Communication method, data processing system, and related device
By utilizing historical security context in the Kubernetes data processing system to generate and verify authentication information between nodes, the problem of high latency in inter-node communication is solved, achieving more efficient secure connections and resource utilization.
Patent Information
- Authority / Receiving Office
- WO · WO
- Patent Type
- Applications
- Current Assignee / Owner
- HUAWEI TECH CO LTD
- Filing Date
- 2025-08-05
- Publication Date
- 2026-07-02
AI Technical Summary
In data processing systems such as Kubernetes, the high latency of communication between nodes affects the efficiency of business operations, especially the resource overhead and latency caused by the frequent establishment and disconnection of secure connections when the communication needs between nodes change dynamically.
When a node establishes a secure connection for the first time, it uses the historical security context to generate authentication information and perform verification, avoiding the process of regenerating the security context and directly reusing the historical security context for communication.
It reduces data communication latency between nodes, reduces resource overhead, and improves the efficiency and stability of node operation.
[Figure: CN2025112653_02072026_PF_FP_ABST (abstract figure)]
Abstract
Description
Communication methods, data processing systems and related equipment
[0001] This application claims priority to Chinese Patent Application No. 202411957817.8, filed on December 27, 2024, entitled "Communication Method, Data Processing System and Related Equipment", the entire contents of which are incorporated herein by reference.
Technical Field
[0002] This application relates to the field of communication technology, and in particular to a communication method, a data processing system and related equipment.
Background Technology
[0003] In data processing systems such as Kubernetes, computing devices and other nodes, while running services, can typically communicate with other nodes based on protocols such as Mutual Transport Layer Security (mTLS) to improve communication security between different nodes. The mTLS protocol establishes two-way authentication between different nodes, meaning both communicating parties verify each other's identity to ensure both are legitimate and trustworthy, thereby guaranteeing the security and confidentiality of the communication data.
[0004] Taking the mTLS protocol as an example (other types of protocols are similar), during the process of establishing a secure connection through a handshake, different nodes usually verify each other's certificates, signatures, and parameters used to negotiate keys. After successful verification, a secure transport layer security (TLS) connection is created to exchange encrypted information in order to enable communication between different nodes.
[0005] In real-world applications, the communication needs between different nodes can change dynamically. Specifically, during certain time periods, two nodes may continuously exchange data based on an established secure connection; however, during other time periods, there may be no need for data communication, causing the nodes to disconnect from the secure connection. Throughout the overall data communication process, the latency between these two nodes is relatively high, thus impacting the efficiency of their operational processes.
Summary of the Invention
[0006] This application provides a communication method to reduce communication latency between two nodes and improve the efficiency of node operation. Furthermore, this application also provides a corresponding data processing system, computing device, computer-readable storage medium, and computer program product.
[0007] Firstly, this application provides a communication method applicable to a data processing system, which includes a first node and a second node. Specifically, the first node sends a first message to the second node, such as a message named "Client Hello," which requests a secure connection with the second node. If the first node and the second node are not establishing a secure connection for the first time, the second node generates first authentication information based on a historical security context generated during the establishment of secure connections between the first node and the second node in the past (e.g., a pre-master secret (PMS) generated during a historical handshake). This historical security context is used for secure communication between the first node and the second node. Then, the second node sends a second message to the first node, such as a message named "Server Hello," which includes the first authentication information. The first node verifies the first authentication information according to the historical security context. If the first authentication information is verified, the first node and the second node can successfully establish a secure connection, and the first node and the second node communicate based on the secure connection requested by the first message.
[0008] During the establishment of a secure connection, if the second node determines that this is not the first time it has established a secure connection with the first node, it directly generates authentication information based on the security context used when the first and second nodes established secure connections in the past (i.e., the historical security context). Simultaneously, if the first node determines that this is not the first time it has established a secure connection with the second node, it will also directly verify the authentication information based on this historical security context. This eliminates the need for both the first and second nodes to generate a security context during the initial connection establishment process, thus accelerating the connection establishment process and reducing data communication latency, thereby improving the efficiency of node operations. Furthermore, during subsequent secure connection establishment, the node does not need to generate a security context, effectively reducing resource overhead.
[0009] In one possible implementation, if the first authentication information passes verification, the first node can also send a third message to the second node. This third message could be, for example, a message named "Client Finish," used to terminate the process of establishing a secure connection between the first and second nodes. Thus, after the first authentication information passes verification, the first node can notify the second node of the successful establishment of the secure connection by sending a third message, thereby improving the reliability of the secure connection established between the two parties.
[0010] In one possible implementation, the first message is used to request the establishment of a secure connection with the second node. Specifically, the first message requests a secure connection between a first computing instance in the first node and a second computing instance in the second node. The historical security context is generated during the establishment of secure connections between the first and second nodes in the past time period. Specifically, the historical security context is generated during the establishment of secure connections between a third computing instance in the first node and a fourth computing instance in the second node in the past time period. The historical security context is used for secure communication between the first and second nodes, specifically for secure communication between the third and fourth computing instances. The secure connection requested by the first message is specifically a secure connection between the first computing instance in the first node and the second computing instance in the second node. Thus, the first and second nodes can reuse the historical security context used when establishing a secure connection between the third and fourth computing instances to establish a secure connection between the first and second computing instances, without needing to generate a new security context. This speeds up the process of establishing a secure connection between the two nodes, reducing data communication latency and improving the efficiency of node operation.
[0011] For example, the first computation instance and the third computation instance can be the same computation instance, or the first computation instance and the third computation instance can be different computation instances. The second computation instance and the fourth computation instance can be different computation instances, or the second computation instance and the fourth computation instance can be the same computation instance.
[0012] In one possible implementation, the first node includes a first proxy component, and the second node includes a second proxy component. The first and second proxy components are used to perform a process of establishing a secure connection between the first and second computing instances. Furthermore, the first and second proxy components are also used to perform a process of establishing a secure connection between a third and a fourth computing instance. Thus, each node can utilize the proxy components to establish secure connections between one or more computing instances and computing instances in other nodes, thereby enabling the reuse of the security context corresponding to some computing instances to accelerate the process of establishing secure connections for other computing instances.
[0013] In one possible implementation, the historical security context used to verify the first authentication information can be stored in the kernel of the first node. The first proxy component and the second proxy component are used in kernel mode to execute the process of establishing a secure connection between the computing instances in the first node and the computing instances in the second node. In this way, the two nodes can implement the process of establishing a secure connection for the computing instances in kernel mode, thereby improving the security of establishing a secure connection.
[0014] In one possible implementation, the first message includes the identifier of the first node, and the second message includes the identifier of the second node. Then, after receiving the first message but before generating the first authentication information, the second node can also query the second master secret file based on the identifier of the first node. The second master secret file records the historical security context corresponding to the first node. Furthermore, after receiving the second message but before verifying the first authentication information, the first node can also query the first master secret file based on the identifier of the second node. The first master secret file records the historical security context corresponding to the second node. In this way, the first and second nodes can generate and verify authentication information based on the queried historical security context without needing to perform the process of generating a security context. This not only reduces the resource overhead of these two nodes but also improves the efficiency of establishing a secure connection between them.
[0015] In one possible implementation, the second node can also query the second master secret file based on the identifier of the first node, and if the historical security context corresponding to the first node is found in the second master secret file, it determines that the first node and the second node have not established a secure connection for the first time. Alternatively, the first node can query the first master secret file based on the identifier of the second node, and if the historical security context corresponding to the second node is found in the first master secret file, it determines that the first node and the second node have not established a secure connection for the first time. Or, the first node can determine that the first node and the second node have not established a secure connection for the first time based on the connection identifier in the second message. Or, if the second message does not include the second identity authentication information, the first node determines that the first node and the second node have not established a secure connection for the first time. The second identity authentication information is information used to verify the identity security of the second node.
[0016] In one possible implementation, the second message does not include second identity authentication information, which is information used to verify the identity security of the second node; alternatively, the third message sent by the first node does not include first identity authentication information, which is information used to verify the identity security of the first node, and the third message is used to terminate the process of establishing a secure connection between the first and second nodes. Thus, during the process of establishing a secure connection, the first and second nodes do not need to carry identity authentication information in the messages they send to each other. This not only reduces the bandwidth resources required when the first and second nodes send messages to each other, but also improves the efficiency of establishing a secure connection between the first and second nodes, reduces the latency of establishing a secure connection, and lowers the computational overhead because the identity authentication process is eliminated.
[0017] In one possible implementation, after the first node sends a third message to the second node, if the first node does not have a historical security context, but the second node does, the method further includes: the first node sending a fourth message to the second node, the fourth message requesting the establishment of a secure connection with the second node; the second node sending a fifth message back to the first node, the fifth message not including third authentication information, which is information used to verify the identity security of the second node; if the first node cannot find the historical security context and the fifth message does not include the third authentication information, the first node sending an alarm message (such as an Alert message) to the second node, the alarm message instructing the second node to execute the initial secure connection establishment process; the second node sending a sixth message to the first node, the sixth message including the third authentication information; and the first node sending a seventh message to the second node, the seventh message terminating the secure connection establishment process between the first and second nodes. Thus, if the first and second nodes fail to synchronously save the historical security context due to clock asynchrony or other reasons, the first node can successfully establish a secure connection with the second node by sending an alarm message, thereby improving the stability of the secure connection establishment between the first and second nodes.
[0018] In one possible implementation, the first node verifies the first authentication information based on the historical security context, including: the first node generating a first master key based on the historical security context, the first master key being used to encrypt or decrypt interaction data between the first node and the second node; the first node generating second authentication information based on the first master key; and when the second authentication information matches the first authentication information, the first node determines that the first authentication information has passed verification. The method further includes: the first node storing the identifier of a second computing instance in the second node in a connection-level master key file, corresponding to the first master key, and the second message including the identifier of the second computing instance. Thus, after a secure connection is established between the first node and the second node, the first node can encrypt or decrypt the interaction data based on the stored master key.
[0019] In one possible implementation, the first master key is used to encrypt or decrypt data exchanged between the first and second computing instances in the first node based on the first secure connection; the connection-level master key file stores the identifier of the second computing instance and the second master key, which is used to encrypt or decrypt data exchanged between the first and second computing instances based on the second secure connection. Thus, the first and second nodes can establish multiple secure connections for the two computing instances and can use different master keys to encrypt or decrypt data transmitted over different secure connections, thereby improving the security, flexibility, and reliability of data exchanged between different computing instances.
[0020] In one possible implementation, the first node queries the connection-level master key file before sending the first message. Sending the first message to the second node includes: if the first master key corresponding to the identifier of the second computing instance does not exist in the connection-level master key file, the first node sends the first message to the second node. Thus, the first node requests a secure connection with the second node only if it determines, by querying the connection-level master key file, that no secure connection has been established with the second node. If it determines, by querying the connection-level master key file, that a secure connection has already been established with the second node, it does not need to request one. This avoids frequently establishing secure connections and thus prevents delays in data communication between different nodes.
[0021] In one possible implementation, before the first node sends the first message to the second node, the first node may also send an eighth message to the second node. The eighth message is used to request a secure connection between a third computing instance in the first node and a fourth computing instance in the second node. The eighth message includes the identifier of the first node. The second node queries the second master secret file based on the identifier of the first node. If the security context corresponding to the identifier of the first node is not found in the second master secret file, the second node generates a historical security context and generates third authentication information based on the historical security context. The second node saves the identifier of the first node and the historical security context in the second master secret file. The second node sends a ninth message to the first node. The ninth message includes the third authentication information, the fourth identity authentication information, and the identifier of the second node. The fourth identity authentication information is information used to verify the identity security of the second node. The first node generates the historical security context and saves the identifier of the second node and the historical security context in the first master secret file. The first node verifies the third authentication information and the fourth identity authentication information. If the third authentication information and the fourth identity authentication information are successfully authenticated, the first node sends a tenth message to the second node. The tenth message is used to terminate the process of establishing a secure connection between the third computing instance and the fourth computing instance. In this way, the first node and the second node can establish an initial secure connection based on the above method.
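The handshake described in paragraphs [0007] to [0021] (per-node master secret file, reuse of the historical security context for a new pair of computing instances, the connection-level master key file, omission of identity authentication information on the reuse path, and the Alert fallback of [0017] when only the server still holds the context) is modelled below as an added example. It is constructed for this page, is not Huawei's implementation and is not TLS: the "historical security context" is a 32-byte secret both nodes store after their first handshake (a stand-in for the PMS), authentication information is an HMAC of the handshake randoms under a master key derived from that context, identity authentication information is an HMAC under an assumed long-term per-node key (a stand-in for certificate plus signature), and a toy Diffie-Hellman over a small Mersenne prime stands in for the real key exchange of the initial handshake purely so that both sides derive the same context. All node identifiers, instance identifiers and keys are constructed.

```python
import hashlib
import hmac
import secrets

P = 2**127 - 1  # toy Mersenne prime for the illustrative key exchange: insecure size
G = 5


def kdf(secret: bytes, label: bytes, *parts: bytes) -> bytes:
    """HMAC-SHA256 derivation; stands in for the TLS PRF/HKDF (assumption)."""
    h = hmac.new(secret, label, hashlib.sha256)
    for part in parts:
        h.update(part)
    return h.digest()


class Node:
    def __init__(self, node_id: str, identity_key: bytes):
        self.node_id = node_id
        self.identity_key = identity_key   # assumed long-term credential of this node
        self.trusted = {}                  # peer node_id -> peer identity key (assumed trust store)
        self.master_secret_file = {}       # peer node_id -> historical security context ([0014])
        self.conn_key_file = {}            # peer instance id -> per-connection master key ([0018])


def make_node(node_id: str) -> Node:
    return Node(node_id, secrets.token_bytes(32))


def trust(a: Node, b: Node) -> None:
    a.trusted[b.node_id] = b.identity_key
    b.trusted[a.node_id] = a.identity_key


def _server_hello(server: Node, hello: dict, server_inst: str, force_initial: bool = False) -> dict:
    """Second node: look up the first node's context by node id and answer ([0014], [0021])."""
    ctx = None if force_initial else server.master_secret_file.get(hello["node_id"])
    msg = {"type": "ServerHello", "node_id": server.node_id, "instance": server_inst,
           "random": secrets.token_bytes(16)}
    if ctx is None:
        # Initial handshake: agree a fresh context, persist it, and attach identity information.
        priv = secrets.randbelow(P - 2) + 1
        msg["key_share"] = pow(G, priv, P)
        shared = pow(hello["key_share"], priv, P)
        ctx = hashlib.sha256(shared.to_bytes(16, "big")).digest()
        server.master_secret_file[hello["node_id"]] = ctx
        msg["identity"] = kdf(server.identity_key, b"identity", hello["random"], msg["random"])
    # Reuse path sends no identity information ([0016]); only the context-derived auth value.
    master = kdf(ctx, b"master", hello["random"], msg["random"])
    server.conn_key_file[hello["instance"]] = master
    msg["auth"] = kdf(master, b"server-finished", hello["random"], msg["random"])
    return msg


def handshake(client: Node, server: Node, client_inst: str, server_inst: str):
    """First node drives one connection setup; returns (path, transcript)."""
    transcript = []
    if server_inst in client.conn_key_file:   # [0020]: this peer instance is already keyed
        return "skipped", transcript
    priv = secrets.randbelow(P - 2) + 1
    hello = {"type": "ClientHello", "node_id": client.node_id, "instance": client_inst,
             "random": secrets.token_bytes(16), "key_share": pow(G, priv, P)}
    transcript.append(hello)
    sh = _server_hello(server, hello, server_inst)
    transcript.append(sh)
    path = "reused"
    if "identity" not in sh:                   # [0015]: no identity info means the peer expects reuse
        ctx = client.master_secret_file.get(server.node_id)
        if ctx is None:                        # [0017]: no local context -> Alert, peer restarts initially
            transcript.append({"type": "Alert", "node_id": client.node_id})
            sh = _server_hello(server, hello, server_inst, force_initial=True)
            transcript.append(sh)
            path = "alert"
    if "identity" in sh:
        path = "initial" if path == "reused" else path
        peer_key = client.trusted.get(sh["node_id"])
        expected_id = kdf(peer_key, b"identity", hello["random"], sh["random"]) if peer_key else b""
        if not peer_key or not hmac.compare_digest(expected_id, sh["identity"]):
            return "failed", transcript
        shared = pow(sh["key_share"], priv, P)
        ctx = hashlib.sha256(shared.to_bytes(16, "big")).digest()
        client.master_secret_file[server.node_id] = ctx
    # [0018]: derive the master key, recompute the auth value and compare in constant time.
    master = kdf(ctx, b"master", hello["random"], sh["random"])
    expected = kdf(master, b"server-finished", hello["random"], sh["random"])
    if not hmac.compare_digest(expected, sh["auth"]):
        return "failed", transcript
    client.conn_key_file[server_inst] = master
    transcript.append({"type": "ClientFinish", "node_id": client.node_id})  # carries no identity info ([0016])
    return path, transcript


if __name__ == "__main__":
    a, b = make_node("node-A"), make_node("node-B")
    trust(a, b)
    for pair in (("a1", "b1"), ("a2", "b2"), ("a2", "b2")):
        path, t = handshake(a, b, *pair)
        print(pair, path, [m["type"] for m in t])
```

Running the block shows the three outcomes the text distinguishes: the first instance pair goes through the initial handshake with identity information, a second pair between the same nodes reuses the stored context and exchanges only ClientHello, ServerHello and ClientFinish, and a repeat request for an already keyed instance is not sent at all. Deleting the client's entry in its master secret file before another handshake reproduces the Alert fallback of [0017]. The one check worth keeping in any real implementation is the constant-time comparison of the recomputed authentication value: a context that is reused across many connections is only as safe as the verification that gates it.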
[0022] In one possible implementation, the eighth message also includes an identifier of the third computing instance, and the ninth message also includes an identifier of the fourth computing instance.
[0023] Secondly, this application provides a communication method applied to a data processing system, the data processing system including a first node and a second node, the method comprising: the first node sending a first message to the second node, the first message being used to request a secure connection between a first computing instance in the first node and a second computing instance in the second node; in the case where the first node and the second node have not established a secure connection for the first time, the second node generating first authentication information based on a historical security context, the historical security context being generated during the process of establishing a secure connection between a third computing instance in the first node and a fourth computing instance in the second node in a past time period, the historical security context being used for secure communication between the third computing instance and the fourth computing instance; the second node sending a second message to the first node, the second message including the first authentication information; the first node verifying the first authentication information according to the historical security context; wherein, if the first authentication information is verified, the first node and the second node can successfully establish a secure connection, and the first node and the second node communicate based on the secure connection requested by the first message.
[0024] In one possible implementation, if the first authentication information is verified, the first node sends a third message to the second node. The third message is used to terminate the process of establishing a secure connection between the first computing instance and the second computing instance.
[0025] For example, the first computation instance and the third computation instance can be the same computation instance, or the first computation instance and the third computation instance can be different computation instances. The second computation instance and the fourth computation instance can be different computation instances, or the second computation instance and the fourth computation instance can be the same computation instance.
[0026] Thirdly, this application provides a data processing system, which includes a first node and a second node. The first node is configured to send a first message to the second node, the first message requesting the establishment of a secure connection with the second node. The second node is configured to generate first authentication information based on a historical security context when the first node and the second node have established a secure connection before, the historical security context being generated during the establishment of secure connections between the first node and the second node in the past time period and used for secure communication between the first node and the second node. The second node is also configured to send a second message to the first node, the second message including the first authentication information. The first node is further configured to verify the first authentication information based on the historical security context. Wherein, if the first authentication information is verified, the first node and the second node can successfully establish a secure connection, and the first node and the second node communicate based on the secure connection requested by the first message.
[0027] In one possible implementation, the first node is further configured to send a third message to the second node if the first authentication information is verified, the third message being used to terminate the process of establishing a secure connection between the first node and the second node.
[0028] In one possible implementation, the first message is used to request the establishment of a secure connection with the second node. Specifically, the first message is used to request the establishment of a secure connection between a first computing instance in the first node and a second computing instance in the second node. The historical security context is generated during the process of establishing a secure connection between the first node and the second node in a past time period. Specifically, the historical security context is generated during the process of establishing a secure connection between a third computing instance in the first node and a fourth computing instance in the second node in a past time period. The historical security context is used for secure communication between the first node and the second node, specifically for secure communication between the third computing instance and the fourth computing instance. The secure connection requested by the first message is specifically a secure connection between the first computing instance in the first node and the second computing instance in the second node.
[0029] In one possible implementation, the first node includes a first proxy component, the second node includes a second proxy component, the first proxy component and the second proxy component are used to perform a process of establishing a secure connection between the first computing instance and the second computing instance, and the first proxy component and the second proxy component are also used to perform a process of establishing a secure connection between the third computing instance and the fourth computing instance.
[0030] In one possible implementation, the historical security context is stored in the kernel of the first node, and the first proxy component and the second proxy component are used in kernel mode to perform the process of establishing a secure connection between the computing instance in the first node and the computing instance in the second node.
[0031] In one possible implementation, the first message includes an identifier of a first node, and the second message includes an identifier of a second node; the second node is further configured to, after receiving the first message and before generating the first authentication information, query a second master secret file based on the identifier of the first node, the second master secret file recording the historical security context corresponding to the first node; the first node is further configured to, after receiving the second message and before verifying the first authentication information, query a first master secret file based on the identifier of the second node, the first master secret file recording the historical security context corresponding to the second node.
[0032] In one possible implementation, the second node is further configured to query a second master secret file based on the identifier of the first node, and, if the historical security context corresponding to the first node is found in the second master secret file, determine that the first node and the second node have not established a secure connection for the first time; the first node is further configured to query a first master secret file based on the identifier of the second node, and, if the historical security context corresponding to the second node is found in the first master secret file, determine that the first node and the second node have not established a secure connection for the first time, or, based on a connection identifier in a second message, determine that the first node and the second node have not established a secure connection for the first time, or, when the second message does not include second identity authentication information, determine that the first node and the second node have not established a secure connection for the first time, wherein the second identity authentication information is information used to verify the identity security of the second node.
[0033] In one possible implementation, the second message does not include the second identity authentication information, which is information used to verify the identity security of the second node; or, the third message sent by the first node does not include the first identity authentication information, which is information used to verify the identity security of the first node, and the third message is used to terminate the process of establishing a secure connection between the first node and the second node.
[0034] In one possible implementation, after the first node sends a third message to the second node, the first node may have no historical security context while the second node does. The first node is further configured to send a fourth message to the second node, which requests to establish a secure connection with the second node. The second node is further configured to send a fifth message back to the first node; the fifth message does not include third authentication information, which is information used to verify the identity security of the second node. The first node is further configured to send an alarm message to the second node if no historical security context is found and the fifth message does not include third authentication information; the alarm message instructs the second node to execute the initial secure connection establishment process. The second node is further configured to send a sixth message to the first node, which includes the third authentication information. The first node is further configured to send a seventh message to the second node, which terminates the secure connection establishment process between the first node and the second node.
[0035] In one possible implementation, the first node is specifically configured to: generate a first master key based on a historical security context, the first master key being used to encrypt or decrypt interaction data between the first node and the second node; generate second authentication information based on the first master key; determine that the first authentication information has passed verification when the second authentication information matches the first authentication information; the first node is also configured to store the identifier of the second computing instance in the second node corresponding to the first master key in a connection-level master key file, and the second message includes the identifier of the second computing instance.
[0036] In one possible implementation, the first master key is used to encrypt or decrypt data exchanged between the first computing instance and the second computing instance in the first node based on the first secure connection; the connection-level master key file stores the identifier of the second computing instance and the second master key, which is used to encrypt or decrypt data exchanged between the first computing instance and the second computing instance based on the second secure connection.
[0037] In one possible implementation, the first node is further configured to query the connection-level master key file before sending the first message; specifically, the first node is configured to send the first message to the second node if the first master key corresponding to the identifier of the second computing instance does not exist in the connection-level master key file.
[0038] In one possible implementation, the first node is further configured to send an eighth message to the second node before sending the first message to the second node. The eighth message is used to request a secure connection between the third computing instance in the first node and the fourth computing instance in the second node. The eighth message includes the identifier of the first node. The second node is further configured to: query a second master secret file based on the identifier of the first node; if the security context corresponding to the identifier of the first node is not found in the second master secret file, generate a historical security context and generate third authentication information based on the historical security context; save the identifier of the first node and the historical security context in the second master secret file; send a ninth message to the first node. The ninth message includes the third authentication information, the fourth identity authentication information, and the identifier of the second node. The fourth identity authentication information is information used to verify the identity security of the second node. The first node is further configured to: generate the historical security context and save the identifier of the second node and the historical security context in the first master secret file; verify the third authentication information and the fourth identity authentication information; and if the third authentication information and the fourth identity authentication information are successfully authenticated, send a tenth message to the second node. The tenth message is used to terminate the process of establishing a secure connection between the third computing instance and the fourth computing instance.
[0039] In one possible implementation, the eighth message also includes an identifier of the third computing instance, and the ninth message also includes an identifier of the fourth computing instance.
[0040] The data processing system provided in the third aspect corresponds to the data processing method provided in the first aspect. Therefore, the technical effects of any implementation method in the third aspect can be found in the relevant descriptions of the technical effects of the corresponding implementation methods in the first aspect, and will not be repeated here.
[0041] In a fourth aspect, this application provides a data processing system, which includes a first node and a second node. The first node is configured to send a first message to the second node, the first message being used to request a secure connection between a first computing instance in the first node and a second computing instance in the second node. The second node is configured to: generate first authentication information based on a historical security context when the first node and the second node are not establishing a secure connection for the first time, the historical security context being generated during the process of establishing a secure connection between a third computing instance in the first node and a fourth computing instance in the second node in a past time period, and the historical security context being used for secure communication between the third computing instance and the fourth computing instance; and send a second message to the first node, the second message including the first authentication information. The first node is further configured to verify the first authentication information according to the historical security context; wherein, if the first authentication information is verified, the first node and the second node can successfully establish a secure connection, and the first node and the second node communicate based on the secure connection requested by the first message.
[0042] In one possible implementation, the first node is further configured to send a third message to the second node if the first authentication information is verified. The third message is used to terminate the process of establishing a secure connection between the first computing instance and the second computing instance.
[0043] The data processing system provided in the fourth aspect corresponds to the data processing method provided in the second aspect. Therefore, the technical effects of any implementation method in the fourth aspect can be found in the relevant descriptions of the technical effects of the corresponding implementation methods in the second aspect above, and will not be repeated here.
[0044] In a fifth aspect, this application provides a communication method applicable to a first node. The method includes: sending a first message to a second node, the first message being used by the first node to request the establishment of a secure connection with the second node; receiving a second message from the second node, the second message including first authentication information, the first authentication information being generated based on a historical security context when the first node and the second node are not establishing a secure connection for the first time, the historical security context being generated during the establishment of secure connections between the first node and the second node in the past time period, and the historical security context being used for secure communication between the first node and the second node; and verifying the first authentication information according to the historical security context; wherein, if the first authentication information is verified, the first node and the second node communicate based on the secure connection requested by the first message. It should be noted that the memory can be integrated into the processor or can be independent of the processor. The computing device may also include a bus. The processor is connected to the memory via the bus. The memory may include readable storage and random access memory.
[0045] In a sixth aspect, this application provides a communication method applicable to a second node. The method includes: receiving a first message from a first node, the first message being used by the first node to request the establishment of a secure connection with the second node; if the first node and the second node are not establishing a secure connection for the first time, generating first authentication information based on a historical security context, the historical security context being generated during the establishment of secure connections between the first node and the second node in the past time period, and the historical security context being used for secure communication between the first node and the second node; and sending a second message to the first node, the second message including the first authentication information; wherein, if the first authentication information is verified by the first node, the first node and the second node communicate based on the secure connection requested by the first message.
[0046] In a seventh aspect, this application provides a computing device including a processor and a memory. The processor and the memory communicate with each other. The processor executes instructions stored in the memory to cause the computing device to perform the operational steps of the communication method described in the fifth aspect above.
[0047] In an eighth aspect, this application provides a computing device including a processor and a memory. The processor and the memory communicate with each other. The processor executes instructions stored in the memory to cause the computing device to perform the operational steps of the communication method described in the sixth aspect.
[0048] In a ninth aspect, this application provides a computer-readable storage medium storing instructions that, when executed on at least one computing device, cause the at least one computing device to perform the operational steps of the communication method described in the first aspect or any implementation thereof.
[0049] In a tenth aspect, this application provides a computer program product containing instructions that, when run on at least one computing device, causes the at least one computing device to perform the operational steps of the communication method described in the first aspect or any implementation thereof.
[0050] Based on the implementation methods provided in the above aspects, this application can be further combined to provide more implementation methods.
Description of the Drawings
[0051] Figure 1 is a schematic diagram of the structure of an exemplary data processing system provided in this application;
[0052] Figure 2 is a schematic diagram of the process of establishing a TCP connection and a more secure connection between node 101 and node 102;
[0053] Figure 3 is a schematic diagram of frequent secure connections being established between node 101 and node 102;
[0054] Figure 4 is a flowchart illustrating a communication method provided in this application;
[0055] Figure 5 is a schematic diagram of the interaction between computation instance 1, proxy component 1, proxy component 2 and computation instance 2 provided in this application;
[0056] Figure 6 is a flowchart illustrating a communication method provided in this application;
[0057] Figure 7 is a schematic diagram of the hardware structure of a computing device provided in this application.
Detailed Implementation
[0058] To reduce data communication latency between different nodes and improve the efficiency of node operation, this application provides a communication method in which two nodes, when they are not establishing a secure connection for the first time, directly use the security context used when establishing a secure connection in the past to generate authentication information and verify the integrity of that authentication information, without having to repeat the process of generating a security context. This speeds up the process of establishing a secure connection between the two nodes, thereby reducing data communication latency and improving the efficiency of node operation.
[0059] To facilitate understanding of the technical solution of this application, the relevant technical terms involved in this application will be explained below.
[0060] A container is a lightweight virtualization technology that typically packages an application and its dependencies into a portable image and runs it in an isolated environment. The resources available to different containers are isolated from each other, thereby improving the security of applications running within containers.
[0061] Security context refers to information used to ensure secure communication between two nodes. In this application, security context may be, for example, information used in the generation of keys for information authentication or encryption / decryption of communication data during the establishment of a secure connection between two nodes, such as a pre-shared master secret (PMS) or other information that can have a similar effect.
[0062] Identity authentication information refers to information used to verify identity security. In this application, identity authentication information can be used to verify the identity security of nodes that actively establish secure connections, or it can be used to verify the identity security of nodes that passively establish secure connections. In practical application scenarios, identity authentication information can be, for example, a node's digital signature (application level), digital certificate (application level), or root of trust (for hardware-level nodes such as groups / domains).
[0063] The technical solutions in this application will now be described with reference to the accompanying drawings.
[0064] Referring to Figure 1, a schematic diagram of a data processing system is shown. As shown in Figure 1, the data processing system 10 may include multiple nodes. Figure 1 illustrates this using nodes 101 and 102 as an example. In practical applications, the data processing system 10 may also include three or more nodes.
[0065] For example, node 101 (or node 102) can be implemented by software or hardware.
[0066] When implemented through software, node 101 can specifically be one or more containers, virtual machines, or other types of software products. For example, in Kubernetes, node 101 can specifically be a container group (Pod), which can include one or more containers, each of which can run one or more applications, such as program software, services, or microservices.
[0067] When implemented in hardware, node 101 can be implemented using a processor; or, node 101 can be implemented using a computing device that includes a processor, such as a server. The processor can be a central processing unit (CPU) or an accelerator, such as a deep-learning processing unit (DPU), a data processing unit (DPU), a graphics processing unit (GPU), a neural network processing unit (NPU), or a tensor processing unit (TPU), or other types of processors.
[0068] For example, nodes 101 and 102 can be deployed on the same computing device, such as two different container groups, containers, or virtual machines on the same computing device, or they can be deployed on different computing devices, such as container groups on different computing devices. Alternatively, nodes 101 and 102 can be a group or at least one computing device within a group, wherein a group can be a collection of multiple computing devices. Alternatively, nodes 101 and 102 can be a domain or at least one computing device within a domain, typically the number of computing devices included in a single domain exceeds the number of computing devices included in a single group.
[0069] Each node can include multiple computing instances. Figure 1 illustrates this by showing nodes 101 and 102 each with three computing instances. In practical applications, the number of computing instances running on each node can be other numbers, and different nodes can have the same or different number of computing instances.
[0070] A computing instance refers to an instance that can be used to run a service, which can be implemented through software or hardware. The service it runs can be, for example, image processing or speech recognition, and there are no restrictions on this.
[0071] When a compute instance is implemented in software, it can be an application, service, or microservice. When a compute instance is implemented in hardware, it can be a processor such as a CPU, GPU, or NPU.
[0072] In real-world applications, during the operation of business processes, the computing instances in node 101 may need to interact with computing instances in node 102 (or other nodes) to exchange data, such as synchronizing or migrating business data on node 101 to node 102.
[0073] Typically, as shown in Figure 2, node 101 can establish a TCP connection with node 102 through a three-way handshake based on the Transmission Control Protocol (TCP). Specifically, taking node 101 requesting a TCP connection from node 102 as an example, node 101 can send TCP segment 1 with the SYN flag set to 1. Upon receiving TCP segment 1, node 102 can send TCP segment 2 with both the SYN and ACK flags set to 1 to acknowledge node 101's connection request. Finally, node 101 can send TCP segment 3 with the ACK flag set to 1 to acknowledge the connection. Since TCP connections typically do not provide data encryption or authentication, communication between node 101 and node 102 based on the established TCP connection is susceptible to eavesdropping, tampering, or forgery during data transmission, resulting in low security for data interaction.
[0074] To this end, node 101 can further establish a secure connection with node 102 based on a more secure protocol to improve the security of data communication. For example, based on the connection established through the TCP protocol, node 101 can further establish a more secure connection with node 102 by handshaking with node 102 based on the mTLS protocol, and then interact with node 102 based on this secure connection, thereby ensuring the security of data interaction between node 101 and node 102.
[0075] As shown in Figure 2, during the establishment of a secure connection, node 101 sends a hello message 1 to node 102 to request a handshake. Upon receiving hello message 1, node 102 can generate a PMS (the pre-shared master secret introduced above) based on parameter 1 (used for key negotiation) carried in hello message 1, and then send hello message 2 to node 101. Hello message 2 can carry parameter 2 (used for key negotiation). Correspondingly, node 101 can also generate a PMS based on the parameters for key negotiation carried in hello message 2 (consistent with the PMS generated by node 102). In practical applications, hello message 2 can also include node 102's digital certificate 2, digital signature 2, etc. Thus, node 101 can verify digital certificate 2 and digital signature 2 in hello message 2. Finally, node 101 can send a finish message to node 102 (e.g., if digital certificate 2 and digital signature 2 have been verified). The finish message can carry information such as node 101's digital certificate 1 and digital signature 1. After digital certificate 1 and digital signature 1 carried in the finish message have passed verification, node 102 can confirm that the handshake with node 101 has been successful, that is, a secure connection has been successfully established with node 101 and data interaction can begin. During the data interaction between node 101 and node 102, they can use their respective generated PMS to encrypt or decrypt the data.
[0076] During the operation of business processes, nodes 101 and 102 may have different data interaction needs at different times. As shown in Figure 3, nodes 101 and 102 need to communicate during time periods 1, 3, and 5. At this time, nodes 101 and 102 can handshake and establish a secure connection based on the mTLS protocol to facilitate data interaction. During time periods 2, 4, and 6, nodes 101 and 102 do not need to communicate. During these time periods, the secure connection between nodes 101 and 102 is usually disconnected (to release communication resources on the nodes). Thus, during the multiple time periods shown in Figure 3, nodes 101 and 102 may frequently handshake to establish a secure connection, resulting in nodes 101 and 102 frequently performing the process of generating a PMS and performing asymmetric computations for digital certificates and digital signatures. In practical applications, the latency overhead of generating a PMS, verifying digital certificates, and verifying digital signatures accounts for more than 70% of the total latency overhead of the handshake between nodes 101 and 102. Therefore, the frequent handshake processes between node 101 and node 102 generate significant latency overhead, thus affecting the efficiency of the services operated by nodes 101 and 102. Furthermore, the generation and verification of digital certificates and digital signatures by each node incurs substantial resource overhead, including computational and storage resources.
[0077] Based on this, in the data processing system 10 shown in Figure 1, when node 101 needs to establish a secure connection with node 102, node 101 can send message 1 to node 102. Message 1 is used to request the establishment of a secure connection with node 102. Message 1 can be, for example, a message named "Client Hello". Then, node 102 can determine whether it is the first time establishing a secure connection with node 101. If it is determined that it is not the first time establishing a secure connection with node 101, node 102 generates authentication information based on the historical security context generated during the previous establishment of a secure connection. The historical security context can be, for example, a PMS generated during the previous establishment of a secure connection. The authentication information can be, for example, an integrity check value (ICV) or a verification code. Furthermore, node 102 can send message 2, which includes this authentication information, to node 101. Message 2 can be, for example, a message named "Server Hello". For example, the authentication information in message 2 can be used to verify whether message 2 as received by node 101 has any missing information compared to message 2 as sent by node 102. Node 101 can likewise determine whether it is establishing a secure connection with node 102 for the first time. If it determines that this is not the first time establishing a secure connection with node 102, node 101 verifies the authentication information based on the historical security context. If the authentication information is verified, a secure connection can be successfully established between node 101 and node 102, and they can communicate based on the established secure connection. Furthermore, if the authentication information is verified, node 101 can send message 3 to node 102. Message 3 can be, for example, a message named "Client Finish", and message 3 is used to terminate the process of establishing a secure connection between node 101 and node 102.
[0078] Thus, when node 101 and node 102 are not establishing a secure connection for the first time, node 102 can directly generate authentication information based on the historical security context used when establishing a secure connection in the past. At the same time, when node 101 determines that it is not establishing a secure connection with node 102 for the first time, it will also directly verify the integrity of the authentication information based on the historical security context used when establishing a secure connection in the past. This eliminates the need for nodes 101 and 102 to perform the process of generating a security context, thereby speeding up the process of establishing a secure connection between the two nodes, reducing the data communication latency between the two nodes, and thus helping to improve the efficiency of node operation services.
[0079] In the application scenario shown in Figure 3, since node 101 and node 102 have already completed a secure connection establishment process in time period 1, in time periods 3 and 5, node 101 and node 102 can accelerate the secure connection establishment process in time periods 3 and 5 based on the PMS (i.e. the aforementioned historical security context) generated during the initial secure connection establishment process, thereby effectively reducing the data communication latency between the two nodes.
[0080] In addition, after the initial establishment of a secure connection, each node does not need to perform the process of generating a security context during subsequent secure connection establishment processes between node 101 and node 102. This can effectively reduce the resource overhead incurred by the nodes during the secure connection establishment process.
[0081] Furthermore, in the case where nodes 101 and 102 are not establishing a secure connection for the first time, this indicates that nodes 101 and 102 have already authenticated each other using digital certificates and digital signatures during the previous secure connection establishment process. Therefore, message 2 sent by node 102 to node 101 and message 3 sent by node 101 to node 102 do not need to carry digital certificates and digital signatures. This allows nodes 101 and 102 to avoid performing the process of verifying digital certificates and digital signatures during a non-first secure connection establishment process. This not only further reduces data communication latency but also further reduces the resource overhead incurred by nodes during the secure connection establishment process, including the bandwidth, computing, and storage resources (such as memory) required for verifying digital certificates and digital signatures.
[0082] As shown in Figure 1, nodes 101 and 102 may further include proxy components. Proxy component 1 in node 101 can execute the process of establishing secure connections between computing instances in node 101 and computing instances in other nodes; proxy component 2 in node 102 can execute the process of establishing secure connections between computing instances in node 102 and computing instances in other nodes. Furthermore, the proxy components in each node can be implemented through software or hardware, without limitation.
[0083] The data processing system 10 shown in Figure 1 is merely an example. In other possible implementations, the data processing system may include more nodes, and these nodes may be deployed on multiple different computing devices, with multiple nodes deployed on each device. This allows nodes on different computing devices to establish secure connections based on the aforementioned method, and also allows different nodes within the same computing device to establish secure connections based on the aforementioned method (e.g., a virtual switch can be built within a node, and different nodes within the same computing device can use this virtual switch to perform the process of establishing a secure connection). Alternatively, in other possible data processing systems, based on the data processing system shown in Figure 1, a service mesh, such as Istio in the Kubernetes system, may be included. This service mesh can manage microservice-type computing instances in each node. Alternatively, in other possible data processing systems, the proxy component in each node can be integrated into the computing instance, allowing the computing instance to use its internal proxy component to perform the process of establishing a secure connection with other computing instances across nodes. This application does not limit the specific implementation of the data processing system 10.
[0084] For ease of understanding, embodiments of the communication method provided in this application will be described below with reference to the accompanying drawings.
[0085] Referring to Figure 4, which is a flowchart illustrating a communication method provided in an embodiment of this application, this method can be applied to the data processing system 10 shown in Figure 1, or to other applicable data processing systems. For ease of explanation, this embodiment takes as an illustrative example the case in which node 101 and node 102 in the data processing system 10 shown in Figure 1 establish a secure connection that is not their first.
[0086] The communication method shown in Figure 4 may specifically include the following steps.
[0087] S401: Node 101 sends message 1 to node 102, which requests to establish a secure connection with node 102.
[0088] In practical applications, node 101 may need to interact with node 102 during business operations, such as backing up newly generated data to node 102. Since node 101 and node 102 may not have established a secure connection before, or the established secure connection may have been broken after the previous data transmission, node 101 can send message 1 to node 102 to request the establishment of a secure connection when it needs to interact with node 102. This allows for secure communication with node 102 after a successful secure connection is established. A secure connection refers to a communication connection with relatively high security (e.g., compared to a TCP connection), such as a connection that requires encryption and decryption of communication data using a key before transmission.
[0089] In one possible implementation, as shown in Figure 1, node 101 may include compute instance 1 and proxy component 1. During the execution of business operations, compute instance 1 can establish a secure connection with node 102 through proxy component 1. For example, in a Kubernetes system, node 101 may specifically be a Pod, which may include an application and a sidecar. The sidecar may include a proxy component, and applications in different Pods can establish secure connections through the proxy component in the sidecar.
[0090] In practice, as shown in Figure 5, computing instance 1 can generate a handshake request for node 102 and call the interface provided by proxy component 1, such as the socket file descriptor interface, to send the handshake request to proxy component 1, thereby triggering proxy component 1 to execute the process of establishing a secure connection with node 102. The handshake request may carry indication information of the communicating party, such as the identifier of computing instance 2 in node 102 (e.g., the name of computing instance 2), or other types of information; there are no limitations on this. Alternatively, proxy component 1 can provide different interfaces for different nodes, so computing instance 1 can instruct proxy component 1 to execute the process of establishing a secure connection with node 102 by calling the interface corresponding to node 102.
[0091] In practical applications, computing instance 1 may be communicating with computing instance 2 in node 102 for the first time, or may have communicated with computing instance 2 in the past (the secure connection established after the communication was closed), or computing instance 1 and computing instance 2 may be in a connected state. In this embodiment, whenever computing instance 1 needs to interact with computing instance 2, it can request to establish a secure connection with node 102 by calling the interface provided by proxy component 1. This allows a new secure connection to be established if computing instance 1 and computing instance 2 are not currently connected, and encrypted communication can be directly performed with computing instance 2 based on the existing secure connection if computing instance 1 and computing instance 2 are currently connected.
[0092] Accordingly, proxy component 1 can initiate a process to establish a secure connection with node 102 based on the handshake request.
[0093] In specific implementation, proxy component 1 can query the connection-level master key file 1 in node 101, as shown in Figure 5. When proxy component 1 retrieves the master key corresponding to computing instance 2 from the connection-level master key file 1, it indicates that a secure connection currently exists between computing instance 1 and computing instance 2. Therefore, proxy component 1 can perform encrypted communication with node 102 based on this secure connection. For example, the connection-level master key file 1 can at this time store information such as the identifier of computing instance 2 and the master key, and can also store information such as the identifier of node 102, the identifier of computing instance 1, and the identifier of node 101. For example, the connection-level master key file 1 can specifically store data in the form of a table, and the connection-level master key file 1 can be maintained in node 101, such as in the kernel of node 101, to improve the security of node 101 storing the connection-level master key file 1.
[0094] When proxy component 1 fails to find the master key corresponding to computing instance 2 from the connection-level master key file 1, it indicates that there is currently no secure connection between computing instance 1 and computing instance 2. At this time, proxy component 1 can begin the process of establishing a secure connection with node 102, so that computing instance 1 and computing instance 2 can communicate securely based on the successfully established secure connection. In this embodiment, the process of establishing a secure connection between node 101 and node 102 is mainly described. Therefore, the following explanation will continue with the example of proxy component 1 failing to find the master key corresponding to computing instance 2 from the connection-level master key file 1.
[0095] In one possible implementation, proxy component 1 can create an identifier (connection ID) for the connection to be established with node 102, and generate parameter 1 and a random number R1 for key negotiation. This key negotiation parameter 1 is used by node 101 and node 102 to negotiate the key to be generated, such as PMS as described below. Then, proxy component 1 can generate message 1, for example, a message named "Client Hello," and send message 1 to node 102. Message 1 may include not only the identifier (CID-a) of the secure connection generated by proxy component 1, key negotiation parameter 1, and random number R1, but also the identifier of computing instance 1 and the identifier of node 101 (or it may only include the identifier of node 101, etc.), as shown in Figure 5. For example, the identifier of node 101 may specifically be the identifier of proxy component 1, or the MAC address or IP address of node 101, etc.
[0096] For example, proxy component 1 can calculate a temporary key (or public key) based on the Diffie-Hellman (DH) algorithm or the elliptic curve Diffie-Hellman (ECDH) algorithm, which is the aforementioned key negotiation parameter 1. Additionally, proxy component 1 can generate a random number R1 based on a pseudo-random number generator (PRNG) algorithm or a hardware random number generator (HRNG) algorithm. In this embodiment, the specific implementation method of proxy component 1 in generating key negotiation parameter 1 and random number R1 is not limited.
[0097] S402: When node 101 and node 102 are not establishing a secure connection for the first time, node 102 generates authentication information 1 based on the historical security context. The historical security context was generated during the process of establishing a secure connection between node 101 and node 102 in the past time period. The historical security context is used for secure communication between node 101 and node 102.
[0098] In this embodiment, after receiving message 1, node 102 can determine whether this is the first time a secure connection is being established between node 101 and node 102. Similar to node 101, node 102 may include computing instance 2 and proxy component 2, as shown in Figure 1.
[0099] For example, proxy component 2 can receive message 1, and proxy component 2 can parse the identifier of node 101 from message 1, and query whether the master secret file 2 includes the security context corresponding to node 101 based on the identifier, as shown in Figure 5. The security context may be, for example, PMS. For example, the master secret file 2 may be maintained in node 102, for example, in the kernel of node 102.
[0100] If the master secret file 2 includes the security context corresponding to node 101, it indicates that a secure connection has not been established for the first time between node 101 and node 102. That is, node 101 and node 102 have completed at least one secure connection establishment process in the past time period, and the security context was generated during the establishment of the secure connection. For ease of distinction and description, the security context retrieved from the master secret file 2 (and the master secret file 1 below) will be referred to as the historical security context. If the master secret file 2 does not include the historical security context corresponding to node 101, then node 101 and node 102 can establish a secure connection according to the process of establishing a secure connection for the first time. In this embodiment, the process of establishing a secure connection between node 101 and node 102 in the case of a non-first secure connection is mainly described. For this purpose, it is assumed that node 102 finds the historical security context corresponding to node 101 in the master secret file 2. Furthermore, since the master secret file 2 includes the historical security context corresponding to node 101, the proxy component 2 does not need to generate a new security context based on parameter 1 carried in message 1 for negotiating the key.
[0101] After confirming that a secure connection has previously been established between node 101 and node 102 (i.e., the master secret corresponding to node 101 exists in master secret file 2), proxy component 2 can generate a master key based on the retrieved historical security context, as shown in Figure 5. Specifically, proxy component 2 can first generate a random number R2 using a random number generation algorithm, such as the PRNG or HRNG algorithm. Then, proxy component 2 can generate the master key based on the retrieved historical security context, R1 carried in message 1, and the generated R2. For example, assuming the historical security context is PMS, then the master key = f(PMS, R1, R2). For instance, the proxy component can generate the master key using a key derivation function (KDF) algorithm. Specifically, the KDF algorithm can be an HMAC-based extract-and-expand key derivation function (HKDF) algorithm, a password-based key derivation function (PBKDF) algorithm, or another type of algorithm. Among them, the HKDF algorithm is a derivation algorithm based on the hash-based message authentication code (HMAC). Through two processes, extraction and expansion, it can derive a cryptographically strong key from the original key material.
[0102] Next, proxy component 2 can further generate authentication information 1 based on the generated master key, as shown in Figure 5. This authentication information 1 can be, for example, an integrity check value (ICV), to verify the message 2 subsequently fed back from node 102 to node 101, such as verifying the completeness and authenticity of the information in message 2. For example, proxy component 2 can generate authentication information 1 using the HMAC algorithm based on the master key, or it can generate authentication information 1 based on other algorithms; there is no limitation on this. In practical applications, proxy component 2 can also combine the master key and target character 1 to generate authentication information, thereby improving the security and reliability of the generated authentication information by enriching the algorithm input. For example, target character 1 can be characters such as "handshake" or "connectionID," or it can be other characters; there is no limitation on this.
[0103] Furthermore, proxy component 2 can also store the master key generated during the establishment of this secure connection. Specifically, proxy component 2 can record the identifier of computing instance 1 and the corresponding master key in the connection-level master key file 2, as shown in Figure 5. The connection-level master key file 2 can be maintained in node 102, such as in the kernel of node 102. In practical applications, the connection-level master key file 2 records information such as the identifier of computing instance 1 and the master key generated by proxy component 2. It can also associate and store the identifiers of node 101, node 102, and computing instance 2, without limitation.
[0104] S403: Node 102 sends message 2 to node 101, which includes authentication information 1.
[0105] In this embodiment, after generating authentication information 1, node 102 can further generate message 2 including authentication information 1, such as a message named "Server Hello", and send message 2 to node 101.
[0106] For example, message 2 may include not only authentication information 1, but also information related to node 102. For instance, as shown in Figure 5, message 2 may include the identifier of node 102 and the identifier of computing instance 2 (or may only include the identifier of node 102). Furthermore, message 2 may also carry the random number R2 generated by proxy component 2, as shown in Figure 5.
[0107] In practical applications, nodes 101 and 102 can negotiate the identifier for the secure connection between compute instance 1 and compute instance 2. If node 102 confirms the use of the identifier for the secure connection created by node 101 (i.e., the identifier carried in message 1), then message 2 sent by node 102 can also carry this identifier. If node 102 confirms not to use the identifier, such as if the identifier conflicts with the identifier created by node 102 for the secure connection between compute instance 2 and compute instances in other nodes, then node 102 can create a new identifier for the secure connection to be established between compute instance 1 and compute instance 2, as shown in Figure 5 (CID-b). Therefore, message 2 sent by node 102 can also include the newly created identifier for the secure connection, as shown in Figure 5, so that nodes 101 and 102 can use this identifier to distinguish the secure connection.
[0108] It is worth noting that when a secure connection is not established for the first time between node 101 and node 102, it indicates that node 101 and node 102 have already completed the identity verification process during the previous secure connection establishment process (such as the initial secure connection establishment process). For example, during the initial secure connection establishment process between node 101 and node 102, node 101 has already performed the verification process for the digital certificate and digital signature sent by node 102, thus establishing mutual trust between node 101 and node 102.
[0109] Based on this, in one possible implementation, message 2 sent by node 102 may not need to carry identity authentication information. This identity authentication information refers to information used to verify the identity security of node 102, such as the digital certificate and digital signature corresponding to node 102. In this way, node 102 can avoid consuming computing power to generate the digital certificate and digital signature, thereby effectively reducing the computing power consumption of node 102 during the establishment of a secure connection. Furthermore, since message 2 sent by node 102 does not need to carry the digital certificate and digital signature, it can effectively reduce the number of bytes exchanged between node 102 and node 101, reduce the bandwidth resources required for node 102 to send message 2 to node 101, improve the efficiency of establishing a secure connection between node 102 and node 101, and reduce the latency of establishing a secure connection.
[0110] S404: If node 101 and node 102 are not establishing a secure connection for the first time, node 101 verifies the authentication information 1 in message 2 based on the historical security context.
[0111] Upon receiving message 2, node 101 can first determine whether a secure connection has been established with node 102 for the first time. This embodiment provides several implementation examples of how node 101 determines whether a secure connection has been established with node 102 for the first time.
[0112] In the first implementation example, proxy component 1 in node 101 can parse the identifier of node 102 from message 2, and query whether the master secret file 1 includes the historical security context corresponding to node 102 based on the identifier of node 102, as shown in Figure 5. Exemplarily, the master secret file 1 can be maintained in node 101, for example, in the kernel of node 101. When the master secret file 1 includes the historical security context corresponding to node 102, it indicates that node 101 and node 102 have previously performed a secure connection establishment process and generated the historical security context. At this time, proxy component 1 can determine that this is not the first time a secure connection has been established between node 101 and node 102.
[0113] In the second implementation example, proxy component 1 can parse the received message 2, and if it determines that message 2 does not carry identity authentication information for verifying the identity security of node 102, it determines that the secure connection between node 101 and node 102 is not being established for the first time. In practical applications, when node 102 determines that it is establishing a secure connection with node 101 for the first time, the message it sends back may carry the identity authentication information; however, when it determines that it is not establishing a secure connection with node 101 for the first time, the message it sends back will not include the identity authentication information. Therefore, proxy component 1 can determine whether the secure connection between node 101 and node 102 is being established for the first time based on whether message 2 carries identity authentication information.
[0114] In the third implementation example, message 2 sent by node 102 may also carry a connection identifier, which can be used to indicate whether a secure connection is being established for the first time between node 101 and node 102. In practical applications, this connection identifier can be carried through a field specified in message 2. For example, when the value of this field is 1, the connection identifier can be used to indicate that a secure connection is not being established for the first time; when the value of this field is 0, the connection identifier can be used to indicate that a secure connection is being established for the first time. Accordingly, the proxy component 1 in node 101 can parse the connection identifier from the received message 2 and determine whether a secure connection is being established for the first time between node 101 and node 102 based on the connection identifier.
[0115] It is understood that the above-described implementation of the proxy component 1 in determining whether a secure connection is being established between node 101 and node 102 for the first time is only an example. In actual applications, the proxy component can also determine whether a secure connection is being established between two nodes for the first time in other ways, and there is no limitation on this.
[0116] In this embodiment, when nodes 101 and 102 are not establishing a secure connection for the first time, nodes 101 and 102 store the same historical security context. For example, during the process of establishing a secure connection between computing instance 3 and computing instance 4 in the past, nodes 101 and 102 can store the generated historical security context in their respective master secret files.
[0117] If the proxy component 1 determines that the secure connection between node 101 and node 102 is not being established for the first time, it can verify the authentication information 1 in message 2 based on the historical security context obtained from the master secret file 1, as shown in Figure 5, to determine whether the received message 2 is complete and authentic.
[0118] In specific implementation, since the historical security context retrieved by proxy component 1 from master secret file 1 is usually the same as the historical security context stored in master secret file 2 in node 102, proxy component 1 can generate a master key based on the historical security context in master secret file 1, the locally generated random number R1, and the random number R2 carried in message 2, and use this master key to generate authentication information 2. Specifically, when proxy component 2 generates authentication information 1 by combining the master key with target character 1, proxy component 1 also generates authentication information 2 based on target character 1. Then, proxy component 1 can compare whether the locally generated authentication information 2 matches the authentication information 1 carried in message 2. Furthermore, when authentication information 2 matches authentication information 1 (e.g., authentication information 2 is the same as authentication information 1), proxy component 1 can determine that authentication information 1 has passed verification, that is, it can be determined that message 2 received by proxy component 1 is a genuine and complete message sent by node 102.
[0119] Conversely, when authentication information 2 does not match authentication information 1, proxy component 1 can determine that authentication information 1 has failed verification. In this case, proxy component 1 can send an Alert message to node 102 to notify node 102 that the secure connection establishment has failed. Furthermore, the Alert message can also carry a reason for failure, which indicates that authentication information 1 has failed verification. The specific implementation methods of proxy component 1 in generating the master key and authentication information 2 are similar to those of proxy component 2 in generating the master key and authentication information 1, and can be found in the relevant descriptions above, which will not be repeated here. In practical applications, proxy component 1 can also use historical security context to verify authentication information 1 in other ways, and this is not limited.
[0120] In a further possible implementation, after confirming that authentication information 1 has passed verification, proxy component 1 can also save the master key generated based on the historical security context. For example, proxy component 1 can save the identifier of computing instance 2 and the locally generated master key in the connection-level master key file 1, as shown in Figure 5, and can further associate and save the identifier of computing instance 2, the identifier of computing instance 1, and the identifier of node 101, etc.
[0121] In this embodiment, after the proxy component 1 determines that the authentication information 1 has been verified, it can determine that a secure connection has been successfully established between computing instance 1 and computing instance 2; and after the proxy component 2 sends message 2, it can determine that a secure connection has been successfully established between computing instance 1 and computing instance 2.
[0122] Alternatively, after determining that authentication information 1 has passed verification, proxy component 1 can notify node 102 of the successful establishment of a secure connection between computing instance 1 and computing instance 2 by sending a message to node 102. In this case, as shown in Figure 4, the method embodiment may further include the following step S405.
[0123] S405: If authentication information 1 is verified, node 101 sends message 3 to node 102. Message 3 is used to terminate the process of establishing a secure connection between node 101 and node 102.
[0124] In this embodiment, when the authentication information is verified, node 101 and node 102 can complete the key negotiation through the interaction of message 1 and message 2. At this time, node 101 can send message 3 to node 102, such as a message named "Client Finish", so as to use message 3 to notify node 102 to end the process of establishing a secure connection (that is, the secure connection is successfully established).
[0125] As an implementation example, message 3 sent by proxy component 1 can carry authentication information 2 (generated based on historical security context, R1, and R2). Correspondingly, after receiving message 3, proxy component 2 in node 102 can verify the authentication information 2 using the master key corresponding to node 101 in the connection-level master key file 2, thereby verifying the integrity and authenticity of message 3 received by node 102, as shown in Figure 5. Thus, after confirming that the authentication information 2 has passed verification, proxy component 2 confirms the establishment of a secure connection with node 101. At this time, proxy component 2 can send a notification message to computing instance 2. This notification message can be used to notify computing instance 2 that the bidirectional verification between computing instance 2 and computing instance 1 has ended (or that the secure connection has been successfully established), as shown in Figure 5. It can also notify computing instance 2 that the secure connection has been established and that entries for the master key have been generated, etc.
[0126] Furthermore, since this is not the first time that a secure connection has been established between node 101 and node 102, message 3 may not carry authentication information for verifying the identity of node 101. This can effectively reduce the number of bytes exchanged between node 101 and node 102, improve the efficiency of establishing a secure connection between node 101 and node 102, and reduce the latency of establishing a secure connection.
[0127] In a further possible implementation, after confirming the establishment of a secure connection with node 101, node 102 may further send a message to node 101 so that node 101 can confirm the successful establishment of a secure connection with node 102 based on the received message.
[0128] Based on this, the embodiment shown in Figure 4 may further include the following step S406.
[0129] S406: Node 102 sends message 4 to node 101. Message 4 is used to terminate the process of establishing a secure connection between node 102 and node 101.
[0130] In practical applications, message 4 sent by node 102 could be, for example, a message named "Server Finish". Furthermore, message 4 does not need to carry information for authenticating node 102, and it may or may not include authentication information 1; there is no limitation on this. Accordingly, upon receiving message 4, node 101 can confirm the establishment of a secure connection with node 102. At this point, the proxy component 1 in node 101 can report the successful establishment of the secure connection to computing instance 1.
[0131] In practical applications, after receiving message 3, node 102 may not need to send message 4 to node 101. Therefore, after successfully sending message 3, node 101 can automatically confirm the establishment of a secure connection with node 102. This embodiment does not limit this. In this case, the proxy component 1 in node 101 can report the successful establishment of the secure connection to computing instance 1 after successfully sending message 3, as shown in Figure 5.
[0132] After a secure connection is successfully established between node 101 and node 102, computing instance 1 in node 101 can communicate encryptedly with computing instance 2 in node 102 based on this connection.
[0133] Taking the example of computing instance 1 sending data to computing instance 2, computing instance 1 can provide the data to be sent (which can be plaintext) to proxy component 1. Proxy component 1 can use the master key corresponding to computing instance 2 stored in connection-level master key file 1 to generate a session key, and use this session key to encrypt the data to be sent, obtaining ciphertext. Then, proxy component 1 can send the ciphertext to node 102 based on the secure connection established with node 102. After receiving the ciphertext, proxy component 2 in node 102 can use the same master key, stored under computing instance 1 in connection-level master key file 2, to generate the same session key, and use this session key to decrypt the ciphertext, obtaining plaintext data. Then, proxy component 2 can send the plaintext data to computing instance 2, thereby realizing encrypted data communication between computing instance 1 and computing instance 2. For example, proxy component 1 can use algorithms such as HKDF or PBKDF to generate a session key based on the master key.
[0134] Furthermore, proxy component 1 can combine the master key and target character 2 to generate a session key, thereby enhancing the security and reliability of the generated session key through enriched algorithm input. For example, target character 2 can be at least one of the following characters: "handshake", "connectionID", and the identifier of the secure connection created by node 101 and/or node 102, or other characters, without limitation. Alternatively, proxy component 1 can directly use the master key as the key for encrypting the data to be sent; correspondingly, proxy component 2 can directly use the master key to decrypt the received ciphertext.
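The derivations described in [0101]-[0102] (master key = f(PMS, R1, R2), authentication information 1 as an HMAC over the master key and a target character), the verification and Alert path in [0118]-[0119], and the per-connection session key of [0133]-[0134] can be modelled end to end. The following Python is an added illustration, not code from the patent or from Huawei; the concrete HKDF layout (R1 || R2 as salt, PMS as input key material), the "master key" info label, the message-2 field layout and the 32-byte key length are assumptions chosen for the example.

```python
import hashlib
import hmac
import os

HASH = hashlib.sha256
KEY_LEN = 32  # assumed key length for master and session keys


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """HKDF-Extract (RFC 5869): PRK = HMAC-Hash(salt, IKM)."""
    return hmac.new(salt, ikm, HASH).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """HKDF-Expand (RFC 5869): T(i) = HMAC-Hash(PRK, T(i-1) | info | i)."""
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        okm += block
        counter += 1
    return okm[:length]


def derive_master_key(pms: bytes, r1: bytes, r2: bytes) -> bytes:
    """master key = f(PMS, R1, R2). Assumed layout: the two random numbers form the
    HKDF salt and the historical security context (PMS) is the input key material."""
    prk = hkdf_extract(r1 + r2, pms)
    return hkdf_expand(prk, b"master key", KEY_LEN)


def make_icv(master_key: bytes, target_char: bytes, payload: bytes) -> bytes:
    """Authentication information (ICV) = HMAC(master key, target character | message body)."""
    return hmac.new(master_key, target_char + payload, HASH).digest()


def verify_icv(master_key: bytes, target_char: bytes, payload: bytes, icv: bytes) -> bool:
    """Constant-time comparison of the locally recomputed ICV with the received one."""
    return hmac.compare_digest(make_icv(master_key, target_char, payload), icv)


def derive_session_key(master_key: bytes, target_char2: bytes) -> bytes:
    """Session key = HKDF(master key, target character 2), so each secure connection
    (e.g. each CID) gets its own key from the same master key."""
    return hkdf_expand(hkdf_extract(b"", master_key), target_char2, KEY_LEN)


def resumed_handshake(pms_node101: bytes, pms_node102: bytes, r1=None, r2=None, cid=b"CID-a"):
    """Models S401-S404 for a non-first connection. Each node derives the master key from
    its own copy of the historical security context; node 102 produces ICV1 over message 2
    and node 101 verifies it. Returns (verified, alert_reason)."""
    r1 = r1 or os.urandom(32)  # generated by proxy component 1, carried in message 1
    r2 = r2 or os.urandom(32)  # generated by proxy component 2, carried in message 2
    # Node 102 side: master key from master secret file 2, then authentication information 1.
    master_key_2 = derive_master_key(pms_node102, r1, r2)
    message2_body = b"node102|instance2|" + cid + b"|" + r2  # constructed message-2 fields
    icv1 = make_icv(master_key_2, b"handshake", message2_body)
    # Node 101 side: master key from master secret file 1, then authentication information 2.
    master_key_1 = derive_master_key(pms_node101, r1, r2)
    if verify_icv(master_key_1, b"handshake", message2_body, icv1):
        return True, None
    # Mismatch: node 101 would send an Alert carrying the failure reason ([0119]).
    return False, "Alert: authentication information 1 failed verification"
```

Two points the prose leaves implicit are visible here: the ICV check must use a constant-time comparison (hmac.compare_digest), and because both nonces enter the master key, a stale master key from an earlier connection does not verify a fresh message 2 even when the PMS is unchanged.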
[0135] It is worth noting that Figure 4 above illustrates the establishment of a secure connection between computing instance 1 and computing instance 2 as an example. In practical applications, nodes 101 and 102 can establish multiple different secure connections between computing instance 1 and computing instance 2. For example, they can establish secure connection 1 for transmitting text or images, secure connection 2 for transmitting video or audio, etc. In this case, the connection-level master key file 1 (similar to other connection-level master key files) can record the master keys corresponding to multiple secure connections. Thus, node 101 can use the master key corresponding to each secure connection to encrypt or decrypt the data transmitted based on that secure connection.
[0136] Taking the connection-level master key file 1, which includes master key 1 corresponding to secure connection 1 and master key 2 corresponding to secure connection 2, as an example, when computing instance 1 and computing instance 2 interact with each other based on secure connection 1, node 101 can use master key 1 to encrypt or decrypt the interactive data; and when computing instance 1 and computing instance 2 interact with each other based on secure connection 2, node 101 can use master key 2 to encrypt or decrypt the interactive data.
[0137] Accordingly, during the process of establishing various secure connections between node 101 and node 102, node 101 may carry indication information in the message 1 it sends. This indication information may be, for example, the identifier of the secure connection, such as the CID mentioned above, or the identifier of the interface called by computing instance 1, where different interfaces may correspond to different secure connections.
[0138] In a further possible implementation, the computing instances in nodes 101 and 102 can run in user space, and the proxy components in nodes 101 and 102 can run in kernel space. Thus, during the establishment of a secure connection between nodes 101 and 102, proxy components 1 and 2 can execute the secure connection establishment process in kernel space. Specifically, proxy components 1 and 2 can perform processes such as querying the master secret file, connection-level master key file, generating the master key, generating authentication information, and generating messages (which can be achieved through message encapsulation) in kernel space. This not only improves the security of establishing a secure connection between nodes 101 and 102, but also eliminates the need for frequent switching between kernel space and user space in nodes 101 and 102, thereby reducing node resource overhead. Furthermore, when computing instance 1 and computing instance 2 perform encrypted data communication, proxy components 1 and 2 can also perform the corresponding encryption and decryption processes in kernel space, further enhancing the security of encrypted data communication. At this point, within the node, the proxy component can provide a simplified interface for user-space compute instances, eliminating the need to store and maintain key information (including security context, master key, and session key) in user space. This enhances the security of encrypted communication between different compute instances. When a compute instance needs to interact with other compute instances, it only needs to specify the identifier of the peer compute instance or the peer node in the node, or further specify the interface to be called within the node (different interfaces can be used for encrypted data communication with different compute instances, or different interfaces can be used to indicate encrypted data communication based on different secure connections).
[0139] In some practical application scenarios, two nodes establish a secure connection by exchanging messages to complete a handshake. Therefore, the process of establishing a secure connection between nodes 101 and 102, as shown in Figure 4, can also be referred to as the handshake process between nodes 101 and 102. That is, if this is not the first handshake between nodes 101 and 102, node 102 can reuse the historical security context generated during its previous handshake with node 101 to generate authentication information. Node 101 can reuse the historical security context generated during its previous handshake with node 102 to verify this authentication information. After the authentication information passes verification, the handshake between nodes 101 and 102 is successful, and the secure connection is established.
[0140] The above, in conjunction with Figures 4 and 5, describes the process of establishing a secure connection between node 101 and node 102 when it is not the first time establishing a secure connection. The following, in conjunction with Figure 6, describes the process of establishing a secure connection for the first time between node 101 and node 102.
[0141] Referring to Figure 6, a flowchart of another communication method is shown. This method is still described using the data processing system 10 shown in Figure 1 as an example. Specifically, the communication method shown in Figure 6 may include the following steps.
[0142] S601: Computing instance 1 sends a handshake request for computing instance 2 to proxy component 1.
[0143] S602: Based on the handshake request, the proxy component 1 queries whether the master key corresponding to the computing instance 2 exists in the connection-level master key file 1.
[0144] S603: If the master key corresponding to computing instance 2 does not exist in the connection-level master key file 1, proxy component 1 sends message 1 to node 102. Message 1 is used to request the establishment of a secure connection with node 102, and message 1 includes the identifier of node 101.
[0145] In practical applications, message 1 may also include the identifier of computation instance 1, the identifier CID-a of the secure connection created by proxy component 1, parameter 1 generated by proxy component 1 for key negotiation, and random number R1, as shown in Figure 6.
[0146] The implementation of how the proxy component 1 generates parameter 1 for key negotiation and random number R1 can be found in the relevant description in the embodiment shown in Figure 4, and will not be repeated here.
[0147] S604: Proxy component 2 queries whether the historical security context corresponding to node 101 exists in the master secret file 2 based on the identifier of node 101 carried in message 1.
[0148] S605: If the historical security context corresponding to the identifier of node 101 is not found in the master secret file 2, the proxy component 2 generates a security context and generates a master key and ICV1 based on the security context.
[0149] In this embodiment, the security context generated by proxy component 2 may be, for example, a PMS. Furthermore, the authentication information used to verify subsequent messages sent by proxy component 2 may specifically be ICV1.
[0150] In one possible implementation, proxy component 2 can locally generate parameter 2 and random number R2 for negotiating the key. The implementation of proxy component 2 generating parameter 2 and random number R2 can be found in the relevant description in the embodiment shown in Figure 4, and will not be repeated here. Then, proxy component 2 can generate a security context based on parameter 1 in message 1 and the locally generated parameter 2, and generate a master key based on the security context, random number R1, and random number R2. Finally, proxy component 2 generates ICV1 based on the master key.
[0151] In this embodiment, proxy component 2 can generate a security context based on DH or ECDH algorithms. Furthermore, the implementation methods for proxy component 2 to generate a master key based on the security context and to generate an ICV1 based on the master key can be found in the relevant descriptions in the above embodiments, and will not be repeated here.
[0152] In this embodiment, the PMS generated by the proxy component 2 can be used as the historical security context mentioned in the embodiment of Figure 4 above.
[0153] S606: Proxy component 2 stores the identifier of node 101 and the corresponding generated security context in master secret file 2, and stores the identifier of computing instance 1 and the corresponding master key in connection-level master key file 2.
[0154] S607: Proxy component 2 sends message 2 to node 101, wherein message 2 may include the identifier of node 102, the digital certificate, the digital signature and ICV1.
[0155] In practical applications, message 2 may also include the identifier of computation instance 2, the identifier CID-b of the secure connection created by proxy component 2, parameter 2 generated by proxy component 2 for key negotiation, random number R2 generated by proxy component 2, etc., as shown in Figure 6.
[0156] The process by which proxy component 2 generates digital certificates and digital signatures follows existing practice and will not be elaborated upon here. Furthermore, the digital certificate and digital signature of node 102 can be used as identity authentication information to verify the identity security of node 102.
[0157] S608: Proxy component 1 generates the security context and master key corresponding to the identifier of node 102, and saves the identifier of node 102 and the security context in the master secret file 1, and saves the identifier of computing instance 2 and the master key in the connection level master key file 1.
[0158] For example, proxy component 1 can generate the security context based on parameter 2 carried in message 2 and the previously locally generated parameter 1, and save the security context together with the identifier of node 102 in master secret file 1.
[0159] S609: Agent component 1 verifies the ICV1, digital certificate, and digital signature in message 2.
[0160] S610: If ICV1, digital certificate and digital signature are verified, the agent component 1 reports to the computing instance 1 that the secure connection has been established successfully, and sends message 3 to node 102. Message 3 is used to end the process of establishing a secure connection between node 101 and node 102.
[0161] As shown in Figure 6, message 3 may include the digital certificate of node 101, digital signature, and ICV2 generated by proxy component 1.
[0162] S611: Agent component 2 verifies the ICV2, digital certificate, and digital signature in message 3.
[0163] S612: If the verification is successful, the agent component 2 confirms the establishment of a secure connection with node 101 and notifies that the two-way verification between compute instance 2 and compute instance 1 is complete.
[0164] Thus, during the initial establishment of a secure connection between node 101 and node 102, the messages exchanged between the two nodes can carry both instance-level identifiers and node-level identifiers. This allows node 101 and node 102 to save the node-level security context in the master secret file and the instance-level master key in the connection-level master key file during the initial secure connection establishment. The node-level security context (i.e., the historical security context mentioned in the embodiment shown in Figure 4) can then be used to accelerate the establishment of a secure connection between node 101 and node 102 in subsequent, non-initial secure connection establishment processes, while the master key in the connection-level master key file is used to encrypt and decrypt the communication data between computing instance 1 and computing instance 2 during subsequent communication.
[0165] It should be noted that in practical applications, the historical security contexts in master secret file 1 and master secret file 2 typically have a certain validity period. Within this validity period, node 101 and node 102 can establish a secure connection based on the historical security context. When the historical security contexts in master secret file 1 and master secret file 2 expire (i.e., their lifespan exceeds the validity period), node 101 and node 102 delete the historical security contexts from their respective master secret files. When node 101 and node 102 subsequently need to establish a secure connection again, the two nodes generate a new security context following the initial secure connection establishment process, save it in the master secret file, and then continue with the rest of the initial secure connection establishment process.
[0166] However, since the clocks of different nodes are difficult to synchronize strictly, the deletion of the historical security context from the master secret file is not synchronized between the nodes. Thus, if node 101 has deleted the historical security context in master secret file 1 (corresponding to computing instance 2) while node 102 has not deleted the historical security context in master secret file 2 (corresponding to computing instance 1), node 102 may execute the non-first secure connection establishment process with node 101 while node 101 executes the first-time secure connection establishment process with node 102.
[0167] Based on this, in a further possible implementation, after receiving message 1 sent by node 101, if node 102 finds the historical security context corresponding to computing instance 1 in the master secret file 1, node 102 can use the historical security context to generate message 2-1 and send message 2-1 to node 101. The process by which node 102 generates message 2-1 based on the historical security context is described in the relevant parts of steps S402 and S403 in the embodiment shown in Figure 4 above. In this case, message 2-1 does not carry identity authentication information for verifying the identity security of node 102.
[0168] Accordingly, upon receiving message 2-1, node 101 finds that message 2-1 carries no identity authentication information (or carries an identifier indicating that this is not the first time a secure connection is being established), while the master secret file 1 stored locally by node 101 records no historical security context corresponding to computing instance 2. Node 101 can then send an alarm message to node 102. This alarm message can be, for example, an Alert message, and it instructs node 102 to execute the first-time secure connection establishment process.
[0169] Therefore, after receiving the alarm message, node 102 can generate a new security context locally and send message 2-2 to node 101. The implementation of node 102 generating the new security context and sending message 2-2 to node 101 is described in the relevant parts of steps S605 and S607 in the embodiment shown in Figure 6 above. Furthermore, node 102 can save the identifier of node 101 and the locally generated new security context in master secret file 2, thereby updating the security context.
[0170] After receiving message 2-2, node 101 can verify the information carried in message 2-2 and, if verification succeeds, send message 3 to node 102. The implementation of node 101 verifying the information in message 2-2 and sending message 3 is described in the relevant parts of steps S608 to S610 in the embodiment shown in Figure 6 above. Furthermore, node 101 can store the identifier of node 102 together with the locally generated PMS in master secret file 1, thereby updating the security context.
[0171] In this way, the security context stored in master secret file 1 on node 101 is kept synchronized with the security context stored in master secret file 2 on node 102, avoiding a mismatch between the security contexts recorded in the two master secret files that would otherwise prevent node 101 and node 102 from establishing a secure connection.
[0172] It should be noted that the embodiment shown in Figure 6 above is only an implementation example and is not intended to limit the scope. For example, in other possible embodiments, when node 101 and node 102 establish a secure connection for the first time, message 1 sent by proxy component 1 to node 102 may carry information such as the digital certificate and digital signature of node 101. In that case, message 3 sent by proxy component 1 to node 102 need not carry the digital certificate and digital signature.
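The following is an added Python model of the exchange described in [0164] to [0171]; it is not code from the patent or from Huawei, and the patent does not specify the key agreement, PRF, ICV construction, message encoding or certificate format, so all of those here are assumptions. A toy modular-exponentiation group stands in for DH/ECDH, the connection-level master key is derived from the cached node-level security context plus the per-connection randoms R1 and R2 with HMAC-SHA256, the ICV is an HMAC over the handshake transcript, and a node's "digital certificate and signature" are replaced by a keyed MAC issued by a stand-in trust anchor. Each node keeps its own clock so that the unsynchronized expiry of [0166] and the alert-driven resynchronization of [0167] to [0170] can be exercised; all identifiers and clock values below are constructed sample data.

```python
import hashlib
import hmac
import secrets

# Toy Diffie-Hellman group standing in for DH/ECDH (p = 2^127 - 1, g = 2); not for real use.
P = (1 << 127) - 1
G = 2
CONTEXT_TTL = 100          # validity period of a historical security context, in toy clock ticks
TRUST_ANCHOR = b"toy-ca"   # stand-in for a CA key; "certificate + signature" is an HMAC over the node id


def issue_credential(node_id: str) -> bytes:
    """Stand-in for a node's digital certificate and signature (identity authentication information)."""
    return hmac.new(TRUST_ANCHOR, node_id.encode(), hashlib.sha256).digest()


def derive_master_key(ctx: bytes, r1: bytes, r2: bytes) -> bytes:
    """Connection-level master key = PRF(node-level security context, per-connection randoms R1, R2)."""
    return hmac.new(ctx, b"master" + r1 + r2, hashlib.sha256).digest()


def transcript(m1: dict, m2: dict) -> bytes:
    """Bind both node ids, both instance ids and both randoms into the value the ICVs cover."""
    return b"|".join([m1["node"].encode(), m1["inst"].encode(), m1["r1"],
                      m2["node"].encode(), m2["inst"].encode(), m2["r2"]])


def compute_icv(master_key: bytes, label: bytes, m1: dict, m2: dict) -> bytes:
    """Integrity check value: HMAC over the labelled transcript, keyed with the connection master key."""
    return hmac.new(master_key, label + transcript(m1, m2), hashlib.sha256).digest()


class Node:
    def __init__(self, node_id: str):
        self.node_id = node_id
        self.clock = 0                     # per-node clock; the two nodes' clocks may drift apart
        self.master_secret_file = {}       # peer node id -> (security context, time stored)
        self.connection_master_keys = {}   # peer instance id -> master key for that connection
        self.credential = issue_credential(node_id)
        self.dh_private = None             # DH exponent of the handshake in progress (one at a time)

    def lookup_context(self, peer_id):
        """Return the cached context for a peer, deleting it once its validity period has passed ([0165])."""
        entry = self.master_secret_file.get(peer_id)
        if entry is None:
            return None
        ctx, stored_at = entry
        if self.clock - stored_at > CONTEXT_TTL:
            del self.master_secret_file[peer_id]
            return None
        return ctx

    def store_context(self, peer_id, ctx):
        self.master_secret_file[peer_id] = (ctx, self.clock)


def msg1(a: Node, inst_a: str, inst_b: str) -> dict:
    """S601: node A's proxy requests a connection from inst_a to inst_b (node id, instance ids, R1, parameter 1)."""
    a.dh_private = secrets.randbelow(P - 2) + 1
    return {"node": a.node_id, "inst": inst_a, "peer_inst": inst_b,
            "r1": secrets.token_bytes(16), "param1": pow(G, a.dh_private, P)}


def respond_msg1(b: Node, m1: dict, force_first: bool = False) -> dict:
    """S602-S607: reuse the historical context if cached, otherwise run the first-time key agreement."""
    ctx = None if force_first else b.lookup_context(m1["node"])
    m2 = {"node": b.node_id, "inst": m1["peer_inst"], "r2": secrets.token_bytes(16)}
    if ctx is None:                                    # first-time path: parameter 2 + identity info
        y = secrets.randbelow(P - 2) + 1
        ctx = pow(m1["param1"], y, P).to_bytes(16, "big")
        b.store_context(m1["node"], ctx)
        m2["param2"] = pow(G, y, P)
        m2["auth"] = b.credential
    mk = derive_master_key(ctx, m1["r1"], m2["r2"])
    b.connection_master_keys[m1["inst"]] = mk
    m2["icv1"] = compute_icv(mk, b"icv1", m1, m2)
    return m2


def handle_msg2(a: Node, m1: dict, m2: dict) -> dict:
    """S608-S610 and [0168]: verify ICV1 (plus identity info on the first path); return message 3 or an alert."""
    if "auth" in m2:                                   # first-time path
        if not hmac.compare_digest(m2["auth"], issue_credential(m2["node"])):
            raise ValueError("identity authentication of peer failed")
        ctx = pow(m2["param2"], a.dh_private, P).to_bytes(16, "big")
        a.store_context(m2["node"], ctx)
    else:                                              # non-first path: we must hold the same context
        ctx = a.lookup_context(m2["node"])
        if ctx is None:
            return {"alert": True}                     # caches out of sync: ask the peer for the first-time process
    mk = derive_master_key(ctx, m1["r1"], m2["r2"])
    if not hmac.compare_digest(m2["icv1"], compute_icv(mk, b"icv1", m1, m2)):
        raise ValueError("ICV1 mismatch")
    a.connection_master_keys[m2["inst"]] = mk
    m3 = {"inst": m1["inst"], "icv2": compute_icv(mk, b"icv2", m1, m2)}
    if "auth" in m2:
        m3["auth"] = a.credential
    return m3


def handle_msg3(b: Node, m1: dict, m2: dict, m3: dict) -> bool:
    """S611-S612: verify ICV2 (plus identity info on the first path)."""
    if "auth" in m3 and not hmac.compare_digest(m3["auth"], issue_credential(m1["node"])):
        raise ValueError("identity authentication of peer failed")
    mk = b.connection_master_keys[m3["inst"]]
    return hmac.compare_digest(m3["icv2"], compute_icv(mk, b"icv2", m1, m2))


def run_handshake(a: Node, b: Node, inst_a: str, inst_b: str) -> str:
    """Drive one handshake and report which path it took: 'first', 'non-first' or 'resync'."""
    m1 = msg1(a, inst_a, inst_b)
    m2 = respond_msg1(b, m1)
    path = "first" if "auth" in m2 else "non-first"
    m3 = handle_msg2(a, m1, m2)
    if m3.get("alert"):                                # [0169]-[0170]: message 2-2 carries a fresh context
        path = "resync"
        m2 = respond_msg1(b, m1, force_first=True)
        m3 = handle_msg2(a, m1, m2)
    if not handle_msg3(b, m1, m2, m3):
        raise ValueError("ICV2 mismatch")
    assert a.connection_master_keys[inst_b] == b.connection_master_keys[inst_a]
    return path


if __name__ == "__main__":
    n101, n102 = Node("101"), Node("102")
    print(run_handshake(n101, n102, "inst-1", "inst-2"))  # first
    print(run_handshake(n101, n102, "inst-3", "inst-4"))  # non-first: no certificate, no key agreement
    n101.clock += CONTEXT_TTL + 1                         # only node 101 sees its cached context expire
    print(run_handshake(n101, n102, "inst-5", "inst-6"))  # resync via the alert message
```

Two points of the design are worth noting. The responder decides between the two paths purely from its own master secret file, so the third run reproduces the situation in [0166]: node 102 still holds a valid context and answers without identity information, node 101 has already purged its copy and cannot verify ICV1, and the alert forces a first-time exchange that rewrites both files with the same context. The ICV transcript also binds both node identifiers and both instance identifiers, so a master key derived for one instance pair cannot be replayed to authenticate a different one.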
[0173] It is worth noting that other reasonable combinations of steps that can be conceived by those skilled in the art based on the above description also fall within the scope of protection of this application. Secondly, those skilled in the art should also be aware that the embodiments described in the specification are preferred embodiments, and the actions involved are not necessarily essential to this application.
[0174] Figure 7 is a schematic diagram of the hardware structure of a computing device 700 provided in this application. The computing device 700 can, for example, implement node 101 or node 102 in the embodiments shown in Figure 5 or Figure 6 above.
[0175] As shown in Figure 7, the computing device 700 includes a processor 701, a memory 702, and a communication interface 703. The processor 701, memory 702, and communication interface 703 communicate via a bus 704, or via wireless transmission or other means. The memory 702 stores instructions, and the processor 701 executes the instructions stored in the memory 702. Further, the computing device 700 may also include a memory unit 705, which is connected to the processor 701, the memory 702, and the communication interface 703 via the bus 704. The memory 702 stores program code, and the processor 701 can read the program code stored in the memory 702 into the memory unit 705 and execute the program code in the memory unit 705, enabling the computing device to perform the following operations as a first node:
[0176] Send a first message to the second node. The first message is used by the first node to request the establishment of a secure connection with the second node.
[0177] Receive a second message from the second node. The second message includes first authentication information. The first authentication information is generated based on the historical security context when the first node and the second node are not establishing a secure connection for the first time. The historical security context is generated during the process of establishing a secure connection between the first node and the second node in the past time period. The historical security context is used for secure communication between the first node and the second node.
[0178] Verify the first authentication information based on the historical security context; wherein, if the first authentication information is verified, the first node and the second node communicate based on the secure connection requested by the first message.
[0179] Alternatively, processor 701 executes program code in memory unit 705 so that the computing device can perform the following operations as a second node:
[0180] Receive the first message from the first node, which is used by the first node to request the establishment of a secure connection with the second node;
[0181] In cases where the first node and the second node have not established a secure connection for the first time, the first authentication information is generated based on the historical security context. The historical security context is generated during the process of establishing a secure connection between the first node and the second node in the past time period and is used for secure communication between the first node and the second node.
[0182] A second message is sent to the first node, the second message including the first authentication information; wherein, if the first authentication information is verified by the first node, the first node and the second node communicate based on the secure connection requested by the first message.
[0183] In practical applications, the processor 701 executes the program code in the memory unit 705, and can also execute other operations performed by node 101 or node 102 in the embodiments shown in Figure 4 or Figure 5.
[0184] It should be understood that in this embodiment, the processor 701 can be a CPU, but it can also be other general-purpose processors, digital signal processors (DSPs), application-specific integrated circuits (ASICs), field-programmable gate arrays (FPGAs), or other programmable logic devices, discrete gate or transistor logic devices, discrete device assemblies, etc. A general-purpose processor can be a microprocessor or any conventional processor.
[0185] The memory 702 may include read-only memory and random access memory, and provides instructions and data to the processor 701. The memory 702 may also include non-volatile random access memory.
[0186] The memory 702 can be volatile memory or non-volatile memory, or it can include both. The non-volatile memory can be read-only memory (ROM), programmable read-only memory (PROM), erasable programmable read-only memory (EPROM), electrically erasable programmable read-only memory (EEPROM), or flash memory. The volatile memory can be random access memory (RAM), which is used as an external cache. By way of example, but not limitation, many forms of RAM are available, such as static random access memory (SRAM), dynamic random access memory (DRAM), synchronous dynamic random access memory (SDRAM), double data rate synchronous dynamic random access memory (DDR SDRAM), enhanced synchronous dynamic random access memory (ESDRAM), synchronous link dynamic random access memory (SLDRAM), and direct rambus RAM (DR RAM).
[0187] The communication interface 703 is used to communicate with other devices connected to the computing device 700. The bus 704 may include a data bus, a power bus, a control bus, and a status signal bus, etc. However, for clarity, all buses are labeled as bus 704 in the figure.
[0188] It should be understood that the computing device 700 of this application embodiment may correspond to the method executed by node 101 in the method embodiment shown in Figure 5 or Figure 6 of this application embodiment, or may correspond to the method executed by node 102 in the method embodiment shown in Figure 5 or Figure 6 of this application embodiment. The above and other operations and/or functions implemented by the computing device 700 respectively implement the flow of the corresponding method in Figure 5 or Figure 6. For the sake of brevity, they will not be described in detail here.
[0189] This application also provides a computer-readable storage medium. The computer-readable storage medium can be any available medium that a computing device can store, or a data storage device such as a data center containing one or more available media. The available medium can be a magnetic medium (e.g., floppy disk, hard disk, magnetic tape), an optical medium (e.g., DVD), or a semiconductor medium (e.g., solid-state drive). The computer-readable storage medium includes instructions that instruct the computing device to perform the aforementioned communication method.
[0190] This application also provides a computer program product. The computer program product includes one or more computer instructions. When the computer instructions are loaded and executed on a computing device, all or part of the processes or functions described in this application are generated.
[0191] The computer instructions may be stored in a computer-readable storage medium or transmitted from one computer-readable storage medium to another. For example, the computer instructions may be transmitted from one website, computer, or data center to another website, computer, or data center via wired (e.g., coaxial cable, fiber optic, digital subscriber line (DSL)) or wireless (e.g., infrared, wireless, microwave, etc.) means.
[0192] The computer program product can be a software installation package. If any of the aforementioned communication methods are required, the computer program product can be downloaded and executed on a computing device.
[0193] The above embodiments can be implemented, in whole or in part, by software, hardware, firmware, or any other combination thereof. When implemented using software, the above embodiments can be implemented, in whole or in part, as a computer program product. The computer program product includes one or more computer instructions. When the computer program instructions are loaded or executed on a computer, all or part of the processes or functions described in the embodiments of this application are generated. The computer can be a general-purpose computer, a special-purpose computer, a computer network, or other programmable device. The computer instructions can be stored in a computer-readable storage medium or transmitted from one computer-readable storage medium to another. For example, the computer instructions can be transmitted from one website, computer, server, or data center to another website, computer, server, or data center via wired (e.g., coaxial cable, fiber optic, digital subscriber line (DSL)) or wireless (e.g., infrared, wireless, microwave, etc.) means. The computer-readable storage medium can be any available medium that a computer can access or a data storage device such as a server or data center that includes one or more sets of available media. The available medium can be a magnetic medium (e.g., floppy disk, hard disk, magnetic tape), an optical medium (e.g., DVD), or a semiconductor medium. A semiconductor medium can be a solid-state drive.
[0194] The terminology used in the above embodiments is for the purpose of describing specific embodiments only and is not intended to be a limitation of this application. As used in the specification and appended claims of this application, the singular expressions “a,” “an,” “the,” and “this” are intended to also include expressions such as “one or more,” unless the context clearly indicates otherwise. It should also be understood that in the embodiments of this application, “one or more” refers to one, two, or more; the character “/” generally indicates that the preceding and following objects are in an “or” relationship. In the embodiments of this application, “simultaneously” means within the same time period, including situations where they are at the same moment. The terms “first,” “second,” etc., in the specification, claims, and drawings of this application are used to distinguish similar objects and are not necessarily used to describe a specific order or sequence. It should be understood that such terms can be used interchangeably where appropriate, and this is merely a way of distinguishing objects with the same attributes in the embodiments of this application.
[0195] References to "one embodiment" or "some embodiments" as described in this specification mean that one or more embodiments of this application include a specific feature, structure, or characteristic described in connection with that embodiment. Therefore, the phrases "in one embodiment," "in some embodiments," "in other embodiments," "in still other embodiments," etc., appearing in different parts of this specification do not necessarily refer to the same embodiment, but rather mean "one or more, but not all, embodiments," unless otherwise specifically emphasized. The terms "comprising," "including," "having," and variations thereof mean "including but not limited to," unless otherwise specifically emphasized.
[0196] The above description is merely a specific embodiment of this application, but the scope of protection of this application is not limited thereto. Any person skilled in the art can easily conceive of various equivalent modifications or substitutions within the technical scope disclosed in this application, and these modifications or substitutions should all be covered within the scope of protection of this application. Therefore, the scope of protection of this application should be determined by the scope of the claims.
Claims
1. A communication method, characterized in that, The method is applied to a data processing system, the data processing system including a first node and a second node, and the method includes: The first node sends a first message to the second node, the first message being used to request the establishment of a secure connection with the second node; In the case where the first node and the second node have not established a secure connection for the first time, the second node generates first authentication information based on the historical security context. The historical security context is generated during the process of establishing a secure connection between the first node and the second node in the past time period, and the historical security context is used for secure communication between the first node and the second node. The second node sends a second message to the first node, the second message including the first authentication information; The first node verifies the first authentication information based on the historical security context; wherein, if the first authentication information is verified, the first node and the second node communicate based on the secure connection requested by the first message.
2. The method according to claim 1, characterized in that, The method further includes: If the first authentication information is verified, the first node sends a third message to the second node, which is used to terminate the process of establishing a secure connection between the first node and the second node.
3. The method according to claim 1 or 2, characterized in that, The first message is used to request the establishment of a secure connection with the second node. Specifically, the first message is used to request the establishment of a secure connection between the first computing instance in the first node and the second computing instance in the second node. The historical security context is generated during the process of establishing a secure connection between the first node and the second node in the past time period, specifically during the process of establishing a secure connection between the third computing instance in the first node and the fourth computing instance in the second node in the past time period. The historical security context is used for secure communication between the first node and the second node, specifically for secure communication between the third computing instance and the fourth computing instance.
4. The method according to claim 3, characterized in that, The first node includes a first proxy component, and the second node includes a second proxy component. The first proxy component and the second proxy component are used to perform a process of establishing a secure connection between the first computing instance and the second computing instance. Furthermore, the first proxy component and the second proxy component are also used to perform a process of establishing a secure connection between the third computing instance and the fourth computing instance.
5. The method according to claim 4, characterized in that, The historical security context is stored in the kernel of the first node, and the first proxy component and the second proxy component are used in kernel mode to perform the process of establishing a secure connection between the computing instance in the first node and the computing instance in the second node.
6. The method according to any one of claims 1 to 5, characterized in that, The first message includes an identifier of a first node, the second message includes an identifier of a second node, and the method further includes: After receiving the first message and before generating the first authentication information, the second node queries the second master secret file based on the identifier of the first node. The second master secret file records the historical security context corresponding to the first node. After receiving the second message and before verifying the first authentication information, the first node queries the first master secret file based on the identifier of the second node. The first master secret file records the historical security context corresponding to the second node.
7. The method according to claim 6, characterized in that, The method further includes: The second node queries the second master secret file based on the identifier of the first node, and if the historical security context corresponding to the first node is found in the second master secret file, it determines that the first node and the second node have not established a secure connection for the first time. The first node queries the first master secret file based on the identifier of the second node. If the historical security context corresponding to the second node is found in the first master secret file, the first node determines that the first node and the second node have not established a secure connection for the first time. Alternatively, the first node determines that the first node and the second node have not established a secure connection for the first time based on the connection identifier in the second message. Or, if the second message does not include second identity authentication information, the first node determines that the first node and the second node have not established a secure connection for the first time. The second identity authentication information is information used to verify the identity security of the second node.
8. The method according to any one of claims 1 to 7, characterized in that, The second message does not include second identity authentication information, which is information used to verify the identity security of the second node; Alternatively, the third message sent by the first node may not include the first identity authentication information, which is information used to verify the identity security of the first node, and the third message may be used to terminate the process of establishing a secure connection between the first node and the second node.
9. The method according to any one of claims 1 to 8, characterized in that, After the first node sends a third message to the second node, the first node does not have the historical security context, while the second node has the historical security context. The method further includes: The first node sends a fourth message to the second node, the fourth message being used to request the establishment of a secure connection with the second node; The second node sends a fifth message back to the first node. The fifth message does not include third identity authentication information, which is information used to verify the identity security of the second node. If the first node fails to find the historical security context and the fifth message does not include the third identity authentication information, it sends an alarm message to the second node. The alarm message is used to instruct the second node to execute the process of establishing a secure connection for the first time. The second node sends a sixth message to the first node, the sixth message including the third identity authentication information; The first node sends a seventh message to the second node, which is used to terminate the process of establishing a secure connection between the first node and the second node.
10. The method according to any one of claims 1 to 9, characterized in that, The first node verifies the first authentication information based on the historical security context, including: The first node generates a first master key based on the historical security context. The first master key is used to encrypt or decrypt the interaction data between the first node and the second node. The first node generates second authentication information based on the first master key; When the second authentication information matches the first authentication information, the first node determines that the first authentication information has been verified. The method further includes: The first node stores the identifier of the second computing instance in the second node in the connection-level master key file, corresponding to the first master key, and the second message includes the identifier of the second computing instance.
11. The method according to claim 10, characterized in that, The first master key is used to encrypt or decrypt data exchanged between the first computing instance and the second computing instance in the first node based on the first secure connection. The connection-level master key file stores the identifier of the second computing instance and the second master key. The second master key is used to encrypt or decrypt data exchanged between the first computing instance and the second computing instance based on the second secure connection.
12. The method according to claim 10 or 11, characterized in that, The method further includes: Before sending the first message, the first node queries the connection-level master key file; The first node sends a first message to the second node, including: If the first master key corresponding to the identifier of the second computing instance does not exist in the connection-level master key file, the first node sends the first message to the second node.
13. A data processing system, characterized in that, The data processing system includes a first node and a second node; The first node is used to send a first message to the second node, the first message being used to request the establishment of a secure connection with the second node; The second node is configured to generate first authentication information based on a historical security context when the first node and the second node establish a secure connection for the first time, wherein the historical security context is generated during the establishment of a secure connection between the first node and the second node in the past time period and is used for secure communication between the first node and the second node; and to send a second message to the first node, wherein the second message includes the first authentication information. The first node is further configured to verify the first authentication information based on the historical security context; wherein, if the first authentication information is verified, the first node and the second node communicate based on the secure connection requested by the first message.
14. The system according to claim 13, characterized in that, The first node is further configured to send a third message to the second node if the first authentication information is verified, the third message being used to terminate the process of establishing a secure connection between the first node and the second node.
15. The system according to claim 13 or 14, characterized in that, The first message is used to request the establishment of a secure connection with the second node. Specifically, the first message is used to request the establishment of a secure connection between the first computing instance in the first node and the second computing instance in the second node. The historical security context is generated during the process of establishing a secure connection between the first node and the second node in the past time period, specifically during the process of establishing a secure connection between the third computing instance in the first node and the fourth computing instance in the second node in the past time period. The historical security context is used for secure communication between the first node and the second node, specifically for secure communication between the third computing instance and the fourth computing instance.
16. The system according to claim 15, characterized in that, The first node includes a first proxy component, and the second node includes a second proxy component. The first proxy component and the second proxy component are used to perform a process of establishing a secure connection between the first computing instance and the second computing instance. Furthermore, the first proxy component and the second proxy component are also used to perform a process of establishing a secure connection between the third computing instance and the fourth computing instance.
17. The system according to claim 16, characterized in that, The historical security context is stored in the kernel of the first node, and the first proxy component and the second proxy component are used in kernel mode to perform the process of establishing a secure connection between the computing instance in the first node and the computing instance in the second node.
18. The system according to any one of claims 13 to 17, characterized in that the first message includes the identifier of the first node, and the second message includes the identifier of the second node; the second node is further configured to query a second master secret file based on the identifier of the first node after receiving the first message and before generating the first authentication information, wherein the second master secret file records the historical security context corresponding to the first node; and the first node is further configured to, after receiving the second message and before verifying the first authentication information, query the first master secret file according to the identifier of the second node, wherein the first master secret file records the historical security context corresponding to the second node.
19. The system according to claim 18, characterized in that the second node is further configured to query the second master secret file based on the identifier of the first node, and, if the historical security context corresponding to the first node is found in the second master secret file, determine that the first node and the second node have not established a secure connection for the first time; and the first node is further configured to query the first master secret file based on the identifier of the second node, and, if the historical security context corresponding to the second node is found in the first master secret file, determine that the first node and the second node have not established a secure connection for the first time, or, based on the connection identifier in the second message, determine that the first node and the second node have not established a secure connection for the first time, or, if the second message does not include second identity authentication information, determine that the first node and the second node have not established a secure connection for the first time, wherein the second identity authentication information is information used to verify the identity security of the second node.
20. The system according to any one of claims 13 to 19, characterized in that the second message does not include second identity authentication information, which is information used to verify the identity security of the second node; or, alternatively, the third message sent by the first node does not include the first identity authentication information, which is information used to verify the identity security of the first node, and the third message is used to terminate the process of establishing a secure connection between the first node and the second node.
21. The system according to any one of claims 13 to 20, characterized in that, after the first node sends the third message to the second node, the first node does not save the historical security context, while the second node saves the historical security context; the first node is further configured to send a fourth message to the second node, the fourth message being used to request the establishment of a secure connection with the second node; the second node is further configured to send a fifth message back to the first node, wherein the fifth message does not include third identity authentication information, and the third identity authentication information is information used to verify the identity security of the second node; the first node is further configured to send an alarm message to the second node if the historical security context is not found and the fifth message does not include the third identity authentication information, the alarm message being used to instruct the second node to execute the process of establishing a secure connection for the first time; the second node is further configured to send a sixth message to the first node, the sixth message including the third identity authentication information; and the first node is further configured to send a seventh message to the second node, the seventh message being used to terminate the process of establishing a secure connection between the first node and the second node.
22. A communication method, characterized in that the method is applied to the first node, and the method includes: sending a first message to the second node, the first message being used by the first node to request the establishment of a secure connection with the second node; receiving a second message from the second node, the second message including first authentication information, the first authentication information being generated based on historical security context when the first node and the second node are not establishing a secure connection for the first time, the historical security context being generated during the process of the first node and the second node establishing a secure connection in a past time period, and the historical security context being used for secure communication between the first node and the second node; and verifying the first authentication information based on the historical security context; wherein, if the first authentication information is verified, the first node and the second node communicate based on the secure connection requested by the first message.
23. A communication method, characterized in that the method is applied to the second node, and the method includes: receiving a first message from the first node, the first message being used by the first node to request the establishment of a secure connection with the second node; in the case where the first node and the second node have not established a secure connection for the first time, generating first authentication information based on the historical security context, wherein the historical security context is generated during the process of establishing a secure connection between the first node and the second node in a past time period, and the historical security context is used for secure communication between the first node and the second node; and sending a second message to the first node, the second message including the first authentication information; wherein, if the first authentication information is verified by the first node, the first node and the second node communicate based on the secure connection requested by the first message.
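The exchange of claims 22 and 23, together with the lookup of claims 18 and 19 and the mismatch handling of claim 21, as an added simulation that is not part of the patent and not Huawei's implementation. It assumes a per-node "master secret file" is a dictionary keyed by peer identifier, that the historical security context is a 32-byte shared secret saved by both sides after a full first-time handshake, and that the authentication information is an HMAC over both identifiers and fresh nonces from each side (the patent does not fix a construction; the HMAC, nonces and the `Node`, `auth_tag` and `establish` names are assumptions). The first-time handshake is a stand-in that only records a fresh context, since the identity-verification step itself is outside these claims.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field


@dataclass
class Node:
    node_id: str
    # "master secret file": peer identifier -> historical security context.
    master_secret_file: dict = field(default_factory=dict)
    events: list = field(default_factory=list)  # trace of what this node did

    def first_time_handshake(self, peer: "Node") -> bytes:
        # Stand-in for a full handshake with identity authentication (e.g.
        # certificate exchange). Both sides save the resulting context so the
        # next establishment can be resumed from history.
        self.events.append("first-time handshake")
        peer.events.append("first-time handshake")
        ctx = os.urandom(32)  # constructed context, not real key material
        self.master_secret_file[peer.node_id] = ctx
        peer.master_secret_file[self.node_id] = ctx
        return ctx


def auth_tag(ctx: bytes, first_msg: dict, responder_id: str, responder_nonce: bytes) -> bytes:
    # First authentication information: bound to the historical context and to
    # this exchange (both identifiers, both nonces), so a second message
    # captured from an earlier attempt does not verify against a new request.
    transcript = b"|".join([
        first_msg["id"].encode(), first_msg["nonce"],
        responder_id.encode(), responder_nonce,
    ])
    return hmac.new(ctx, transcript, hashlib.sha256).digest()


def establish(first: Node, second: Node) -> str:
    """Run one establishment attempt between first and second; return the path taken."""
    # First message: request plus the first node's identifier (claims 18, 22).
    msg1 = {"id": first.node_id, "nonce": os.urandom(16)}
    first.events.append("sent first message")

    # Second node queries its master secret file by the first node's identifier.
    ctx2 = second.master_secret_file.get(msg1["id"])
    if ctx2 is None:
        # Unknown peer: first-time establishment with identity authentication.
        second.events.append("no historical context; first-time path")
        first.first_time_handshake(second)
        return "first-time"

    # Known peer: second message carries authentication information derived
    # from history and no identity credential (claims 19, 20, 23).
    nonce2 = os.urandom(16)
    msg2 = {"id": second.node_id, "nonce": nonce2,
            "auth": auth_tag(ctx2, msg1, second.node_id, nonce2),
            "identity_auth": None}
    second.events.append("sent second message (resumed from history)")

    # First node queries its own master secret file by the second node's identifier.
    ctx1 = first.master_secret_file.get(msg2["id"])
    if ctx1 is None and msg2["identity_auth"] is None:
        # Claim 21: peer resumed but we hold no context -> alarm message, and the
        # second node must run the first-time process instead.
        first.events.append("sent alarm message")
        second.events.append("received alarm; sent identity authentication")
        first.first_time_handshake(second)
        return "alarm-then-first-time"

    expected = auth_tag(ctx1, msg1, msg2["id"], msg2["nonce"])
    if not hmac.compare_digest(expected, msg2["auth"]):
        # Stale or mismatched history on either side: do not fall back silently.
        first.events.append("verification failed; aborted")
        return "verify-failed"

    # Third message terminates establishment without identity credentials (claim 20).
    first.events.append("verified; sent third message (no identity auth)")
    return "resumed"


if __name__ == "__main__":
    a, b = Node("node-1"), Node("node-2")
    print(establish(a, b))   # first-time
    print(establish(a, b))   # resumed
    del a.master_secret_file["node-2"]
    print(establish(a, b))   # alarm-then-first-time
```

Two points a reviewer of such a scheme would check: the HMAC is computed over nonces from both sides, so reusing history does not let either party accept a replayed second message; and a context lookup that succeeds but fails verification is treated as an abort rather than a silent fall-back, so a corrupted or stale master secret file surfaces in the trace instead of being masked.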
24. A computing device, characterized in that the computing device includes a processor and a memory, the processor being configured to execute instructions stored in the memory to cause the computing device to perform the steps of the method as described in claim 22.
25. A computing device, characterized in that the computing device includes a processor and a memory, the processor being configured to execute instructions stored in the memory to cause the computing device to perform the steps of the method as described in claim 23.
26. A computer-readable storage medium, characterized in that it includes instructions that, when executed on at least one computing device, cause the at least one computing device to perform the steps of the method as described in any one of claims 1 to 12.
27. A computer program product containing instructions, characterized in that, when it is run on at least one computing device, it causes the at least one computing device to perform the steps of the method as described in any one of claims 1 to 12.