Detailed Description
      Reference will now be made in detail to the exemplary embodiments, examples of which are illustrated in the accompanying drawings. When the following description refers to the accompanying drawings, like numbers in different drawings represent the same or similar elements unless otherwise indicated. The embodiments described in the following exemplary embodiments do not represent all embodiments consistent with the present application. Rather, they are merely examples of apparatus and methods consistent with certain aspects of the present application, as detailed in the appended claims.
      The block diagrams shown in the figures are functional entities only and do not necessarily correspond to physically separate entities. That is, these functional entities may be implemented in the form of software, or in one or more hardware modules or integrated circuits, or in different networks and/or processor means and/or microcontroller means.
      The flow charts shown in the drawings are merely illustrative and do not necessarily include all of the contents and operations/steps, nor do they necessarily have to be performed in the order described. For example, some operations/steps may be decomposed, and some operations/steps may be combined or partially combined, so that the actual execution sequence may be changed according to the actual situation.
      It should also be noted that: reference to "a plurality" in this application means two or more. "And/or" describes the association relationship of the associated objects, meaning that there may be three relationships, e.g., A and/or B may mean: A exists alone, A and B exist simultaneously, or B exists alone. The character "/" generally indicates that the former and latter associated objects are in an "or" relationship.
      In the following, some embodiments of the present disclosure will be described in detail with reference to the accompanying drawings, and features in the following examples and embodiments may be combined with each other without conflict.
      Fig. 1 is a system configuration diagram illustrating an operating environment of the present exemplary embodiment, and referring to fig. 1, the system may include a data transmitting end 110 and a data receiving end 120. The data transmitting end 110 and the data receiving end 120 are communicatively connected via a network, which may include various connection types, such as wired, wireless communication links, or fiber optic cables, among others.
      The data sending end 110 is a requesting device that requests to establish a session connection, and may be a server or a terminal device. The data receiving end 120 is a requested device that receives the information requested by the data sending end 110, and may be a server or a terminal device. For example, as shown in fig. 1, the data sender 110 is a terminal device, and the data receiver 120 is a server.
      The terminal device may be hardware or software. When the terminal device is hardware, the terminal device may be various electronic devices including, but not limited to, a smart phone, a tablet computer, a smart band, a desktop computer, and the like. When the terminal device is software, the terminal device can be installed in the electronic devices listed above. It is also contemplated that the terminal device can support any type of interface to the user, such as a wearable device or the like.
      The server can be an independent physical server, a server cluster or a distributed system formed by a plurality of physical servers, and can also be a cloud server for providing basic cloud computing services such as cloud service, a cloud database, cloud computing, cloud functions, cloud storage, network service, cloud communication, middleware service, domain name service, security service, big data and artificial intelligence platform and the like.
      The SPA technology is a new network security technology, and refers to that before a network session is established, a responder of a network connection authenticates and authorizes a requester through a data packet sent by the requester of the network connection. The core of the SPA technology is a set of network protocols, which are completed by the interaction of a client installed on a requesting device and a server installed on a responding device. The server does not respond to any access packets in the default state, but continuously checks the content of all received packets. When a legal data packet constructed and sent by a legal client is detected, the server temporarily opens a specific connection mode according to the request information in the data packet, and allows the specific client and the server to establish an effective session. After the session is established, the server side is restored to the default state, and still does not respond to any access data packet, and the established session is not affected, so that the requester can continuously use the network resources required by the access.
      It should be understood that the kinds and numbers of the data transmitting end 110 and the data receiving end 120 in fig. 1 are only illustrative, and there may be any kinds and numbers of the data transmitting end 110 and the data receiving end 120 according to implementation needs.
      In the related art, although the SPA technology can prevent the unauthorized data sending end 110 and the data receiving end 120 from establishing a session connection, so as to identify and block the connection request of the attacking terminal before the session is established, the SPA technology cannot effectively identify the forged legal connection request sent by the attacking terminal, so that the data receiving end 120 and the attacking terminal establish a session connection. Based on this, the exemplary embodiments of the present disclosure provide a session connection method.
      Referring to fig. 2, fig. 2 is a flowchart of a session connection method in an exemplary embodiment of the present disclosure, and a session connection method in an exemplary embodiment of the present disclosure is described below with reference to fig. 2 and taking a data sending end as an execution subject.
      Step S210, sending a first data packet to a data receiving end according to the session connection request; the first data packet carries the identity information of the data sending end, so that the data receiving end carries out identity authentication of the data sending end according to the identity information and opens authentication service when the identity authentication is passed.
      The session connection request is used to request to establish a session connection between the data sending end and the data receiving end, and the session connection request may be generated by an application or a system installed in the data sending end. For example, when an application a installed in a data transmitting end needs to access a port a in a data receiving end, a corresponding session connection request is generated, so that the data transmitting end transmits a first data packet to the data receiving end according to the session connection request to request for accessing the port a of the data receiving end. The session connection request may include information such as port information, application identifier, and request content of the request data receiving end.
      The data sending end generates a corresponding first data packet according to the session connection request, where the first data packet at least includes identity information of the data sending end, such as information of a local area network address, a terminal identifier, a user name, a user password, and the like of the data sending end. And the data receiving end carries out identity authentication on the data sending end according to the first data packet so as to judge whether the data sending end can be connected or not.
      It is understood that the first data packet may further include other data items, such as requested port information, an authentication random number, and the like, and the specific data items included in the first data packet may be flexibly set according to practical situations, which is not limited in this disclosure.
      The data sending end can also perform an encryption operation on the first data packet so as to send the encrypted first data packet to the data receiving end. The encryption algorithm for performing the encryption operation on the first data packet includes, but is not limited to, the Advanced Encryption Standard (AES), the MD5 Message-Digest Algorithm (MD5), public key encryption (the RSA algorithm), the Elliptic Curve Digital Signature Algorithm (ECDSA), and the like. The specific encryption algorithm can be flexibly selected according to the actual situation, which is not limited in the embodiment of the disclosure.
      The data receiving end decrypts and analyzes the received first data packet. If the first data packet cannot be unpacked, or the type of the unpacked data packet is wrong, the data packet is discarded. If the data packet is normal after unpacking, the data information in the data packet is further analyzed to check whether the identity information of the data sending end carried by the first data packet is wrong or not, and an identity authentication result is obtained. For example, the data receiving end stores an identity information base of connectable data sending ends and analyzes the received first data packet against it: if the data sending end corresponding to the first data packet does not exist in the identity information base, the data sending end is not connectable and the corresponding identity authentication result is "not passed"; if the data sending end corresponding to the first data packet exists in the identity information base, the data sending end is connectable and the corresponding identity authentication result is "passed".
      Further, if the result of the data receiving end performing identity authentication on the data sending end is "passed", the data receiving end opens the authentication service. The authentication service is used for receiving a second data packet of the data sending end and performing authorization authentication on the second data packet. For example, the data receiving end may be provided with a verification port, and the data receiving end may open the verification port to perform authorization authentication on the second data packet through the verification port. Before the authentication service is opened, the verification port corresponding to it is hidden from the data sending end: either no data from the data sending end is received at all, or the data is discarded after being received.
      It should be noted that the data receiving end authenticates the second data packet only after the authentication service is opened, that is, only after the first data packet passes the authentication, so as to set a plurality of verification nodes for the data receiving end, thereby improving the security of session connection.
      Step S220, obtaining rule parameter information corresponding to the session connection request, and generating a second data packet according to the rule parameter information; and the second data packet carries authorization and authentication information.
      The authorization authentication information refers to information for verifying the right of the data transmitting end to access the data receiving end for the data receiving end.
      The rule parameter information is used for specifying information such as information content carried by the second data packet, data format of the second data packet and the like, and the specific second data packet is generated through the rule parameter information.
      The information content carried by the second data packet may specifically be information such as the data items included in the second data packet and the corresponding data item content, such as the accessed port, the port security level, a random number, a timestamp, a port knock sequence, an Internet Protocol (IP) address, and the data item content corresponding to each data item. The data format of the second data packet may specifically be information such as the arrangement manner of each data item in the second data packet and the data exchange format of the second data packet, where the data exchange format includes, but is not limited to, the JavaScript Object Notation (JSON) format, the Extensible Markup Language (XML) format, and the like.
      The rule parameter information is a rule convention after the data sending end and the data receiving end negotiate, and only the data sending end trusted by the data receiving end holds the rule parameter information, which is equal to the secret key. Only the second data packet constructed according to the rule parameter information passes the verification of the data receiving end. By setting the rule parameter information, the security of the second data packet is ensured, and the attack terminal is prevented from forging the second data packet. It will be appreciated that the first data packet may also be generated in accordance with the rule parameter information.
      The rule parameter information may include dynamic parameters or may include static parameters.
      The static parameter refers to a parameter that does not change depending on the environment in which the second packet is transmitted. Such as the IP address, user name, etc. of the data receiving end. The dynamic parameter refers to a parameter that may be changed according to the environment in which the second packet is transmitted. For example, the dynamic parameter may be a change of a data item contained in the second data packet, such as selecting a different data item to generate the second data packet according to a difference of a port requested by the session connection request; the dynamic parameter may also be a change in the content of the data item contained in the second data packet, such as that during a first time period the content of the data item corresponding to data item a comprises content a and during a second time period the content of the data item corresponding to data item a comprises content b.
      And constructing a second data packet through the rule parameter information, thereby specifying information such as content parameters, data formats and the like of the second data packet so as to send the specific second data packet to a data receiving end. The data sending end and the data receiving end can ensure the safety of the session connection by encrypting the sent request data, and can ensure the safety of the session connection by appointing the specific format and the specific content of the sent request data.
      In some embodiments, the data sending end is provided with an information look-up table; the obtaining rule parameter information corresponding to the session connection request and generating a second data packet according to the rule parameter information includes: inquiring the information inquiry table according to the session connection request to obtain rule parameter information; determining a corresponding data item and data item content corresponding to the data item according to the rule parameter information; and generating a second data packet according to the data item and the data item content.
      The information query table is used for storing the rule parameter information, and can query the corresponding rule parameter information according to the session connection request, so as to confirm at least one of the data format and the carried information content of the second data packet according to the rule parameter information.
      Illustratively, the security level of the session connection request is confirmed to obtain rule parameter information matching the security level from the information look-up table according to the security level. The security level of the session connection request may be used to characterize the security level of the port requested to be accessed by the session connection request, and the information lookup table stores corresponding rule parameter information at different security levels.
      The data receiving end can set different security levels for the corresponding ports according to the difference of the ports. The security level of each port and the rule parameter information matched with each security level are only held by the data receiving end and the data sending end trusted by the data receiving end.
      Therefore, the data sending end can obtain the matched rule parameter information according to the difference of the security levels of the ports needing to be accessed so as to generate a legal second data packet. For example, when the data sending end needs to access the port a, the security level corresponding to the port a is a middle level, and the information lookup table is queried according to the security level to obtain the corresponding rule parameter information, so as to obtain the data item to be carried in the second data packet: port accessed, random number, current timestamp, port knock order, IP address. Then, the corresponding data item content is obtained through the data item, and the information content carried by the second data packet is determined according to the data item and the data item content. And meanwhile, the data format of the second data packet is obtained according to the rule parameter information, the specific arrangement mode and the data exchange format of each data item are obtained according to the data format, and finally, the legal second data packet is generated.
      The rule parameter information matched with the security level is obtained according to the difference of the security level of the port to be accessed by the data sending terminal, so that the authorization authentication information carried in the second data packet can be dynamically changed, and therefore, after the attack terminal monitors the second data packet, the attack terminal cannot directly obtain the authentication logic between the data sending terminal and the data receiving terminal through the data information contained in the second data packet through analysis, further the attack terminal is prevented from imitating the second data packet, and the security of session connection is improved.
      Step S230, sending the second data packet to the data receiving end, so that the data receiving end performs authorization authentication of the connection service on the authorization authentication information through the authentication service, and opens the connection service when the authorization authentication passes, so as to establish session connection with the data sending end through the connection service.
      The data sending end sends the second data packet to the data receiving end, so that the data receiving end performs authorization authentication of the connection service on the authorization authentication information of the received second data packet through the authentication service when the identity authentication of the first data packet has passed, that is, when the authentication service of the data receiving end is in the open state.
      If the result of the authorization authentication performed by the data receiving end on the authorization authentication information is "passed", the data receiving end opens the connection service. The data receiving end establishes a session connection with the data sending end through the connection service. It can be understood that the data receiving end can establish a session connection with a data sending end only after the connection service has been opened for that data sending end, that is, the data receiving end can establish a session connection with the data sending end corresponding to the second data packet only after the second data packet passes the authorization authentication, so as to further improve the security of the session connection.
      The data sending end may further perform an encryption operation on the second data packet before sending the second data packet, so as to send the encrypted second data packet to the data receiving end. The encryption algorithm of the second data packet may be consistent with the encryption algorithm of the first data packet, or may not be consistent with the encryption method of the first data packet, and the specific encryption algorithm may be flexibly selected according to the actual situation, which is not limited in the embodiment of the present disclosure.
      And the data receiving end decrypts and analyzes the received second data packet, if the second data packet cannot be decrypted or the type of the decrypted data packet is wrong, the second data packet is discarded, and if the second data packet is normal after decryption, the authorization authentication information in the second data packet is further analyzed.
      Illustratively, the data receiving end performs an unpacking operation on the second data packet and verifies whether the first data packet corresponding to the second data packet passed the verification. If the first data packet did not pass the verification, or the first data packet cannot be found, or the unpacking cannot be performed, or the type of the decapsulated data packet is wrong, the second data packet is discarded. If the first data packet passed the verification, the authorization authentication information is analyzed after the second data packet is unpacked. The data receiving end may be provided with a verification port, and authorization authentication of the connection service is performed on the authorization authentication information of the second data packet through the verification port.
      If the result of the authorization authentication is "passed", that is, the data sending end belongs to the connectable data sending ends, the connection service is opened for the data sending end. For example, the port requested by the data sending end is opened for the data sending end to connect to, so that a session connection is established between the data sending end and the data receiving end. If the result of the authorization authentication is "not passed", that is, the data sending end does not belong to the connectable data sending ends, the second data packet is discarded.
      In order to prevent the data packet sent by the data sending end to the data receiving end from being monitored by the attack terminal, the data requesting the session connection is sent separately, the session connection is requested to the data receiving end through the different first data packet and the second data packet, so that the attack terminal is difficult to monitor the complete request data, the attack terminal is prevented from sending a fake request to the data receiving end after acquiring the complete request data, and the security of the session connection is improved.
      In some embodiments, after said sending said second data packet to said data receiving end, said method further comprises: sending a session connection request to the data receiving end, so that when the data receiving end receives the session connection request through the connection service in an open state, session connection is established with the data sending end according to the session connection request; and sending target data to the data receiving end so that the data receiving end receives the target data according to the established session connection.
      And after the preset time for sending the second data packet, the data sending end sends a session connection request to a port corresponding to the data receiving end, and if the port corresponding to the data receiving end is opened to the data sending end, the data receiving end establishes session connection with the data sending end according to the session connection request. The session connection established between the data sending end and the data receiving end may be a connection according to a File Transfer Protocol (FTP), or a connection according to a hypertext Transfer Protocol over Secure Socket Layer (HTTPS). The specific connection method can be flexibly selected according to the actual application condition, and the embodiment of the disclosure does not limit the method.
      The port of the data receiving end is in a hidden state before being opened to the outside, and the data receiving end does not respond to the session connection request of the port in the hidden state. After the data receiving end opens the corresponding port to the corresponding data sending end, the data receiving end performs a corresponding response when receiving a session connection request of the data sending end to the port. For example, after the port is opened for a preset time, the data receiving end makes the port enter the hidden state again.
      After the session connection is established between the data sending end and the data receiving end, the data sending end may send target data to the data receiving end, where the target data refers to data that performs signaling interaction with the data receiving end, and may be information that obtains data content from the data receiving end or information that sends data content to the data receiving end.
      Referring to fig. 3, fig. 3 is a flowchart of another session connection method in the exemplary embodiment of the present disclosure, and a session connection method in the exemplary embodiment of the present disclosure is described below with reference to fig. 3, where a data receiving end is taken as an execution subject.
      Step S310, receiving a first data packet sent by a data sending end; wherein, the first data packet carries the identity information of the data sending end.
      The data receiving end receives a first data packet of the data sending end, and the first data packet is generated by the data sending end according to the session connection request.
      The session connection request is used to request to establish a session connection between the data sending end and the data receiving end, and the session connection request may be generated by an application or a system installed in the data sending end. For example, when an application a installed in a data sending end needs to access a port a in a data receiving end, a corresponding session connection request is generated to request to access the port a of the data receiving end, where the session connection request may include information such as requested port information, a corresponding application identifier, and specific request content.
      The data sending end generates a corresponding first data packet according to the session connection request, where the first data packet at least includes identity information of the data sending end, such as information of a local area network address, a terminal identifier, a user name, a user password, and the like of the data sending end. And the data receiving end carries out information verification on the data sending end according to the first data packet so as to confirm whether the data sending end can be connected or not. It is understood that the first data packet may further include other data items, such as a requested port, an authentication random number, and the like, and the specific data items included in the first data packet may be flexibly set according to practical situations, which is not limited in this disclosure.
      Step S320, performing identity authentication of the data sending end according to the identity information, and if the identity authentication passes, opening an authentication service.
      The data receiving end carries out identity authentication on the data sending end, and if the result of the identity authentication is "passed", the data receiving end opens the authentication service for the data sending end. The authentication service is used for receiving a second data packet of the data sending end and performing authorization authentication on the second data packet. For example, the data receiving end may be provided with a verification port, and the data receiving end may open the verification port to perform authorization authentication on the second data packet through the verification port. If the result of the identity authentication of the data sending end is "not passed", the data receiving end does not open the authentication service for the second data packet sent by the data sending end, that is, the verification port remains closed.
      It can be understood that the data receiving end authenticates the second data packet only after the authentication service is opened, that is, the data receiving end authenticates the second data packet corresponding to the first data packet only after the first data packet passes the authentication, so as to set a plurality of verification nodes for the data receiving end, thereby improving the security of session connection.
      In some embodiments, the performing, according to the identity information, the identity authentication of the data sender includes: decrypting the first data packet according to a first preset key to obtain the identity information of the data sending end; and judging whether the identity information is correct or not according to a preset identity information base to obtain an identity authentication result.
      The data receiving end decrypts and analyzes the received first data packet according to the first preset key. If the first data packet cannot be decrypted, or the type of the decrypted data packet is wrong, the data receiving end discards the data packet. If the data packet is normal after decryption, the data receiving end further analyzes the data information in the data packet to check whether the identity information of the data sending end carried by the first data packet is wrong or not, and an identity authentication result is obtained. For example, the data receiving end stores an identity information base of connectable data sending ends and analyzes the received first data packet against it: if the data sending end corresponding to the first data packet does not exist in the identity information base, the data sending end is not connectable and the corresponding identity authentication result is "not passed"; if the data sending end corresponding to the first data packet exists in the identity information base, the data sending end is connectable and the corresponding identity authentication result is "passed".
      Step S330, receiving a second data packet sent by the data sending end; the second data packet is generated by the data sending end according to the rule parameter information corresponding to the session connection request, and the second data packet carries authorization authentication information.
      The authorization authentication information refers to information that the data receiving end verifies the right of the data transmitting end to access the data receiving end.
      The rule parameter information is used for specifying information such as information content carried by the second data packet, data format of the second data packet and the like, and the specific second data packet is generated through the rule parameter information. The information content may specifically be information such as the data items contained in the second data packet and corresponding data item content, such as the accessed ports, port security levels, random numbers, timestamps, port knock orders, IP addresses, and corresponding data item content. The data format may specifically be information such as an arrangement manner of each data item in the second data packet, a data exchange format of the second data packet, and the data exchange format includes, but is not limited to, a JavaScript object notation format, an extensible markup language format, and the like.
      The rule parameter information is a rule convention after the negotiation between the data sending end and the data receiving end, only the data sending end trusted by the data receiving end holds the same key, and only the second data packet constructed according to the rule parameter information passes the verification of the data receiving end. By setting the rule parameter information, the security of the second data packet is ensured, and the attack terminal is prevented from forging the second data packet. It will be appreciated that the first data packet may also be generated in accordance with the rule parameter information.
      The rule parameter information may include dynamic parameters or may include static parameters.
      A static parameter is a parameter that does not change with the environment in which the second data packet is sent, such as the IP address and the user name of the data receiving end. A dynamic parameter is a parameter that changes with the environment in which the second data packet is sent. For example, the dynamic parameter may be a change of the data items contained in the second data packet, such as selecting different data items to generate the second data packet depending on the port requested by the session connection request; the dynamic parameter may also be a change in the content of a data item contained in the second data packet, such as the content of data item A being content a during a first time period and content b during a second time period.
      Step S340, performing authorization authentication of the connection service on the authorization authentication information through the authentication service, and if the authorization authentication passes, opening the connection service to establish a session connection with the data sending end through the connection service.
      For a first data packet that passes verification, the data receiving end can open the authentication service within the preset time and, through the authentication service, perform authorization authentication of the connection service on the authorization authentication information of the received second data packet.
      If the result of the authorization authentication performed by the data receiving end on the authorization authentication information is passed, the data receiving end opens the connection service and establishes a session connection with the data sending end through the connection service. It can be understood that the data receiving end opens the connection service only for a data sending end that has passed authentication, that is, the data receiving end can establish a session connection with the data sending end corresponding to the second data packet only after the second data packet passes authentication, which further improves the security of the session connection.
      In some embodiments, the data receiving end is configured with an information checking table; the authorization authentication of the connection service according to the authorization authentication information includes: acquiring the security level of the session connection request corresponding to the second data packet; inquiring the information checking table according to the security level to obtain rule checking information; decrypting the second data packet according to a second preset key to obtain the authorization authentication information; and judging whether the authorization authentication information is correct or not according to the rule checking information.
      The information check table is used to store the rule check information, and different rule check information can be set for different ports. For example, the data receiving end can set a different security level for each port, and the security level of a port and the rule check information under that security level are held only by the data receiving end and by the data sending ends trusted by the data receiving end.
      The rule check information is agreed with the data sending end, so that the content parameters, data format and other information of the second data packet can be checked against it, and it can then be effectively distinguished whether the received second data packet was sent by a trusted data sending end. Thus, the security of the session connection is ensured both by encrypting the request data sent between the data sending end and the data receiving end and by agreeing on the specific format and specific content of that request data.
      The data receiving end decrypts and parses the received second data packet according to the second preset key. If the second data packet cannot be unpacked, or the type of the unpacked data packet is wrong, the second data packet is discarded; if the second data packet is normal after unpacking, the data information in the second data packet is further verified and analyzed.
      After unpacking the second data packet, the data receiving end acquires the authorization authentication information in the second data packet. The information check table configured at the data receiving end corresponds to the information lookup table configured at the data sending end, and the data sending end can generate a second data packet containing correct authorization authentication information according to the information lookup table. Therefore, whether at least one of the data format and the carried information content of the authorization authentication information is correct is judged according to the rule check information, so as to carry out authorization authentication of the connection service.
      For example, when the data sending end needs to access the port a, the security level corresponding to the port a is a middle level, the information check table is queried according to the security level to obtain corresponding rule check information, so as to obtain the data items to be carried in the second data packet: port accessed, random number, current timestamp, port knock order, IP address. Meanwhile, the data format of the second data packet can be obtained according to the rule checking information, and the specific arrangement mode and the data exchange format of each data item can be obtained according to the data format. And verifying the authorization authentication information of the second data packet according to the information obtained by the rule verification information, wherein if the authorization authentication information is consistent with the information corresponding to the rule verification information, the result of authorization authentication is passed, and if the authorization authentication information is inconsistent with the information corresponding to the rule verification information, the result of authorization authentication is not passed.
      If the result of the authorization authentication is not passed, only the operation of discarding the data is executed and no feedback is returned, so that an attacker is prevented from collecting information or mounting a brute-force attack based on the feedback, the application port is effectively prevented from being scanned and probed, and network security is improved.
      If the result of the authorization authentication is passed, the connection service is opened and a session connection is established with the data sending end. A passed authorization authentication result indicates that the corresponding data sending end is a connectable data sending end. The firewall policy of the data receiving end can then be updated, and the port that the data sending end needs to access is opened to the data sending end, so that access of the legitimate device to the application service is opened. Therefore, scanning and probing of the application service port by an attacker can be prevented, and the security of the system is guaranteed to the maximum extent.
      Illustratively, the corresponding port may be opened for the data sending end or temporarily opened, and temporarily opened refers to opening the port within a preset time period.
      The port of the data receiving end is in a hidden state before being opened to the outside, and the data receiving end does not respond to the access request of the port in the hidden state. After the data receiving end opens the corresponding port to the corresponding data sending end, the data receiving end performs corresponding response when receiving the access request of the data sending end to the port. The port may be temporarily opened to the data sending end, for example, after the port is opened for a preset time, the data receiving end makes the port enter the hidden state again.
      The data receiving end opens the authentication service to perform authorization authentication on the second data packet only after the first data packet passes verification, and opens the connection service only after the authorization authentication passes, so that the session connection with the data sending end is made through the connection service. Therefore, the data receiving end authenticates the plurality of data packets of the data sending end separately before the connection service is opened, the connection service is opened only after each authentication is passed, and it is difficult for an attack terminal to forge the plurality of data packets at the same time, so that the data receiving end can effectively identify the attack terminal and the security of the session connection is ensured.
      Exemplarily, the data sending end sends a session connection request to the corresponding port of the data receiving end within a preset time after sending the second data packet, and if the corresponding port of the data receiving end is open to the data sending end, the data receiving end performs signaling interaction with the data sending end according to the session connection request.
      Fig. 4 is a flowchart illustrating a session connection between a data transmitting end and a data receiving end according to an exemplary embodiment of the present disclosure. The session connection is established between the data sending end and the data receiving end based on the SPA technology. The following describes the procedure of the session connection method of the present disclosure with reference to fig. 4:
      Step S410, the data sending end generates a first data packet according to the session connection request.
      The session connection request may be generated by an application or system installed in the data sender to request access to the destination port of the data receiver. The data sending end generates a first data packet according to the session connection request, wherein the first data packet at least comprises identity information of the data sending end, such as information of a local area network address, a terminal identification, a user name, a user password and the like of the data sending end.
      Step S420, the data sending end sends a first data packet to the data receiving end.
      The data sending end may further perform an encryption operation on the first data packet before sending the first data packet, so as to send the encrypted first data packet to the data receiving end.
      Step S430, the data receiving end receives the first data packet, decrypts and verifies the first data packet to obtain an identity authentication result, and opens the authentication port if the identity authentication result is passed.
      The data receiving end decrypts the received first data packet. If the first data packet cannot be decrypted, or the type of the decrypted data packet is wrong, the data receiving end discards the first data packet; if the data packet is normal after decryption, the data receiving end further verifies the data information in the data packet to check whether the identity information of the data sending end carried by the first data packet is wrong, and obtains an identity authentication result.
      If the identity authentication result is passed, the data receiving end opens an authentication port for the data sending end, so as to receive the second data packet of the data sending end through the authentication port and perform authorization authentication on the second data packet.
      Step S440, the data sending end obtains the rule parameter information according to the information lookup table to generate a second data packet.
      The rule parameter information is used for specifying the information content and the data format carried by the second data packet. According to the difference of the security levels of the ports which need to be accessed by the data sending end, the rule parameter information matched with the security levels is obtained according to the information query table, so that the second data packet is dynamically generated.
      Step S450, the data sending end sends the second data packet to the data receiving end within the preset time after the first data packet is sent.
      The data sending end may further perform an encryption operation on the second data packet before sending the second data packet, so as to send the encrypted second data packet to the data receiving end. The preset time can be flexibly set according to the actual application condition, such as 5 seconds, 10 seconds and the like. The preset time may be a time agreed by the data sending end and the data receiving end, and the second data packet sent to the data receiving end within the preset time is a legal data packet. Because the process of monitoring, analyzing and forging the data packet by the attack terminal needs a lot of time, the forged data packet of the attack terminal can be effectively identified by prescribing the interval time between the sending of the first data packet and the sending of the second data packet.
      Step S460, the data receiving end receives the second data packet, decrypts the second data packet, performs authorization authentication on the second data packet according to the information check table, and opens the port that the data sending end requests to access if the result of the authorization authentication is passed.
      The data receiving end decrypts the received second data packet. If the second data packet cannot be decrypted, or the type of the decrypted data packet is wrong, the second data packet is discarded; if the second data packet is normal after decryption, the data information in the second data packet is further verified according to the information check table, so as to verify whether the authorization authentication information carried by the second data packet is wrong.
      For example, the data receiving end obtains that the second data packet needs to carry a timestamp, accessed port information, and a port knock order by querying the information check table, and detects whether the data item carried in the decrypted second data packet is correct. Such as detecting whether the time stamp is correct and detecting whether the port knock sequence and the accessed port information are consistent. If the result of the authorization authentication is not passed, only the operation of discarding the data is executed, and if the result of the authorization authentication is passed, the port which requests the access is opened for the data sending end.
      Step S470, the data sending end sends a session connection request to the data receiving end within a preset time after the second data packet is sent, so as to access a port corresponding to the data receiving end.
      Within the preset time after sending the second data packet, the data sending end sends a session connection request to the corresponding port of the data receiving end, and if the corresponding port of the data receiving end has been opened to the data sending end, the data receiving end performs signaling interaction with the data sending end according to the session connection request.
      The data sending end sends the first data packet and the second data packet as request data, and sends them separately. Because the request data is split, it is difficult for an attack terminal to monitor the complete request data, and the attack terminal is prevented from obtaining the complete request data and then sending a fake request to the data receiving end. The data receiving end opens the authentication port to perform authorization authentication on the second data packet only after the first data packet passes verification, and opens the port that the data sending end requests to access only after the authorization authentication passes. Therefore, the data receiving end authenticates the plurality of data packets of the data sending end separately before opening the requested port, the requested port is opened only after each authentication is passed, and it is difficult for an attack terminal to forge the plurality of data packets at the same time, so that the data receiving end can effectively identify the attack terminal and the security of the session connection is ensured.
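      The two-packet exchange of steps S410 to S470, as an added example that is not part of the patent: the sealed envelope (an HMAC-SHA256 keystream with an HMAC tag) stands in for the unspecified preset-key cipher, and the keys, addresses, rule tables and the knock-order consistency rule are constructed assumptions.

```python
"""Two-packet SPA handshake (added example, not the patent's code). The envelope is a
constructed stand-in for the unspecified cipher: HMAC-SHA256 keystream XOR + HMAC tag."""
import hashlib
import hmac
import json
import os

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def seal(key: bytes, kind: str, fields: dict) -> bytes:
    """Encrypt-then-MAC a typed JSON packet: nonce || ciphertext || tag."""
    plain = json.dumps({"type": kind, "data": fields}).encode()
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plain, _keystream(key, nonce, len(plain))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key: bytes, blob: bytes, kind: str):
    """Return the packet's data dict, or None if it cannot be decrypted or has the wrong type."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        return None  # wrong key or tampered packet: "cannot be decrypted"
    plain = bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))
    try:
        pkt = json.loads(plain)
    except ValueError:
        return None
    return pkt["data"] if isinstance(pkt, dict) and pkt.get("type") == kind else None

# Constructed rule tables agreed by both ends: port -> security level, and the data items (in
# their arrangement) a second packet for that level must carry; lookup and check table match.
PORT_LEVEL = {22: "high", 8080: "middle"}
RULE_TABLE = {"middle": ["port", "random", "timestamp", "knock_order", "ip"],
              "high": ["port", "random", "timestamp", "knock_order", "ip", "user"]}

class Sender:
    def __init__(self, identity: dict, k1: bytes, k2: bytes):
        self.identity, self.k1, self.k2 = identity, k1, k2  # identity = {"ip": ..., "user": ...}

    def first_packet(self) -> bytes:
        return seal(self.k1, "identity", self.identity)

    def second_packet(self, port: int, knock_order: list, now: float) -> bytes:
        values = {"port": port, "random": os.urandom(8).hex(), "timestamp": int(now),
                  "knock_order": knock_order, **self.identity}
        # The port's security level selects which items appear and in which order.
        return seal(self.k2, "authorization", {i: values[i] for i in RULE_TABLE[PORT_LEVEL[port]]})

class Receiver:
    def __init__(self, identity_base: dict, k1: bytes, k2: bytes, window: float = 5.0):
        self.identity_base = identity_base  # ip -> user of connectable senders
        self.k1, self.k2, self.window = k1, k2, window
        self.auth_service = {}  # ip -> deadline until which the authentication service is open
        self.open_ports = {}    # (ip, port) -> time at which the port hides again

    def handle_first(self, blob: bytes, now: float) -> bool:
        ident = unseal(self.k1, blob, "identity")
        if ident is None or self.identity_base.get(ident.get("ip")) != ident.get("user"):
            return False  # silent discard: no feedback reaches a scanner
        self.auth_service[ident["ip"]] = now + self.window
        return True

    def handle_second(self, blob: bytes, now: float) -> bool:
        auth = unseal(self.k2, blob, "authorization")
        if auth is None or self.auth_service.get(auth.get("ip"), -1.0) < now:
            return False  # undecryptable, or no authentication service open for this sender
        ip, port = auth["ip"], auth.get("port")
        level = PORT_LEVEL.get(port)
        if level is None or list(auth) != RULE_TABLE[level]:
            return False  # wrong data items or wrong arrangement for this security level
        if abs(now - auth["timestamp"]) > self.window:
            return False  # timestamp outside the agreed interval
        if not auth["knock_order"] or auth["knock_order"][-1] != port:
            return False  # knock order must end at the accessed port (assumed consistency rule)
        if level == "high" and auth["user"] != self.identity_base[ip]:
            return False
        del self.auth_service[ip]  # the authentication service closes after one use
        self.open_ports[(ip, port)] = now + self.window  # temporarily opened port
        return True

    def port_open(self, ip: str, port: int, now: float) -> bool:
        return self.open_ports.get((ip, port), -1.0) >= now

def demo() -> dict:
    k1, k2 = b"first-preset-key", b"second-preset-key"  # constructed shared keys
    sender = Sender({"ip": "10.0.0.5", "user": "alice"}, k1, k2)
    rx = Receiver({"10.0.0.5": "alice"}, k1, k2, window=5.0)
    t0 = 1_700_000_000.0
    identity_ok = rx.handle_first(sender.first_packet(), t0)
    authz_ok = rx.handle_second(sender.second_packet(8080, [7000, 7001, 8080], t0 + 2), t0 + 2)
    forged = seal(b"guessed-key", "authorization", {"port": 8080})  # attacker lacks k2
    return {"identity": identity_ok, "authorization": authz_ok,
            "forged": rx.handle_second(forged, t0 + 3),
            "port_open": rx.port_open("10.0.0.5", 8080, t0 + 4),
            "port_hidden_later": not rx.port_open("10.0.0.5", 8080, t0 + 20)}
```

      Every rejection path returns False without any reply, mirroring the discard-only behaviour of steps S430 and S460; the port opened in step S460 hides again once the window elapses.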
      It should be noted that although the various steps of the methods of the embodiments of the present disclosure are depicted in the drawings in a particular order, this does not require or imply that these steps must be performed in this particular order, or that all of the depicted steps must be performed, to achieve desirable results. Additionally or alternatively, certain steps may be omitted, multiple steps combined into one step execution, and/or one step broken down into multiple step executions, etc.
      Further, the present exemplary embodiment also provides a session connection apparatus 500, which is applied to a data sending end. Referring to fig. 5, the session connection apparatus 500 includes: a first packet transmission module 510, a second packet generation module 520, and a second packet transmission module 530.
      The first data packet sending module 510 is configured to send a first data packet to a data receiving end according to the session connection request; the first data packet carries the identity information of the data sending end, so that the data receiving end carries out identity authentication of the data sending end according to the identity information and opens authentication service when the identity authentication is passed.
      The second data packet generating module 520 is configured to obtain rule parameter information corresponding to the session connection request, and generate a second data packet according to the rule parameter information; the second data packet carries authorization authentication information.
      The second data packet sending module 530 is configured to send the second data packet to the data receiving end, so that the data receiving end performs authorization authentication of the connection service on the authorization authentication information through the authentication service, and opens the connection service when the authorization authentication is passed, so as to establish a session connection with the data sending end through the connection service.
      In some embodiments, based on the foregoing scheme, the data sending end is configured with an information lookup table, and the second packet generating module 520 may be configured to:
      inquiring the information inquiry table according to the session connection request to obtain rule parameter information;
      determining a corresponding data item and data item content corresponding to the data item according to the rule parameter information;
      and generating a second data packet according to the data item and the data item content.
      In some embodiments, based on the foregoing scheme, the second packet generation module 520 may further be configured to:
      acquiring the security level of the session connection request;
      and acquiring rule parameter information matched with the security level from the information lookup table.
      In some embodiments, based on the foregoing scheme, the session connection apparatus 500 may further include a session connection module, and the session connection module may be configured to:
      sending a session connection request to the data receiving end, so that when the data receiving end receives the session connection request through the connection service in an open state, session connection is established with the data sending end according to the session connection request;
      and sending target data to the data receiving end so that the data receiving end receives the target data according to the established session connection.
      Further, the present exemplary embodiment also provides a session connection apparatus 600, which is applied to a data receiving end. Referring to fig. 6, the session connection apparatus 600 includes: a first data packet receiving module 610, an identity authentication module 620, a second data packet receiving module 630 and an authorization authentication module 640.
      The first data packet receiving module 610 is configured to receive a first data packet sent by a data sending end according to a session connection request; wherein, the first data packet carries the identity information of the data sending end.
      The identity authentication module 620 is configured to perform identity authentication on the data sending end according to the identity information, and if the identity authentication passes, open an authentication service.
      The second data packet receiving module 630 is configured to receive a second data packet sent by the data sending end; the second data packet is generated by the data sending end according to the rule parameter information corresponding to the session connection request, and the second data packet carries authorization authentication information.
      The authorization authentication module 640 is configured to perform authorization authentication on the connection service according to the authorization authentication information, and if the authorization authentication passes, open the connection service to establish session connection with the data sending end through the connection service.
      In some embodiments, based on the foregoing scheme, the identity authentication module 620 may be configured to:
      decrypting the first data packet according to a first preset key to obtain the identity information of the data sending end;
      and judging whether the identity information is correct or not according to a preset identity information base to obtain an identity authentication result.
      In some embodiments, based on the foregoing solution, the data receiving end is configured with an information checking table, and the authorization authentication module 640 may be configured to:
      acquiring the security level of the session connection request corresponding to the second data packet, inquiring the information check table according to the security level to obtain rule check information, and decrypting the second data packet according to a second preset key to obtain the authorization authentication information;
      and judging whether the authorization authentication information is correct or not according to the rule checking information.
      The details of each module of the session connection apparatus have been described in detail in the corresponding session connection method, and therefore are not described herein again.
      It should be noted that although several modules or units of the session connection apparatus are mentioned in the above detailed description, this division is not mandatory. Indeed, according to embodiments of the present disclosure, the features and functionality of two or more modules or units described above may be embodied in one module or unit. Conversely, the features and functions of one module or unit described above may be further divided so as to be embodied by a plurality of modules or units.
      In addition, in the exemplary embodiments of the present disclosure, a computer storage medium capable of implementing the above method is also provided, on which a program product capable of implementing the above-described method of the present specification is stored. In some possible embodiments, aspects of the present disclosure may also be implemented in the form of a program product comprising program code which, when the program product is run on a terminal device, causes the terminal device to perform the steps according to the various exemplary embodiments of the present disclosure described in the "exemplary methods" section above of this specification.
      The program product may employ any combination of one or more readable media. The readable medium may be a readable signal medium or a readable storage medium. A readable storage medium may be, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any combination of the foregoing. More specific examples (a non-exhaustive list) of the readable storage medium include: an electrical connection having one or more wires, a portable disk, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing.
      A computer readable signal medium may include a propagated data signal with readable program code embodied therein, for example, in baseband or as part of a carrier wave. Such a propagated data signal may take many forms, including, but not limited to, electro-magnetic, optical, or any suitable combination thereof. A readable signal medium may also be any readable medium that is not a readable storage medium and that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device.
      Program code embodied on a readable medium may be transmitted using any appropriate medium, including but not limited to wireless, wireline, optical fiber cable, RF, etc., or any suitable combination of the foregoing.
      Program code for carrying out operations for the present disclosure may be written in any combination of one or more programming languages, including an object oriented programming language such as Java, C++ or the like and conventional procedural programming languages, such as the "C" programming language or similar programming languages. The program code may execute entirely on the user's computing device, partly on the user's device, as a stand-alone software package, partly on the user's computing device and partly on a remote computing device, or entirely on the remote computing device or server. In the case of a remote computing device, the remote computing device may be connected to the user computing device through any kind of network, including a Local Area Network (LAN) or a Wide Area Network (WAN), or may be connected to an external computing device (e.g., through the internet using an internet service provider).
      In addition, in an exemplary embodiment of the present disclosure, an apparatus capable of implementing the session connection method is also provided. An apparatus 700 according to such an embodiment of the present disclosure is described below with reference to fig. 7. The device 700 shown in fig. 7 is only an example and should not bring any limitations to the functionality or scope of use of the embodiments of the present disclosure.
      As shown in fig. 7, device 700 is embodied in a general purpose computing device. The components of device 700 may include, but are not limited to: at least one processing unit 710, at least one memory unit 720, a bus 730 connecting the various system components (including the memory unit 720 and the processing unit 710), a display unit 740.
      Where the memory unit stores program code, the program code may be executed by the processing unit 710 such that the processing unit 710 performs the steps according to various exemplary embodiments of the present disclosure as described in the above-mentioned "exemplary methods" section of this specification.
      The memory unit 720 may include readable media in the form of volatile memory units, such as a random access memory unit (RAM) 721 and/or a cache memory unit 722, and may further include a read-only memory unit (ROM) 723.
      The memory unit 720 may also include programs/utilities 724 having a set (at least one) of program modules 725, such program modules 725 including, but not limited to: an operating system, one or more application programs, other program modules, and program data, each of which, or some combination thereof, may comprise an implementation of a network environment.
       Bus 730 may be any representation of one or more of several types of bus structures, including a memory unit bus or memory unit controller, a peripheral bus, an accelerated graphics port, a processing unit, or a local bus using any of a variety of bus architectures.
      The device 700 may also communicate with one or more external devices 770 (e.g., keyboard, pointing device, bluetooth device, etc.), with one or more devices that enable a user to interact with the electronic device 700, and/or with any devices (e.g., router, modem, etc.) that enable the electronic device 700 to communicate with one or more other computing devices. Such communication may occur via an input/output (I/O) interface 750. Also, the electronic device 700 may communicate with one or more networks (e.g., a Local Area Network (LAN), a Wide Area Network (WAN), and/or a public network such as the internet) via the network adapter 760. As shown, the network adapter 760 communicates with the other modules of the electronic device 700 via the bus 730. It should be understood that although not shown in the figures, other hardware and/or software modules may be used in conjunction with the device 700, including but not limited to: microcode, device drivers, redundant processing units, external disk drive arrays, RAID systems, tape drives, and data backup storage systems, among others.
      Through the above description of the embodiments, those skilled in the art will readily understand that the exemplary embodiments described herein may be implemented by software, or by software in combination with necessary hardware. Therefore, the technical solution according to the embodiments of the present disclosure may be embodied in the form of a software product, which may be stored in a non-volatile storage medium (which may be a CD-ROM, a usb disk, a removable hard disk, etc.) or on a network, and includes several instructions to enable a computing device (which may be a personal computer, a server, a terminal device, or a network device, etc.) to execute the method according to the embodiments of the present disclosure.
      Exemplary embodiments of the present disclosure are specifically illustrated and described above. It is to be understood that the disclosure is not limited to the precise arrangements, instrumentalities, or instrumentalities described herein; on the contrary, the disclosure is intended to cover various modifications and equivalent arrangements included within the spirit and scope of the appended claims.