiment of the present disclosure;
[0025] Figure 4 is a schematic diagram of a data packet structure of the QUIC protocol according to an embodiment of the present disclosure;
[0026] Figure 5 illustrates another communication connection establishment method according to an embodiment of the present disclosure;
[0027] Figure 6 is a schematic diagram of the structure of a communication system according to an embodiment of the present disclosure;
[0028] Figure 7 is a schematic diagram of the structure of a terminal device according to an embodiment of the present disclosure;
[0029] Figure 8 is a schematic diagram of the structure of a server according to an embodiment of the present disclosure;
[0030] Figure 9 is a schematic diagram of the structure of an electronic device according to an embodiment of the present disclosure.
Detailed Description
[0031] Exemplary embodiments will now be described more fully with reference to the accompanying drawings. However, these exemplary embodiments can be implemented in many forms and should not be construed as limited to the examples set forth herein; rather, they are provided so that this disclosure will be more comprehensive and complete, and will fully convey the concept of the exemplary embodiments to those skilled in the art. The described features, structures, or characteristics may be combined in any suitable manner in one or more embodiments.
[0032] Furthermore, the accompanying drawings are merely illustrative of this disclosure and are not necessarily drawn to scale. The same reference numerals in the drawings denote the same or similar parts, and therefore repeated descriptions of them will be omitted. Some block diagrams shown in the drawings are functional entities and do not necessarily correspond to physically or logically independent entities. These functional entities may be implemented in software, in one or more hardware modules or integrated circuits, or in different network and / or processor devices and / or microcontroller devices.
[0033] To facilitate understanding, before introducing the embodiments of this disclosure, the following explanations are provided for several terms involved in the embodiments of this disclosure:
[0034] SDP: Software Defined Perimeter. A next-generation network security architecture based on the Zero Trust concept, its main functions include infrastructure hiding, reducing Denial-of-Service (DoS) attacks, detecting erroneous packets, preventing unauthorized network access, and application and service access control.
[0035] SPA: Single Packet Authorization. A lightweight network security protocol and one of the core functions of SDP. The main purpose of SPA is to check the identity of devices or users before allowing access to the network where controllers, gateways, and other related system components reside, thus achieving a zero-trust "authenticate before connecting" security model.
[0036] QUIC: Quick UDP Internet Connections. A transport layer protocol based on the User Datagram Protocol (UDP), standardized as RFC 9000, designed to address some limitations of the Transmission Control Protocol (TCP) in modern network applications and to provide faster, more secure, and more reliable web communication. Unlike TCP, QUIC identifies a connection by the connection IDs carried in its packet headers rather than by the source and destination IP addresses and ports, which is what allows a connection to survive an address change.
[0037] The specific implementation methods of the embodiments of this disclosure will now be described in detail with reference to the accompanying drawings.
[0038] Figure 1 is a flowchart of a communication connection establishment method according to an embodiment of the present disclosure, applied to a client. As shown in Figure 1, the method includes the following steps:
[0039] S102, send an authentication request to the server. The authentication request carries the client's identity information and a first connection identifier. The first connection identifier is used by the client to establish a Quick User Datagram Protocol (QUIC) Internet connection with the server and is a unique identifier of the client.
[0040] In one embodiment of this disclosure, the client first sends an authentication request to the server. The authentication request may carry the client's identity information and a first connection identifier (CID). The first connection identifier is randomly generated by the client according to a preset field length and binds the authentication to a single connection, replacing the terminal-IP-based authentication used in related technologies and thereby avoiding the amplification vulnerability caused by shared IP exits. The first connection identifier uniquely identifies the client.
[0041] S104, monitor whether the second connection identifier returned by the server is received. The second connection identifier is a connection identifier generated by the server based on the first connection identifier. The second connection identifier is used by the client to establish a QUIC connection with the server and is a unique identifier of the server.
[0042] In one embodiment of this disclosure, the client can monitor whether it receives a second connection identifier (CID) returned by the server within a preset time period. This second connection identifier is randomly generated by the server according to a preset field length after verifying the first connection identifier and confirming that the verification is successful. The field length of the second connection identifier can be the same as that of the first connection identifier. The second connection identifier is used to uniquely identify the server.
[0043] S106. If the second connection identifier returned by the server is received, a communication connection between the client and the server is established according to the second connection identifier and the QUIC protocol.
[0044] In one embodiment of this disclosure, after receiving the second connection identifier returned by the server, the client can establish a communication connection with the server based on the second connection identifier and the QUIC protocol.
[0045] As described above, in this embodiment, the client sends an authentication request to the server and monitors whether it receives a second connection identifier returned by the server. If so, a communication connection is established between the client and the server based on the second connection identifier and the QUIC protocol. This embodiment can maintain the continuity of access between the client and the server even when the IP address changes, thus improving security during the access process.
[0046] In one embodiment of this disclosure, after S104 above, the method further includes: if the second connection identifier returned by the server is not received, then within a preset time period, the authentication request is resent to the server until the second connection identifier returned by the server is received.
[0047] In one embodiment of this disclosure, there is a possibility that the first connection identifier may fail to be verified on the server side. The client can repeatedly send authentication requests to the server at preset time intervals or a preset number of times within a preset time period, until the client receives a second connection identifier returned by the server or the preset time period expires, at which point it stops sending authentication requests to the server. It should be noted that the number of times or the time interval for the client to resend authentication requests to the server can be determined according to actual circumstances, and this embodiment of the disclosure does not impose specific limitations on this.
[0048] In one embodiment of this disclosure, after S106 above, the method further includes: detecting whether the client's IP address has changed; if the client's IP address has changed, verifying whether the first connection identifier is valid; if yes, maintaining the communication connection between the client and the server; if no, resending the authentication request to the server to re-establish the communication connection between the client and the server.
[0049] In one embodiment of this disclosure, changes in the network environment may cause the client's IP address to change. Therefore, the client's IP address is continuously monitored, and when a change in the client's IP address is detected, the validity of the first connection identifier is verified.
[0050] In one embodiment of this disclosure, the first connection identifier typically has an expiration date, and its validity can be determined by whether the expiration date has passed. If the first connection identifier is still valid, the communication connection between the client and the server remains unchanged; if the first connection identifier expires, its expiration date needs to be redefined, and an authentication request is resent to the server based on the first connection identifier to re-establish the communication connection between the two.
[0051] In one embodiment of this disclosure, if the first connection identifier fails, a new connection identifier can be regenerated on the client side according to a preset field length, and its validity period can be defined. The newly generated connection identifier can then be carried in the authentication request to be sent to the server.
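The client-side procedure of S102 to S106, together with the retry rule of [0046]-[0047] and the IP-change handling of [0048]-[0051], as an added example that is not code from the patent. The UDP transport is abstracted into a `send_knock` callable and the clock is simulated so the logic runs offline; the CID length and validity period are assumptions taken from the Table 1 example values, and the flaky server is a constructed stand-in.

```python
"""Client-side knock procedure of steps S102-S106 with the retry rule of
[0046]-[0047] and the IP-change handling of [0048]-[0051].

Added example, not code from the patent. The UDP transport is abstracted into a
send_knock callable and the clock is simulated, so the logic runs offline; the
CID length and validity period are assumptions taken from the Table 1 examples.
"""
import secrets
from dataclasses import dataclass
from typing import Callable, Optional

CID_LEN = 8            # preset CID field length in bytes (assumption: matches 0x123456789abcdef0)
CID_VALIDITY_S = 1800  # preset validity period (assumption: the "30min" example)

# send_knock(identity, source_cid) -> destination CID, or None if no reply / rejected
KnockFn = Callable[[str, bytes], Optional[bytes]]


class FakeClock:
    """Deterministic clock so the retry window and CID expiry can be exercised offline."""

    def __init__(self, start: float = 0.0) -> None:
        self.t = start

    def now(self) -> float:
        return self.t

    def sleep(self, seconds: float) -> None:
        self.t += seconds


@dataclass
class ClientState:
    identity: str
    local_ip: str
    source_cid: bytes = b""
    cid_expires_at: float = 0.0
    dest_cid: Optional[bytes] = None

    def new_source_cid(self, now: float) -> None:
        """[0040] / [0051]: random CID of the preset length with its own validity period."""
        self.source_cid = secrets.token_bytes(CID_LEN)
        self.cid_expires_at = now + CID_VALIDITY_S
        self.dest_cid = None

    def cid_valid(self, now: float) -> bool:
        return now < self.cid_expires_at


def knock_until_authorized(state: ClientState, send_knock: KnockFn, clock: FakeClock,
                           window_s: float, interval_s: float) -> int:
    """S102 / S104 / [0047]: resend the authentication request every interval_s
    until a destination CID arrives or the preset window expires.
    Returns the number of attempts on success, 0 if the window ran out."""
    if not state.source_cid:
        state.new_source_cid(clock.now())
    deadline = clock.now() + window_s
    attempts = 0
    while clock.now() <= deadline:
        attempts += 1
        dest_cid = send_knock(state.identity, state.source_cid)
        if dest_cid is not None:
            state.dest_cid = dest_cid          # S106: QUIC connection can now be established
            return attempts
        clock.sleep(interval_s)
    return 0


def on_ip_change(state: ClientState, new_ip: str, send_knock: KnockFn, clock: FakeClock,
                 window_s: float = 10, interval_s: float = 1) -> str:
    """[0048]-[0051]: the connection is keyed by CID, not by IP. While the client
    CID is valid the existing connection (and its destination CID) is kept;
    once it has expired a fresh client CID is generated and the knock repeated."""
    state.local_ip = new_ip
    if state.cid_valid(clock.now()) and state.dest_cid is not None:
        return "kept"
    state.new_source_cid(clock.now())
    if knock_until_authorized(state, send_knock, clock, window_s, interval_s):
        return "reauthenticated"
    return "failed"


def make_flaky_server(authorized_identity: str, drop_first: int) -> KnockFn:
    """Constructed stand-in for the SDP server: drops the first drop_first knocks
    (UDP loss), then answers the authorized identity with a random destination
    CID of the same length as the source CID, as in [0042]."""
    calls = {"n": 0}

    def send_knock(identity: str, source_cid: bytes) -> Optional[bytes]:
        calls["n"] += 1
        if calls["n"] <= drop_first or identity != authorized_identity:
            return None
        return secrets.token_bytes(len(source_cid))

    return send_knock


if __name__ == "__main__":
    clock = FakeClock()
    state = ClientState(identity="Alice", local_ip="192.168.0.10")
    server = make_flaky_server("Alice", drop_first=2)
    print("attempts until authorized:", knock_until_authorized(state, server, clock, 10, 1))
    print("after IP change:", on_ip_change(state, "10.0.0.5", server, clock))
    clock.sleep(CID_VALIDITY_S)
    print("after CID expiry:", on_ip_change(state, "10.0.0.6", server, clock))
```

The retry loop is bounded by the preset window rather than by an attempt count, so a server that never answers (for example because the identity is not authorized) cannot keep the client knocking forever; an IP change inside the CID validity period touches no state other than the recorded local address.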
[0052] Figure 2 is a flowchart of another communication connection establishment method according to an embodiment of the present disclosure, applied to the server side. As shown in Figure 2, the method includes the following steps:
[0053] S202, Receive an authentication request sent by the client, wherein the authentication request carries the client's identity information and a first connection identifier, the first connection identifier being used by the client to establish a Quick User Datagram Protocol Internet connection (QUIC) connection with the server and is a unique identifier of the client.
[0054] S204, According to the predetermined verification rules, verify whether the first connection identifier is valid.
[0055] In one embodiment of this disclosure, the authentication request may be a Single Packet Authorization (SPA) verification packet sent by the client to the server. The server and the client may predetermine the verification rules, such as verifying a pre-set shared key, verifying whether the timestamp contained in the SPA packet is within a preset time range, verifying the validity and / or legality of a preset CID, or verifying the user credentials contained in the SPA packet (e.g., username, password hash value, etc.).
[0056] It should be noted that any verification rule that can verify the client's identity can be adopted according to the actual situation, and this embodiment of the disclosure does not impose any specific limitations on it.
[0057] S206, if so, then generate a second connection identifier based on the first connection identifier and return the second connection identifier to the client, wherein the second connection identifier is used by the client to establish a QUIC connection with the server and is a unique identifier of the server.
[0058] In one embodiment of this disclosure, after the first connection identifier (i.e., the CID that uniquely identifies the client) passes verification, the server can randomly generate a second connection identifier according to a preset field length (which can be the same as the length of the client's CID field) to serve as the server's CID. For example, a cryptographically secure random number generator can be used so that each CID is random and unpredictable, thereby increasing security.
[0059] In one embodiment of this disclosure, the server CID can be generated by combining the first connection identifier with other information (e.g., timestamp, server private key, or random number) using a preset hash algorithm. This can introduce more entropy while maintaining the association with the client CID.
[0060] It should be noted that the above is only an example of a method for generating a second connection identifier through a first connection identifier. Other methods can also be used to generate a second connection identifier while ensuring the association between the client CID and the server CID. This disclosure does not specifically limit this method.
[0061] As described above, in this embodiment of the present disclosure, after receiving an authentication request from the client, the server verifies whether the first connection identifier carried in the request is valid according to a predetermined authentication rule. If valid, the server generates a second connection identifier based on the first connection identifier and returns it to the client. This embodiment of the present disclosure can maintain the continuity of access between the client and the server even when the IP address changes, thereby improving the security of the access process.
[0062] Figure 3 is a signaling interaction flowchart for establishing a communication connection according to an embodiment of the present disclosure. As shown in Figure 3, the interaction process includes the following steps:
[0063] S301, the client sends a UDP+CID SPA packet, i.e. a single packet authorization packet based on the User Datagram Protocol that carries a connection identifier, to the server.
[0064] In one embodiment of this disclosure, the UDP+CID SPA packet may carry authentication information and a CID generated on the client side to uniquely identify the client, i.e., the source CID. The source CID is randomly generated based on a pre-defined field length and is independent of the IP address. This embodiment of the disclosure achieves connection-oriented identifier negotiation through a door-knocking approach using UDP+CID SPA.
[0065] In one embodiment of this disclosure, the information carried in the SPA packet may be as shown in the following table:
[0066] Table 1
[0067]

| Information carried in the SPA packet | Example |
| --- | --- |
| Timestamp | 2021-05-26 17:30:00 |
| Version number | 1.0.1 |
| Username | Alice |
| Message type | UDP |
| Request port | 62201 |
| Random characters | pT5CZgPChkbZf40m |
| Client IP | 192.168.0.10 |
| Server IP | 172.16.10.10 |
| Source CID | 0x123456789abcdef0 |
| CID validity period | 30min / 1h / … |
| Firewall rule | ACCEPT / DROP / REJECT |
| Third-party authentication information | KEY / HMAC |

[0068] It should be noted that the SPA packet may carry any authentication information as needed. The information in the table above is only for illustrative purposes. This disclosure does not specifically limit the information carried in the SPA packet or the content of the information.
[0069] S302: After receiving the SPA packet, the server extracts the authentication information and source CID for verification.
[0070] In one embodiment of this disclosure, the server verifies the authentication information and source CID extracted from the SPA packet according to preset verification rules. Specifically, this may include, but is not limited to, decrypting the authentication information according to a preset shared key or other security mechanisms, verifying whether the timestamp information carried in the SPA packet is within a preset time range, or confirming the validity and legality of the CID.
[0071] It should be noted that any one or more authentication methods can be used depending on the actual situation, and this disclosure does not impose any specific limitations on this.
[0072] S303 If the client authentication is successful, the server generates the destination CID based on the source CID.
[0073] In one embodiment of this disclosure, the destination CID is a CID used to uniquely identify the server.
[0074] In one embodiment of this disclosure, the server can randomly generate a destination CID according to a preset field length (which may be the same as the source CID field length). Specifically, a random number generator can be used, for example, to create the CID, ensuring that each CID is random and unpredictable, thereby increasing security.
[0075] In one embodiment of this disclosure, the source CID can be combined with other information (e.g., timestamp, server private key, or random number) and a preset hash algorithm can be used to generate the destination CID. This can introduce more entropy while maintaining the association with the source CID.
[0076] S304, the server returns the destination CID to the client.
[0077] S305, the server dynamically adjusts firewall rules (IP ACLs) according to the verification result, allowing the specified traffic to pass through and access the target service.
[0078] S306, the client establishes a communication connection with the server based on the received destination CID and QUIC protocol.
[0079] It should be noted that S305 can be executed at any position between S302 and S304, and this embodiment does not specifically limit it.
[0080] As can be seen from the above, in the knock authentication and subsequent communication connection scenarios of Software Defined Perimeter (SDP), the UDP+CID SPA packet uses the CID to determine whether the verification packet and the communication establishment packet belong to the same sender. The verification is bound to a single connection rather than to a shared source IP, which is more secure. At the same time, as long as the CID, the TLS keys and related state are retained, the original connection can be reused seamlessly even when the network environment changes, eliminating the cost of reconnection and realizing connection migration.
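The S301 to S306 exchange and the server-side verification rules of [0055]-[0060] and [0070]-[0075], as an added example that is not code from the patent. It builds the Table 1 fields into an SPA packet authenticated with an HMAC (the "KEY / HMAC" row), verifies it on the server, derives the destination CID with a keyed MAC over the source CID as [0059] and [0075] describe, and then contrasts the related-art IP-keyed gate of [0004] with the CID-keyed gate of S306 for two hosts behind one SNAT address. The JSON encoding, the per-user shared keys, the CID length, the timestamp window and all addresses are constructed assumptions.

```python
"""SPA knock with a connection identifier and the CID-keyed admission check.

Added example, not code from the patent. It covers the server-side rules of
[0055]-[0060] and the S301-S306 exchange: the packet encoding (JSON body plus
HMAC-SHA256 over its canonical form), the per-user shared keys, the CID length
and the addresses are all constructed for illustration.
"""
import hashlib
import hmac
import json
import secrets
from typing import Dict, Optional, Tuple

CID_LEN = 8                # preset CID field length in bytes (assumption)
TIMESTAMP_WINDOW_S = 30    # preset time range for the timestamp check (assumption)
SPA_VERSION = "1.0.1"      # version number from Table 1


def canonical(body: dict) -> bytes:
    """Deterministic encoding so client and server HMAC the same bytes."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def build_spa_packet(username: str, user_key: bytes, source_cid: bytes, cid_validity_s: int,
                     client_ip: str, request_port: int, timestamp: int) -> bytes:
    """Client side of S301: the Table 1 fields, authenticated with an HMAC keyed
    by the user's pre-set shared key (the "KEY / HMAC" row)."""
    body = {
        "timestamp": int(timestamp),
        "version": SPA_VERSION,
        "username": username,
        "message_type": "UDP",
        "request_port": request_port,
        "random": secrets.token_hex(8),      # "random characters": makes each knock unique
        "client_ip": client_ip,
        "source_cid": source_cid.hex(),
        "cid_validity_s": cid_validity_s,
        "firewall_rule": "ACCEPT",
    }
    tag = hmac.new(user_key, canonical(body), hashlib.sha256).hexdigest()
    return json.dumps({"body": body, "hmac": tag}).encode()


class SpaServer:
    def __init__(self, server_key: bytes, user_keys: Dict[str, bytes]) -> None:
        self.server_key = server_key      # server private key used when deriving the destination CID
        self.user_keys = user_keys        # pre-set shared key per user
        self.seen: set = set()            # (username, random) already accepted: replay defence
        self.authorized: Dict[bytes, Tuple[int, bytes]] = {}  # destination CID -> (expiry, source CID)
        self.ip_acl: set = set()          # S305: source IPs opened on the firewall

    def verify(self, raw: bytes, now: int) -> Tuple[bool, str, dict]:
        """S302 / [0055]: shared-key HMAC, timestamp window, CID well-formedness, replay."""
        try:
            pkt = json.loads(raw)
            body, tag = pkt["body"], pkt["hmac"]
            key = self.user_keys.get(body["username"])
            if key is None:
                return False, "unknown user", body
            expected = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
            if not hmac.compare_digest(expected, tag):
                return False, "bad hmac", body
            if abs(now - int(body["timestamp"])) > TIMESTAMP_WINDOW_S:
                return False, "stale timestamp", body
            if len(bytes.fromhex(body["source_cid"])) != CID_LEN:
                return False, "bad cid length", body
            if (body["username"], body["random"]) in self.seen:
                return False, "replay", body
            return True, "ok", body
        except (KeyError, TypeError, ValueError, AttributeError):
            return False, "malformed", {}

    def derive_dest_cid(self, source_cid: bytes, now: int) -> bytes:
        """[0059] / [0075]: keep the association with the client CID while adding
        entropy: HMAC(server_key, source_cid || timestamp || nonce) truncated to
        CID_LEN. A keyed MAC, not a plain hash, so seeing the source CID does
        not let an observer recompute the destination CID."""
        nonce = secrets.token_bytes(8)
        mac = hmac.new(self.server_key, source_cid + str(now).encode() + nonce, hashlib.sha256).digest()
        return mac[:CID_LEN]

    def handle_knock(self, raw: bytes, src_ip: str, now: int) -> Optional[bytes]:
        """S302-S305: verify, derive and record the destination CID, open the firewall."""
        ok, _reason, body = self.verify(raw, now)
        if not ok:
            return None
        self.seen.add((body["username"], body["random"]))
        source_cid = bytes.fromhex(body["source_cid"])
        dest_cid = self.derive_dest_cid(source_cid, now)
        self.authorized[dest_cid] = (now + int(body["cid_validity_s"]), source_cid)
        self.ip_acl.add(src_ip)           # S305: the ACL entry is still per source IP
        return dest_cid                   # S304: returned to the client

    def ip_gate(self, src_ip: str) -> bool:
        """Related-art UDP-SPA check ([0004]): anyone behind an authorized SNAT IP passes."""
        return src_ip in self.ip_acl

    def cid_gate(self, dest_cid: bytes, now: int) -> bool:
        """S306 check in this scheme: the connection must present an authorized,
        unexpired destination CID; the source IP is not consulted."""
        entry = self.authorized.get(dest_cid)
        return entry is not None and now < entry[0]


def demo(now: int = 1_700_000_000) -> dict:
    """Alice and Mallory share one SNAT address; only Alice knocked."""
    alice_key = b"alice-shared-key"       # constructed pre-set shared key
    server = SpaServer(secrets.token_bytes(32), {"Alice": alice_key})
    nat_ip = "203.0.113.7"
    alice_cid = secrets.token_bytes(CID_LEN)
    pkt = build_spa_packet("Alice", alice_key, alice_cid, 1800, "192.168.0.10", 62201, now)
    dest = server.handle_knock(pkt, nat_ip, now)
    mallory_cid = secrets.token_bytes(CID_LEN)   # Mallory never knocked; she guesses a CID
    return {
        "alice_authorized": dest is not None,
        "replay_rejected": server.handle_knock(pkt, nat_ip, now + 1) is None,
        "ip_gate_admits_mallory": server.ip_gate(nat_ip),          # the SNAT amplification hole
        "cid_gate_blocks_mallory": not server.cid_gate(mallory_cid, now + 1),
        "cid_gate_admits_alice": server.cid_gate(dest, now + 1),
        "alice_after_expiry": server.cid_gate(dest, now + 1801),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Two checks the patent text leaves implicit are worth keeping: the "random characters" field is recorded per accepted knock so a captured SPA packet cannot be replayed inside the timestamp window, and the destination CID is derived with a keyed MAC so that an observer of the UDP+CID packet (the source CID travels in the clear) cannot predict the server's CID. The S305 firewall entry still has to be opened per IP, since that is what the packet filter can see; the CID gate is what stops a second host behind the same NAT from riding on it.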
[0081] In one embodiment of this disclosure, the signaling interaction process described above can be modularized. Specifically, it includes a UDP+CID knock authentication module and a QUIC protocol transmission module, wherein the UDP+CID knock authentication module, as part of the SDP pre-knock authentication, can include a UDP+CID knock authentication module on the client and a UDP+CID knock authentication module on the server.
[0082] In one embodiment of this disclosure, the UDP+CID knock authentication module on the client carries the user's identity information and the source CID of the current connection in the authentication information to facilitate identity verification. The source CID can be a CID randomly generated according to a pre-set field length, independent of the IP address. The UDP+CID knock authentication module on the server completes the verification of the SPA packet and, after successful verification, generates the corresponding server-side destination CID based on the source CID.
[0083] In one embodiment of this disclosure, the QUIC protocol transmission module is used to provide network connection and data transmission based on the QUIC protocol after SPA authentication. Specifically, Figure 4 is a schematic diagram of the data packet structure of the QUIC protocol in an embodiment of this disclosure. As shown in Figure 4, the UDP Header is the UDP header used to carry the data packet over the network and includes fields such as source port, destination port, length, and checksum. The Packet Header is the QUIC protocol-specific header used to identify basic information about the QUIC packet, which may include the version number, packet type, and so on. The QUIC protocol header further includes the following fields: Source CID, the client's connection ID, used to uniquely identify the client; Destination CID, the server's connection ID, used to uniquely identify the server; and Payload, containing the actual data or control information. The Packet Header, Source CID, Destination CID, and Payload are encrypted with TLS for transmission to ensure data security.
[0084] In one embodiment of this disclosure, as the payload of a UDP packet, the QUIC protocol identifies each connection in the header based on the destination CID, rather than the traditional source and destination IP addresses. After the initial knock-on authentication completes the negotiation of the source and destination CIDs, subsequent communication can identify each connection based on the single identifier of the destination CID, and establish reliable transmission over a TLS tunnel on top of UDP. During the connection's validity period (i.e., within the source CID's validity period), a continuous connection unaffected by changes in the network IP can be achieved. After the validity period, the connection can be maintained by initiating UDP+CID SPA authentication again on the client side based on the existing source CID, or authentication can be initiated to start a new connection after a disconnection.
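To make the CID-keyed identification described in paragraphs [0083] and [0084] concrete, here is an added Python example; it is not code from the patent or its applicant. It uses a simplified long-header layout (first byte, version, length-prefixed Destination CID and Source CID, then payload) modelled on QUIC's, omits the TLS encryption and header protection the patent mentions, and the constant FIRST_BYTE, the function and class names, and the sample CIDs and addresses are all constructed assumptions. The connection table looks a datagram up by Destination CID alone, so a packet arriving from a new source address is still delivered to the same connection (and flagged as migrated), while a packet with an unknown CID or a CID pair that was not bound at knock time is dropped rather than being associated with an IP address.

```python
import struct

FIRST_BYTE = 0xC0   # assumed marker for a long-header packet (simplified, not the exact RFC 9000 bit layout)
MAX_CID_LEN = 20    # QUIC limits a connection ID to 20 bytes


def build_packet(dest_cid: bytes, source_cid: bytes, payload: bytes, version: int = 1) -> bytes:
    """Serialise: first byte | version (4) | DCID len (1) | DCID | SCID len (1) | SCID | payload."""
    for cid in (dest_cid, source_cid):
        if not 1 <= len(cid) <= MAX_CID_LEN:
            raise ValueError("CID length must be 1..20 bytes")
    header = struct.pack("!BI", FIRST_BYTE, version)
    header += bytes([len(dest_cid)]) + dest_cid + bytes([len(source_cid)]) + source_cid
    return header + payload


def parse_packet(data: bytes) -> dict:
    """Inverse of build_packet; raises ValueError on a malformed or truncated header."""
    if len(data) < 7:
        raise ValueError("truncated header")
    first, version = struct.unpack("!BI", data[:5])
    if first != FIRST_BYTE:
        raise ValueError("unexpected first byte")
    pos = 5
    dcid_len = data[pos]
    pos += 1
    dest_cid = data[pos:pos + dcid_len]
    pos += dcid_len
    if len(dest_cid) != dcid_len or pos >= len(data):
        raise ValueError("truncated destination CID")
    scid_len = data[pos]
    pos += 1
    source_cid = data[pos:pos + scid_len]
    pos += scid_len
    if len(source_cid) != scid_len:
        raise ValueError("truncated source CID")
    return {"version": version, "dest_cid": dest_cid, "source_cid": source_cid, "payload": data[pos:]}


class ConnectionTable:
    """Server side: a datagram is matched to a connection by its Destination CID,
    never by the (ip, port) tuple it arrived from, so an address change keeps the connection."""

    def __init__(self) -> None:
        self._conns = {}

    def register(self, server_cid: bytes, client_cid: bytes) -> None:
        """Bind the CID pair negotiated during the SPA knock (destination CID -> source CID)."""
        self._conns[server_cid] = {"client_cid": client_cid, "last_addr": None, "packets": 0}

    def dispatch(self, datagram: bytes, src_addr: tuple):
        """Return the delivered payload and a migration flag, or None if the packet is dropped."""
        try:
            pkt = parse_packet(datagram)
        except ValueError:
            return None
        conn = self._conns.get(pkt["dest_cid"])
        if conn is None or pkt["source_cid"] != conn["client_cid"]:
            return None  # unknown CID or CID pair not bound at knock time: drop, do not learn from the IP
        migrated = conn["last_addr"] is not None and conn["last_addr"] != src_addr
        conn["last_addr"] = src_addr
        conn["packets"] += 1
        return {"dest_cid": pkt["dest_cid"], "payload": pkt["payload"], "migrated": migrated}


def demo() -> dict:
    """Constructed walk-through: same CID pair from two addresses, then an unknown CID."""
    server_cid, client_cid = b"\x53" * 8, b"\x43" * 8  # constructed sample CIDs
    table = ConnectionTable()
    table.register(server_cid, client_cid)
    first = table.dispatch(build_packet(server_cid, client_cid, b"hello"), ("10.0.0.1", 5000))
    moved = table.dispatch(build_packet(server_cid, client_cid, b"still me"), ("192.0.2.7", 6000))
    bogus = table.dispatch(build_packet(b"\x58" * 8, client_cid, b"?"), ("10.0.0.1", 5000))
    return {"first": first, "moved": moved, "bogus": bogus}
```

The point the patent makes in [0084] is visible in `demo()`: the second datagram comes from a different address and port but carries the same Destination CID, so it lands on the same connection, whereas the third datagram is discarded because no connection was ever bound to that CID.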
[0085] In one embodiment of this disclosure, knock-on authentication performs single authentication based on the connection identifier, replacing traditional authentication based on the client IP, thus avoiding the amplification vulnerability caused by shared IP exits. Furthermore, after knock-on authentication, a communication connection is established and maintained based on the QUIC protocol using an IP-independent CID. Subsequent business access from both the client and server relies on this connection, ensuring end-to-end access continuity even in environments with changing network IPs.
[0086] Figure 5 is a flowchart of another communication connection establishment method in an embodiment of the present invention. As shown in Figure 5, the method includes the following steps:
[0087] S501, the client sends an SPA packet to the server.
[0088] In one embodiment of this disclosure, the SPA knock packet carries the client's authentication information and source CID.
[0089] S502: the server extracts the authentication information from the SPA packet and verifies whether the client passes authentication. If authentication succeeds, proceed to S503; otherwise, return to S501.
[0090] S503: The server generates a destination CID based on the obtained source CID and returns the destination CID to the client.
[0091] In one embodiment of this disclosure, the target CID is an identifier used to establish a subsequent communication connection.
[0092] S504: The client establishes a TLS connection between the client and server based on the QUIC protocol on top of UDP packet transmission.
[0093] In one embodiment of this disclosure, the identification of data packets between the client and the server relies on CID rather than IP address.
[0094] S505: the client monitors whether its IP address has changed. If not, proceed to S506; if so, proceed to S507.
[0095] S506: the connection between the client and the server is maintained unchanged.
[0096] S507: The client confirms whether it needs to continue the connection. If yes, proceed to S508; otherwise, proceed to S509.
[0097] In one embodiment of this disclosure, the connection duration of the client can be preset. That is, within the preset duration, the client is required to continue the connection by default, and beyond the preset duration, the client is not required to maintain the connection by default.
[0098] S508: The client verifies whether the source CID is still valid. If yes, proceed to S506; otherwise, proceed to S501.
[0099] S509: the client sends a termination SPA packet with a very short validity time to the server.
[0100] In one embodiment of this disclosure, the SPA termination packet is used by the client to actively disconnect the communication connection with the server.
[0101] As described above, in this embodiment, after the client sends an authentication request to the server, the server verifies whether the first connection identifier carried in the request is valid. If valid, the server generates a second connection identifier based on the first connection identifier and returns it to the client, enabling the client to establish a communication connection between the client and the server based on the second connection identifier and the QUIC protocol. This embodiment can maintain the continuity of access between the client and the server even when the IP address changes, thus improving security during the access process.
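The Figure 5 flow (S501 to S509), as an added Python simulation; this is example code written for this page, not the patent's own implementation. The assumptions it makes are labelled: the SPA packet is authenticated by an HMAC-SHA256 tag over its fields under a pre-shared key, the server derives the destination CID from the source CID with a keyed hash, the validity period is a fixed number of seconds, the firewall adjustment of S305 is modelled as a set of admitted identities, and the QUIC handshake itself is represented only by a flag. The client keeps its connection across an IP change while the source CID is within its validity period, re-knocks with the same source CID once it has expired, and sends a short-lived termination packet when it no longer needs the connection.

```python
import hashlib
import hmac
import os

CID_LEN = 8                # assumed pre-set CID field length in bytes
CID_TTL_SECONDS = 300      # assumed validity period of a source CID
TERMINATE_TTL_SECONDS = 2  # the "very short effective time" of the termination SPA packet
TAG_LEN = 32               # HMAC-SHA256 tag appended to every SPA packet


def make_spa_packet(psk: bytes, identity: bytes, source_cid: bytes, now: int,
                    terminate: bool = False) -> bytes:
    """Build a UDP+CID SPA packet: kind|identity|cid_hex|timestamp|ttl followed by an HMAC tag."""
    kind = b"TERM" if terminate else b"AUTH"
    ttl = TERMINATE_TTL_SECONDS if terminate else CID_TTL_SECONDS
    body = b"|".join([kind, identity, source_cid.hex().encode(), str(now).encode(), str(ttl).encode()])
    return body + hmac.new(psk, body, hashlib.sha256).digest()


class Server:
    def __init__(self, psk: bytes, known_identities: set, cid_secret: bytes) -> None:
        self.psk = psk
        self.known = known_identities
        self.cid_secret = cid_secret
        self.sessions = {}  # source CID -> {"dest_cid", "identity", "expires"}
        self.acl = set()    # identities currently admitted by the firewall (S305)

    def handle_spa(self, packet: bytes, now: int):
        """S502/S503: verify the knock. Returns the destination CID, b"" for a
        termination, or None when verification fails (the client goes back to S501)."""
        if len(packet) <= TAG_LEN:
            return None
        body, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
        if not hmac.compare_digest(tag, hmac.new(self.psk, body, hashlib.sha256).digest()):
            return None
        fields = body.split(b"|")
        if len(fields) != 5:
            return None
        kind, identity, cid_hex, ts, ttl = fields
        try:
            source_cid = bytes.fromhex(cid_hex.decode())
            ts, ttl = int(ts), int(ttl)
        except ValueError:
            return None
        if identity not in self.known or len(source_cid) != CID_LEN:
            return None
        if abs(now - ts) > ttl:  # stale or replayed packet
            return None
        if kind == b"TERM":      # S509: the client actively tears the connection down
            sess = self.sessions.pop(source_cid, None)
            if sess:
                self.acl.discard(sess["identity"])
            return b""
        if kind != b"AUTH":
            return None
        # Destination CID derived from the source CID (assumption: keyed-hash derivation)
        dest_cid = hmac.new(self.cid_secret, source_cid, hashlib.sha256).digest()[:CID_LEN]
        self.sessions[source_cid] = {"dest_cid": dest_cid, "identity": identity, "expires": now + ttl}
        self.acl.add(identity)
        return dest_cid


class Client:
    def __init__(self, psk: bytes, identity: bytes, server: Server) -> None:
        self.psk, self.identity, self.server = psk, identity, server
        self.source_cid = os.urandom(CID_LEN)  # random, independent of the IP address
        self.dest_cid = None
        self.cid_expires = None
        self.ip = None
        self.connected = False

    def knock(self, now: int, ip: str) -> bool:
        """S501 to S504: send the SPA packet, accept the destination CID, and treat the
        QUIC/TLS connection as established (the handshake itself is out of scope here)."""
        self.ip = ip
        resp = self.server.handle_spa(make_spa_packet(self.psk, self.identity, self.source_cid, now), now)
        if not resp:
            return False
        self.dest_cid = resp
        self.cid_expires = now + CID_TTL_SECONDS
        self.connected = True
        return True

    def on_network_event(self, new_ip: str, now: int, want_connection: bool = True) -> str:
        """S505 to S509: react to a possible IP change."""
        if new_ip == self.ip:
            return "unchanged"  # S506
        self.ip = new_ip
        if not want_connection:  # S507 -> S509
            pkt = make_spa_packet(self.psk, self.identity, self.source_cid, now, terminate=True)
            self.server.handle_spa(pkt, now)
            self.connected = False
            return "terminated"
        if self.cid_expires is not None and now < self.cid_expires:  # S508: CID still valid -> S506
            return "migrated"
        return "reknocked" if self.knock(now, new_ip) else "failed"  # S508: CID expired -> S501
```

Because the source CID is chosen by the client and reused for re-authentication, the server never needs to remember which IP address a client came from; the only state it keeps is the CID pair and its expiry, and the short TTL on the termination packet limits how long a captured copy of it stays usable.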
[0102] Figure 6 is a schematic structural diagram of a communication system according to an embodiment of the present disclosure. As shown in Figure 6, the system includes: a client 601 and a server 602.
[0103] The client 601 is used to send an authentication request to the server 602. The authentication request carries the client 601's identity information and a first connection identifier. The first connection identifier is used by the client 601 to establish a Quick User Datagram Protocol Internet connection (QUIC) connection with the server 602 and is a unique identifier for the client 601.
[0104] Server 602 is used to receive authentication requests sent by client 601;
[0105] The server 602 is also used to verify whether the first connection identifier is valid according to the predetermined verification rules. If it is valid, the server generates a second connection identifier based on the first connection identifier and returns the second connection identifier to the client 601. The second connection identifier is used by the client 601 to establish a QUIC connection with the server 602 and is used to uniquely identify the server 602.
[0106] The client 601 is also used to establish a communication connection between the client 601 and the server 602 according to the second connection identifier and the QUIC protocol if it receives the second connection identifier returned by the server 602.
[0107] As described above, in this embodiment, after the client sends an authentication request to the server, the server verifies whether the first connection identifier carried in the request is valid. If valid, the server generates a second connection identifier based on the first connection identifier and returns it to the client, enabling the client to establish a communication connection between the client and the server based on the second connection identifier and the QUIC protocol. This embodiment can maintain the continuity of access between the client and the server even when the IP address changes, thus improving security during the access process.
[0108] Based on the same inventive concept, this disclosure also provides a terminal device, as described in the following embodiments. Since the principle by which this device embodiment solves the problem is similar to that of the above-described method embodiment, the implementation of this device embodiment can refer to the implementation of the above-described method embodiment, and repeated details will not be elaborated further.
[0109] Figure 7 is a schematic structural diagram of a terminal device according to an embodiment of the present disclosure. As shown in Figure 7, the device includes: an authentication request sending module 701, a connection identifier detection module 702, and a communication connection establishment module 703.
[0110] The authentication request sending module 701 is used to send an authentication request to the server. The authentication request carries the client's identity information and a first connection identifier. The first connection identifier is used to establish a Quick User Datagram Protocol (QUIC) connection between the client and the server and is a unique identifier of the client. The connection identifier detection module 702 is used to monitor whether a second connection identifier returned by the server is received. The second connection identifier is a connection identifier generated by the server based on the first connection identifier. The second connection identifier is used to establish a QUIC connection between the client and the server and is a unique identifier of the server. The communication connection establishment module 703 is used to establish a communication connection between the client and the server according to the second connection identifier and the QUIC protocol if the second connection identifier returned by the server is received.
[0111] As described above, in this embodiment, the client sends an authentication request to the server and monitors whether it receives a second connection identifier returned by the server. If so, a communication connection is established between the client and the server based on the second connection identifier and the QUIC protocol. This embodiment can maintain the continuity of access between the client and the server even when the IP address changes, thus improving security during the access process.
[0112] In one embodiment of this disclosure, the device further includes: a secondary authentication request sending module 704, configured to resend an authentication request to the server within a preset time period if a second connection identifier is not received from the server, until a second connection identifier is received from the server.
[0113] In one embodiment of this disclosure, the apparatus further includes: an IP address detection module 705, configured to detect whether the client's IP address has changed; if the client's IP address has changed, verify whether the first connection identifier is valid; if yes, maintain the communication connection between the client and the server; if no, resend the authentication request to the server to re-establish the communication connection between the client and the server.
[0114] Based on the same inventive concept, this disclosure also provides a server, as described in the following embodiments. Since the principle by which this device embodiment solves the problem is similar to that of the above-described method embodiment, the implementation of this device embodiment can refer to the implementation of the above-described method embodiment, and repeated details will not be elaborated further.
[0115] Figure 8 is a schematic structural diagram of a server according to an embodiment of the present disclosure. As shown in Figure 8, the server includes: an authentication request receiving module 801, a connection identifier verification module 802, and a connection identifier return module 803.
[0116] The authentication request receiving module 801 is used to receive an authentication request sent by the client. The authentication request carries the client's identity information and a first connection identifier. The first connection identifier is used to establish a Quick User Datagram Protocol (QUIC) Internet connection between the client and the server and is a unique identifier of the client. The connection identifier verification module 802 is used to verify whether the first connection identifier is valid according to a predetermined verification rule. The connection identifier return module 803 is used to generate a second connection identifier based on the first connection identifier if the first connection identifier is valid, and return the second connection identifier to the client. The second connection identifier is used to establish a QUIC connection between the client and the server and is a unique identifier of the server.
[0117] As described above, in this embodiment of the present disclosure, after receiving an authentication request from the client, the server verifies whether the first connection identifier carried in the request is valid according to a predetermined authentication rule. If valid, the server generates a second connection identifier based on the first connection identifier and returns it to the client. This embodiment of the present disclosure can maintain the continuity of access between the client and the server even when the IP address changes, thereby improving the security of the access process.
[0118] Those skilled in the art will understand that various aspects of this disclosure can be implemented as a system, method, or program product. Therefore, various aspects of this disclosure can be specifically implemented in the following forms: a completely hardware implementation, a completely software implementation (including firmware, microcode, etc.), or a combination of hardware and software aspects, collectively referred to herein as a "circuit," "module," or "system."
[0119] An electronic device 900 according to such an embodiment of the present disclosure is described below with reference to Figure 9. The electronic device 900 shown in Figure 9 is merely an example and should not impose any limitation on the functionality and scope of use of the embodiments disclosed herein.
[0120] As shown in Figure 9, the electronic device 900 takes the form of a general-purpose computing device. The components of the electronic device 900 may include, but are not limited to: at least one processing unit 910, at least one storage unit 920, and a bus 930 connecting different system components (including the storage unit 920 and the processing unit 910).
[0121] The storage unit stores program code that can be executed by the processing unit 910, causing the processing unit 910 to perform the steps described in the "Exemplary Methods" section above according to various exemplary embodiments of this disclosure.
[0122] In one embodiment of this disclosure, when the electronic device 900 is a terminal device, the processing unit 910 can perform the following steps of the above method embodiment: sending an authentication request to the server, wherein the authentication request carries the client's identity information and a first connection identifier, the first connection identifier being used by the client to establish a Quick User Datagram Protocol Internet Connection (QUIC) connection with the server and uniquely identifying the client; monitoring whether a second connection identifier returned by the server is received, wherein the second connection identifier is a connection identifier generated by the server based on the first connection identifier, the second connection identifier being used by the client to establish a QUIC connection with the server and uniquely identifying the server; if the second connection identifier returned by the server is received, then establishing a communication connection between the client and the server according to the second connection identifier and the QUIC protocol.
[0123] In one embodiment of this disclosure, when the electronic device 900 is a server, the processing unit 910 can perform the following steps of the above method embodiment: receiving an authentication request sent by a client, wherein the authentication request carries the client's identity information and a first connection identifier, the first connection identifier being used by the client to establish a Quick User Datagram Protocol Internet Connection (QUIC) connection with the server and uniquely identifying the client; verifying whether the first connection identifier is valid according to a predetermined verification rule; if so, generating a second connection identifier based on the first connection identifier and returning the second connection identifier to the client, wherein the second connection identifier is used by the client to establish a QUIC connection with the server and uniquely identifies the server.
[0124] Storage unit 920 may include readable media in the form of volatile storage units, such as random access memory (RAM) 9201 and/or cache memory 9202, and may further include read-only memory (ROM) 9203.
[0125] Storage unit 920 may also include a program/utility 9204 having a set (at least one) of program modules 9205; such program modules 9205 include, but are not limited to, an operating system, one or more application programs, other program modules and program data, and each or some combination of these examples may include an implementation of a network environment.
[0126] Bus 930 can represent one or more of several types of bus structures, including a memory cell bus or memory cell controller, a peripheral bus, a graphics acceleration port, a processing unit, or a local bus using any of the various bus structures.
[0127] Electronic device 900 can also communicate with one or more external devices 940 (e.g., keyboard, pointing device, Bluetooth device, etc.), with one or more devices that enable a user to interact with electronic device 900, and/or with any device that enables electronic device 900 to communicate with one or more other computing devices (e.g., router, modem, etc.). This communication can be performed via input/output (I/O) interface 950. Furthermore, electronic device 900 can also communicate with one or more networks (e.g., a local area network (LAN), a wide area network (WAN), and/or a public network such as the Internet) via network adapter 960. As shown, network adapter 960 communicates with other modules of electronic device 900 via bus 930. It should be understood that, although not shown in the figures, other hardware and/or software modules can be used in conjunction with electronic device 900, including but not limited to: microcode, device drivers, redundant processing units, external disk drive arrays, RAID systems, tape drives, and data backup storage systems.
[0128] From the above description of the embodiments, those skilled in the art will readily understand that the exemplary embodiments described herein can be implemented by software or by combining software with necessary hardware. Therefore, the technical solutions according to the embodiments of this disclosure can be embodied in the form of a software product, which can be stored in a non-volatile storage medium (such as a CD-ROM, USB flash drive, external hard drive, etc.) or on a network, including several instructions to cause a computing device (such as a personal computer, server, terminal device, or network device, etc.) to execute the methods according to the embodiments of this disclosure.
[0129] Based on the same inventive concept, this disclosure also provides a computer-readable storage medium storing a computer program that, when executed by a processor, implements the communication connection establishment method described above. Since the principle by which this computer-readable storage medium embodiment solves the problem is similar to that of the above method embodiments, the implementation of this computer-readable storage medium embodiment can refer to the implementation of the above method embodiments, and repeated details will not be elaborated further.
[0130] More specific examples of computer-readable storage media in this disclosure may include, but are not limited to: electrical connections having one or more wires, portable computer disks, hard disks, random access memory (RAM), read-only memory (ROM), erasable programmable read-only memory (EPROM or flash memory), optical fiber, portable compact disk read-only memory (CD-ROM), optical storage devices, magnetic storage devices, or any suitable combination of the foregoing.
[0131] In this disclosure, a computer-readable storage medium may include a data signal propagated in baseband or as part of a carrier wave, carrying readable program code. Such a propagated data signal may take various forms, including but not limited to an electromagnetic signal, an optical signal, or any suitable combination thereof. A readable signal medium may also be any readable medium other than a readable storage medium that is capable of transmitting, propagating, or transporting a program for use by or in connection with an instruction execution system, apparatus, or device.
[0132] Optionally, the program code contained on the computer-readable storage medium may be transmitted using any suitable medium, including but not limited to wireless, wired, optical fiber, RF, etc., or any suitable combination thereof.
[0133] In practical implementation, program code for performing the operations of this disclosure can be written in any combination of one or more programming languages, including object-oriented programming languages such as Java and C++, and conventional procedural programming languages such as C or similar languages. The program code can execute entirely on the user's computing device, partially on the user's device, as a standalone software package, partially on the user's computing device and partially on a remote computing device, or entirely on a remote computing device or server. In cases involving remote computing devices, the remote computing device can be connected to the user's computing device via any type of network, including a local area network (LAN) or a wide area network (WAN), or it can be connected to an external computing device (e.g., via the Internet using an Internet service provider).
[0134] Based on the same inventive concept, this disclosure also provides a computer program product, including a computer program or instructions, which, when executed by a processor, implements the communication connection establishment method of any one of the above method embodiments. Since the principle by which this computer program product embodiment solves the problem is similar to that of the above method embodiments, the implementation of this computer program product embodiment can refer to the implementation of the above method embodiments, and repeated details will not be elaborated further.
[0135] It should be noted that although several modules or units for the device used to perform actions have been mentioned in the detailed description above, this division is not mandatory. In fact, according to embodiments of this disclosure, the features and functions of two or more modules or units described above can be embodied in one module or unit. Conversely, the features and functions of one module or unit described above can be further divided and embodied by multiple modules or units.
[0136] Furthermore, although the steps of the method in this disclosure are described in a specific order in the accompanying drawings, this does not require or imply that the steps must be performed in that specific order, or that all the steps shown must be performed to achieve the desired result. Additional or alternative steps may be omitted, multiple steps may be combined into one step, and / or a step may be broken down into multiple steps.
[0137] From the above description of the embodiments, those skilled in the art will readily understand that the exemplary embodiments described herein can be implemented by software or by combining software with necessary hardware. Therefore, the technical solutions according to the embodiments of this disclosure can be embodied in the form of a software product, which can be stored in a non-volatile storage medium (such as a CD-ROM, USB flash drive, external hard drive, etc.) or on a network, including several instructions to cause a computing device (such as a personal computer, server, mobile terminal, or network device, etc.) to execute the methods according to the embodiments of this disclosure.
[0138] Other embodiments of this disclosure will readily occur to those skilled in the art upon consideration of the specification and practice of the invention disclosed herein. This disclosure is intended to cover any variations, uses, or adaptations of this disclosure that follow the general principles of this disclosure and include common knowledge or customary techniques in the art not disclosed herein. The specification and examples are to be considered exemplary only, and the true scope and spirit of this disclosure are indicated by the appended claims.
Claims
1. A method for establishing a communication connection, characterized in that, applied to the client side, it comprises: sending an authentication request based on the Single Packet Authorization (SPA) protocol to the server, wherein the authentication request carries the client's identity information and a first connection identifier, the first connection identifier is used by the client to establish a Quick User Datagram Protocol Internet Connection (QUIC) connection with the server and is a unique identifier of the client, the authentication request is a knock-on authentication packet of the Single Packet Authorization (SPA) protocol, and the SPA packet is used to perform zero-trust authentication on the client before establishing a QUIC connection; monitoring whether a second connection identifier is received from the server, wherein the second connection identifier is a connection identifier generated by the server based on the first connection identifier, the second connection identifier is associated with the first connection identifier, and the second connection identifier is used by the client to establish a QUIC connection with the server and is a unique identifier of the server; if a second connection identifier is received from the server, establishing a communication connection between the client and the server based on the second connection identifier and the QUIC protocol; after establishing the communication connection between the client and the server based on the second connection identifier and the QUIC protocol, the method further comprises: detecting whether the client's IP address has changed; if the client's IP address has changed, verifying whether the first connection identifier is valid; if so, maintaining the communication connection between the client and the server; if not, resending the authentication request to the server to re-establish the communication connection between the client and the server; the first connection identifier has a validity period, and the method further comprises: verifying whether the first connection identifier is within its validity period; if so, maintaining the communication connection between the client and the server; if not, sending an SPA packet to the server to re-establish the communication connection between the client and the server.
2. The communication connection establishment method according to claim 1, characterized in that, after monitoring whether a second connection identifier is received from the server, the method further comprises: if the second connection identifier is not received from the server, resending the authentication request to the server within a preset time period until the second connection identifier is received from the server.
3. A method for establishing a communication connection, characterized in that, applied to the server side, it comprises: receiving an authentication request sent by a client based on the Single Packet Authorization (SPA) protocol, wherein the authentication request carries the client's identity information and a first connection identifier, the first connection identifier is used by the client to establish a Quick User Datagram Protocol Internet Connection (QUIC) connection with the server and is used to uniquely identify the client, the authentication request is a knock-on authentication packet of the Single Packet Authorization (SPA) protocol, and the SPA packet is used to perform zero-trust authentication on the client before establishing a QUIC connection; verifying whether the first connection identifier is valid according to predetermined verification rules; if so, generating a second connection identifier based on the first connection identifier and returning the second connection identifier to the client, wherein the second connection identifier is associated with the first connection identifier, and the second connection identifier is used by the client to establish a QUIC connection with the server and is a unique identifier of the server; the first connection identifier has a validity period, and after the client and the server establish a QUIC connection, the method further comprises: when the client resends the authentication request, re-executing the step of verifying whether the first connection identifier is valid according to the predetermined verification rules, wherein the resent authentication request is resent by the client when it detects that the client's IP address has changed or that the first connection identifier is invalid.
4. A communication system, characterized in that it comprises: a client and a server; the client is used to send an authentication request based on the Single Packet Authorization (SPA) protocol to the server, wherein the authentication request carries the client's identity information and a first connection identifier, the first connection identifier is used by the client to establish a Quick User Datagram Protocol Internet Connection (QUIC) connection with the server and is used to uniquely identify the client, the authentication request is a knock-on authentication packet of the Single Packet Authorization (SPA) protocol, and the SPA packet is used to perform zero-trust authentication on the client before establishing a QUIC connection; the server is used to receive the authentication request sent by the client; the server is further configured to verify whether the first connection identifier is valid according to a predetermined verification rule, and, if it is valid, to generate a second connection identifier based on the first connection identifier and return the second connection identifier to the client, wherein the second connection identifier is associated with the first connection identifier and is used by the client to establish a QUIC connection with the server and to uniquely identify the server; the client is further configured to, if it receives the second connection identifier returned by the server, establish a communication connection between the client and the server according to the second connection identifier and the QUIC protocol; the client is also used to detect whether the client's IP address has changed; if the client's IP address has changed, it verifies whether the first connection identifier is valid; if so, it maintains the communication connection between the client and the server; if not, it resends the authentication request to the server to re-establish the communication connection between the client and the server; the first connection identifier has a validity period, and the client is also used to verify whether the first connection identifier is within the validity period; if it is, the client maintains the communication connection between the client and the server; if not, the client sends an SPA packet to the server to re-establish the communication connection between the client and the server.
5. A terminal device, characterized in that, include: The authentication request sending module is used to send an authentication request based on the Single Packet Authorization (SPA) protocol to the server. The authentication request carries the client's identity information and a first connection identifier. The first connection identifier is used by the client to establish a Quick User Datagram Protocol (QUIC) connection with the server and is used to uniquely identify the client. The authentication request is a knock-on authentication packet of the Single Packet Authorization (SPA) protocol. The SPA packet is used to perform zero-trust authentication on the client before establishing a QUIC connection. The connection identifier detection module is used to monitor whether a second connection identifier is received from the server. The second connection identifier is a connection identifier generated by the server based on the first connection identifier. The second connection identifier is associated with the first connection identifier. The second connection identifier is used by the client to establish a QUIC connection with the server and is a unique identifier of the server. The communication connection establishment module is used to establish a communication connection between the client and the server based on the second connection identifier and the QUIC protocol if the second connection identifier returned by the server is received. The IP address detection module is used to detect whether the client's IP address has changed; if the client's IP address has changed, it verifies whether the first connection identifier is valid; if yes, it maintains the communication connection between the client and the server; if no, it resends the authentication request to the server to re-establish the communication connection between the client and the server. 
The first connection identifier has an expiration period, and the terminal device is further configured to: verify whether the first connection identifier is within the expiration period; if it is, maintain the communication connection between the client and the server; if it is not, send an SPA packet to the server to re-establish the communication connection between the client and the server.
6. A server, characterized in that it comprises: an authentication request receiving module, configured to receive an authentication request sent by the client, wherein the authentication request carries the client's identity information and a first connection identifier, the first connection identifier being used by the client to establish a Quick User Datagram Protocol Internet Connection (QUIC) connection with the server and uniquely identifying the client; a connection identifier verification module, configured to verify whether the first connection identifier is valid according to a predetermined verification rule; and a connection identifier return module, configured to generate a second connection identifier based on the first connection identifier if the first connection identifier is valid, and to return the second connection identifier to the client, wherein the second connection identifier is associated with the first connection identifier, is used by the client to establish a QUIC connection with the server, and uniquely identifies the server. The first connection identifier has an expiration period, and the server is further configured to: when receiving a resent authentication request from the client, re-execute the step of verifying whether the first connection identifier is valid according to the predetermined verification rule; wherein the resent authentication request is resent by the client when it detects that the client's IP address has changed or that the first connection identifier is invalid.
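The client-side modules of claim 5 and the server-side modules of claim 6 together describe one exchange: an SPA knock carrying identity and a first connection identifier, server-side verification, derivation of a second identifier bound to the first, and a session that survives an IP change as long as the first identifier has not expired. The following Python simulation is an added example and is not code from the patent or from China Telecom; it assumes an HMAC-based verification rule, a fixed 300-second expiration period, a keyed-hash derivation of the second identifier, and in-memory message passing in place of real UDP and QUIC, none of which the claims specify. The security-relevant point it makes concrete is that the server keys sessions by connection identifier rather than by source IP, so a path change is just a path update, while an expired identifier forces a fresh knock.

```python
import hmac
import hashlib
import secrets
from typing import Dict, Optional

# Constructed values (assumptions, not from the patent): a pre-shared SPA key per
# client and a server key for deriving the second connection identifier.
SPA_KEYS = {"client-001": b"constructed-spa-key-for-client-001"}
SERVER_CID_KEY = b"constructed-server-cid-key"
CID_TTL = 300  # assumed expiration period (seconds) of the first connection identifier


def build_spa_packet(client_id: str, first_cid: bytes, issued_at: int) -> bytes:
    """SPA knock: identity | first CID | issue time, authenticated with an HMAC tag."""
    body = f"{client_id}|{first_cid.hex()}|{issued_at}".encode()
    tag = hmac.new(SPA_KEYS[client_id], body, hashlib.sha256).hexdigest()
    return body + b"|" + tag.encode()


def derive_second_cid(first_cid: bytes) -> bytes:
    """Bind the second CID to the first via a keyed hash (assumed derivation)."""
    return hmac.new(SERVER_CID_KEY, first_cid, hashlib.sha256).digest()[:16]


class Server:
    def __init__(self) -> None:
        # Sessions are keyed by the second CID, never by the source IP address.
        self.sessions: Dict[bytes, dict] = {}

    def handle_spa(self, packet: bytes, now: int) -> Optional[bytes]:
        """Assumed verification rule: known client, valid HMAC, first CID not expired."""
        try:
            client_id, cid_hex, issued_at, tag = packet.decode().split("|")
        except ValueError:
            return None
        key = SPA_KEYS.get(client_id)
        if key is None:
            return None
        body = f"{client_id}|{cid_hex}|{issued_at}".encode()
        expected = hmac.new(key, body, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, tag):
            return None
        if now - int(issued_at) > CID_TTL:
            return None
        first_cid = bytes.fromhex(cid_hex)
        second_cid = derive_second_cid(first_cid)
        self.sessions[second_cid] = {"client": client_id, "first_cid": first_cid, "path": None}
        return second_cid

    def handle_quic(self, second_cid: bytes, src_ip: str) -> bool:
        """A QUIC packet is accepted by CID lookup; a new source IP only updates the path."""
        session = self.sessions.get(second_cid)
        if session is None:
            return False
        session["path"] = src_ip
        return True


class Client:
    def __init__(self, client_id: str, ip: str) -> None:
        self.client_id = client_id
        self.ip = ip
        self.first_cid = b""
        self.issued_at = 0
        self.second_cid: Optional[bytes] = None

    def authenticate(self, server: Server, now: int) -> bool:
        """Send the SPA knock and, if a second CID comes back, bring up the session."""
        self.first_cid = secrets.token_bytes(16)
        self.issued_at = now
        packet = build_spa_packet(self.client_id, self.first_cid, now)
        self.second_cid = server.handle_spa(packet, now)
        return self.second_cid is not None and server.handle_quic(self.second_cid, self.ip)

    def on_ip_change(self, server: Server, new_ip: str, now: int) -> str:
        """Within the expiration period the session migrates; otherwise knock again."""
        self.ip = new_ip
        if self.second_cid is not None and now - self.issued_at <= CID_TTL:
            if server.handle_quic(self.second_cid, new_ip):
                return "maintained"
        return "reauthenticated" if self.authenticate(server, now) else "failed"


if __name__ == "__main__":
    srv, cli = Server(), Client("client-001", "10.0.0.5")
    print("knock ok:", cli.authenticate(srv, now=0))
    print("after early IP change:", cli.on_ip_change(srv, "10.0.0.6", now=100))
    print("after expiry + IP change:", cli.on_ip_change(srv, "192.168.1.2", now=400))
```

Time is passed explicitly so the expiration check is deterministic; in a deployment the server would also need replay protection on the knock (for example a per-client nonce or monotonically increasing issue time), which this example leaves out because the claims do not describe it.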
7. An electronic device, characterized in that it comprises: a processor; and a memory for storing instructions executable by the processor; wherein the processor is configured to execute the communication connection establishment method according to any one of claims 1 to 3 by executing the executable instructions.
8. A computer-readable storage medium having a computer program stored thereon, characterized in that, when the computer program is executed by a processor, it implements the communication connection establishment method according to any one of claims 1 to 3.
9. A computer program product comprising a computer program or instructions, characterized in that, when executed by a processor, the computer program or instructions implement the communication connection establishment method according to any one of claims 1 to 3.