CN119815581A - A peer-to-peer communication method based on ECDHE - Google Patents

Publication number: CN119815581A
Authority: CN (China)
Prior art keywords: server, client, ecdhe, key, connection
Legal status: Pending
Application number: CN202510028252.3A
Other languages: Chinese (zh)
Inventors: 杨小净, 徐芳, 伏西雨, 杨依婷, 何婧宇, 黄逸飞
Current Assignee: Southwest Petroleum University
Original Assignee: Southwest Petroleum University
Application filed by Southwest Petroleum University

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses an ECDHE-based end-to-end communication method, which belongs to the end-to-end communication methods of the communication technology field and aims to solve the technical problems in the prior art of a large number of handshakes and low data transmission efficiency when a TLS handshake is used to establish a connection between a client and a server. The method comprises a handshake stage, a communication stage and a termination stage. During the handshake, the client sends a request to the server and transmits the public key of an ECDHE key pair generated by the client in real time. After the server receives the request, if it refuses the request, it refuses to establish a connection between the client and the server; if it agrees to the request, a connection is established between the client and the server and the TCP connection is configured in nodelay mode. The server then performs its side of the handshake, takes an ECDHE key pair out of a key pool and returns the public key. According to the returned public key and a randomly generated salt value, the two parties derive a shared key based on the HKDF algorithm, complete the handshake and identity authentication, and establish a full-duplex communication channel, which is marked as a session window.

Description

ECDHE-based end-to-end communication method
Technical Field
The invention belongs to the technical field of communication, relates to an end-to-end communication method, and particularly relates to an end-to-end communication method based on ECDHE.
Background
The development and application of Internet communication technology let information flow freely and connections occur at any time, but Internet communication also exposes a series of security problems. Related security technologies need to be applied in a targeted manner to strengthen the security and reliability of communication systems and to build a protective wall for information security.
Invention patent application No. 202311677386.5 discloses a data encryption transmission method based on the Transport Layer Security protocol, whose key steps are as follows. First, a secure connection between the client and the server is established through the TLS handshake protocol. During the handshake, the two communicating parties exchange digital certificates and verify them through PKI, so as to ensure the legitimacy of both parties' identities. Two-factor authentication is then introduced, and after both parties pass authentication, each independently generates a unique symmetric key through the Diffie-Hellman key exchange protocol, thereby achieving secure key negotiation. The data to be transmitted is obtained and segmented, and each data segment is nested-encrypted with a master key to form an encrypted data packet containing the nested encrypted data segments and the necessary metadata. After transmission is finished, the identities of both parties are verified through a password and a dynamic token, and decryption is carried out with the negotiated key.
As in the above patent application, the prior art mostly requires that a secure connection between a client and a server be established through a handshake protocol (such as the TLS handshake) when data is communicated and transmitted. TLS (Transport Layer Security) is used to secure network communications; HTTPS is a typical application. The TLS handshake is the key process for establishing a secure connection between a client and a server, and proceeds as follows:
1. Client Hello:
The client initiates a request and sends the supported TLS version, a list of encryption algorithms, a random number and so on;
2. Server Hello:
The server selects an encryption algorithm, returns its own random number and attaches a digital certificate (containing the public key);
3. Key agreement:
The client generates a premaster secret, encrypts it with the server's public key and sends it to the server;
The server decrypts it with its private key, and both parties compute a session key based on the premaster secret;
4. Session encryption starts:
Both parties switch to symmetric encryption and encrypt subsequent communications using the session key.
Through the TLS handshake described above, a secure connection can be established between the client and the server. However, the TLS handshake has several problems:
1. Performance overhead: the TLS handshake involves multiple message exchanges and encryption computations, which is a particular burden in high-concurrency scenarios;
2. Certificate management: certificates may expire, be misconfigured or be forged;
3. Downgrade attacks: an attacker may induce the client and the server to use weaker encryption algorithms;
4. Dependence on the CA trust hierarchy: if a CA (certificate authority) is breached, TLS security may be compromised.
Disclosure of Invention
The invention aims to solve the technical problems in the prior art of a large number of handshakes and low data transmission efficiency when a TLS (Transport Layer Security) handshake is used to establish a connection between a client and a server, and provides an ECDHE-based end-to-end communication method.
To achieve this purpose, the invention adopts the following technical scheme:
An ECDHE-based end-to-end communication method, comprising the following steps:
Step 1, handshake phase;
The client sends a request to the server and transmits the public key of an ECDHE key pair generated by the client in real time;
After receiving the request, the server refuses to establish a connection between the client and the server if it refuses the request; if it agrees to the request, it establishes a connection between the client and the server and configures the TCP connection in nodelay mode;
The server then performs its side of the handshake, takes an ECDHE key pair out of the key pool and returns the public key; according to the returned public key and the randomly generated salt value, the two parties derive a shared key based on the HKDF algorithm, complete the handshake and identity authentication, and establish a full-duplex communication channel, which is marked as a session window;
Step 2, communication phase;
The client and the server jointly maintain a communication session window, and all stream information is encrypted using the shared key as the AES key;
Step 3, termination phase;
When the communication needs to be terminated, one end sends a FIN packet to the peer, and the connection is terminated.
Further, in step 1, an eight-bit integer is returned together with the public key. If ordinary information is transmitted, the integer returned with the public key is a null value; if important information is transmitted, the integer returned with the public key is a non-null value.
Further, when identity authentication is performed between the two parties, the public key AAD information is used as the authentication password.
Further, in step 2, each segment of a data packet is dynamically unpacked by a machine learning algorithm based on uncoupled linear ordinary differential equations.
Further, each data packet segment includes the data packet size in its header, and each segment allows the receiving end to receive data in exact mode.
Further, in step 2, after the communication is unexpectedly disconnected, the client sends a connection recovery request to the server within the time range allowed by the server. If the server agrees to recover the connection, the request header of the client's recovery request is verified based on the cached session; after verification succeeds, the TCP connection is reused, the state before the disconnection is restored, and the data that failed to be sent is retransmitted from the buffer.
The beneficial effects of the invention are as follows:
1. In the invention, the handshake uses the ECDHE algorithm for key exchange and HKDF to derive keys, so both authentication and data encryption can be realized at the protocol layer; the number of handshakes is smaller and the data transmission efficiency is higher.
2. In the invention, data packets are transmitted in fragments and each packet header marks the transmission size, so the protocol layer can dynamically allocate the packet size based on the MTU to cope with complex network environments, improving transmission efficiency and reducing the possibility of data loss. In addition, the data structure uses stream serialization and deserialization in place of JSON, which avoids the cost of data conversion.
Drawings
Fig. 1 is a schematic flow chart of the present invention.
Detailed Description
For the purpose of making the objects, technical solutions and advantages of the embodiments of the present invention more apparent, the technical solutions of the embodiments of the present invention will be clearly and completely described below with reference to the accompanying drawings in the embodiments of the present invention, and it is apparent that the described embodiments are some embodiments of the present invention, but not all embodiments of the present invention.
Accordingly, all other embodiments obtained by a person of ordinary skill in the art on the basis of the embodiments of the invention without undue burden fall within the scope of the invention.
The embodiment provides an end-to-end communication method based on ECDHE, which comprises the following steps:
Step 1, handshake phase;
The client sends a request to the server and at the same time transmits the public key of an ECDHE key pair generated by the client in real time.
After receiving the request, the server refuses to establish a connection if it refuses the request. If the request is agreed, a connection is established between the client and the server and the TCP connection is configured in nodelay mode; meanwhile, the link time is set to 0 so as to avoid invalid waiting.
Finally, the server performs its side of the handshake, takes an ECDHE key pair out of the key pool and returns the public key. According to the returned public key and the randomly generated salt value, the two parties derive the shared key based on the HKDF algorithm, complete the handshake and identity authentication, and establish a full-duplex communication channel, which is marked as a session window.
An eight-bit integer is returned together with the public key. When ordinary information is transmitted, the integer returned with the public key is a null value; when important information is transmitted, the integer returned with the public key is a non-null value, and the non-null integer can be generated by an existing algorithm.
When identity authentication is carried out between the two parties (namely the client and the server), the public key AAD information is used as the authentication password, that is, identity authentication is completed during the handshake.
Step 2, a communication stage;
After the handshake is completed, both parties hold the derived shared key, and all stream information is encrypted using the shared key as the AES key.
The client and the server jointly maintain a communication session window, and each segment of a data packet is dynamically unpacked, based on the MTU (maximum transmission unit) and the current network environment, by a machine learning algorithm based on uncoupled linear ordinary differential equations, so as to avoid the performance overhead caused by a gateway splitting the data frame.
Each data packet segment should include the data packet size in its header so that the receiving end can receive the data in exact mode, which ensures data integrity and prevents data loss.
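Size-prefixed segments and exact reception, as described above, can be sketched as follows. This is an added example, not the patent's code. The 4-byte big-endian size field, the 64 KiB cap, the fixed `mtu` argument standing in for the dynamic sizing, the `ShortReads` socket stand-in and all names are assumptions.

```python
import io
import struct

HEADER = struct.Struct("!I")      # assumption: 4-byte big-endian size field
MAX_SEGMENT = 64 * 1024           # assumption: upper bound a receiver accepts

def split_segments(payload: bytes, mtu: int = 1400) -> list:
    """Cut payload into segments that, header included, fit within mtu bytes."""
    room = mtu - HEADER.size
    if room <= 0:
        raise ValueError("mtu too small for the segment header")
    return [HEADER.pack(len(payload[i:i + room])) + payload[i:i + room]
            for i in range(0, len(payload), room)]

def read_exact(stream, n: int) -> bytes:
    """Keep reading until exactly n bytes have arrived or the stream ends."""
    buf = bytearray()
    while len(buf) < n:
        chunk = stream.read(n - len(buf))
        if not chunk:
            raise EOFError(f"stream ended after {len(buf)} of {n} bytes")
        buf += chunk
    return bytes(buf)

def read_segment(stream):
    """Return one segment body, or None on a clean end between segments."""
    first = stream.read(1)
    if not first:
        return None
    (size,) = HEADER.unpack(first + read_exact(stream, HEADER.size - 1))
    if size > MAX_SEGMENT:
        # Never allocate a buffer from an unchecked, peer-supplied length.
        raise ValueError(f"declared segment size {size} exceeds {MAX_SEGMENT}")
    return read_exact(stream, size)

def reassemble(stream) -> bytes:
    parts = []
    while (segment := read_segment(stream)) is not None:
        parts.append(segment)
    return b"".join(parts)

class ShortReads:
    """Constructed stand-in for a TCP socket: at most `step` bytes per read."""
    def __init__(self, data: bytes, step: int = 7):
        self.buf, self.step = io.BytesIO(data), step

    def read(self, n: int) -> bytes:
        return self.buf.read(min(n, self.step))
```

A truncated final segment surfaces as `EOFError` instead of a silently short message, which is the data-loss case the size header is meant to catch.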
Data transmission commonly uses JSON for serialization (for example in HTTP POST and WebSocket data transmission). Because the protocol library is implemented in Rust, Google Protobuf and Apache Fury are used as alternative, efficient serialization methods, which accelerates the conversion of explicit data into binary data that can be transmitted efficiently over the network.
If the network environment is relatively unstable, the connection may be disconnected unexpectedly, so the server and the client should keep session state information for a period of time. After the communication is unexpectedly disconnected, once the client regains network connectivity within the time range allowed by the server, the client sends a connection recovery request to the server. If the server agrees to recover the connection, the request header of the client's recovery request is verified based on the cached session; after verification succeeds, the TCP connection is reused, the state before the disconnection is restored, and the data that failed to be sent is retransmitted from the buffer.
Step 3, terminating the stage;
When the communication needs to be terminated, one end sends a FIN packet to the peer, and the connection is terminated.
This embodiment is implemented on top of TCP/QUIC, uses the ECDHE algorithm for key exchange, and, because HKDF-derived keys are used, can realize authentication and data encryption at the protocol layer. Compared with two existing protocols (the WebSockets communication protocol and the Matrix communication protocol), this embodiment needs fewer handshakes and has higher transmission efficiency. In this embodiment the data packets are also transmitted in fragments and each packet header marks the transmission size, so the protocol layer can dynamically allocate the packet size based on the MTU to cope with complex network environments, improving transmission efficiency and reducing the possibility of data loss. The data structure uses stream serialization and deserialization in place of JSON, which avoids the cost of data conversion. In addition, with Rust-based high-concurrency asynchronous operation, a stable high-concurrency response can be ensured even on a low-performance server.

Claims (6)

1. An end-to-end communication method based on ECDHE, characterized in that it comprises the following steps:
Step 1, handshake phase;
The client sends a request to the server and transmits the public key of the ECDHE key pair generated by the client in real time;
After receiving the request, if the server rejects the request, it refuses to establish a connection between the client and the server; if it agrees to the request, it establishes a connection between the client and the server and configures the TCP connection in nodelay mode;
The server then performs its side of the handshake, takes an ECDHE key pair out of the key pool and returns the public key; based on the returned public key and the randomly generated salt value, the two parties derive a shared key based on the HKDF algorithm, complete the handshake and identity authentication, and establish a full-duplex communication channel, which is marked as a session window;
Step 2, communication phase;
The client and the server jointly maintain the communication session window, and all streaming information is encrypted using the shared key as the AES key;
Step 3, termination phase;
When communication needs to be terminated, one end sends a FIN packet to the other end and the connection is terminated.
2. An end-to-end communication method based on ECDHE as described in claim 1, characterized in that in step 1, when the public key is returned, an integer representing eight bits is also returned along with the public key; if ordinary information is transmitted, the integer returned with the public key is a null value; if important information is transmitted, the integer returned with the public key is a non-null value.
3. An end-to-end communication method based on ECDHE as described in claim 1 or 2, characterized in that when performing identity authentication of both parties, the public key AAD information is used as the authentication password.
4. An end-to-end communication method based on ECDHE as described in claim 1, characterized in that in step 2, each data packet segment is dynamically unpacked by a machine learning algorithm based on uncoupled linear ordinary differential equations.
5. An end-to-end communication method based on ECDHE as described in claim 4, characterized in that each data packet segment contains the data packet size in its header, and each data packet segment allows the receiving end to receive data using an exact method.
6. An end-to-end communication method based on ECDHE as described in claim 1, characterized in that in step 2, after an unexpected communication disconnection occurs, the client sends a connection recovery request to the server within the time range allowed by the server. If the server agrees to restore the connection, the request header of the client's recovery request is verified based on the cached session. After the verification is successful, the TCP connection is reused to restore the state before the disconnection, and the data that failed to be sent is resent from the buffer.
CN202510028252.3A 2025-01-08 2025-01-08 A peer-to-peer communication method based on ECDHE Pending CN119815581A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202510028252.3A CN119815581A (en) 2025-01-08 2025-01-08 A peer-to-peer communication method based on ECDHE

Publications (1)

Publication Number Publication Date
CN119815581A (en) 2025-04-11

Family

ID=95270094

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202510028252.3A Pending CN119815581A (en) 2025-01-08 2025-01-08 A peer-to-peer communication method based on ECDHE

Country Status (1)

Country Link
CN (1) CN119815581A (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106161449A (en) * 2016-07-19 2016-11-23 青松智慧(北京)科技有限公司 Transmission method without key authentication and system
CN110839240A (en) * 2018-08-17 2020-02-25 阿里巴巴集团控股有限公司 Method and device for establishing connection
CN114946152A (en) * 2019-08-30 2022-08-26 康奈尔大学 Decentralized techniques for authenticating data in transport layer security and other contexts
CN116016633A (en) * 2022-12-06 2023-04-25 上海哔哩哔哩科技有限公司 Communication establishment method and system

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination