Disclosure of Invention
The technical problem mainly solved by this application is that the security of a network session is not high.
According to a first aspect, there is provided in one embodiment a method of network session encryption, comprising:
receiving a service request sent by a client, wherein the service request is used for requesting to acquire target data and carries a first ciphertext;
decrypting the first ciphertext through an encryption algorithm and a key to obtain a current token and a current timestamp;
judging whether the current token and the current timestamp are legal, wherein the judging condition that the current timestamp is legal is as follows: the current timestamp is later than or equal to the last timestamp of the current timestamp, or the time length by which the current timestamp is earlier than the last timestamp of the current timestamp is less than or equal to a first preset time length;
and if the current token and the current timestamp are legal, sending the target data to the client.
Optionally, before receiving the service request sent by the client, the method further includes:
receiving a session establishment request sent by a client, wherein the session establishment request comprises a second ciphertext;
decrypting the second ciphertext through an encryption algorithm and a secret key to obtain user information and an original timestamp;
authenticating the user information, determining that the user information is legal, and generating an original token;
encrypting the original token through the encryption algorithm and the key to obtain a third ciphertext;
and sending a session establishment response to the client, wherein the session establishment response carries the third ciphertext, so that the client decrypts the third ciphertext through the encryption algorithm and the key to obtain the original token, and uses the original token for authentication in a network session.
Optionally, the session establishment request further includes identification information of the encryption algorithm; before the second ciphertext is decrypted through the encryption algorithm and the key to obtain the user information and the original timestamp, the method further includes:
acquiring the encryption algorithm according to the identification information of the encryption algorithm.
Optionally, the judging condition that the current timestamp is legal is: the time length by which the current timestamp is later than the last timestamp of the current timestamp is less than a second preset time length, or the time length by which the current timestamp is earlier than the last timestamp of the current timestamp is less than or equal to a first preset time length, in which case the target data is sent to the client;
the method further comprises the following step:
determining that the time length by which the current timestamp is later than the last timestamp of the current timestamp is greater than or equal to the second preset time length, and sending a re-authentication message to the client, wherein the re-authentication message is used for instructing the client to send the user information and the current timestamp to the server.
According to a second aspect, an embodiment provides a method of network session encryption, comprising:
acquiring a current token;
encrypting the current token and the current timestamp through an encryption algorithm and a key to obtain a first ciphertext;
sending a service request to a server, wherein the service request is used for requesting to acquire target data and carries the first ciphertext, so that the server decrypts the first ciphertext through the encryption algorithm and the key to obtain the current token and the current timestamp and judges whether the current token and the current timestamp are legal, wherein the judging condition that the current timestamp is legal is: the current timestamp is later than or equal to the last timestamp of the current timestamp, or the time length by which the current timestamp is earlier than the last timestamp of the current timestamp is less than or equal to a first preset time length; and if the current token and the current timestamp are legal, the server sends the target data to the client;
and receiving the target data sent by the server.
Optionally, the obtaining the current token includes:
encrypting the user information and the original timestamp through an encryption algorithm and a key to obtain a second ciphertext;
sending a session establishment request to the server, wherein the session establishment request comprises the second ciphertext, so that the server decrypts the second ciphertext through the encryption algorithm and the key to obtain the user information and the original timestamp, authenticates the user information, determines that the user information is legal, generates a token, and encrypts the token through the encryption algorithm and the key to obtain a third ciphertext;
receiving a session establishment response sent by the server, wherein the session establishment response carries the third ciphertext;
and decrypting the third ciphertext through the encryption algorithm and the key to obtain the current token.
Optionally, before the user information and the original timestamp are encrypted through the encryption algorithm and the key to obtain the second ciphertext, the method further includes:
determining an encryption algorithm;
the session establishment request also comprises identification information of the encryption algorithm, so that the server acquires the encryption algorithm according to the identification information of the encryption algorithm.
Optionally, determining that the current timestamp is later than or equal to the last timestamp of the current timestamp, or that the time length by which the current timestamp is earlier than the last timestamp of the current timestamp is less than or equal to a first preset time length, includes:
determining that the time length by which the current timestamp is later than the last timestamp of the current timestamp is less than a second preset time length, or determining that the time length by which the current timestamp is earlier than the last timestamp of the current timestamp is less than or equal to the first preset time length;
the method further comprises the following step:
receiving a re-authentication message sent by the server, wherein the re-authentication message is used for instructing the client to send the user information and the current timestamp to the server, and the re-authentication message is sent after the server determines that the time length by which the current timestamp is later than the last timestamp of the current timestamp is greater than or equal to the second preset time length.
According to a third aspect, there is provided in one embodiment a server comprising:
a memory for storing a program;
a processor for implementing the method according to any one of the above first aspects by executing a program stored in the memory.
According to a fourth aspect, an embodiment provides a computer readable storage medium having a program stored thereon, the program being executable by a processor to implement the method according to any of the first aspects above, as well as the method according to any of the second aspects above.
According to the network session encryption method, the server and the computer-readable storage medium of the embodiments, when the client needs to acquire the target data, the service request sent to the server carries the encrypted current token and the encrypted current timestamp. The encryption mode of the client is stored in the server in advance, and the server decrypts the service request through the encryption mode to obtain the current token and the current timestamp. The server judges whether the current token and the current timestamp are legal, wherein the current timestamp is determined to be legal or not by comparing it with its last timestamp; if the current token and the current timestamp are legal, the server sends the target data to the client. Therefore, whether the service request is legal is determined by the current token and the current timestamp together. Because the timestamp increases monotonically, the timestamp carried in each service request received by the server is different, so the information used for authentication during the session changes dynamically with time and has a time sequence. An illegal person can hardly steal a correct token without knowing the authentication mechanism, and an illegal service request that falsely uses the authentication information is easy to identify, so the network session is prevented from being counterfeited and its security is improved.
In addition, to decrypt the information in the network session illegally, the encryption algorithm and the key both need to be acquired, so the information in the network session is not easy to crack; and even if an illegal person acquires the encryption algorithm and the key and obtains the current token and the current timestamp by decryption, the illegal person is confused by the combination and cannot directly pick out the current token, so the security of the network session is improved. Moreover, the technical scheme of the embodiment is easy to implement and test, and the implementation cost is low.
Detailed Description
The present application will be described in further detail below with reference to the accompanying drawings by way of specific embodiments, in which like elements in different embodiments are given like reference numerals. In the following description, numerous details are set forth in order to provide a better understanding of the present application. However, those skilled in the art will readily recognize that some of the features may be omitted or replaced with other elements, materials or methods in different instances. In some instances, certain operations related to the present application have not been shown or described in detail in order to avoid obscuring the core of the present application with excessive description; it is not necessary to describe these operations in detail for those skilled in the art, who can fully understand them from the description in the specification and the general knowledge in the art.
Furthermore, the features, operations or characteristics described in the specification may be combined in any suitable manner to form various embodiments. Likewise, the various steps or actions in the method descriptions may be transposed or reordered, as will be apparent to one of ordinary skill in the art. Thus, the various sequences in the specification and drawings are for the purpose of describing certain embodiments only and are not intended to imply a required sequence unless otherwise indicated where such a sequence must be followed.
The numbering of components, e.g. "first", "second", etc., is used herein only to distinguish the objects described and does not have any sequential or technical meaning. The terms "connected" and "coupled", when used in this application and unless otherwise indicated, include both direct and indirect connections (couplings).
First, terms referred to in the present application will be described.
Network session: the temporary, interactive exchange of information between two or more network communication devices. A session is established at some point in time and ended at some later point in time. An established network session may involve multiple messages in each direction. Sessions are typically stateful, i.e. at least one communicating party needs to maintain current state information and information about the history of the session in order to communicate, in contrast to stateless communication, which consists of independent requests each with its own response.
Token: a character string generated by one end of a network session (usually the server, which may be referred to as the S end) to serve as the original token with which the other end of the network session (usually the client, which may be referred to as the C end) requests services. When the C end logs in for the first time, the S end generates an original token and returns it to the C end; thereafter the client only needs to carry the original token when requesting data and does not need to send the user name and password again.
A network session encryption system to which the network session encryption method provided by the present application is applicable is described below.
Referring to fig. 1, fig. 1 is a schematic view of an application scenario provided in an embodiment of the present application. As shown in fig. 1, a network session encryption system includes a client 101 and a server 102. The client 101 and the server 102 are connected via a network. An application program may run on the client 101 and service data may be stored on the server 102. When the client 101 needs to request content or a service function, a network session is established with the server 102, the client 101 sends a service request to the server 102, and the server 102 sends service data to the client 101 according to the service request.
During the network session, the server 102 needs to confirm that the client 101 has the corresponding right before sending the corresponding service data to the client 101. When a network session is established, the client 101 sends user information to the server 102, and the server 102 generates a token after authentication and sends it to the client 101. In the subsequent interaction of the network session, the client 101 carries the token each time it sends a service request to the server 102; the server 102 authenticates the token and, after authentication passes, sends the corresponding service data to the client 101.
The client can be user equipment such as a mobile phone, an intelligent wearable device or a tablet computer, on which an application program and the like can run.
According to the network session encryption method provided by the embodiment of the application, when the client needs to acquire the target data, the client sends a service request to the server; the service request carries the encrypted current token and the encrypted current timestamp, the encryption mode of the client is stored in the server in advance, and the server decrypts the service request through the encryption mode to obtain the current token and the current timestamp. The server judges the current token and the current timestamp to determine their validity, compares the current timestamp with the last timestamp, and so determines whether the service request is legal; if the service request is determined to be legal, the server sends the service data to the client. Therefore, whether the service request is legal is determined through the current token and the current timestamp together, and because time changes, the timestamp carried in each service request received by the server is different, so the authentication information in the session changes with time, an illegal person can hardly steal a correct token without knowing the authentication mechanism, an illegal service request that falsely uses the authentication information is easy to identify, and the security of the network session is improved.
The technical solutions provided in the present application are described in detail below with specific examples.
The first embodiment is as follows:
referring to fig. 2, fig. 2 is an interaction schematic diagram of a network session encryption method according to an embodiment of the present disclosure, where a client in the embodiment may be theclient 101 in the embodiment shown in fig. 1, and a server in the embodiment may be theserver 102 in the embodiment shown in fig. 1, and the method in the embodiment includes the following steps:
S201, the client acquires the current token.
The current token acquired by the client is generated by the server. The obtained current token can be generated and sent to the client by the server when the network session is established.
S202, the client encrypts the current token and the current timestamp through an encryption algorithm and a key to obtain a first ciphertext.
The server stores the encryption algorithm and the key in advance. Illustratively, the client is an application installed on a terminal device and the server provides the relevant service for the application; the encryption algorithm and the key may be stored in the installed application in advance, and the server also stores them in advance. That is, the encryption algorithm and the key are known to both the server and the client.
Alternatively, the encryption algorithm may be a symmetric or asymmetric encryption algorithm.
Alternatively, the key may be a random number.
S203, the client sends a service request to the server.
The service request is used for requesting to acquire target data, and the service request carries a first ciphertext. The target data is service data that the server can provide.
S204, the server decrypts the first ciphertext through the encryption algorithm and the key to obtain the current token and the current timestamp.
The server decrypts the first ciphertext through the pre-stored encryption algorithm and the pre-stored key to obtain the current token and the current timestamp.
S205, the server judges whether the current token and the current timestamp are legal.
The judging condition that the current timestamp is legal is as follows: the current timestamp is later than or equal to the last timestamp of the current timestamp, or the time length by which the current timestamp is earlier than the last timestamp of the current timestamp is less than or equal to a first preset time length.
Here the current timestamp is the timestamp the server obtains by decrypting the service request received at the current time, and the last timestamp of the current timestamp is the timestamp the server obtained by decrypting the service request received immediately before it.
The first preset time length is preset and may be any time length, which is not limited in this application. For example, the network session may use the Transmission Control Protocol (TCP) for data transmission; packet loss or delay may occur during the session, and the delay is usually within 2 minutes, so the first preset time length may be set to 2 minutes or 3 minutes to allow for network session delay.
In some scenarios the communication quality during the network session is good, and the current timestamp is later than the last timestamp of the current timestamp. In other scenarios, packet loss, delay or other poor communication quality may occur in the network session, and the current timestamp may still be considered legal when the time length by which it is earlier than the last timestamp of the current timestamp is less than or equal to the first preset time length.
If the current token and the current timestamp are legal, the process continues to S206. If the current token and/or the current timestamp are not legal, execution continues with S207.
It should be noted that, in S205, there is no fixed order between judging whether the current token is legal and judging whether the current timestamp is legal. The server may first judge whether the current token is legal and, if it is, judge whether the current timestamp is legal; or first judge whether the current timestamp is legal and, if it is, judge whether the current token is legal; or judge both at the same time. This is not limited.
In one implementation, the server first judges whether the current token is legal and judges whether the current timestamp is legal only if the current token is legal; if the current token is illegal, the service request is directly determined to be illegal, the current flow ends and the target data is not sent to the client. This judgement flow is concise and the processing speed of the server is high.
S206, the server sends the target data to the client.
When the current token and the current timestamp are both legal, which is equivalent to passing authentication, the server sends the target data to the client.
S207, the server does not send the target data to the client.
When at least one of the current token and the current timestamp is illegal, which is equivalent to failing authentication, the current client can be determined to be an illegal client; the server does not send the corresponding target data to the client and waits to receive the next service request sent by the client.
In this embodiment, when the client needs to acquire the target data, the client sends a service request to the server; the service request carries the encrypted current token and the encrypted current timestamp, the encryption mode of the client is stored in the server in advance, and the server decrypts the service request through the encryption mode to obtain the current token and the current timestamp. The server judges whether the current token and the current timestamp are legal, wherein the current timestamp is determined to be legal or not by comparing it with its last timestamp; if the current token and the current timestamp are legal, the server sends the target data to the client. Therefore, whether the service request is legal is determined by the current token and the current timestamp together. Because the timestamp increases monotonically, the timestamp carried in each service request received by the server is different, so the information used for authentication during the session changes dynamically with time and has a time sequence; an illegal person can hardly steal a correct token without knowing the authentication mechanism, an illegal service request that falsely uses the authentication information is easy to identify, the network session is prevented from being counterfeited, and its security is improved. In addition, to decrypt the information in the network session illegally, the encryption algorithm and the key both need to be acquired, so the information in the network session is not easy to crack; and even if an illegal person acquires the encryption algorithm and the key and obtains the current token and the current timestamp by decryption, the illegal person is confused by the combination and cannot directly pick out the current token, so the security of the network session is improved.
Moreover, the technical scheme of the embodiment is easy to implement and test, and the implementation cost is low.
Further, if the determination result in S205 is that the current token and/or the current timestamp are not legal, in one possible implementation the server performs no further processing, that is, it does not send the target data to the client; in another possible implementation, on the basis of the embodiment shown in fig. 2, the following step may further be included after S207:
the server sends an authentication error notification to the client.
Wherein the authentication error notification is used for indicating that the server cannot send the corresponding target data.
In some embodiments, when the time interval between the current timestamp and the last timestamp is too long, the client needs to send the user information to the server again for authentication, i.e., the network session needs to be reestablished, for the security of the interaction. The embodiment shown in FIG. 3 will be described in detail below.
Referring to fig. 3, fig. 3 is an interaction schematic diagram of another network session encryption method provided in an embodiment of the present application. On the basis of the embodiment shown in fig. 2, the judging condition that the current timestamp is legal in fig. 3 is further: the time length by which the current timestamp is later than the last timestamp of the current timestamp is less than a second preset time length, or the time length by which the current timestamp is earlier than the last timestamp of the current timestamp is less than or equal to the first preset time length. The method of this embodiment may further include the following steps:
S208, the server judges whether the time length by which the current timestamp is later than the last timestamp of the current timestamp is greater than or equal to the second preset time length.
If that time length is greater than or equal to the second preset time length, S209 is executed. If it is less than the second preset time length, S207 is executed.
S209, the server sends a re-authentication message to the client.
Wherein the re-authentication message is used to instruct the client to send the user information and the current timestamp to the server.
The second preset time length is preset and may be 1 day or 7 days, etc., which is not limited in the present application.
In this embodiment, when the interval between the current timestamp and the last timestamp is greater than or equal to the second preset time length, the network session may be considered not safe enough, and the server may request the client to resend the user information and the timestamp so that the server can re-authenticate the client. Thus, when no data interaction has taken place in the network session for a long time, the server re-authenticates the client, and the security of the network session is improved.
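The judging flow of S205 together with S208/S209, as an added Python example that is not part of the patent: it decides between serving the request, rejecting it, and asking for re-authentication from the current timestamp, the last timestamp stored for the token, and the two preset lengths. The concrete preset values (2 minutes and 7 days, taken from the ranges the text gives as examples), the in-memory session table, and the rule that the stored last timestamp advances only on accepted requests are assumptions.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Optional

# Assumed preset lengths (the text gives 2 or 3 minutes and 1 or 7 days as examples).
FIRST_PRESET_SECONDS = 2 * 60          # tolerated lag behind the last timestamp (delay, loss, reordering)
SECOND_PRESET_SECONDS = 7 * 24 * 3600  # idle interval after which the client must re-authenticate


class Verdict(Enum):
    SERVE = "serve"    # S206: token and timestamp legal, send the target data
    REJECT = "reject"  # S207: do not send the target data
    REAUTH = "reauth"  # S209: ask the client to resend user information and timestamp


def timestamp_is_legal(current_ts: int, last_ts: int) -> bool:
    """Judging condition of fig. 3: later than the last timestamp by less than the second
    preset length, or earlier than it by at most the first preset length."""
    if current_ts >= last_ts:
        return current_ts - last_ts < SECOND_PRESET_SECONDS
    return last_ts - current_ts <= FIRST_PRESET_SECONDS


@dataclass
class SessionTable:
    """Server-side state, token -> last timestamp (constructed in-memory stand-in)."""
    last_timestamp: Dict[str, int] = field(default_factory=dict)

    def judge(self, token: str, current_ts: int) -> Verdict:
        # Token first, as the text recommends: an unknown token ends the flow immediately.
        last_ts: Optional[int] = self.last_timestamp.get(token)
        if last_ts is None:
            return Verdict.REJECT
        if timestamp_is_legal(current_ts, last_ts):
            # Assumption: the stored last timestamp advances only on accepted requests,
            # so a rejected stale or replayed request cannot move the reference point.
            self.last_timestamp[token] = current_ts
            return Verdict.SERVE
        if current_ts - last_ts >= SECOND_PRESET_SECONDS:
            return Verdict.REAUTH   # S208 -> S209: idle too long
        return Verdict.REJECT       # earlier than the last timestamp by more than the first preset length


def demo() -> List[str]:
    """Constructed sequence of service requests for one token; returns the verdict names."""
    table = SessionTable({"tok-a": 1_000_000})
    sequence = [
        ("tok-a", 1_000_050),                                   # arrives in order
        ("tok-a", 1_000_050 - FIRST_PRESET_SECONDS - 1),        # behind by 121 s: beyond tolerance
        ("tok-a", 1_000_050 - FIRST_PRESET_SECONDS),            # behind by 120 s: still tolerated
        ("tok-a", 1_000_050 - FIRST_PRESET_SECONDS + SECOND_PRESET_SECONDS),  # idle for 7 days
        ("tok-b", 1_000_060),                                   # token unknown to the server
    ]
    return [table.judge(tok, ts).value for tok, ts in sequence]


if __name__ == "__main__":
    print(demo())
```

The order of the two checks is the one the text prefers (token, then timestamp); because the table records the timestamp only on a SERVE verdict, the request that was rejected for being too far behind does not become the new last timestamp, while the tolerated one does.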
In some scenarios, the network session includes an establishment procedure and a network session interaction procedure, wherein the token for authentication in the network session interaction procedure may be generated by the server in the network session establishment procedure. The following describes the establishment process of the network session in detail with the embodiment shown in fig. 4.
Referring to fig. 4, fig. 4 is an interaction schematic diagram of another network session encryption method provided in the embodiment of the present application, and fig. 4 is based on the embodiment shown in fig. 2 or fig. 3, and further, S201 may be implemented by the following steps:
S2011, the client encrypts the user information and the original timestamp through an encryption algorithm and a key to obtain a second ciphertext.
The user information is information used for authentication, and the server stores the user information of the user with authority, for example, the user information may be a user name and a password.
S2012, the client sends a session establishment request to the server.
Wherein, the session establishment request includes a second ciphertext.
S2013, the server decrypts the second ciphertext through the encryption algorithm and the secret key to obtain the user information and the original timestamp.
The server stores the original timestamp sent by the client during network session establishment, and may store a correspondence between the original timestamp and the original token. Therefore, when the client sends the first service request to the server after the network session is established and the server judges the validity of the current timestamp in that service request, the last timestamp of the current timestamp is the original timestamp.
S2014, the server authenticates the user information, determines that the user information is legal, and generates an original token.
S2015, the server encrypts the original token through an encryption algorithm and a key to obtain a third ciphertext.
In one possible implementation, the server encrypts the original token through the encryption algorithm and the key to obtain the third ciphertext; that is, the third ciphertext is the encrypted original token.
In another possible implementation, the server encrypts the original token together with the original timestamp through the encryption algorithm and the key to obtain the third ciphertext; that is, the third ciphertext is the encrypted original token and original timestamp.
With the scheme of encrypting the original token together with the original timestamp, even if an illegal person obtains the encryption algorithm and the key, intercepts the third ciphertext and decrypts it, what is obtained is the original token and the original timestamp mixed together; not knowing that the original timestamp is included in the third ciphertext, the illegal person is confused and cannot directly obtain the original token.
S2016, the server sends a session establishment response to the client.
The session establishment response carries the third ciphertext.
S2017, the client decrypts the third ciphertext through the encryption algorithm and the key to obtain the current token.
In this embodiment, during network session establishment the establishment request sent by the client includes the original timestamp in addition to the user information used for authentication. After the network session is established, the validity of the timestamp carried in the first service request is determined by comparing it with the original timestamp, so the information used for authentication in the session changes with time, an illegal person can hardly steal a correct token without knowing the authentication mechanism, and an illegal service request that falsely uses the authentication information is easily identified, thereby improving the security of the network session. In addition, even if an illegal person acquires the encryption algorithm and the key and decrypts the current token and the current timestamp, the illegal person is confused and cannot directly acquire the current token, which further improves the security of the network session.
In some embodiments, a plurality of encryption algorithms and identification information corresponding to the encryption algorithms may be stored in the client and the server in advance, so that one of the plurality of encryption algorithms is selected for encryption and decryption in the network session establishment and interaction process.
In one possible implementation, the client selects an encryption algorithm, and sends identification information of the encryption algorithm to the server.
In another possible implementation, the client carries the identification information of the encryption algorithm in the session establishment request sent to the server. The identification information may be carried in the session establishment request directly without encryption, or after encryption, or it may be encrypted together with the user information and the original timestamp to obtain the second ciphertext. Details are explained below with specific examples.
Referring to fig. 5, fig. 5 is an interaction schematic diagram of another network session encryption method provided in an embodiment of the present application. Fig. 5 is based on the embodiment shown in fig. 4; further, S2011 may be implemented as follows:
S20111: the client encrypts the user information, the original timestamp and the identification information of the encryption algorithm with the encryption algorithm and the key to obtain the second ciphertext.
Accordingly, S2013 may be preceded by the following step S20130:
S20130: the server obtains the encryption algorithm according to the identification information of the encryption algorithm.
In this embodiment, the client initiates the network session. Moreover, taking an application program as an example of the client, once the application program is installed on a terminal device the encryption algorithms built into it are not easily updated. Therefore, when the network session is established, the client first selects one of the multiple encryption algorithms for the encryption and decryption processing in the session. After selecting the encryption algorithm, the client obtains its identification information and sends it to the server; the server obtains the encryption algorithm according to the correspondence between encryption algorithms and identification information stored on the server and uses it for subsequent encryption and decryption, so that both the client and the server know which encryption algorithm is in use.
Alternatively, the plurality of encryption algorithms may be stored in the form of an index table, and the identification information may be an index number.
In this embodiment, the correspondence between encryption algorithms and identification information is pre-stored in both the client and the server; during session establishment the client selects one encryption algorithm and sends its identification information to the server, and the server obtains the encryption algorithm according to that identification information. Different network sessions can therefore use different encryption algorithms, which makes it harder for an illegal person to crack the encryption algorithm and improves the security of the network session.
On the basis of the above embodiment, the client and the server may further update the key used in the network session at the same time, thereby improving the security of the network session.
In one possible implementation, the key is updated by upgrading the client program. While establishing a network session with the server, the client sends the version number of its current program to the server, and the server determines the key stored for that program version according to the version number and uses that key for encryption and decryption.
In another possible implementation, after the server updates the key, it sends the updated key to the client over an encrypted channel, so that the client performs decryption and encryption with the updated key.
In this embodiment, the client and the server update the key of the network session at the same time. Even if an illegal person obtains the key, it can be replaced at low cost, and once the key has been updated the illegal person can no longer use the original key to forge a session, which improves the security of the network session. Moreover, the key of the network session is relatively easy to update, and there are several straightforward ways to implement the update.
Example two
The present embodiment provides a method for encrypting a network session. The method is executed by a server, which may be the server shown in fig. 1, and includes:
receiving a service request sent by a client, wherein the service request is used for requesting to acquire target data and carries a first ciphertext;
decrypting the first ciphertext through an encryption algorithm and a key to obtain a current token and a current timestamp;
judging whether the current token and the current timestamp are legal or not, wherein the judging condition that the current timestamp is legal is as follows: the current timestamp is later than or equal to the last timestamp of the current timestamp, or the time of the current timestamp which is earlier than the last timestamp of the current timestamp is less than or equal to a first preset time length;
and if the current token and the current timestamp are legal, sending target data to the client.
Optionally, before receiving the service request sent by the client, the method further includes:
receiving a session establishment request sent by a client, wherein the session establishment request comprises a second ciphertext;
decrypting the second ciphertext through an encryption algorithm and a key to obtain user information and an original timestamp;
authenticating the user information, determining that the user information is legal, and generating an original token;
encrypting the original token through an encryption algorithm and a key to obtain a third ciphertext;
and sending a session establishment response to the client, wherein the session establishment response carries the third ciphertext, so that the client decrypts the third ciphertext through the encryption algorithm and the key to obtain the original token and uses the original token for authentication in the network session.
Optionally, the session establishment request further includes identification information of the encryption algorithm; before the second ciphertext is decrypted through the encryption algorithm and the key to obtain the user information and the original timestamp, the method further includes:
and acquiring the encryption algorithm according to the identification information of the encryption algorithm.
Optionally, the judging condition that the current timestamp is legal is as follows: the length of time by which the current timestamp is later than the last timestamp of the current timestamp is less than a second preset time length, or the length of time by which the current timestamp is earlier than the last timestamp of the current timestamp is less than or equal to the first preset time length; when this condition holds, the target data is sent to the client;
the method further comprises the following steps:
and determining that the length of time by which the current timestamp is later than the last timestamp of the current timestamp is greater than or equal to the second preset time length, and sending re-authentication information to the client, wherein the re-authentication information instructs the client to send the user information and the current timestamp to the server.
The principle and effect of the method of the present embodiment are similar to those of the first embodiment and are not described again here.
Example three
The present embodiment provides a method for encrypting a network session. The method is executed by a client, which may be the client shown in fig. 1, and includes:
acquiring a current token;
encrypting the current token and the current timestamp through an encryption algorithm and a key to obtain a first ciphertext;
sending a service request to the server, wherein the service request is used for requesting to acquire target data and carries the first ciphertext, so that the server decrypts the first ciphertext through the encryption algorithm and the key to obtain the current token and the current timestamp and judges whether the current token and the current timestamp are legal, wherein the judging condition that the current timestamp is legal is as follows: the current timestamp is later than or equal to the last timestamp of the current timestamp, or the time by which the current timestamp is earlier than the last timestamp of the current timestamp is less than or equal to a first preset time length; if the current token and the current timestamp are legal, the server sends the target data to the client;
and receiving the target data sent by the server.
Optionally, obtaining the current token includes:
encrypting the user information and the original timestamp through an encryption algorithm and a key to obtain a second ciphertext;
sending a session establishment request to the server, wherein the session establishment request comprises the second ciphertext, so that the server decrypts the second ciphertext through the encryption algorithm and the key to obtain the user information and the original timestamp, authenticates the user information, determines that the user information is legal, generates a token, and encrypts the token through the encryption algorithm and the key to obtain a third ciphertext;
receiving a session establishment response sent by the server, wherein the session establishment response carries a third ciphertext;
and decrypting the third ciphertext through the encryption algorithm and the key to obtain the current token.
Optionally, before the user information and the original timestamp are encrypted by using an encryption algorithm and a key to obtain a second ciphertext, the method further includes:
determining an encryption algorithm;
the session establishment request also comprises identification information of the encryption algorithm, so that the server acquires the encryption algorithm according to the identification information of the encryption algorithm.
Optionally, the judgment that the current timestamp is later than or equal to the last timestamp of the current timestamp, or that the time by which the current timestamp is earlier than the last timestamp of the current timestamp is less than or equal to the first preset time length, includes:
determining that the time length of the current timestamp later than the last timestamp of the current timestamp is less than a second preset time length, or the time length of the current timestamp earlier than the last timestamp of the current timestamp is less than or equal to a first preset time length;
the method of the embodiment further comprises the following steps:
and receiving re-authentication information sent by the server, wherein the re-authentication information instructs the client to send the user information and the current timestamp to the server, and is sent after the server determines that the length of time by which the current timestamp is later than the last timestamp of the current timestamp is greater than or equal to the second preset time length.
The principle and effect of the method of the present embodiment are similar to those of the first embodiment and are not described again here.
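Example two (server side) and Example three (client side) describe the two halves of one exchange, and the earlier passages describe selecting the encryption algorithm by an index number and the key by the client program version. The following Python is an added illustration of that whole exchange, written for this page; it is not code from the application itself. It makes several assumptions the text leaves open: the unspecified "encryption algorithm and key" is replaced by a stand-in encrypt-then-MAC scheme built from HMAC (a keystream derived from HMAC in counter mode plus an HMAC tag); the algorithm index, the program version and a session identifier travel in the clear, which is one of the options the text allows; the server keeps the newest accepted timestamp as "the last timestamp"; the first and second preset lengths are taken as 60 s and 1800 s; and the user table, key table and clock values are constructed for the demonstration.

```python
import hashlib
import hmac
import json
import secrets

# Constructed index table of encryption algorithms (assumption: the page only
# says such a table exists). Each entry is the PRF of the stand-in cipher below.
ALGORITHMS = {1: hashlib.sha256, 2: hashlib.sha512}
KEYS_BY_VERSION = {"1.0": b"\x01" * 32, "1.1": b"\x02" * 32}  # constructed, keyed by program version
T1 = 60     # first preset time length: backwards skew tolerated, seconds
T2 = 1800   # second preset time length: gap that triggers re-authentication

def _keystream_xor(h, key, nonce, data):
    size, out = h().digest_size, bytearray()
    for i in range(0, len(data), size):
        block = hmac.new(key, nonce + i.to_bytes(8, "big"), h).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + size], block))
    return bytes(out)

def encrypt(alg_id, key, plaintext):
    """Stand-in cipher: HMAC counter-mode keystream plus an HMAC tag over nonce||ciphertext."""
    h = ALGORITHMS[alg_id]
    nonce = secrets.token_bytes(16)
    ct = _keystream_xor(h, key, nonce, plaintext)
    return nonce + ct + hmac.new(key, nonce + ct, h).digest()

def decrypt(alg_id, key, blob):
    h = ALGORITHMS[alg_id]
    tsize = h().digest_size
    nonce, ct, tag = blob[:16], blob[16:-tsize], blob[-tsize:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, h).digest()):
        raise ValueError("ciphertext authentication failed")
    return _keystream_xor(h, key, nonce, ct)

class Server:
    def __init__(self, users):
        self.users = users   # constructed user table: name -> password
        self.sessions = {}   # clear-text session_id -> session state (assumption)

    def establish_session(self, req):
        # Algorithm index and program version travel in the clear (an option the page allows).
        alg_id, key = req["alg"], KEYS_BY_VERSION[req["version"]]
        info = json.loads(decrypt(alg_id, key, req["second_ciphertext"]))
        if self.users.get(info["user"]) != info["password"]:
            return {"error": "authentication failed"}
        sid, token = secrets.token_hex(8), secrets.token_hex(16)
        self.sessions[sid] = {"alg": alg_id, "key": key, "token": token,
                              "user": info["user"], "last_ts": info["ts"]}
        return {"session_id": sid, "third_ciphertext": encrypt(alg_id, key, token.encode())}

    def handle_service_request(self, req):
        sess = self.sessions.get(req["session_id"])
        if sess is None:
            return {"error": "unknown session"}
        try:
            body = json.loads(decrypt(sess["alg"], sess["key"], req["first_ciphertext"]))
        except ValueError:
            return {"error": "undecryptable ciphertext"}
        if not hmac.compare_digest(str(body.get("token", "")).encode(), sess["token"].encode()):
            return {"error": "token mismatch"}
        ts, last = body["ts"], sess["last_ts"]
        if ts < last and last - ts > T1:   # earlier than the last timestamp by more than T1
            return {"error": "timestamp too old"}
        if ts - last >= T2:                # later by at least T2: demand re-authentication
            return {"reauth": True}
        sess["last_ts"] = max(last, ts)    # assumption: the newest accepted timestamp is kept
        return {"data": f"target data for {sess['user']}"}

class Client:
    def __init__(self, alg_id, version, user, password):
        self.alg, self.key, self.version = alg_id, KEYS_BY_VERSION[version], version
        self.user, self.password, self.session_id, self.token = user, password, None, None

    def session_request(self, now):
        info = json.dumps({"user": self.user, "password": self.password, "ts": now})
        return {"alg": self.alg, "version": self.version,
                "second_ciphertext": encrypt(self.alg, self.key, info.encode())}

    def accept_session(self, resp):
        self.session_id = resp["session_id"]
        self.token = decrypt(self.alg, self.key, resp["third_ciphertext"]).decode()

    def service_request(self, now, token=None):
        body = json.dumps({"token": token or self.token, "ts": now})
        return {"session_id": self.session_id,
                "first_ciphertext": encrypt(self.alg, self.key, body.encode())}

def demo():
    # Runs the exchange on a constructed clock and returns the server's replies in order.
    server, client = Server({"alice": "pw"}), Client(2, "1.1", "alice", "pw")
    client.accept_session(server.establish_session(client.session_request(1000)))
    steps = [(1010, None),       # later than the original timestamp: accepted
             (1005, None),       # 5 s earlier than the last one, within T1: accepted
             (900, None),        # 110 s earlier, beyond T1: rejected
             (1010 + T2, None),  # later by T2: re-authentication demanded
             (1020, "bogus")]    # attacker holding the key but a wrong token: rejected
    return [server.handle_service_request(client.service_request(t, tok)) for t, tok in steps]
```

The last step in `demo()` models the situation the text raises: an illegal person who has the algorithm and the key can build a well-formed first ciphertext, but without a token issued after authentication the server still rejects the request, and once the stored key is rotated through `KEYS_BY_VERSION` the forged ciphertext no longer decrypts at all.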
Example four
An embodiment of the present application provides a server, including:
a memory for storing a program;
a processor for implementing the method according to any one of the above embodiments by executing a program stored in a memory.
The implementation principle and effect of the server in this embodiment are similar to those of the above embodiments and are not described again here.
Example five
An embodiment of the present application provides a computer-readable storage medium on which a program is stored, the program being executable by a processor to implement the method of any one of the above embodiments.
Those skilled in the art will appreciate that all or part of the functions of the methods in the above embodiments may be implemented by hardware or by computer programs. When all or part of the functions of the above embodiments are implemented by a computer program, the program may be stored in a computer-readable storage medium, which may include a read-only memory, a random access memory, a magnetic disk, an optical disk, a hard disk, or the like, and the program is executed by a computer to realize the above functions. For example, the program may be stored in the memory of the device, and when the program in the memory is executed by the processor, all or part of the functions described above are implemented. In addition, when all or part of the functions in the above embodiments are implemented by a computer program, the program may be stored in a storage medium such as a server, another computer, a magnetic disk, an optical disk, a flash disk or a removable hard disk, and may be downloaded or copied to the memory of a local device, or installed as a version update of the local device's system; when the program in the memory is executed by a processor, all or part of the functions in the above embodiments are implemented.
The present application has been described with reference to specific examples, which are provided only to aid understanding of the present application and are not intended to limit the present application. For a person skilled in the art to which the application pertains, several simple deductions, modifications or substitutions may be made according to the idea of the application.