
HK40091441A - Information transmission method, device, electronic equipment, software program and storage medium - Google Patents


Info

Publication number: HK40091441A
Authority: HK (Hong Kong)
Prior art keywords: server, information, server configuration, client, target
Application number: HK42023079590.8A
Other languages: Chinese (zh)
Inventors: 汪福裕, 罗成
Original Assignee: 腾讯科技(深圳)有限公司


Description

Information transmission method, device, electronic equipment, software program and storage medium

Technical Field

The present invention relates to information transmission technology in computer networks, and in particular to an information transmission method, device, electronic equipment, software program and storage medium.

Background

In the related art, the User Datagram Protocol (UDP) is a connectionless transport-layer protocol. Quick UDP Internet Connections (QUIC) is a protocol that multiplexes concurrent transmissions over UDP. In QUIC, the client and server go through several rounds of protocol handshake before a connection is established, during which the server configuration information is generated; in multi-cluster, multi-machine, multi-process deployments the related art handles this in a way that increases network latency and increases the risk of data leakage.

Summary of the Invention

In view of this, embodiments of the present invention provide an information transmission method, device, electronic equipment, software program and storage medium, which can both reduce the round-trip latency of data transmission in multi-cluster, multi-machine, multi-process QUIC scenarios and reduce the risk of data leakage during QUIC transmission.

The technical solution of the embodiments of the present invention is implemented as follows:

An embodiment of the present invention provides an information transmission method, comprising:

the server receives preliminary client handshake data transmitted by a client;

the server parses the preliminary client handshake data to obtain a source address token and server configuration identification information, wherein the source address token carries the timestamp used when the server configuration was generated;

server configuration parameters are generated based on the source address token and the server configuration identification information, and target server configuration information is looked up based on the server configuration parameters;

when the target server configuration information can be found, the server configuration identification information is verified to obtain a verification result for the server configuration identification information;

based on the verification result of the server configuration identification information, a connection between the server and the client is established, and information is transmitted over the connection.

An embodiment of the present invention further provides an information transmission device, comprising:

an information transmission module, used for the server to receive preliminary client handshake data transmitted by a client;

an information processing module, used for the server to parse the preliminary client handshake data to obtain a source address token and server configuration identification information, wherein the source address token carries the timestamp used when the server configuration device generated the configuration;

the information processing module, used to generate server configuration parameters based on the source address token and the server configuration identification information, and to look up target server configuration information based on the server configuration parameters;

the information processing module, used to verify the server configuration identification information when the target server configuration information can be found, obtaining a verification result for the server configuration identification information;

the information processing module, used to establish a connection between the server and the client based on the verification result of the server configuration identification information, and to transmit information over the connection.

In the above scheme,

the information processing module is used, when the target server configuration information cannot be found, to verify the timestamp used when the server configuration device generated the configuration;

the information processing module is used, when the timestamp used by the server configuration device at generation time is valid, to recover the original target server configuration information, obtaining the original target server configuration information;

the information processing module is used to verify the original target server configuration information and, based on the verification result of the original server configuration information, to establish the connection between the server and the client.

In the above scheme,

the information processing module is used to configure a key string for the source address token;

the information processing module is used, when the server parses the preliminary client handshake data, to generate a symmetric key based on the key string, so that the source address token is encrypted with the symmetric key.

In the above scheme,

the information processing module is used to configure the content of the server configuration parameters according to the usage scenario of the server and the client, wherein the server configuration parameters include server key information, version information, validity period information and generation algorithm information;

the information processing module is used to adjust the update cycle of the server configuration parameters based on the usage scenario of the server and the client.

In the above scheme,

the information processing module is used, when the usage scenario of the server and the client is an adaptive scenario, to set the update cycle of the server configuration parameters to 24 hours, wherein each update cycle of the server configuration parameters starts at 00:00 of a calendar day.

In the above scheme,

the information processing module is used, when the security index of the usage scenario of the server and the client is less than or equal to a security threshold, to configure a validity time for the server configuration parameters;

the information processing module is used, when the security index of the usage scenario of the server and the client is greater than the security threshold, to configure an update cycle for the server configuration parameters.

In the above scheme,

the information processing module is used, in response to a connection request between the server and the client, to generate server configuration parameters based on the source address token and the server configuration identification information;

the information processing module is used, when different processes of the server all need to obtain the target server configuration information, to look up the target server configuration information based on the server configuration parameters in one process and to share the target server configuration information among the different processes of the server.

In the above scheme,

the information processing module is used, when the type of the information is User Datagram Protocol traffic information,

to obtain a target domain name and port information by parsing the corresponding User Datagram Protocol traffic;

to obtain the target Internet Protocol address corresponding to the target domain name by sending a query to the Domain Name System, and to send the target Internet Protocol address corresponding to the target domain name, the port information and the traffic information to the corresponding server;

the server then performs transmission processing on the target traffic information.

In the above scheme,

the information processing module is used, when the information type is cloud server information, to determine identification information of a target user;

the information processing module is used to determine, based on the cloud server network, the data source cluster matching the identification information;

the information processing module is used to store, according to the data source cluster, the cloud server history records matching the target user in the cloud server.

An embodiment of the present invention further provides an electronic device, comprising:

a memory, used to store executable instructions;

a processor, used to implement the information transmission method described above when executing the executable instructions stored in the memory.

An embodiment of the present invention further provides a computer-readable storage medium storing executable instructions which, when executed by a processor, implement the information transmission method described above.

The embodiments of the present invention have the following beneficial effects:

In embodiments of the present invention, the server receives preliminary client handshake data transmitted by the client; the server parses the preliminary client handshake data to obtain a source address token and server configuration identification information, wherein the source address token carries the timestamp used when the server configuration was generated; server configuration parameters are generated based on the source address token and the server configuration identification information, and target server configuration information is looked up based on the server configuration parameters; when the target server configuration information can be found, the server configuration identification information is verified to obtain a verification result; and based on that verification result, a connection between the server and the client is established and information is transmitted over it. As a result, the round-trip latency of data transmission in the various kinds of QUIC scenarios is reduced and transmission efficiency is improved, while the risk of data leakage during QUIC transmission is reduced and the security of the transmission is ensured.

Description of the Drawings

Figure 1 is a schematic diagram of the usage environment of the information transmission method provided in an embodiment of the present invention;

Figure 2 is a schematic diagram of the composition of the information transmission device provided in an embodiment of the present invention;

Figure 3 is a schematic flow diagram of an optional information transmission method provided in an embodiment of the present invention;

Figure 4 shows an optional way of generating the SCFG during information transmission in an embodiment of the present invention;

Figure 5 shows an optional way of generating the SCFG during information transmission in an embodiment of the present invention;

Figure 6 is a schematic diagram of the 0-RTT principle in an embodiment of the present invention;

Figure 7 is a schematic diagram of server configuration information generation in an embodiment of the present invention;

Figure 8 is a schematic diagram of a scenario of the information transmission method in an embodiment of the present invention;

Figure 9 is a schematic flow diagram of an optional information transmission method provided in an embodiment of the present invention.

Detailed Description

To make the objectives, technical solutions and advantages of the present invention clearer, the present invention is described in further detail below with reference to the accompanying drawings. The described embodiments should not be regarded as limiting the present invention; all other embodiments obtained by those of ordinary skill in the art without creative effort fall within the scope of protection of the present invention.

In the following description, reference is made to "some embodiments", which describes a subset of all possible embodiments; it is understood that "some embodiments" may be the same subset or different subsets of all possible embodiments, and that they may be combined with one another where there is no conflict.

Before the embodiments of the present invention are described in further detail, the nouns and terms used in them are explained; the nouns and terms used in the embodiments of the present invention are to be interpreted as follows.

1) In response to: indicates the condition or state on which an operation depends. When that condition or state is met, the one or more operations performed may be executed in real time or with a set delay; unless otherwise stated, there is no restriction on the order in which multiple operations are executed.

2) Based on: indicates the condition or state on which an operation depends. When that condition or state is met, the one or more operations performed may be executed in real time or with a set delay; unless otherwise stated, there is no restriction on the order in which multiple operations are executed.

3) Cloud technology: a hosting technology that unifies hardware, software, network and other resources within a wide area network or local area network to compute, store, process and share data. It is the collective term for the network technology, information technology, integration technology, management platform technology, application technology and so on applied under the cloud computing business model; these can form resource pools used on demand, flexibly and conveniently. Cloud computing technology will become an important foundation. The backend services of technical network systems, such as video sites, image sites and many portal sites, require large amounts of computing and storage resources. With the rapid development and application of the internet industry, every item may in future carry its own identifier and need to be transmitted to a backend system for logical processing; data of different levels will be processed separately, and data from every industry will need strong backend support, which can only be provided by cloud computing.

4) Cloud gaming: games in which the game itself runs on cloud server equipment; the game frames rendered by the cloud equipment are encoded and transmitted over the network to the user terminal, which decodes the encoded data and renders it to the display. The user therefore does not need to install the game locally and only needs a network connection to the cloud to complete the game interaction.

5) Cloud security: the collective term for the security software, hardware, users, organisations and security cloud platforms applied under the cloud computing business model. Cloud security combines emerging technologies and concepts such as parallel processing, grid computing and unknown-virus behaviour analysis: a mesh of many clients monitors abnormal software behaviour on the network, obtains the latest information about Trojans and malicious programs on the internet, sends it to the server for automatic analysis and processing, and the resulting virus and Trojan remedies are then distributed to every client.

6) Salt value: the SALT value is a random value. The random number that the system combines with the user's password at registration time is called the salt value, commonly referred to as salting.

7) TGW: a form of gateway product, a system providing unified access across multiple networks, forwarding of external network requests and automatic load balancing. TGW is provided to developers free of charge; applications based on HTTP can connect directly, while applications based on other proprietary protocols need only minor modification to connect quickly. TGW performs domain name resolution automatically, so once an application is connected to TGW it can provide services and network access by domain name. In addition, TGW supports weighted load balancing on the backend, so applications need not handle load balancing themselves. Depending on the business scenario, TGW refers to a Layer 4 gateway in CLB scenarios and can be understood as LVS (Linux Virtual Server) in CDN scenarios.

Figure 1 is a schematic diagram of the usage scenario of the information transmission method provided in an embodiment of the present invention. Referring to Figure 1, the embodiment provides a system comprising a server and a client, which transmit information after a connection is established; an example of the hardware or software implementation of the information transmission device is the same as in Figure 2 and is described in detail later. The server may take the form of a distributed server cluster, which may include: a load balancer, which acts as the outward-facing front-end machine of the whole cluster and is responsible for dispatching client requests to a group of servers for execution, while the client perceives them as coming from a single IP address (VIP); a server pool, the group of servers that actually execute the client requests; and shared storage, which provides the server pool with a shared storage area so that the server pool can easily provide the same service.

In the usage scenario shown in Figure 1, the server 200 may also be a cloud server (Cloud Virtual Machine, CVM), which can provide secure and reliable elastic computing services and offer different instance types to meet users' specific scenarios. The terminals (including terminal 10-1 and terminal 10-2) are provided with clients capable of performing different functions; through these clients the terminals obtain different information from the corresponding cloud server 200 over the network 300 and can deploy different services on the cloud server. The terminals connect to the server 200 through the network 300, which may be a wide area network, a local area network or a combination of the two, using wireless links for data transmission. The instance types provided by the cloud server are different combinations of CPU, memory, storage and network, and the user's business data is stored on the cloud server's disk. Acting as the server, the cloud server first receives the preliminary client handshake data transmitted by the client (the connection is established using QUIC); the server parses the preliminary client handshake data to obtain a source address token and server configuration identification information, wherein the source address token carries the timestamp used when the server configuration was generated; server configuration parameters are generated based on the source address token and the server configuration identification information, and target server configuration information is looked up based on the server configuration parameters; when the target server configuration information can be found, the server configuration identification information is verified to obtain a verification result; and based on that verification result, a connection between the server and the client is established and information is transmitted over the connection.

下面对本发明实施例的信息传输装置的结构做详细说明,信息传输装置可以各种形式来实施,如带有网络管理功能的智能手机、平板电脑和台式机等终端,也可以为带有网络管理功能的服务器。图2为本发明实施例提供的信息传输装置的组成结构示意图,可以理解,图2仅仅示出了信息传输装置的示例性结构而非全部结构,根据需要可以实施图2示出的部分结构或全部结构。The structure of the information transmission device according to an embodiment of the present invention will be described in detail below. The information transmission device can be implemented in various forms, such as terminals with network management functions, such as smartphones, tablets, and desktop computers, or servers with network management functions. Figure 2 is a schematic diagram of the composition structure of the information transmission device provided in an embodiment of the present invention. It should be understood that Figure 2 only shows an exemplary structure of the information transmission device and not the entire structure. Some or all of the structures shown in Figure 2 can be implemented as needed.

本发明实施例提供的信息传输装置包括:至少一个处理器201、存储器202、用户接口203和至少一个网络接口204。信息传输装置20中的各个组件通过总线系统205耦合在一起。可以理解,总线系统205用于实现这些组件之间的连接通信。总线系统205除包括数据总线之外,还包括电源总线、控制总线和状态信号总线。但是为了清楚说明起见,在图2中将各种总线都标为总线系统205。The information transmission device provided in this embodiment of the invention includes at least one processor 201, a memory 202, a user interface 203, and at least one network interface 204. The various components in the information transmission device 20 are coupled together via a bus system 205. It can be understood that the bus system 205 is used to realize the connection and communication between these components. In addition to a data bus, the bus system 205 also includes a power bus, a control bus, and a status signal bus. However, for clarity, all buses are labeled as bus system 205 in FIG. 2.

其中,用户接口203可以包括显示器、键盘、鼠标、轨迹球、点击轮、按键、按钮、触感板或者触摸屏等。The user interface 203 may include a monitor, keyboard, mouse, trackball, click wheel, buttons, touchpad, or touch screen.

可以理解,存储器202可以是易失性存储器或非易失性存储器,也可包括易失性和非易失性存储器两者。本发明实施例中的存储器202能够存储数据以支持终端(如终端10-1)的操作。这些数据的示例包括:用于在终端(如终端10-1)上操作的任何计算机程序,如操作系统和应用程序。其中,操作系统包含各种系统程序,例如框架层、核心库层、驱动层等,用于实现各种基础业务以及处理基于硬件的任务。应用程序可以包含各种应用程序。It is understood that memory 202 can be volatile memory or non-volatile memory, or both. In this embodiment of the invention, memory 202 is capable of storing data to support the operation of a terminal (such as terminal 10-1). Examples of this data include any computer programs used to operate on the terminal (such as terminal 10-1), such as operating systems and applications. The operating system includes various system programs, such as the framework layer, core library layer, driver layer, etc., used to implement various basic services and handle hardware-based tasks. Applications can include various applications.

在一些实施例中,本发明实施例提供的信息传输装置可以采用硬件方式实现,作为示例,本发明实施例提供的信息传输装置可以是采用硬件译码处理器形式的处理器,其被编程以执行本发明实施例提供的信息传输方法。例如,硬件译码处理器形式的处理器可以采用一个或多个应用专用集成电路(ASIC,Application Specific IntegratedCircuit)、DSP、可编程逻辑器件(PLD,Programmable Logic Device)、复杂可编程逻辑器件(CPLD,Complex Programmable Logic Device)、现场可编程门阵列(FPGA,Field-Programmable Gate Array)或其他电子元件。In some embodiments, the information transmission device provided in this invention can be implemented in hardware. For example, the information transmission device provided in this invention can be a processor in the form of a hardware decoding processor, which is programmed to execute the information transmission method provided in this invention. For instance, the processor in the form of a hardware decoding processor can be one or more application-specific integrated circuits (ASICs), DSPs, programmable logic devices (PLDs), complex programmable logic devices (CPLDs), field-programmable gate arrays (FPGAs), or other electronic components.

作为本发明实施例提供的信息传输装置采用软件方式实现,本发明实施例所提供的信息传输装置可以直接体现为由处理器201执行的软件模块组合,软件模块可以位于存储介质中,存储介质位于存储器202,处理器201读取存储器202中软件模块包括的可执行指令,结合必要的硬件(例如,包括处理器201以及连接到总线205的其他组件)完成本发明实施例提供的信息传输方法。The information transmission device provided in this embodiment of the invention is implemented in software. The information transmission device provided in this embodiment of the invention can be directly embodied as a combination of software modules executed by the processor 201. The software modules can be located in a storage medium, which is located in the memory 202. The processor 201 reads the executable instructions included in the software modules in the memory 202 and combines them with necessary hardware (e.g., including the processor 201 and other components connected to the bus 205) to complete the information transmission method provided in this embodiment of the invention.

例如,图2示出了存储在存储器202中的信息传输装置2020,其可以是程序和插件等形式的软件,并包括以下的软件模块:信息传输模块2081、认证模块2082。当信息传输装置2020中的软件模块被处理器201读取到RAM中并执行时,将实现本发明实施例提供的信息传输方法,下面结合图2所示的信息传输装置2020说明各个软件模块的功能。For example, Figure 2 shows an information transmission device 2020 stored in memory 202, which can be software in the form of programs and plug-ins, and includes the following software modules: information transmission module 2081 and authentication module 2082. When the software modules in the information transmission device 2020 are read into RAM and executed by processor 201, the information transmission method provided by the embodiments of the present invention will be implemented. The functions of each software module will be described below with reference to the information transmission device 2020 shown in Figure 2.

信息传输模块2081,用于服务端接收客户端传输的初步客户端握手数据。The information transmission module 2081 is used for the server to receive the initial client handshake data transmitted by the client.

信息处理模块2082,用于所述服务端对所述初步客户端握手数据进行解析,得到源地址令牌和服务端配置标识信息,其中,所述源地址令牌携带有服务端配置装置生成时使用的时间戳。The information processing module 2082 is used by the server to parse the initial client handshake data to obtain the source address token and server configuration identification information, wherein the source address token carries a timestamp used by the server configuration device when it was generated.

所述信息处理模块2082,用于基于所述源地址令牌和服务端配置标识信息,生成服务端配置参数,并且基于所述服务端配置参数查找目标服务端配置信息。The information processing module 2082 is used to generate server configuration parameters based on the source address token and server configuration identification information, and to search for target server configuration information based on the server configuration parameters.

所述信息处理模块2082,用于当能够查找到所述目标服务端配置信息时,对所述服务端配置标识信息进行校验,得到所述服务端配置标识信息的校验结果。The information processing module 2082 is used to verify the server configuration identification information when the target server configuration information can be found, and to obtain the verification result of the server configuration identification information.

所述信息处理模块2082,用于基于所述服务端配置标识信息的校验结果,建立所述服务端与所述客户端的连接,并通过所述连接进行信息传输。The information processing module 2082 is used to establish a connection between the server and the client based on the verification result of the server configuration identification information, and to transmit information through the connection.

According to the facial image adjustment device shown in Figure 2, in one aspect of this application, a computer program product or computer program is further provided, which includes computer instructions stored in a computer-readable storage medium. A processor of a computer device reads the computer instructions from the computer-readable storage medium and executes them, causing the computer device to perform the different embodiments, and combinations of embodiments, provided in the various optional implementations of the information transmission method described above.

In some embodiments, the computer-readable storage medium may be a memory such as FRAM, ROM, PROM, EPROM, EEPROM, flash memory, magnetic surface memory, an optical disk, or a CD-ROM; it may also be any of various devices including one or any combination of the above memories.

The information transmission method provided by the embodiments of the present invention is described in conjunction with the exemplary application and implementation of the information transmission device provided by those embodiments. As can be understood from the above, the method can be carried out by various types of devices with an information transmission function, such as an information management server or a server cluster.

Continuing with the usage environment shown in Figure 1 and the information transmission device 20 shown in Figure 2, the information transmission method provided by the embodiments of the present invention is described. Before introducing the method provided by this application, the information transmission process of the prior art is described first. Referring to Figure 3, which shows one optional way of generating the SCFG during information transmission in an embodiment of the present invention: a centralized server config (SCFG, Server Config) generation service is built, a single central system periodically updates the SCFG, and the machines of all clusters obtain the SCFG by requesting it from that central system, so that the SCFG is fully consistent across all machines. The drawbacks of this approach are that an additional module must be developed and maintained, raising the architectural cost of the server cluster; it introduces a single point of failure, which can easily lead to information leakage and low system stability; and it adds network latency, degrading the user experience.

Referring to Figure 4, which shows another optional way of generating the SCFG during information transmission in an embodiment of the present invention, the approach includes: 1) Through the load-balancing policy of a Layer 4 TGW gateway, using IP-hash routing, multiple requests from the same client (identified by IP) are all forwarded to the same Layer 7 security gateway machine (STGW, Security Tencent GateWay). STGW is the system responsible for supporting the Layer 7 HTTPS protocol to provide unified access across multiple networks, forwarding of external network requests, and automatic load balancing; the IP routing mechanism in STGW does not require SCFG synchronization between machines. 2) On each STGW machine, the master process generates a batch of SCFGs once at startup for the worker processes to use. This mechanism ensures that the SCFGs of the processes are synchronized, but it only solves the multi-machine, multi-process problem within a single cluster and does not apply to multi-cluster, multi-machine, multi-process scenarios. In addition, a single machine in the cluster easily becomes a hotspot, increasing the risk of system downtime.

Of course, for some fixed-scenario information transmission needs, the SCFG can also be kept unchanged permanently, but once the key leaks, information will be exposed.

To overcome the above defects, refer to Figure 5, an optional flowchart of the information transmission method provided by an embodiment of the present invention. It can be understood that the steps shown in Figure 5 may be executed by various electronic devices running the information transmission device, such as a server or server cluster with an application-process data transmission function, or a cloud server. The steps shown in Figure 5 are described below.

Step 501: The server receives the preliminary client handshake data transmitted by the client.

In some embodiments of the present invention, a connection must be established before the server and the client transmit information. When the connection is established over the User Datagram Protocol (UDP), note that UDP is a connectionless, unreliable datagram transport protocol: it merely hands the datagrams to be sent to the network and receives datagrams arriving from the network, without establishing a connection with the remote UDP module. UDP serves user network applications such as the Network File System (NFS) and the Simple Network Management Protocol (SNMP). UDP preserves the message boundaries defined by the application; it neither joins the messages of two applications together nor splits one application's message into several parts. In some embodiments of the present invention, Quick UDP Internet Connections (QUIC) is used for information transmission. As an emerging transport layer protocol, QUIC has advantages such as low connection setup overhead, no head-of-line blocking, support for connection migration, and/or implementation in user space. The Hypertext Transfer Protocol (HTTP) 3.0, which runs over QUIC, is becoming the next-generation Internet protocol. As third-party payment platforms cover ever more kinds of business, QUIC can adapt to all sorts of information transmission environments, such as payment, insurance, funds, stocks, mini-games and/or blockchain. Different business scenarios place different requirements on information transmission (payment information, for example, needs low latency), and different network conditions likewise call for different adaptation; QUIC accommodates all of them.

When a client device and a server device establish a connection for the first time, the stage in which the client sends a preliminary client handshake message (inchoate client hello, CHLO or C_i_hello message) and waits for the rejection message (S_reject message) can be called the C_i_hello stage. The stage in which the client sends the full client handshake message (full client hello, C_hello message) and waits for the encrypted server handshake message (server hello, SHLO or S_hello message) can be called the C_hello stage. When the client and the server connect for the first time, the connection establishment process can be called the 1-RTT process; it comprises the C_i_hello stage and the C_hello stage. When it is not the first connection between the client and the server, the connection establishment process can be called the 0-RTT process (0RTT meaning that the very first packet exchanged by the two parties can already carry valid business data); the 0-RTT process starts directly from the C_hello stage. The stage in which encrypted packets are exchanged between the client and the server after the connection is established can be called the session stage.

In this process, the round-trip time (RTT) is an important performance indicator in computer networks. It is the total delay from the moment the sender starts sending data until the sender receives an acknowledgement from the receiver (the receiver can send the acknowledgement immediately after receiving the data). The delay is generally made up of four parts: transmission delay, propagation delay, queuing delay and processing delay.

(1) Transmission delay: the time a node needs to push a data packet onto the transmission medium, i.e. from the moment the first bit of the packet starts being sent until the last bit has been sent. Transmission delay is therefore inversely proportional to the transmission rate of the network interface or channel and directly proportional to the length of the packet.

(2) Propagation delay: the time an electromagnetic wave needs to travel a given distance over the channel. It does not depend on the channel's transmission rate but on the length of the transmission medium and on the propagation speed of the physical signal in that medium. For example, electromagnetic waves propagate through free space at the speed of light, 3 × 10⁵ km/s. In network transmission media the speed is slightly lower: about 2.3 × 10⁵ km/s in copper wire and about 2.0 × 10⁵ km/s in optical fibre.

(3) Queuing delay: the delay a packet experiences waiting in the buffer queues of the network nodes it passes through. It depends mainly on the traffic in the network at the time: heavy traffic means long queues, and in the extreme case where congestion causes the packet to be dropped, the queuing delay at that node is treated as infinite. In networks with priority scheduling, the queuing delay also depends on the data's priority and on the node's queue scheduling algorithm.

(4) Processing delay: the time spent on the processing a packet needs during store-and-forward at intermediate nodes, such as extracting the packet header, performing error checking, and addressing and routing the packet.

Referring to Figure 6, a schematic diagram of the 0RTT principle in an embodiment of the present invention: on the first connection the client sends an InitCHLO to the server, and the server necessarily responds with a REJ that carries an SCFG, which the client caches. The SCFG contains an asymmetric public key used to negotiate the 0RTT symmetric key. The client then sends a Full CHLO (which may carry request data) to the server, both ends complete the symmetric key negotiation, and normal communication begins.

When a new connection is established later, the client can skip the Init CHLO exchange and directly send a Full CHLO (which may carry request data, i.e. early data) to the server; both ends compute the symmetric key from their cached SCFG and the information in the Full CHLO and proceed with request and response processing. But as the 0RTT principle of Figure 6 shows, 0RTT has preconditions: in a server cluster, the different QUIC servers must hold the same SCFG; on a single machine, the different QUIC processes must hold the same SCFG; and in a single process, the SCFG must be refreshed in time so that every full handshake obtains an unexpired SCFG. In practice, however, the SCFG is generated randomly and independently by each process, while the access architecture is generally multi-cluster, multi-machine and multi-process, so the proportion of 0RTT connections is too low and information transmission latency rises.

Step 502: The server parses the preliminary client handshake data to obtain a source address token and server configuration identification information, wherein the source address token carries the timestamp used when the server configuration was generated.

In the information transmission method provided by this application, the source address token carries the timestamp used when the server configuration was generated. The source address token (Source-address token) is a token previously issued by the server, laid out as shown in Table 1:

Table 1

scfg gtm (8B) | IP address (16B) | Timestamp (8B) | Reserve (24B) | salt (12B)

As shown in Table 1, scfg gtm is the timestamp used when the SCFG was generated, IP address is the client IP address, Timestamp is the time at which the source address token (STK, Source-Address Token) was generated, Reserve is a reserved field, and salt is the salt value.

In some embodiments of the present invention, a key string can further be configured for the source address token. When the server parses the preliminary client handshake data, a symmetric key is generated from the key string so that the source address token can be encrypted with that symmetric key. The key string supports rotation (at most 8 keys), and the symmetric key is generated from the configured key string using the AES128 algorithm. The STK of Table 1 is therefore sent as the encrypted byte sequence of the fields in Table 1, avoiding data leakage during transmission.

Meanwhile, when the STK is sent in encrypted form, the first key context is used for encryption. When decrypting the STK, the key contexts are tried in order, and the loop exits as soon as one decryption succeeds; the STK is deemed undecryptable only when decryption fails with every key. This reduces the chance that an STK is maliciously cracked while in transit.
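As an added illustration of the STK handling described above (example code written for this page, not code from the patent or from STGW), the following Go program lays out the Table 1 fields, encrypts the token with AES-128-GCM under the first key context, and on receipt tries up to eight rotated key contexts in order, treating the token as undecryptable only when every context fails. Beyond what the text states it assumes that the 12-byte salt doubles as the GCM nonce and is sent in clear ahead of the ciphertext, that each configured key string becomes a 128-bit key by truncating its SHA-256 hash, and that the acceptance window is a caller-supplied parameter; the names STK, KeyRing, Seal, Open and Validate are the example's own.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
	"net"
	"time"
)

// Table 1 widths: scfg gtm (8B) | IP address (16B) | Timestamp (8B) | Reserve (24B) | salt (12B).
const (
	stkPlainLen    = 8 + 16 + 8 + 24 // the fields that are encrypted; Reserve stays zero
	saltLen        = 12              // assumption: the salt doubles as the AES-GCM nonce, sent in clear
	maxKeyContexts = 8               // the text allows at most 8 rotated key strings
)

// STK is the decoded source address token.
type STK struct {
	SCFGGtm   int64  // timestamp the SCFG was generated with
	Addr      net.IP // client address, 16 bytes on the wire (IPv4 is v4-mapped)
	Timestamp int64  // when this token was issued
}

func (s STK) marshal() []byte {
	buf := make([]byte, stkPlainLen)
	binary.BigEndian.PutUint64(buf[0:8], uint64(s.SCFGGtm))
	copy(buf[8:24], s.Addr.To16())
	binary.BigEndian.PutUint64(buf[24:32], uint64(s.Timestamp))
	return buf
}

func unmarshalSTK(buf []byte) (STK, error) {
	if len(buf) != stkPlainLen {
		return STK{}, fmt.Errorf("STK plaintext has length %d, want %d", len(buf), stkPlainLen)
	}
	return STK{
		SCFGGtm:   int64(binary.BigEndian.Uint64(buf[0:8])),
		Addr:      net.IP(append([]byte(nil), buf[8:24]...)),
		Timestamp: int64(binary.BigEndian.Uint64(buf[24:32])),
	}, nil
}

// KeyRing holds the key contexts in rotation order; index 0 is the newest.
type KeyRing struct{ aeads []cipher.AEAD }

// NewKeyRing turns each configured key string into a 128-bit AES-GCM key
// (assumption: SHA-256 of the string truncated to 16 bytes).
func NewKeyRing(keyStrings []string) (*KeyRing, error) {
	if len(keyStrings) == 0 || len(keyStrings) > maxKeyContexts {
		return nil, fmt.Errorf("need 1 to %d key strings", maxKeyContexts)
	}
	kr := &KeyRing{}
	for _, ks := range keyStrings {
		k := sha256.Sum256([]byte(ks))
		block, _ := aes.NewCipher(k[:16]) // 16-byte key: cannot fail
		g, _ := cipher.NewGCM(block)     // AES block: cannot fail
		kr.aeads = append(kr.aeads, g)
	}
	return kr, nil
}

// Seal encrypts with the first key context only and emits salt || ciphertext || tag.
func (kr *KeyRing) Seal(s STK) ([]byte, error) {
	salt := make([]byte, saltLen)
	if _, err := rand.Read(salt); err != nil {
		return nil, err
	}
	return append(salt, kr.aeads[0].Seal(nil, salt, s.marshal(), nil)...), nil
}

// Open tries every key context in order and stops at the first success;
// the token is rejected only when all contexts fail.
func (kr *KeyRing) Open(token []byte) (STK, error) {
	if len(token) < saltLen {
		return STK{}, fmt.Errorf("token too short")
	}
	salt, ct := token[:saltLen], token[saltLen:]
	for _, g := range kr.aeads {
		if pt, err := g.Open(nil, salt, ct, nil); err == nil {
			return unmarshalSTK(pt)
		}
	}
	return STK{}, fmt.Errorf("STK decryption failed with every key context")
}

// Validate is the legality check of step 908: the token must have been issued to
// the address the CHLO now arrives from and must not be older than maxAge.
func Validate(s STK, clientAddr net.IP, now time.Time, maxAge time.Duration) error {
	if !s.Addr.Equal(clientAddr) {
		return fmt.Errorf("STK was issued to a different address")
	}
	issued := time.Unix(s.Timestamp, 0)
	if now.Before(issued) || now.Sub(issued) > maxAge {
		return fmt.Errorf("STK timestamp outside the accepted window")
	}
	return nil
}

func main() {
	ring, _ := NewKeyRing([]string{"constructed-key-2", "constructed-key-1"}) // constructed sample keys
	tok, _ := ring.Seal(STK{SCFGGtm: 1699920000, Addr: net.ParseIP("203.0.113.5"), Timestamp: 1700000000})
	fmt.Println(ring.Open(tok))
}
```

Rotating a key means putting the new string first: tokens issued under the previous key still open because Open falls through to the older context, while a ring that no longer lists a key rejects everything sealed under it, which is how a leaked key is retired.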

Step 503: The server generates server configuration parameters based on the source address token and the server configuration identification information, and looks up the target server configuration information based on the server configuration parameters.

In some embodiments of the present invention, the content of the server configuration parameters is configured according to the usage scenario of the server and the client, the server configuration parameters including server key information, version information, validity period information and generation algorithm information; and the update cycle of the server configuration parameters is adjusted based on the usage scenario of the server and the client.

In some embodiments of the present invention, the parameters that make up the server configuration information SCFG are as shown in Table 2:

Table 2

In the SCFG parameter composition of Table 2, PREFIX is fixed to "SCFG"; KEXS is the key exchange algorithm used, e.g. C255 or P256; AEAD is the authenticated encryption algorithm, e.g. AESG or S20P; PLAIN is the plaintext algorithm type, here an internal business-defined type; EXPY is the SCFG expiry time; Versions is the set of QUIC versions supported by the current server; GTM is the timestamp used to generate this SCFG; and SNI is the server domain name this SCFG corresponds to, which may be NULL.

In some embodiments of the present invention, adjusting the update cycle of the server configuration parameters based on the usage scenario of the server and the client includes:

When the usage scenario of the server and the client is an adaptive scenario, the update cycle of the server configuration parameters is configured to 24 hours, with each update cycle starting at 00:00 of a calendar day. For ordinary application scenarios this raises the 0RTT proportion from under 10% with the related technology to 85%+ (taking the CLB application scenario as an example).

In some embodiments of the present invention, adjusting the update cycle of the server configuration parameters based on the usage scenario of the server and the client includes:

When the security index of the usage scenario of the server and the client is less than or equal to the security threshold, a server configuration parameter validity period is configured for the server configuration parameters; when the security index of the usage scenario is greater than the security threshold, a server configuration parameter update cycle is configured for them. For security-insensitive application scenarios (those whose security index is at or below the security threshold), the 0RTT proportion can thus be raised to 100%. It should be noted that in some optional embodiments of this application, a security index at or below the security threshold indicates that the usage scenario of the server and the client has low security requirements, so a long SCFG validity period (e.g. 3*24 hours) and a long SCFG update cycle (e.g. 3*24 hours) can be configured together; a security index above the security threshold indicates high security requirements, so a short SCFG validity period (e.g. 1*24 hours) and a short SCFG update cycle (e.g. 1*24 hours) can be configured together. The security threshold used may be fixed for the usage scenario or rotated through a list of security thresholds at fixed time intervals; the embodiments of this application do not limit this.

In some embodiments of the present invention, generating the server configuration parameters based on the source address token and the server configuration identification information, and looking up the target server configuration information based on those parameters, can be implemented as follows:

In response to the connection request between the server and the client, the server configuration parameters are generated based on the source address token and the server configuration identification information; when different processes of the server all need the target server configuration information, one process looks it up based on the server configuration parameters and the target server configuration information is shared among the server's processes. Referring to Figure 7, a schematic diagram of server configuration information generation in an embodiment of the present invention: a 128-bit digest is generated with the HMAC algorithm from the SCFG parameters and the configured SCFG key, and different regions of the digest are then extracted to produce the sub-TAG information of the SCFG. In this process the SCFG only needs to be generated when a connection request between the server and the client arrives, in response to that request. At the same time the SCFG is shared between processes, each SCFG being generated by only one process, which makes sharing efficient, avoids every process spending CPU and memory generating its own SCFG, prevents hotspot servers from forming, reduces system load, lowers the probability that a server or cloud server (or server cluster) goes down, and keeps the system running smoothly.

Step 504: When the server can find the target server configuration information, it verifies the server configuration identification information and obtains a verification result for the server configuration identification information.

Step 505: Based on the verification result of the server configuration identification information, the server establishes a connection between the server and the client and transmits information over that connection.

In some embodiments of the present invention, when the target server configuration information cannot be found, the timestamp used when the server configuration was generated is checked; when that timestamp is legal, the original target server configuration information is restored, yielding the original target server configuration information; the original target server configuration information is then verified, and the connection between the server and the client is established based on the verification result of the original server configuration information.

In some embodiments of the present invention, establishing the connection between the server and the client based on the verification result of the server configuration identification information, and transmitting information over that connection, can be implemented as follows:

When the information is User Datagram Protocol traffic information, the target domain name and port information are obtained by parsing the corresponding User Datagram Protocol data; the target Internet Protocol address corresponding to the target domain name is obtained by sending a query to the Domain Name System; the target Internet Protocol address, the port information and the traffic information are sent to the corresponding server; and the server forwards and processes the target traffic information. In this process, after receiving the S_reject message the client device can verify whether the SCFG in the S_reject message is correct and whether it is within its validity period; if verification passes, the client device can generate the client private key and client public key, ensuring accurate transmission of the encrypted User Datagram Protocol traffic information.

In some embodiments of the present invention, the source port, source Internet Protocol address, destination Internet Protocol address and destination port of the User Datagram Protocol traffic can also be determined from the traffic auxiliary information corresponding to that traffic. The source port, source Internet Protocol address, destination Internet Protocol address and destination port are then sent via the User Datagram Protocol to the corresponding proxy server, which accelerates the processing of the information passing through the terminal so as to shorten the time the information spends traversing the proxy server.

In some embodiments of the present invention, when the information type is cloud server information, the identification information of the target user is determined; a data source cluster matching the identification information is determined based on the cloud server network; and, according to the data source cluster, the cloud server history records matching the target user are stored in the cloud server. Information transmission in the cloud server network can thus be handled. In the cloud server usage environment the SCFG information held by the cloud server cluster, the client and the processes is consistent, so a legal SCFG will not go unfound because of multi-cluster, multi-machine, multi-process deployment; this greatly raises the 0RTT proportion of the QUIC service, reduces the CPU consumed by the signature mechanism in the 1RTT handshake negotiation, and lowers the operating cost of the cloud server.

To better illustrate how the information transmission method provided by this application is used, refer to Figure 8, which takes information transmission in a multi-server cluster as an example; Figure 8 is a scenario diagram of the information transmission method in an embodiment of the present invention. The common QUIC service architecture shown in Figure 8 covers information transmission for multiple server clusters, for multiple terminals and for multiple processes. Taking the multi-server-cluster case as an example, the QUIC service architecture can simultaneously support information processing for business cloud servers, instant messaging servers, financial transaction servers, video playback servers, short-video advertising servers, online office server clusters and e-commerce server clusters. Different business scenarios place different requirements on information transmission (payment information, for example, needs low latency), and different network conditions call for different adaptation; the QUIC service architecture of Figure 8 can accommodate all of them.

Specifically, the QUIC service architecture of Figure 8 relies on a Cloud Load Balancer (CLB) to provide a secure and fast traffic distribution service: incoming traffic passes through the CLB and is automatically distributed to multiple cloud servers, expanding the system's service capacity and eliminating single points of failure. The load balancer supports hundreds of millions of connections and tens of millions of concurrent connections, so it easily copes with heavy traffic and meets business needs: the maximum number of concurrent connections of a single CLB cluster (not a single CLB instance) exceeds 120 million, it can handle up to 40 Gbps of bandwidth and 6 million packets per second, and it can serve e-commerce sites, social platforms and gaming businesses with more than ten million daily visits. The CLB cluster shown in Figure 8 consists of 4 physical servers, and CLB availability reaches 99.95%; in the extreme case where only a single CLB instance remains available, it can still sustain more than 30 million concurrent connections. Referring to Figure 9, an optional flowchart of the information transmission method provided by an embodiment of the present invention, establishing a connection before data transmission includes the following steps:

Step 901: The server receives the CHLO packet.

Step 902: The server parses the tags in the CHLO and extracts the SCID and the STK.

Step 903: The server checks whether parsing succeeded; if so, go to step 904, otherwise go to step 905.

Step 904: The server triggers STK verification.

Step 905: The server raises HS_ERROR and enters its exception handling logic.

Step 906: The server checks whether the session already holds an sstk (the STK stored for this session); if so, go to step 907, otherwise go to step 908.

Step 907: The server compares the received STK with the stored sstk byte for byte.

Step 908: The server decrypts the STK, extracts the fields it carries (the SCFG generation time gtm, the client address addr and the timestamp) and checks their validity.

Step 909: The server checks whether STK verification succeeded; if so, go to step 910, otherwise go to step 911.

Step 910: The server obtains the SCFG from its configuration and the gtm extracted from the STK.

Step 911: The server records the STK verification result.

Step 912: The server performs the CHLO checks and obtains their results for the SCID, SNO and XLCT tags.

Step 913: The server determines whether the handshake can complete in 0-RTT; if so, go to step 915, otherwise go to step 914.

Step 914: The server records the result and generates a rejection (RREJ), entering the 1-RTT handshake flow.

Step 915: The server generates the SHLO, completes the 0-RTT handshake and proceeds to normal request traffic.
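The server-side flow of steps 901 to 915, written out as an added example; this is not the patent's code or the applicant's implementation. It assumes the CHLO is already decoded into a tag map, that the STK carries exactly the three fields of step 908 (gtm, addr, timestamp), and that the server configuration is derived deterministically from a key string shared by all processes and machines together with the day-start generation time, so that any process can recover the SCFG named by an STK without fetching it (the claims mention a key string for the token and a 24-hour cycle starting at 00:00; the derivation itself is this example's assumption). HMAC-SHA256 encrypt-then-MAC stands in for an AEAD such as AES-GCM so the code runs on the standard library alone; the key, addresses and timestamps are constructed.

```python
"""Server-side handling of a QUIC CHLO, following steps 901-915.

Added example, not the patent's code. Tag names (SCID, STK), the STK field
layout and the SCFG derivation are assumptions made to keep it self-contained.
"""
import hashlib
import hmac
import os
import struct

SCFG_PERIOD = 24 * 3600   # claim 5: one server config per natural day, rotated at 00:00 (UTC assumed)
STK_LIFETIME = 24 * 3600  # assumed validity window of a source address token
CLOCK_SKEW = 60           # assumed tolerance for a token stamped slightly in the future
NONCE_LEN, TAG_LEN = 12, 16


def day_start(ts):
    """gtm: the generation time carried in the STK, here the start of ts's UTC day."""
    return ts - ts % SCFG_PERIOD


def derive_key(key_string, label, gtm):
    """Claim 3: symmetric key derived from the configured key string (HMAC used as a KDF).
    Every process and machine holding key_string derives the same key, so no lookup is needed."""
    return hmac.new(key_string, label + struct.pack(">Q", gtm), hashlib.sha256).digest()


def scfg_for(key_string, gtm):
    """Step 910: rebuild the SCFG for a generation time instead of fetching it from a store."""
    secret = derive_key(key_string, b"scfg", gtm)
    return {"gtm": gtm,
            "scid": hashlib.sha256(b"scid" + secret).digest()[:16],  # server config id
            "expiry": gtm + 2 * SCFG_PERIOD,  # a config stays usable through one rotation
            "secret": secret}


def _keystream(key, nonce, n):
    blocks = [hmac.new(key, nonce + struct.pack(">I", i), hashlib.sha256).digest() for i in range(n // 32 + 1)]
    return b"".join(blocks)[:n]


def _xor(data, key, nonce):
    return bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))


def seal_stk(key_string, addr, now, gtm):
    """Issue an STK carrying gtm, addr and timestamp (the fields of step 908).
    HMAC-SHA256 encrypt-then-MAC stands in for an AEAD such as AES-GCM."""
    nonce = os.urandom(NONCE_LEN)
    ct = _xor(struct.pack(">QQ", gtm, now) + addr, derive_key(key_string, b"stk-enc", 0), nonce)
    tag = hmac.new(derive_key(key_string, b"stk-mac", 0), nonce + ct, hashlib.sha256).digest()[:TAG_LEN]
    return nonce + ct + tag


def open_stk(key_string, stk, peer_addr, now):
    """Step 908: authenticate and decrypt the STK, then check addr and timestamp.
    Returns the extracted fields, or None when the token must be rejected."""
    if len(stk) < NONCE_LEN + 16 + TAG_LEN:
        return None
    nonce, ct, tag = stk[:NONCE_LEN], stk[NONCE_LEN:-TAG_LEN], stk[-TAG_LEN:]
    expected = hmac.new(derive_key(key_string, b"stk-mac", 0), nonce + ct, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expected):
        return None                                   # forged or tampered token
    plain = _xor(ct, derive_key(key_string, b"stk-enc", 0), nonce)
    gtm, ts = struct.unpack(">QQ", plain[:16])
    addr = plain[16:]
    if addr != peer_addr:                             # token is bound to the address it was issued to
        return None
    if ts > now + CLOCK_SKEW or now - ts > STK_LIFETIME:
        return None                                   # future-dated or expired
    return {"gtm": gtm, "addr": addr, "timestamp": ts}


def handle_chlo(chlo, peer_addr, key_string, session, now):
    """Steps 901-915. Returns (message, payload): HS_ERROR, REJ (1-RTT) or SHLO (0-RTT)."""
    scid, stk = chlo.get("SCID", b""), chlo.get("STK", b"")
    if not (isinstance(scid, bytes) and isinstance(stk, bytes)):
        return "HS_ERROR", None                       # steps 903/905: tags could not be parsed
    if session.get("sstk") is not None:               # steps 906/907: compare with the stored token
        fields = session["sstk_fields"] if hmac.compare_digest(session["sstk"], stk) else None
    else:
        fields = open_stk(key_string, stk, peer_addr, now)   # step 908
    scfg = scfg_for(key_string, fields["gtm"]) if fields else None   # step 910
    if scfg is None or now >= scfg["expiry"] or not hmac.compare_digest(scid, scfg["scid"]):
        gtm = day_start(now)                          # steps 911/914: record failure, fall back to 1-RTT
        return "REJ", {"SCFG": scfg_for(key_string, gtm), "STK": seal_stk(key_string, peer_addr, now, gtm)}
    session["sstk"], session["sstk_fields"] = stk, fields   # enables the direct comparison of step 907
    return "SHLO", {"SCID": scfg["scid"]}             # step 915: 0-RTT handshake completes


if __name__ == "__main__":
    key, addr, now, session = b"constructed key string", bytes([203, 0, 113, 7]), 1_700_000_000, {}
    msg, rej = handle_chlo({}, addr, key, session, now)        # first contact: no STK yet
    print(msg)                                                  # REJ
    msg, _ = handle_chlo({"SCID": rej["SCFG"]["scid"], "STK": rej["STK"]}, addr, key, session, now + 10)
    print(msg)                                                  # SHLO
```

A first CHLO without a usable STK takes the 1-RTT path: the REJ hands back an SCFG and an STK whose gtm names that SCFG. The next CHLO from the same address verifies the STK, recovers the same SCFG from gtm alone (which is what lets a different process or machine in the cluster serve it), checks the SCID and completes in 0-RTT. A token replayed from another address, a token with a flipped byte, a token older than its lifetime, or an SCID from a configuration that has rotated out all fall back to REJ rather than to an error, while a CHLO whose tags cannot be parsed is the only HS_ERROR case.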

综上所述,本发明实施例具有以下技术效果:In summary, the embodiments of the present invention have the following technical effects:

In an embodiment of the present invention, the server receives preliminary client handshake data transmitted by the client and parses it to obtain a source address token and server configuration identification information, the source address token carrying the timestamp used when the server configuration was generated. Server configuration parameters are generated from the source address token and the server configuration identification information, and the target server configuration information is looked up from those parameters. When the target server configuration information can be found, the server configuration identification information is verified and a verification result is obtained; based on that result a connection is established between the server and the client and information is transmitted over it. This reduces the round-trip latency of data transmission in the various QUIC scenarios and improves transmission efficiency, while also reducing the risk of data leakage in QUIC scenarios and so preserving the security of the transmitted data.

The above describes embodiments of the present invention only and is not intended to limit its scope of protection; any modification, equivalent substitution or improvement made within the spirit and principles of the present invention falls within that scope.

Claims (15)

1. An information transmission method, characterized in that the method comprises:
the server receiving preliminary client handshake data transmitted by the client;
the server parsing the preliminary client handshake data to obtain a source address token and server configuration identification information, wherein the source address token carries the timestamp used when the server configuration was generated;
generating server configuration parameters based on the source address token and the server configuration identification information, and looking up target server configuration information based on the server configuration parameters;
when the target server configuration information can be found, verifying the server configuration identification information to obtain a verification result for it;
establishing a connection between the server and the client based on the verification result of the server configuration identification information, and transmitting information through the connection.

2. The method according to claim 1, characterized in that the method further comprises:
when the target server configuration information cannot be found, verifying the timestamp used when the server configuration was generated;
when that timestamp is valid, restoring the original target server configuration information;
verifying the original target server configuration information, and establishing the connection between the server and the client based on the verification result of the original server configuration information.

3. The method according to claim 1, characterized in that the method further comprises:
configuring a key string for the source address token;
when the server parses the preliminary client handshake data, generating a symmetric key from the key string, so that the source address token is encrypted with the symmetric key.

4. The method according to claim 1, characterized in that the method further comprises:
configuring the content of the server configuration parameters according to the usage scenario of the server and the client, wherein the server configuration parameters include server key information, version information, validity period information and generation algorithm information;
adjusting the update cycle of the server configuration parameters based on the usage scenario of the server and the client.

5. The method according to claim 4, characterized in that adjusting the update cycle of the server configuration parameters based on the usage scenario of the server and the client comprises:
when the usage scenario of the server and the client is an adaptive scenario, setting the update cycle of the server configuration parameters to 24 hours, wherein each update cycle starts at 00:00 of a natural day.

6. The method according to claim 4, characterized in that adjusting the update cycle of the server configuration parameters based on the usage scenario of the server and the client comprises:
when the security index of the usage scenario of the server and the client is less than or equal to a security threshold, configuring a validity time for the server configuration parameters;
when the security index of the usage scenario of the server and the client is greater than the security threshold, configuring an update cycle for the server configuration parameters.

7. The method according to claim 1, characterized in that generating server configuration parameters based on the source address token and the server configuration identification information, and looking up target server configuration information based on the server configuration parameters, comprises:
in response to a connection request between the server and the client, generating server configuration parameters based on the source address token and the server configuration identification information;
when different processes of the server all need the target server configuration information, having one process look up the target server configuration information based on the server configuration parameters and sharing the target server configuration information among the different processes of the server.

8. The method according to claim 1, characterized in that establishing the connection between the server and the client based on the verification result of the server configuration identification information, and transmitting information through the connection, comprises:
when the type of the information is User Datagram Protocol traffic information, parsing the corresponding User Datagram Protocol to obtain the target domain name and port information;
sending a query to the Domain Name System to obtain the target Internet Protocol address corresponding to the target domain name, and sending the target Internet Protocol address corresponding to the target domain name, the port information and the traffic information to the corresponding server;
the server performing transmission processing on the target traffic information.

9. The method according to claim 8, characterized in that the method further comprises:
when the information type is cloud server information, determining the identification information of the target user;
determining, based on the cloud server network, the data source cluster matching the identification information;
according to the data source cluster, storing in the cloud server the cloud server history records matching the target user.

10. An information transmission device, characterized in that the device comprises:
an information transmission module, used for the server to receive preliminary client handshake data transmitted by the client;
an information processing module, used for the server to parse the preliminary client handshake data to obtain a source address token and server configuration identification information, wherein the source address token carries the timestamp used when the server configuration was generated;
the information processing module being used to generate server configuration parameters based on the source address token and the server configuration identification information, and to look up target server configuration information based on the server configuration parameters;
the information processing module being used to verify the server configuration identification information when the target server configuration information can be found, obtaining a verification result for it;
the information processing module being used to establish a connection between the server and the client based on the verification result of the server configuration identification information, and to transmit information through the connection.

11. The device according to claim 10, characterized in that:
the information processing module is used to verify the timestamp used when the server configuration was generated when the target server configuration information cannot be found;
the information processing module is used to restore the original target server configuration information when that timestamp is valid;
the information processing module is used to verify the original target server configuration information and to establish the connection between the server and the client based on the verification result of the original server configuration information.

12. The device according to claim 10, characterized in that:
the information processing module is used to generate server configuration parameters based on the source address token and the server configuration identification information in response to a connection request between the server and the client;
the information processing module is used, when different processes of the server all need the target server configuration information, to have one process look up the target server configuration information based on the server configuration parameters and to share the target server configuration information among the different processes of the server.

13. A software program, characterized in that the software program comprises:
a memory for storing executable instructions;
a processor which, when running the executable instructions stored in the memory, implements the information transmission method according to any one of claims 1 to 9.

14. An electronic device, characterized in that the electronic device comprises:
a memory for storing executable instructions;
a processor which, when running the executable instructions stored in the memory, implements the information transmission method according to any one of claims 1 to 9.

15. A computer-readable storage medium storing executable instructions, characterized in that the executable instructions, when executed by a processor, implement the information transmission method according to any one of claims 1 to 9.
HK42023079590.8A 2023-09-22 Information transmission method, device, electronic equipment, software program and storage medium HK40091441A (en)

Publications (1)

Publication Number Publication Date
HK40091441A true HK40091441A (en) 2023-12-08


Similar Documents

Publication Publication Date Title
US10581907B2 (en) Systems and methods for network access control
US10567348B2 (en) Method for SSL optimization for an SSL proxy
US12028378B2 (en) Secure communication session resumption in a service function chain preliminary class
US8533453B2 (en) Method and system for configuring a server and dynamically loading SSL information
US11303431B2 (en) Method and system for performing SSL handshake
US12363162B2 (en) End-to-end TCP monitoring during application migration
US11979457B2 (en) Managing network services using multipath protocols
US11968238B2 (en) Policy management system to provide authorization information via distributed data store
US12407714B2 (en) Application migration vulnerability and device performance monitoring
US11323529B2 (en) TCP fast open hardware support in proxy devices
US8887280B1 (en) Distributed denial-of-service defense mechanism
US11606193B2 (en) Distributed session resumption
EP4531345A1 (en) Methods for generating client-executable actions through tls parameters and devices thereof
CN106797384B (en) Routing requests to the same endpoint in a cluster in different protocols
CN108718268B (en) Method for improving concurrent processing performance of VPN (virtual private network) server
CN114979237B (en) Long connection verification method, device, equipment and readable storage medium
CN116248268A (en) Processing method, device and readable storage medium of national secret handshake request
EP4531346A1 (en) Methods for generating an action based on tls parameters and devices thereof
US12360911B2 (en) Cache purging in a distributed networked system
HK40091441A (en) Information transmission method, device, electronic equipment, software program and storage medium
WO2024109262A1 (en) Information processing method and apparatus, and storage medium
US11330074B2 (en) TCP (transmission control protocol) fast open for classification acceleration of cache misses in a network processor
CN116418661A (en) Information transmission method, apparatus, electronic device, software program, and storage medium
US11647072B2 (en) Methods and apparatus for efficient failure recovery and scaling of a communications system
US20070147376A1 (en) Router-assisted DDoS protection by tunneling replicas