
WO2017012142A1 - Dual-connection security communication method and apparatus - Google Patents


Info

Publication number
WO2017012142A1
Authority
WO
WIPO (PCT)
Prior art keywords
login
server
network connection
network
data packet
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Ceased
Application number
PCT/CN2015/085860
Other languages
French (fr)
Chinese (zh)
Inventor
蒋颁
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Yulong Computer Telecommunication Scientific Shenzhen Co Ltd
Original Assignee
Yulong Computer Telecommunication Scientific Shenzhen Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Yulong Computer Telecommunication Scientific Shenzhen Co Ltd
Publication of WO2017012142A1
Anticipated expiration
Current legal status: Ceased

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/08 Access security
    • H04W12/082 Access security using revocation of authorisation
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/06 Authentication
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/08 Access security
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W84/00 Network topologies
    • H04W84/02 Hierarchically pre-organised networks, e.g. paging networks, cellular networks, WLAN [Wireless Local Area Network] or WLL [Wireless Local Loop]
    • H04W84/10 Small scale networks; Flat hierarchical networks
    • H04W84/12 WLAN [Wireless Local Area Networks]

Definitions

  • the present invention relates to the field of communications technologies, and in particular, to a method and apparatus for dual connectivity secure communication.
  • at present, network security is improved mainly through software, and how to improve the security of user login to a server by providing reliable communication is still an open question.
  • the embodiment of the invention discloses a method and a device for dual-connection secure communication, which divides the communication message between the user and the server into different data packets, transmits the different data packets separately on two network connections established between the terminal and the server, and combines the different data packets received from the two connections into one communication message to complete the secure communication. This prevents a network attacker from intercepting the user's complete communication message on a single network connection, thereby enhancing the security of the user's login to the server.
  • the first aspect of the embodiments of the present invention provides a method for dual-connection secure communication, which is used in a terminal device, and includes:
  • after receiving the server login command sent by the user, establishing a first network connection with the server through the mobile data network, and establishing a second network connection with the server through a wireless local area network (WLAN);
  • the login response message includes a login success message or a login failure message
  • the method further includes:
  • if the login response message sent by the server is a login failure message, the user fails to log in, and the terminal disconnects the first network connection established with the server through the mobile data network and the second network connection established with the server through the WLAN to end the user login.
  • if the login response message sent by the server is a login success message, the user logs in successfully, and the terminal disconnects the first network connection established with the server through the mobile data network to complete the user login;
  • if the login response message sent by the server is a login success message, the user logs in successfully, and the terminal disconnects the second network connection established with the server through the WLAN to complete the user login.
  • before the first network connection is established with the server through the mobile data network, the method further includes:
  • the method further includes: initiating security authentication in the WLAN and, if the security authentication succeeds, establishing the second network connection with the server through the WLAN; or initiating network registration in the mobile data network and, if the network registration succeeds, establishing the second network connection with the server through the WLAN.
  • a second aspect of the embodiments of the present invention provides a method for dual-connection secure communication, which is used in a server, and includes:
  • the login response message includes a login success message or a login failure message
  • the method further includes:
  • if the login response message is a login failure message, the user fails to log in, and the server disconnects the first network connection established with the terminal through the mobile data network and the second network connection established with the terminal through the WLAN to end the user login;
  • if the login response message is a login success message, the user logs in successfully, and the server disconnects the first network connection established with the terminal through the mobile data network to complete the user login;
  • if the login response message is a login success message, the user logs in successfully, and the server disconnects the second network connection established with the terminal through the WLAN to complete the user login.
  • a third aspect of the embodiments of the present invention provides a terminal device, including:
  • a receiving unit configured to receive a server login instruction sent by the user
  • a processing unit configured to establish a first network connection with the server through the mobile data network, and establish a second network connection with the server through the WLAN;
  • the processing unit is further configured to: generate a login request message sent to the server according to the server login instruction received by the receiving unit, and split the login request message into the first request data packet and the second request data packet;
  • a sending unit configured to send a first request data packet to the server on the first network connection, and send a second request data packet to the server on the second network connection;
  • the receiving unit is further configured to: receive, by the first network connection, a first response data packet sent by the server, and receive, by the second network connection, a second response data packet sent by the server;
  • the processing unit is further configured to: merge the first response data packet and the second response data packet received by the receiving unit into the login response message sent by the server, to complete the user login.
  • the processing unit is further configured to:
  • if the login response message sent by the server and received by the receiving unit is a login failure message, the user fails to log in, and the processing unit disconnects the first network connection established with the server through the mobile data network and the second network connection established with the server through the WLAN.
  • if the login response message sent by the server and received by the receiving unit is a login success message, the user logs in successfully, and the processing unit disconnects the first network connection established with the server through the mobile data network to complete the user login;
  • if the login response message sent by the server and received by the receiving unit is a login success message, the user logs in successfully, and the processing unit disconnects the second network connection established with the server through the WLAN to complete the user login.
  • the processing unit is specifically configured to: initiate security authentication in the WLAN and, if the security authentication succeeds, establish the second network connection with the server through the WLAN; or initiate network registration in the mobile data network and, if the network registration succeeds, establish the second network connection with the server through the WLAN.
  • a fourth aspect of the embodiments of the present invention provides a server device, including:
  • a processing unit configured to establish a first network connection with the terminal through the mobile data network, and establish a second network connection with the terminal by using the WLAN;
  • a receiving unit configured to receive a first request data packet sent by the terminal from the first network connection, and receive a second request data packet sent by the terminal from the second network connection;
  • the processing unit is further configured to: merge the first request data packet and the second request data packet received by the receiving unit to obtain the login request message sent by the terminal; generate a login response message to the terminal according to the login request message; and split the login response message into a first response data packet and a second response data packet;
  • a sending unit configured to send a first response data packet to the terminal on the first network connection, and send a second response data packet to the terminal on the second network connection, to complete the user login.
  • the login response message includes a login success message or a login failure message
  • the processing unit is also used to:
  • if the login response message is a login failure message, the user fails to log in, and the processing unit disconnects the first network connection established with the terminal through the mobile data network and the second network connection established with the terminal through the WLAN to end the user login;
  • if the login response message is a login success message, the user logs in successfully, and the processing unit disconnects the first network connection established with the terminal through the mobile data network to complete the user login;
  • if the login response message is a login success message, the user logs in successfully, and the processing unit disconnects the second network connection established with the terminal through the WLAN to complete the user login.
  • the technical solution provided by the embodiment of the present invention is capable of establishing a first network connection with a server through a mobile data network, establishing a second network connection with the server through the WLAN, splitting the server login request message sent by the user into a first request data packet and a second request data packet, sending the first request data packet and the second request data packet to the server through the two network connections, receiving the first response data packet and the second response data packet through the two network connections respectively, and merging them into the login response message sent by the server, to complete the user login to the server.
  • the solution can prevent the network attacker from intercepting the complete communication message of the user in the network device, thereby enhancing the security of the user and the server login mode.
  • FIG. 1 is a schematic diagram of a network for dual connectivity secure communication according to Embodiment 1 of the present invention
  • FIG. 2 is a schematic flowchart of a method for dual-connection secure communication according to Embodiment 1 of the present invention
  • FIG. 3 is a schematic flowchart of a method for dual-connection secure communication according to Embodiment 2 of the present invention.
  • FIG. 5 is a schematic flowchart of a method for dual-connection secure communication according to Embodiment 4 of the present invention.
  • FIG. 6 is a schematic flowchart of a method for dual connectivity secure communication according to Embodiment 5 of the present invention.
  • FIG. 7 is a schematic structural diagram of a terminal device according to Embodiment 6 of the present invention.
  • FIG. 8 is a schematic structural diagram of another terminal device according to Embodiment 6 of the present invention.
  • FIG. 9 is a schematic structural diagram of a server device according to Embodiment 7 of the present invention.
  • FIG. 10 is a schematic structural diagram of another server device according to Embodiment 7 of the present invention.
  • when the mobile terminal communicates with the server through a single network connection, for example through the WLAN or through a mobile data network, it is easier for a network attacker to intercept the communication message between the user and the server at a network device and to tamper with or forge it, which reduces the security of the network communication.
  • the embodiment of the invention provides a method and a device for dual-connection secure communication, which are used to implement secure login of a mobile terminal to an application server, so as to prevent an attacker from stealing the user's complete communication message in the same network and thereby leaking user information, tampering with user information, and infringing on the rights of users.
  • the application will present various aspects, embodiments, or features in a system that can include multiple devices, components, modules, and the like. It is to be understood and appreciated that the various systems may include additional devices, components, modules, etc. and/or may not include all of the devices, components, modules, etc. discussed in connection with the figures. In addition, a combination of these schemes can also be used.
  • the terms "application server" and "server" are used interchangeably; where the difference is not emphasized, the meaning to be expressed is the same.
  • the network architecture and the service scenario described in the embodiments of the present invention are used to more clearly illustrate the technical solutions of the embodiments of the present invention, and do not constitute a limitation of the technical solutions provided by the embodiments of the present invention.
  • the technical solutions provided by the embodiments of the present invention are equally applicable to similar technical problems.
  • the embodiment of the present invention is based on the scenario of using a 3GPP network and a WLAN network. It should be noted that the solution in the embodiment of the present invention can also be applied to scenarios using other mobile communication networks and WLANs, such as HRPD of 3GPP2 and WiMAX of IEEE.
  • the corresponding name can also be replaced by the name of the corresponding function in other wireless communication networks.
  • FIG. 2 is a schematic flowchart diagram of a method for dual-connection secure communication according to Embodiment 1 of the present invention.
  • the method for dual-connection secure communication provided by the first embodiment of the present invention is used for a mobile terminal device, and the mobile terminal device supports the mobile data network and the WLAN transmission, and may include the following steps:
  • S101: after receiving the server login command sent by the user, the terminal can establish two connections (TCP or UDP connections), one through the mobile data network, such as a 3GPP network (WCDMA, LTE or TD-SCDMA), and one through the WLAN; that is, it establishes a first network connection with the server through the mobile data network and a second network connection with the server through the WLAN. As shown in FIG. 1, the terminal establishes the first network connection and the second network connection with the server through the mobile data network and the WLAN respectively; a mobile data network transceiver and mobile network protocol stack software are provided in the terminal to process the first network connection, and a WLAN transceiver and WLAN protocol stack software are provided to process the second network connection.
  • a terminal is supported in simultaneously performing network registration and authentication in the 3GPP network and the non-3GPP network, and the terminal can transmit IP flows simultaneously through the 3GPP network and the WLAN.
  • the WLAN user can be authenticated and authorized by the 3GPP network and can also be connected to the packet data gateway of the 3GPP network.
  • the current solution of the 3GPP network and the non-3GPP network integration introduced in the 3GPP system does not support establishing a network connection with the same server through the 3GPP network and the non-3GPP network.
  • the first network connection and the second network connection may be a TCP/IP connection or a UDP/IP connection, identified by a transmission port number, a receiving port number, a source IP address, and a destination IP address.
  • the first network connection can be established with the application server through the mobile data network, and the terminal can establish a second network connection with the server through the WLAN after the terminal is authenticated by the WLAN.
  • in the mobile data network, the terminal first initiates packet network registration; the network registration process includes an authentication process, a security activation process, the establishment of a packet data network connection, and so on, and once the terminal has completed packet network registration in the LTE network, the first network connection (TCP or UDP connection) can be established with the application server.
  • in the WLAN, the terminal user first needs to pass the local security authentication of the WLAN and then establishes the second network connection (TCP or UDP connection) with the application server through the WLAN; in some scenarios where the 3GPP network and the WLAN are converged, the terminal in the WLAN performs security authentication through the 3GPP network server, and a terminal that has been securely authenticated by the 3GPP network can establish the second network connection with the application server through the WLAN.
  • S102: generate a login request message to the server according to the server login instruction, split the login request message into a first request data packet and a second request data packet, send the first request data packet to the server on the first network connection, and send the second request data packet to the server on the second network connection.
  • the terminal may generate the user's server login request message according to the user's server login instruction; the login request message includes the user's account and password information. Since the first network connection and the second network connection are different transmission connections, data transmitted through the first network connection and through the second network connection may pass through different network devices. To prevent the user's login request message from being intercepted by a network attacker at a network device (such as a gateway or router), the terminal splits the user's login request message into two data packets, which are sent respectively on the established first network connection and second network connection. Specifically, the user's server login request message is split into the first request data packet and the second request data packet; the first request data packet is sent to the server on the first network connection and the second request data packet is sent to the server on the second network connection.
  • the login response message generated by the server according to the login request message sent by the terminal includes a login success message and a login failure message.
  • after receiving the login request message, the server first verifies whether the user is a valid user. If the user is an invalid user (for example, the user account does not exist or the password is incorrect), the server can directly disconnect the first network connection established with the terminal through the mobile data network and the second network connection established with the terminal through the WLAN.
  • when the terminal receives the first network connection disconnection request sent by the server, or when a specified time has elapsed after the terminal sent the first request data packet and the second request data packet, the terminal disconnects the first network connection; when the terminal receives the second network connection disconnection request sent by the server, or when the specified time has elapsed after the first request data packet and the second request data packet were sent, the terminal disconnects the second network connection; either of these ends the user login. If the server verifies that the user is a valid user, it may generate the login response message, which includes a login success message or a login failure message, according to the user information or other conditions such as the total number of connections to the server, its processing capability, or the network speed. For example, if the user's priority is low and the total number of connections to the server is high, the server may generate a login failure message for the user.
  • in order to prevent a network attacker from intercepting the user's message in the network, the server splits the generated login response message into a first response data packet and a second response data packet; the first response data packet is sent to the terminal on the first network connection, and the second response data packet is sent to the terminal on the second network connection.
  • the terminal may receive the first response data packet sent by the server from the first network connection and the second response data packet sent by the server from the second network connection, and merge the two into the login response message sent by the server.
  • if the login response message is a login failure message, the terminal disconnects the first network connection established with the server through the mobile data network and the second network connection established with the server through the WLAN.
  • the disconnection may be initiated by the terminal, such as the terminal closing the TCP connection or automatically dropping the UDP connection, or initiated by the server after sending the login failure message, such as the server closing the TCP connection.
  • the connection may be disconnected immediately after the login failure response message is received, or only after multiple login attempts have failed. If the login response message sent by the server is a login success message, the user logs in successfully, and the terminal can disconnect the first network connection established with the server through the mobile data network, or disconnect the second network connection established with the server through the WLAN, or keep both the first network connection and the second network connection without disconnecting. After the terminal completes the user login, service data can be transmitted over the network connection that remains connected.
  • the login success message received by the terminal may be a login success message of one of the multiple user login attempts.
  • the disconnection may be initiated by the terminal, such as the terminal closing the TCP connection or automatically dropping the UDP connection, or initiated by the server after sending the login failure message, such as the server closing the TCP connection.
  • the technical solution provided by the embodiment of the present invention enables the terminal to establish a first network connection with the server through the mobile data network, establish a second network connection with the server through the WLAN, split the login request message sent by the terminal to the server into a first request data packet and a second request data packet, send the first request data packet and the second request data packet to the server through the two network connections respectively, and then receive the first response data packet and the second response data packet through the two network connections respectively.
  • the solution can prevent the network attacker from intercepting the complete communication message of the user in the network device, thereby enhancing the security of the user and the server login mode.
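The terminal and server procedure of Embodiment 1 (steps S101 and S102 and the response handling that follows), as an added example that is not part of the patent: a Python simulation in which two in-memory queues stand in for the mobile-data and WLAN connections, the login request and response are split by byte interleaving (an assumed split policy; the patent does not fix one) and merged using a small assumed packet header, the server closes both paths for an invalid user, and the terminal keeps one path after a successful login. The credential store, salt and account name are constructed demo values.

```python
import hashlib
import hmac
import json
import secrets
import struct
from collections import deque

# Assumed packet framing: 8-byte message id, part index, part count, then payload.
HDR = struct.Struct("!8sBB")


def split_message(msg, parts=2, msg_id=None):
    """Split one message into `parts` packets by byte interleaving (assumed policy),
    so that no single packet carries a contiguous run of the original message."""
    msg_id = msg_id or secrets.token_bytes(8)
    return [HDR.pack(msg_id, i, parts) + msg[i::parts] for i in range(parts)]


def merge_packets(packets):
    """Reassemble packets from split_message, whatever order they arrived in;
    reject a set whose ids differ or whose parts are missing or duplicated."""
    parsed = {}
    for pkt in packets:
        msg_id, idx, total = HDR.unpack_from(pkt)
        if idx in parsed:
            raise ValueError("duplicate packet part")
        parsed[idx] = (msg_id, total, pkt[HDR.size:])
    ids = {v[0] for v in parsed.values()}
    totals = {v[1] for v in parsed.values()}
    if len(ids) != 1 or len(totals) != 1 or set(parsed) != set(range(totals.pop())):
        raise ValueError("incomplete or mismatched packet set")
    slices = [parsed[i][2] for i in sorted(parsed)]
    out = bytearray()
    for j in range(len(slices[0])):      # undo the interleave: byte j*parts + i
        for s in slices:
            if j < len(s):
                out.append(s[j])
    return bytes(out)


class Connection:
    """In-memory stand-in for one TCP/UDP connection over one access network."""

    def __init__(self, name):
        self.name = name
        self.open = True
        self.to_server = deque()
        self.to_terminal = deque()

    def close(self):
        self.open = False


# Constructed demo credential store: salted SHA-256 of the password.
SALT = b"demo-salt"
USERS = {"alice": hashlib.sha256(SALT + b"correct horse").hexdigest()}


def server_step(conns, users=USERS, overloaded=False):
    """Server side: merge one request packet from each connection, verify the user,
    then either close both connections (invalid user, no response) or split a
    login response back over both connections. Returns False if it disconnected."""
    request = json.loads(merge_packets([c.to_server.popleft() for c in conns]))
    digest = hashlib.sha256(SALT + request.get("password", "").encode()).hexdigest()
    expected = users.get(request.get("account"))
    if expected is None or not hmac.compare_digest(digest, expected):
        for c in conns:               # invalid user: server tears down both paths
            c.close()
        return False
    # A valid user may still be refused, e.g. under server load (the patent's example).
    status = "failure" if overloaded else "success"
    for c, pkt in zip(conns, split_message(json.dumps({"status": status}).encode())):
        c.to_terminal.append(pkt)
    return True


def terminal_login(conns, account, password, users=USERS, overloaded=False):
    """Terminal side of the whole exchange; returns the final login outcome."""
    request = json.dumps({"account": account, "password": password}).encode()
    for c, pkt in zip(conns, split_message(request)):   # one packet per path
        c.to_server.append(pkt)
    if not server_step(conns, users, overloaded):
        return "disconnected"          # server closed both paths: login ends
    response = json.loads(merge_packets([c.to_terminal.popleft() for c in conns]))
    if response["status"] != "success":
        for c in conns:                # login failed: terminal drops both paths
            c.close()
        return "failure"
    conns[0].close()                   # success: keep one path for service data
    return "success"


# Note: an observer who sees both paths, or who sits where both connections
# terminate, can still reassemble the message; the split complements transport
# encryption rather than replacing it.
```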
  • FIG. 3 is a schematic flowchart of a method for dual-connection secure communication according to Embodiment 2 of the present invention. As shown in FIG. 3, the method may include the following steps:
  • S201: after receiving the server login command sent by the user, the terminal can establish two connections (TCP or UDP connections), one through the mobile data network, such as a 3GPP network (WCDMA, LTE or TD-SCDMA), and one through the WLAN; that is, it establishes a first network connection with the server through the mobile data network and a second network connection with the server through the wireless local area network (WLAN).
  • TCP Transmission Control Protocol
  • UDP User Datagram Protocol
  • for a detailed description of step S201, refer to step S101 of the first embodiment; details are not described here again.
  • S202: generate a login request message to the server according to the server login instruction, split the login request message into a first request data packet and a second request data packet, send the first request data packet to the server on the first network connection, and send the second request data packet to the server on the second network connection.
  • for a detailed description of step S202, refer to step S102 of the first embodiment; details are not described here again.
  • S203: receive a first response data packet sent by the server from the first network connection, receive a second response data packet sent by the server from the second network connection, and combine the first response data packet and the second response data packet into the login response message of the server.
  • after the server has received the first request data packet sent by the terminal from the first network connection and the second request data packet sent by the terminal from the second network connection, it merges the first request data packet and the second request data packet to obtain the login request message sent by the terminal.
  • after the server generates a login response message according to the login request message, similarly to the way the terminal sends the login request message, the server splits the generated login response message into a first response data packet and a second response data packet in order to prevent a network attacker from intercepting the user's message in the network, sends the first response data packet to the terminal on the first network connection, and sends the second response data packet to the terminal on the second network connection.
  • the terminal may receive the first response data packet sent by the server from the first network connection and the second response data packet sent by the server from the second network connection, and merge the two into the login response message sent by the server to complete the user login process.
  • the terminal merges the first response data packet and the second response data packet into the login response message, which is either a login success message or a login failure message. If it is a login success message, the user has logged in to the server successfully; if it is a login failure message, the user has failed to log in to the server.
  • if the login response message is a login failure message, the user fails to log in, and the terminal disconnects the first network connection established with the server through the mobile data network and the second network connection established with the server through the WLAN to end the user login.
  • the disconnection may be initiated by the terminal, such as the terminal closing the TCP connection or automatically dropping the UDP connection, or initiated by the server after sending the login failure message, such as the server closing the TCP connection; the TCP connection may be closed immediately after the terminal receives the login failure response message, or only after a login failure message has been received for each of multiple login attempts.
  • if the login response message is a login success message, the user logs in successfully, and the terminal disconnects the first network connection established with the server through the mobile data network or the second network connection established with the server through the WLAN to complete the user login.
  • if the login response message is a login success message, the terminal may disconnect the first network connection established with the server through the mobile data network, or disconnect the second network connection established with the server through the WLAN, or keep both the first network connection and the second network connection without disconnecting.
  • the login success message received by the terminal may be the result of one of multiple login attempts.
  • the disconnection may be initiated by the terminal, such as the terminal closing the TCP connection or automatically dropping the UDP connection, or initiated by the server after sending the login failure message, such as the server closing the TCP connection.
  • The technical solution provided by this embodiment lets the terminal establish a first network connection with the server through the mobile data network and a second network connection with the server through the WLAN, split the login request message it sends to the server into a first request data packet and a second request data packet, send the two packets to the server over the two network connections respectively, and then receive the first response data packet and the second response data packet over the two network connections respectively.
  • The solution prevents a network attacker from intercepting the complete communication message of the user at a single network device, which strengthens the security of the user's login to the server.
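The terminal-side procedure above says only that the login request message is "split into two data packets", and the security claim in the last two bullets holds only against an attacker who sees one of the two paths. How the split is done decides what that attacker learns. The following Python example, added here and not part of the patent, compares a plain byte-range split with a 2-of-2 XOR share split from the viewpoint of an observer on a single path; the sample login request, the field names and the function names are constructed for the example. With a byte-range split each packet is readable on its own and the password ends up intact in one of them; with XOR shares each packet is uniformly random and reveals only the message length. An observer who sees both paths (for instance at the server's ingress link) recombines either split trivially, and neither split protects integrity, so the split is a complement to an encrypted, authenticated channel rather than a replacement for one.

```python
from __future__ import annotations

import os

# Constructed sample login request and the secrets inside it; not from the patent.
LOGIN_REQUEST = b"account=alice&password=hunter2"
SECRETS = (b"alice", b"hunter2")


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """Byte-wise XOR of two equal-length byte strings."""
    if len(a) != len(b):
        raise ValueError("inputs must have equal length")
    return bytes(x ^ y for x, y in zip(a, b))


def split_by_range(msg: bytes) -> tuple[bytes, bytes]:
    """Naive split: the first half of the message goes on connection 1,
    the second half on connection 2.  Each packet is plaintext."""
    half = len(msg) // 2
    return msg[:half], msg[half:]


def merge_by_range(p1: bytes, p2: bytes) -> bytes:
    return p1 + p2


def split_into_shares(msg: bytes) -> tuple[bytes, bytes]:
    """2-of-2 XOR secret sharing: a fresh random mask goes on connection 1
    and (message XOR mask) on connection 2.  Either packet on its own is
    uniformly random, so a single-path observer learns only the length."""
    mask = os.urandom(len(msg))
    return mask, xor_bytes(msg, mask)


def merge_shares(p1: bytes, p2: bytes) -> bytes:
    return xor_bytes(p1, p2)


def leaked_secrets(packet: bytes, secrets: tuple[bytes, ...] = SECRETS) -> list[bytes]:
    """The secrets a single-path observer can read verbatim from one packet."""
    return [s for s in secrets if s in packet]


def single_path_exposure(msg: bytes = LOGIN_REQUEST) -> dict[str, list[bytes]]:
    """Compare both split strategies from the viewpoint of an attacker who
    controls one network device on exactly one of the two paths."""
    r1, r2 = split_by_range(msg)
    s1, s2 = split_into_shares(msg)
    if merge_by_range(r1, r2) != msg or merge_shares(s1, s2) != msg:
        raise RuntimeError("merge did not reproduce the message")
    return {
        "range_path1": leaked_secrets(r1),
        "range_path2": leaked_secrets(r2),
        "share_path1": leaked_secrets(s1),
        "share_path2": leaked_secrets(s2),
    }
```

Calling `single_path_exposure()` reports, for each packet, which of the constructed secrets it exposes verbatim: the byte-range split leaves the account in the first packet and the whole password in the second, while neither XOR share exposes anything. The share split costs one random byte per message byte and requires both packets to have exactly the same length, which the merge check enforces.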
  • FIG. 4 is a schematic flowchart of a dual-connection secure communication method according to Embodiment 3 of the present invention. As shown in FIG. 4, the method may include the following steps:
  • Step S301: for its specific implementation, refer to step S101 of the first embodiment; details are not repeated here.
  • Step S302: for its specific implementation, refer to step S102 of the first embodiment; details are not repeated here.
  • After receiving the login request message, the server first verifies whether the user is a valid user. If the user is invalid (for example, the user account does not exist or the password is incorrect), the server may directly disconnect the first network connection established by the terminal through the mobile data network and disconnect the second network connection established by the terminal through the WLAN; the server may also send invalid-user indication information to the terminal before disconnecting. If the first or second network connection is a TCP connection, the server initiates the TCP close; if it is a UDP connection, the server simply drops the UDP association on its side.
  • The terminal disconnects the TCP connection when it receives the server's TCP close, or drops the UDP association once the login request message has timed out; before disconnecting, it may receive the invalid-user indication information sent by the server.
  • The technical solution provided by this embodiment lets the terminal establish a first network connection with the server through the mobile data network and a second network connection with the server through the WLAN, split the login request message it sends to the server into a first request data packet and a second request data packet, and send the two packets to the server over the two connections respectively; it also allows the network connections to be disconnected before any login response message is received from the server, thereby achieving the goal of a secure login.
  • The solution prevents a network attacker from intercepting the complete communication message of the user at a single network device, which strengthens the security of the user's login to the server.
  • FIG. 5 is a schematic flowchart of a dual-connection secure communication method according to Embodiment 4 of the present invention. As shown in FIG. 5, the method may include the following steps:
  • After receiving the server login command from the user, the terminal can establish two connections (TCP or UDP) with the server: a first network connection through the mobile data network, such as a 3GPP network (WCDMA, LTE or TD-SCDMA), and a second network connection through the wireless local area network (WLAN).
  • This requires that the terminal can register and authenticate in the 3GPP network and in the non-3GPP network at the same time, and can transmit IP flows through the 3GPP network and through the WLAN simultaneously.
  • A WLAN user can be authenticated and authorized by the 3GPP network, and the WLAN can also be connected to the packet data gateway of the 3GPP network.
  • The 3GPP/non-3GPP network integration solutions currently introduced in the 3GPP system do not support establishing network connections with the same server through the 3GPP network and the non-3GPP network at the same time.
  • The server establishes the first network connection with the terminal through the mobile data network after the terminal has successfully registered in the mobile data network. The server establishes the second network connection with the terminal through the WLAN either after the terminal has passed the WLAN security authentication, or after the terminal has initiated network registration in the mobile data network and that registration has succeeded.
  • The first network connection and the second network connection may each be a TCP/IP connection or a UDP/IP connection, identified by source port number, destination port number, source IP address and destination IP address.
  • For example, the terminal initiates packet network registration in the LTE network; the registration process includes an authentication procedure, a security activation procedure and the establishment of a packet data network connection. Once the terminal has completed packet network registration in the LTE network, the first network connection (TCP or UDP) can be established with the application server through the mobile data network. Likewise, once the terminal has been authenticated by the WLAN, the server can establish the second network connection with the terminal through the WLAN.
  • A terminal user in a WLAN first needs to pass the WLAN's local security authentication before the terminal establishes the second network connection (TCP or UDP) with the application server through the WLAN. In some scenarios where the 3GPP network and the WLAN are integrated, the terminal in the WLAN performs security authentication through a server of the 3GPP network, and a terminal that has been authenticated by the 3GPP network can then establish the second network connection with the application server through the WLAN.
  • Step S402: the server receives the first request data packet sent by the terminal from the first network connection and the second request data packet sent by the terminal from the second network connection, and combines the first request data packet and the second request data packet to obtain the login request message sent by the terminal.
  • The terminal generates the user's server login request message according to the server login instruction; the message includes the user's account and password information. Because the first network connection and the second network connection are different transport connections, data transmitted through them may pass through different network devices. To prevent the user's login request message from being intercepted by a network attacker at a network device, the terminal splits the login request message into two data packets and sends them on the established first and second network connections respectively: the user's server login request message is split into a first request packet and a second request packet, the first request packet is sent to the server on the first network connection, and the second request packet is sent to the server on the second network connection.
  • The server receives the first request packet sent by the terminal from the first network connection and the second request packet sent by the terminal from the second network connection, then combines the two packets to obtain the login request message sent by the terminal.
  • Once the server has combined the first request packet and the second request packet into the login request message, it first verifies whether the user is a valid user. If the user is invalid (for example, the user account does not exist or the password is incorrect), the server may directly disconnect the first network connection established by the terminal through the mobile data network and the second network connection established by the terminal through the WLAN. The server may also disconnect the first network connection or the second network connection for other abnormal reasons; in that case it need not send a login response message to the terminal and simply disconnects the connection on its side. As soon as either of the two network connections is disconnected, the user login is ended.
  • The login response message, which is either a login success message or a login failure message, may be generated according to the user information or according to other conditions such as the server's total number of connections, processing capacity or network speed. For example, if the user has a low priority and the server's total number of connections is high, the server may generate a login failure message for that user.
  • The server splits the generated login response message into a first response data packet and a second response data packet, sends the first response data packet to the terminal on the first network connection, and sends the second response data packet to the terminal on the second network connection.
  • The terminal receives the first response data packet sent by the server from the first network connection, and receives the second response data packet sent by the server from the second network connection.
  • If the login response message is a login failure message, the server disconnects the first network connection established with the terminal through the mobile data network and disconnects the second network connection established with the terminal through the WLAN.
  • The disconnection may be initiated by the server, for example by the server closing the TCP connection or dropping the UDP association, or by the terminal after it receives the login failure message, for example by the terminal closing the TCP connection. The server may disconnect immediately after it first sends the login failure response message, or only after it has sent a login failure message in response to each of several login request messages from the user.
  • If the login response message is a login success message, the server disconnects the first network connection established with the terminal through the mobile data network, or disconnects the second network connection established with the terminal through the WLAN, or keeps both the first network connection and the second network connection open.
  • The login success message sent by the server may be the response to one of several login attempts.
  • Here too, the disconnection may be initiated by the server, for example by closing the TCP connection or dropping the UDP association, or by the terminal after it receives the login response message, for example by closing the TCP connection.
  • The technical solution provided by this embodiment lets the server establish a first network connection with the terminal through the mobile data network and a second network connection with the terminal through the WLAN, receive the first request data packet and the second request data packet over the two network connections respectively and merge them into the login request message sent by the terminal, and split the login response message it sends to the terminal into a first response data packet and a second response data packet that are sent to the terminal over the two network connections respectively.
  • The solution prevents a network attacker from intercepting the complete communication message of the user at a single network device, which strengthens the security of the user's login to the server.
  • After receiving the server login command from the user, the terminal can establish two connections (TCP or UDP) with the server: a first network connection through the mobile data network, such as a 3GPP network (WCDMA, LTE or TD-SCDMA), and a second network connection through the wireless local area network (WLAN).
  • This requires that the terminal can establish two packet data network connections, one through the 3GPP network and one through the WLAN, and transmit IP flows through both simultaneously; the 3GPP network can provide QoS and authentication for the 3GPP user, and the WLAN can also be connected to the packet data gateway of the 3GPP network.
  • Step S501: for a detailed description, refer to step S401 of Embodiment 4 above; details are not repeated here.
  • S502. Receive the first request data packet sent by the terminal from the first network connection and the second request data packet sent by the terminal from the second network connection, and combine the first request data packet and the second request data packet to obtain the login request message sent by the terminal.
  • Step S502: for a detailed description, refer to step S402 of Embodiment 4 above; details are not repeated here.
  • S503. Determine, according to the login request message, whether the user is an invalid user.
  • Having obtained the login request message sent by the terminal, which includes information such as the user's account and password, the server first determines from it whether the user is a valid user.
  • If the user is invalid, the server may directly disconnect the first network connection established by the terminal through the mobile data network and disconnect the second network connection established by the terminal through the WLAN; the server may also send invalid-user indication information to the terminal before disconnecting.
  • If the first network connection or the second network connection is a TCP connection, the server initiates the TCP close; if it is a UDP connection, the server simply drops the UDP association on its side.
  • The terminal disconnects the TCP connection when it receives the server's TCP close, or drops the UDP association once the time elapsed since it sent the login request message to the server exceeds the specified threshold; before disconnecting, it may receive the invalid-user indication information sent by the server.
  • Otherwise the server generates a login response message according to the user information or to other conditions, such as the server's total number of connections, processing capacity or network speed.
  • The login response message is either a login success message or a login failure message. For example, if the user has a low priority and the server's total number of connections is high, the server may generate a login failure message for that user.
  • The server splits the generated login response message into a first response data packet and a second response data packet, sends the first response data packet to the terminal on the first network connection, and sends the second response data packet to the terminal on the second network connection.
  • The terminal receives the first response data packet sent by the server from the first network connection, and receives the second response data packet sent by the server from the second network connection.
  • After the server has sent the first response data packet to the terminal on the first network connection and the second response data packet on the second network connection, what happens next depends on whether the login response message was a login success message or a login failure message.
  • If the login response message is a login failure message, the user has failed to log in, and the server disconnects the first network connection established with the terminal through the mobile data network and disconnects the second network connection established with the terminal through the WLAN, which ends the user login.
  • The disconnection may be initiated by the server, for example by the server closing the TCP connection or dropping the UDP association, or by the terminal after it receives the login failure message sent by the server.
  • The terminal may close the TCP connection immediately after the server sends the login failure response message, or only after the server has sent it a login failure message on each of several login attempts.
  • If the login response message is a login success message, the user has logged in successfully, and the server disconnects the first network connection established with the terminal through the mobile data network, or disconnects the second network connection established with the terminal through the WLAN, or keeps both the first network connection and the second network connection open, which completes the user login.
  • Service data can then be transmitted over whichever network connection was not disconnected.
  • The login success message sent by the server may be the response to one of the terminal's several login attempts.
  • Here too, the disconnection may be initiated by the server, for example by the server closing the TCP connection or dropping the UDP association, or by the terminal after it receives the login response message, for example by the terminal closing the TCP connection.
  • The technical solution provided by this embodiment lets the server establish a first network connection with the terminal through the mobile data network and a second network connection with the terminal through the WLAN, receive the first request data packet and the second request data packet over the two network connections respectively and merge them into the login request message sent by the terminal, split the login response message it sends to the terminal into a first response data packet and a second response data packet that are sent to the terminal over the two network connections respectively, and disconnect or keep the network connections according to whether the user is invalid and whether the login succeeded, thereby achieving a secure user login.
  • The solution prevents a network attacker from intercepting the complete communication message of the user at a single network device, which strengthens the security of the user's login to the server.
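The complete exchange described in Embodiments 2, 4 and 5 (the terminal splits the login request, the server merges it and verifies the account, the server splits the response, and both sides then disconnect according to the outcome), together with the drop-without-response branch for an invalid user from Embodiments 3 and 5, as one added Python example that is not the patent's own code. Two local socket pairs stand in for the mobile-data and WLAN connections. A 16-byte session identifier and a share index in each frame header let the server pair the two halves and let the terminal reject a response that does not belong to its session. The credential store, the `account:password` message format, the XOR share split, the `LOGIN_OK`/`LOGIN_FAIL` strings and the policy of keeping the mobile-data path open on success are all choices made for the example, not details from the patent.

```python
import hmac
import os
import socket
import struct
import threading

# Constructed credential store for the example; not from the patent.
USERS = {b"alice": b"correct horse battery"}

# Frame header on each path: 16-byte session id, share index (1 or 2), payload length.
HDR = struct.Struct("!16sBH")


def xor_bytes(a: bytes, b: bytes) -> bytes:
    if len(a) != len(b):
        raise ValueError("shares must have equal length")
    return bytes(x ^ y for x, y in zip(a, b))


def split_message(msg: bytes):
    """2-of-2 XOR shares: neither packet on its own reveals the message."""
    mask = os.urandom(len(msg))
    return mask, xor_bytes(msg, mask)


def recv_exact(sock, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed the connection")
        buf += chunk
    return buf


def send_frame(sock, session: bytes, idx: int, payload: bytes) -> None:
    sock.sendall(HDR.pack(session, idx, len(payload)) + payload)


def recv_frame(sock):
    session, idx, length = HDR.unpack(recv_exact(sock, HDR.size))
    return session, idx, recv_exact(sock, length)


def recv_pair(c1, c2, expected: bytes = b""):
    """Read one share from each path, check they belong together, merge them."""
    s1, i1, p1 = recv_frame(c1)
    s2, i2, p2 = recv_frame(c2)
    if s1 != s2 or (expected and s1 != expected) or {i1, i2} != {1, 2}:
        raise ValueError("shares do not belong to the same session")
    return s1, xor_bytes(p1, p2)


def apply_policy(c1, c2, success: bool) -> None:
    """Disconnect rule from the text: a failure tears down both paths; a
    success keeps one path (path 1, mobile data, here) open for service data."""
    c2.close()
    if not success:
        c1.close()


def server_side(c1, c2, respond_to_invalid: bool = True) -> str:
    """Server: merge the request halves, verify the user, split the response,
    then disconnect according to the outcome.  Returns what the server decided."""
    try:
        session, request = recv_pair(c1, c2)
    except (ConnectionError, ValueError):
        apply_policy(c1, c2, False)
        return "ABORTED"
    account, _, password = request.partition(b":")
    valid = hmac.compare_digest(USERS.get(account, b""), password)
    if not valid and not respond_to_invalid:
        apply_policy(c1, c2, False)  # invalid user: drop both paths, send nothing
        return "DROPPED"
    response = b"LOGIN_OK" if valid else b"LOGIN_FAIL"
    r1, r2 = split_message(response)
    send_frame(c1, session, 1, r1)
    send_frame(c2, session, 2, r2)
    apply_policy(c1, c2, valid)
    return response.decode()


def terminal_side(c1, c2, account: bytes, password: bytes) -> str:
    """Terminal: split the login request, send one share per path, merge the
    response halves and apply the matching disconnect rule."""
    session = os.urandom(16)
    p1, p2 = split_message(account + b":" + password)
    send_frame(c1, session, 1, p1)
    send_frame(c2, session, 2, p2)
    try:
        _, response = recv_pair(c1, c2, expected=session)
    except (ConnectionError, ValueError):
        apply_policy(c1, c2, False)  # a path went away before any answer arrived
        return "ABORTED"
    apply_policy(c1, c2, response == b"LOGIN_OK")
    return response.decode()


def run_login(account: bytes, password: bytes, respond_to_invalid: bool = True):
    """Drive one login over two local socket pairs (path 1: mobile data, path 2:
    WLAN).  Returns (terminal result, server result, path 1 open, path 2 open)."""
    t1, s1 = socket.socketpair()
    t2, s2 = socket.socketpair()
    outcome = {}
    worker = threading.Thread(
        target=lambda: outcome.update(server=server_side(s1, s2, respond_to_invalid)))
    worker.start()
    result = terminal_side(t1, t2, account, password)
    worker.join()
    return result, outcome["server"], t1.fileno() != -1, t2.fileno() != -1
```

`run_login(b"alice", b"correct horse battery")` ends with both sides reporting `LOGIN_OK` and only path 1 still open; a wrong password ends with `LOGIN_FAIL` and both paths closed; `run_login(b"mallory", b"x", respond_to_invalid=False)` exercises the branch in which the server drops both paths without answering, which the terminal sees as a closed connection before any response. The example reads the two paths in a fixed order; a real server would instead buffer whichever half arrives first, keyed by session id, and expire sessions whose second half never arrives, which is the timeout the text mentions for the UDP case.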
  • The sixth embodiment of the present invention provides a terminal device for implementing the dual-connection secure communication method proposed by the present invention.
  • The device a00 may include a receiving unit a10, a processing unit a20 and a sending unit a30.
  • The receiving unit a10 is configured to receive a server login instruction from the user.
  • The processing unit a20 is configured to establish a first network connection with the server through the mobile data network, and to establish a second network connection with the server through the WLAN.
  • The processing unit a20 is further configured to generate the login request message to be sent to the server according to the server login instruction received by the receiving unit a10, and to split the login request message into a first request data packet and a second request data packet.
  • The sending unit a30 is configured to send the first request data packet to the server on the first network connection, and to send the second request data packet to the server on the second network connection.
  • The receiving unit a10 is further configured to receive the first response data packet sent by the server from the first network connection, and to receive the second response data packet sent by the server from the second network connection.
  • The processing unit a20 is further configured to combine the first response data packet and the second response data packet received by the receiving unit a10 into the login response message sent by the server, so as to complete the user login.
  • The processing unit a20 is further configured to: if the login response message received by the receiving unit a10 is a login failure message, so that the user has failed to log in, disconnect the first network connection established with the server through the mobile data network and disconnect the second network connection established with the server through the WLAN; or, if the login response message received by the receiving unit a10 is a login success message, so that the user has logged in successfully, disconnect the first network connection established with the server through the mobile data network to complete the user login; or, if the login response message received by the receiving unit a10 is a login success message, disconnect the second network connection established with the server through the WLAN to complete the user login.
  • The processing unit a20 is specifically configured to: initiate security authentication in the WLAN and, if the security authentication succeeds, establish the second network connection with the server through the WLAN; or initiate network registration in the mobile data network and, if the network registration succeeds, establish the second network connection with the server through the WLAN.
  • The technical solution provided by this embodiment prevents a network attacker from intercepting the complete communication message of the user at a single network device, which strengthens the security of the user's login to the server.
  • Embodiment 6 of the present invention also provides another terminal device for implementing the dual-connection secure communication method proposed by the present invention.
  • The device b00 includes a processor b10, a memory b20, a bus system b30, a receiver b40 and a transmitter b50.
  • The processor b10, the memory b20, the receiver b40 and the transmitter b50 are connected by the bus system b30. The memory b20 stores instructions; the processor b10 executes the instructions stored in the memory b20 to control the receiver b40 to receive signals and the transmitter b50 to send signals, so as to carry out the steps of the dual-connection secure communication method described above.
  • The receiver b40 and the transmitter b50 may be the same physical entity or different physical entities.
  • The method steps performed by the device b00 may at least include:
  • Embodiment 7 of the present invention provides a server device for implementing the dual-connection secure communication method proposed by the present invention.
  • The device c00 may include a processing unit c10, a receiving unit c20 and a sending unit c30.
  • The processing unit c10 is configured to establish a first network connection with the terminal through the mobile data network, and to establish a second network connection with the terminal through the WLAN.
  • The receiving unit c20 is configured to receive the first request data packet sent by the terminal from the first network connection, and to receive the second request data packet sent by the terminal from the second network connection.
  • The processing unit c10 is further configured to merge the first request data packet and the second request data packet received by the receiving unit c20 to obtain the login request message sent by the terminal, to generate the login response message to be sent to the terminal according to the login request message, and to split the login response message into a first response data packet and a second response data packet.
  • The sending unit c30 is configured to send the first response data packet to the terminal on the first network connection, and to send the second response data packet to the terminal on the second network connection, so as to complete the user login.
  • The login response message is either a login success message or a login failure message.
  • The processing unit c10 is further configured to: if the login response message is a login failure message, so that the user has failed to log in, disconnect the first network connection established with the terminal through the mobile data network and disconnect the second network connection established with the terminal through the WLAN to end the user login; or, if the login response message is a login success message, so that the user has logged in successfully, disconnect the first network connection established with the terminal through the mobile data network to complete the user login; or, if the login response message is a login success message, disconnect the second network connection established with the terminal through the WLAN to complete the user login.
  • The technical solution provided by this embodiment prevents a network attacker from intercepting the complete communication message of the user at a single network device, which strengthens the security of the user's login to the server.
  • Embodiment 7 of the present invention also provides another server device for implementing the dual-connection secure communication method proposed by the present invention.
  • The device d00 includes a processor d10, a memory d20, a bus system d30, a receiver d40 and a transmitter d50.
  • The processor d10, the memory d20, the receiver d40 and the transmitter d50 are connected by the bus system d30. The memory d20 stores instructions; the processor d10 executes the instructions stored in the memory d20 to control the receiver d40 to receive signals and the transmitter d50 to send signals, so as to carry out the steps of the dual-connection secure communication method described above.
  • The receiver d40 and the transmitter d50 may be the same physical entity or different physical entities.
  • The method steps performed by the device d00 may at least include:
  • Aspects of the present invention, or possible implementations of the various aspects, may be embodied as a system, a method or a computer program product.
  • Aspects of the invention, or possible implementations of the various aspects, may take the form of a computer program product, that is, computer readable program code stored in a computer readable medium.
  • The computer readable medium may be a computer readable data medium or a computer readable storage medium.
  • A computer readable storage medium includes, but is not limited to, an electronic, magnetic, optical, electromagnetic, infrared or semiconductor system, apparatus or device, or any suitable combination of the foregoing, such as random access memory (RAM), read-only memory (ROM), erasable programmable read-only memory (EPROM or flash memory), optical fibre or portable compact disc read-only memory (CD-ROM).
  • A processor in a computer reads the computer readable program code stored in the computer readable medium, so that the processor is able to perform the functional steps specified in each step, or combination of steps, of the flowcharts, and produces a device that performs the functions specified in each block, or combination of blocks, of the block diagrams.
  • The computer readable program code may execute entirely on the user's computer, partly on the user's computer, as a stand-alone software package, partly on the user's local computer and partly on a remote computer, or entirely on a remote computer or server. It should also be noted that, in some alternative implementations, the functions noted in the steps of the flowcharts or in the blocks of the block diagrams may occur out of the order noted. For example, two steps, or two blocks, shown in succession may in fact be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order.
  • The disclosed apparatus may be implemented in other ways.
  • The device embodiments described above are merely illustrative.
  • The division into functional units is only a logical division.
  • There may be other ways of dividing them; for example, multiple units may be combined into the same subsystem.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Mobile Radio Communication Systems (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

Disclosed are a dual-connection secure communication method and apparatus. The method comprises: establishing a first network connection with a server through a mobile data network and a second network connection with the server through a WLAN; splitting a login request message sent by a terminal to the server into a first request data packet and a second request data packet; sending the first request data packet on the first network connection and the second request data packet on the second network connection; and receiving a first response data packet from the first network connection and a second response data packet from the second network connection, and combining the first response data packet and the second response data packet into the login response message sent by the server to the terminal, so as to complete the user login. The solution prevents a network attacker from intercepting the complete communication message of a user at a single point in the network, thereby improving the security of the user's login to the server.

Description

Method and device for dual-connection secure communication

This application claims priority to Chinese Patent Application No. 201510434054.3, entitled "A Method and Apparatus for Dual-Connection Secure Communication", filed with the China Patent Office on July 22, 2015, the entire contents of which are incorporated herein by reference.

Technical field

The present invention relates to the field of communications technologies, and in particular to a method and apparatus for dual-connection secure communication.

Background

With the widespread adoption of mobile devices, logging in to online servers from mobile terminals to obtain network services has become an indispensable part of everyday life, and network security has therefore received increasing attention. At present, many hackers exploit vulnerabilities in network software, attacking network devices such as gateways and routers and intercepting information, in order to obtain users' account and password information for profit. Leaking and tampering with users' information infringes users' rights and interests and, in serious cases, can cause users financial loss.

At present, methods of improving network security are mainly software-based; how to improve the security of a user's login to a server by providing a reliable communication method is currently a gap.

Summary of the invention

Embodiments of the present invention disclose a method and apparatus for dual-connection secure communication, in which a communication message between the user and the server is split into different data packets, the different packets are transmitted on two network connections established between the terminal and the server, and the different packets received on the two connections are combined into the communication message to complete the secure communication. This prevents a network attacker from intercepting the user's complete communication message on a single network connection, thereby enhancing the security of the login method between the user and the server.

A first aspect of the embodiments of the present invention provides a method for dual-connection secure communication, used in a terminal device, including:

after receiving a server login instruction sent by the user, establishing a first network connection with the server through a mobile data network, and establishing a second network connection with the server through a wireless local area network (WLAN);

generating a login request message to be sent to the server according to the server login instruction, splitting the login request message into a first request data packet and a second request data packet, sending the first request data packet to the server on the first network connection, and sending the second request data packet to the server on the second network connection;

receiving a first response data packet sent by the server from the first network connection, receiving a second response data packet sent by the server from the second network connection, and combining the first response data packet and the second response data packet into the login response message sent by the server, so as to complete the user login.

With reference to the first aspect, in a first possible implementation, the login response message includes a login success message or a login failure message;

after combining the first response data packet and the second response data packet into the login response message sent by the server, the method further includes:

if the login response message sent by the server is a login failure message, the user login fails, and the first network connection established with the server through the mobile data network is disconnected and the second network connection established with the server through the WLAN is disconnected, so as to end the user login;

if the login response message sent by the server is a login success message, the user login succeeds, and the first network connection established with the server through the mobile data network is disconnected, so as to complete the user login; or,

if the login response message sent by the server is a login success message, the user login succeeds, and the second network connection established with the server through the WLAN is disconnected, so as to complete the user login.

With reference to the first aspect, in a second possible implementation, before establishing the first network connection with the server through the mobile data network, the method further includes:

initiating network registration in the mobile data network, and if the network registration succeeds, establishing the first network connection with the server through the mobile data network;

before establishing the second network connection with the server through the WLAN, the method further includes:

initiating security authentication in the WLAN, and if the security authentication succeeds, establishing the second network connection with the server through the WLAN; or, initiating network registration in the mobile data network, and if the network registration succeeds, establishing the second network connection with the server through the WLAN.

A second aspect of the embodiments of the present invention provides a method for dual-connection secure communication, used in a server, including:

establishing a first network connection with the terminal through a mobile data network, and establishing a second network connection with the terminal through a WLAN;

receiving a first request data packet sent by the terminal from the first network connection, receiving a second request data packet sent by the terminal from the second network connection, and combining the first request data packet and the second request data packet to obtain the login request message sent by the terminal;

generating a login response message to be sent to the terminal according to the login request message, splitting the login response message into a first response data packet and a second response data packet, sending the first response data packet to the terminal on the first network connection, and sending the second response data packet to the terminal on the second network connection, so as to complete the user login.

With reference to the second aspect, in a first possible implementation, the login response message includes a login success message or a login failure message;

after the step of sending the first response data packet and the second response data packet to the terminal, the method further includes:

if the login response message is a login failure message, the user login fails, and the first network connection established with the terminal through the mobile data network is disconnected and the second network connection established with the terminal through the WLAN is disconnected, so as to end the user login;

if the login response message is a login success message, the user login succeeds, and the first network connection established with the terminal through the mobile data network is disconnected, so as to complete the user login; or,

if the login response message is a login success message, the user login succeeds, and the second network connection established with the terminal through the WLAN is disconnected, so as to complete the user login.

A third aspect of the embodiments of the present invention provides a terminal device, including:

a receiving unit, configured to receive a server login instruction sent by the user;

a processing unit, configured to establish a first network connection with the server through a mobile data network, and to establish a second network connection with the server through a WLAN;

the processing unit is further configured to generate a login request message to be sent to the server according to the server login instruction received by the receiving unit, and to split the login request message into a first request data packet and a second request data packet;

a sending unit, configured to send the first request data packet to the server on the first network connection, and to send the second request data packet to the server on the second network connection;

the receiving unit is further configured to receive a first response data packet sent by the server from the first network connection, and to receive a second response data packet sent by the server from the second network connection;

the processing unit is further configured to combine the first response data packet and the second response data packet received by the receiving unit into the login response message sent by the server, so as to complete the user login.

With reference to the third aspect, in a first possible implementation, the processing unit is further configured to:

if the login response message sent by the server and received by the receiving unit is a login failure message, determine that the user login fails, disconnect the first network connection established with the server through the mobile data network, and disconnect the second network connection established with the server through the WLAN, so as to end the user login;

if the login response message sent by the server and received by the receiving unit is a login success message, determine that the user login succeeds, and disconnect the first network connection established with the server through the mobile data network, so as to complete the user login; or,

if the login response message sent by the server and received by the receiving unit is a login success message, determine that the user login succeeds, and disconnect the second network connection established with the server through the WLAN, so as to complete the user login.

With reference to the third aspect, in a second possible implementation, the processing unit is specifically configured to:

initiate network registration in the mobile data network, and if the network registration succeeds, establish the first network connection with the server through the mobile data network;

initiate security authentication in the WLAN, and if the security authentication succeeds, establish the second network connection with the server through the WLAN; or, initiate network registration in the mobile data network, and if the network registration succeeds, establish the second network connection with the server through the WLAN.

A fourth aspect of the embodiments of the present invention provides a server device, including:

a processing unit, configured to establish a first network connection with the terminal through a mobile data network, and to establish a second network connection with the terminal through a WLAN;

a receiving unit, configured to receive a first request data packet sent by the terminal from the first network connection, and to receive a second request data packet sent by the terminal from the second network connection;

the processing unit is further configured to combine the first request data packet and the second request data packet received by the receiving unit to obtain the login request message sent by the terminal, and to generate a login response message to be sent to the terminal according to the login request message and split the login response message into a first response data packet and a second response data packet;

a sending unit, configured to send the first response data packet to the terminal on the first network connection, and to send the second response data packet to the terminal on the second network connection, so as to complete the user login.

With reference to the fourth aspect, in a first possible implementation, the login response message includes a login success message or a login failure message;

the processing unit is further configured to:

if the login response message is a login failure message, determine that the user login fails, disconnect the first network connection established with the terminal through the mobile data network, and disconnect the second network connection established with the terminal through the WLAN, so as to end the user login;

if the login response message is a login success message, determine that the user login succeeds, and disconnect the first network connection established with the terminal through the mobile data network, so as to complete the user login; or,

if the login response message is a login success message, determine that the user login succeeds, and disconnect the second network connection established with the terminal through the WLAN, so as to complete the user login.

The technical solution provided by the embodiments of the present invention can establish a first network connection with the server through a mobile data network and a second network connection with the server through a WLAN; split the server login request message sent by the user into a first request data packet and a second request data packet; send the first request data packet and the second request data packet to the server through the two network connections respectively; and then receive the first response data packet and the second response data packet through the two network connections respectively and combine them into the login response message sent by the server, so as to complete the user's login to the server. This solution prevents a network attacker from intercepting the user's complete communication message at a network device, thereby enhancing the security of the login method between the user and the server.

Brief description of the drawings

In order to describe the technical solutions in the embodiments of the present invention more clearly, the drawings required in the embodiments are briefly introduced below. Obviously, the drawings in the following description are only some embodiments of the present invention, and those of ordinary skill in the art can obtain other drawings from these drawings without creative effort.

FIG. 1 is a schematic diagram of a network for dual-connection secure communication according to Embodiment 1 of the present invention;

FIG. 2 is a schematic flowchart of a method for dual-connection secure communication according to Embodiment 1 of the present invention;

FIG. 3 is a schematic flowchart of a method for dual-connection secure communication according to Embodiment 2 of the present invention;

FIG. 4 is a schematic flowchart of a method for dual-connection secure communication according to Embodiment 3 of the present invention;

FIG. 5 is a schematic flowchart of a method for dual-connection secure communication according to Embodiment 4 of the present invention;

FIG. 6 is a schematic flowchart of a method for dual-connection secure communication according to Embodiment 5 of the present invention;

FIG. 7 is a schematic structural diagram of a terminal device according to Embodiment 6 of the present invention;

FIG. 8 is a schematic structural diagram of another terminal device according to Embodiment 6 of the present invention;

FIG. 9 is a schematic structural diagram of a server device according to Embodiment 7 of the present invention;

FIG. 10 is a schematic structural diagram of another server device according to Embodiment 7 of the present invention.

Detailed description

The technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the drawings in the embodiments. Obviously, the described embodiments are only some of the embodiments of the present invention, not all of them. All other embodiments obtained by those of ordinary skill in the art based on the embodiments of the present invention without creative effort fall within the scope of protection of the present invention.

Each embodiment is described separately below.

The terms "first", "second", "third", "fourth" and the like in the specification, claims and drawings of the present invention are used to distinguish different objects, not to describe a particular order. Furthermore, the terms "comprise" and "have" and any variations of them are intended to cover a non-exclusive inclusion. For example, a process, method, system, product or device that comprises a series of steps or units is not limited to the listed steps or units, but may optionally also include steps or units that are not listed, or may optionally also include other steps or units inherent to the process, method, product or device.

Researchers in the field have found during research and development that, in current network communication, a mobile terminal communicates with the server through a single network connection, for example through a WLAN or through a mobile data network. A network attacker can therefore relatively easily intercept the communication messages between the user and the server at a network device and tamper with or forge them, which reduces the security of network communication.

Embodiments of the present invention provide a method and apparatus for dual-connection secure communication, used to implement secure login of a mobile terminal to an application server, so as to prevent a network attacker from stealing the user's complete communication message in the same network and thereby leaking or tampering with user information and infringing the user's rights and interests.

This application presents various aspects, embodiments or features around a system that may include multiple devices, components, modules and the like. It should be understood that each system may include additional devices, components, modules, etc., and/or may not include all of the devices, components, modules, etc. discussed in connection with the figures. In addition, combinations of these schemes may also be used.

In the embodiments of the present invention, "application server" and "server" may be used interchangeably; it should be noted that, when the difference is not emphasized, they mean the same thing.

The network architecture and service scenarios described in the embodiments of the present invention are intended to explain the technical solutions of the embodiments more clearly and do not limit the technical solutions provided by the embodiments. Those of ordinary skill in the art will appreciate that, as network architectures evolve and new service scenarios emerge, the technical solutions provided by the embodiments of the present invention are equally applicable to similar technical problems.

The embodiments of the present invention are described using a scenario with a 3GPP network and a WLAN. It should be noted that the solutions in the embodiments may also be applied to scenarios using other mobile communication networks together with a WLAN, such as 3GPP2 HRPD and IEEE WiMAX, in which case the corresponding names may be replaced by the names of the corresponding functions in those other wireless communication networks.

Referring first to FIG. 2, FIG. 2 is a schematic flowchart of a method for dual-connection secure communication according to Embodiment 1 of the present invention. The method of Embodiment 1 is used in a mobile terminal device that supports both mobile data network and WLAN transmission, and may include the following steps:

S101. After receiving a server login instruction sent by the user, establish a first network connection with the server through a mobile data network, and establish a second network connection with the server through a wireless local area network (WLAN).

After receiving the server login instruction sent by the user, the terminal can establish two connections (TCP or UDP connections), one through a mobile data network, for example a 3GPP network (WCDMA, LTE or TD-SCDMA), and one through a WLAN; that is, a first network connection with the server through the mobile data network and a second network connection with the server through the WLAN. As shown in FIG. 1, the terminal establishes the first network connection and the second network connection with the server through the mobile data network and the WLAN respectively; the terminal is provided with a mobile data network transceiver and mobile network protocol stack software for handling the first network connection, and with a WLAN transceiver and WLAN protocol stack software for handling the second network connection.

The 3GPP-defined interworking between 3GPP networks and non-3GPP networks (including WLAN) supports a terminal registering and authenticating in a 3GPP network and a non-3GPP network at the same time; the terminal can transmit IP flows through the 3GPP network and the WLAN simultaneously, the 3GPP network can provide authentication of WLAN users, and the WLAN can also connect to the packet data gateway of the 3GPP network. However, the 3GPP/non-3GPP interworking solutions currently introduced in 3GPP systems do not support establishing network connections with the same server through both the 3GPP network and the non-3GPP network.

Establishing the first network connection with the application server through the mobile data network includes establishing the first network connection with the application server through the mobile data network after network registration in the mobile data network succeeds. Establishing the second network connection with the server through the WLAN includes establishing the second network connection with the server through the WLAN after passing the security authentication of the WLAN, or establishing the second network connection with the server through the WLAN after passing the security authentication of the mobile data network. The first network connection and the second network connection may be TCP/IP connections or UDP/IP connections, identified by a sending port number, a receiving port number, a source IP address and a destination IP address.

In a specific implementation, the terminal can establish the first network connection with the application server through the mobile data network only after it has registered successfully in the mobile data network, and can establish the second network connection with the server through the WLAN only after it has passed the security authentication of the WLAN. For example, in a 3GPP system, the terminal can initiate packet network registration once it is powered on; the network registration process includes an authentication procedure, a security activation procedure and the establishment of a packet data network connection, and only after the terminal has completed packet network registration in the LTE network can it establish the first network connection (TCP or UDP connection) with the application server. As another example, a terminal user in a WLAN must first pass the WLAN's local security authentication and then establish the second network connection (TCP or UDP connection) with the application server through the WLAN; in some 3GPP/WLAN interworking scenarios, the terminal in the WLAN is authenticated through a 3GPP network server, and only a terminal that has passed the 3GPP network's security authentication can establish the second network connection with the application server through the WLAN.

S102、根据服务器登录指令生成向服务器发送的登录请求消息,将登录请求消息拆分为第一请求数据包和第二请求数据包,在第一网络连接上向服务器发送第一请求数据包,在第二网络连接上向服务器发送第二请求数据包。S102. Generate a login request message sent to the server according to the server login instruction, split the login request message into the first request data packet and the second request data packet, and send the first request data packet to the server on the first network connection, where A second request packet is sent to the server on the second network connection.

在通过移动数据网络与服务器建立第一网络连接,通过WLAN与服务器建立第二网络连接之后,终端可以根据用户的服务器登录指令,生成用户的服务器登录请求消息,用户的服务器登录请求消息中包含用户的账号和密码信息。由于第一网络连接和第二网络连接是不同的传输连接,通过第一网络连接和通过第二网络连接传输的数据可经过不同的网络设备,为了避免用户的登录请求消息被网络攻击者在网络设备(如网关或路由器)处截获,终端可以将用 户的登录请求消息拆分成两个数据包,分别在建立的第一网络连接和第二网络连接上发送,具体来说,将用户的服务器登录请求消息拆分为第一请求数据包和第二请求数据包,在第一网络连接上向服务器发送第一请求数据包,在第二网络连接上向服务器发送第二请求数据包。After establishing a first network connection with the server through the mobile data network and establishing a second network connection with the server through the WLAN, the terminal may generate a server login request message of the user according to the server login instruction of the user, and the user login request message includes the user. Account and password information. Since the first network connection and the second network connection are different transmission connections, the data transmitted through the first network connection and through the second network connection may pass through different network devices, in order to prevent the user's login request message from being attacked by the network attacker on the network. Intercepted by a device (such as a gateway or router), the terminal can use The user's login request message is split into two data packets, which are respectively sent on the established first network connection and the second network connection. Specifically, the user's server login request message is split into the first request data packet and the first The second request packet transmits a first request packet to the server on the first network connection and a second request packet to the server on the second network connection.

S103、从第一网络连接上接收服务器发送的第一应答数据包,从第二网络连接上接收服务器发送的第二应答数据包,将第一应答数据包和第二应答数据包合并为服务器发送的登录应答消息,以完成用户登录。S103. Receive a first response data packet sent by the server from the first network connection, receive a second response data packet sent by the server from the second network connection, and combine the first response data packet and the second response data packet into a server. The login response message to complete the user login.

After the server has received the first request data packet sent by the terminal over the first network connection and the second request data packet sent by the terminal over the second network connection, it merges the two to obtain the login request message sent by the terminal.

The login response message the server generates from the terminal's login request message is either a login success message or a login failure message. On receiving the login request message, the server first verifies whether the user is a valid user. If the user is invalid (for example, the account does not exist or the password is wrong), the server may directly close the first network connection established with the terminal over the mobile data network and the second network connection established with the terminal over the WLAN. When the terminal receives a disconnection request for the first network connection from the server, or when the time elapsed since it sent the first and second request data packets exceeds a specified limit, it closes the first network connection; when it receives a disconnection request for the second network connection from the server, or when that time limit expires, it closes the second network connection. Closing either of the two network connections ends the user login. If the server verifies that the user is valid, it generates the login response message, either a login success message or a login failure message, according to the user information or other conditions such as the server's total number of connections, its processing capacity or the network speed. For example, if the user has low priority and the server already has a large number of connections, the server may generate a login failure message for that user.

Similarly to the way the terminal sends the login request message, and to prevent a network attacker from intercepting the user's message on the network, the server splits the generated login response message into a first response data packet and a second response data packet, sends the first response data packet to the terminal over the first network connection and the second response data packet to the terminal over the second network connection. After the server sends them, the terminal can receive the first response data packet from the server on the first network connection and the second response data packet on the second network connection.

After the terminal has obtained the first and second response data packets, it can merge them into the login response message sent by the server. In some feasible implementations, if the login response message is a login failure message, the user login has failed: the terminal closes the first network connection established with the server over the mobile data network and the second network connection established with the server over the WLAN, ending the user login. The disconnection may be initiated by the terminal, for example the terminal closing a TCP connection or automatically dropping a UDP connection, or by the server after it has sent the login failure message, for example the server closing a TCP connection; it may take place immediately after the login failure response message is received, or only after several login attempts have all failed. If the login response message sent by the server is a login success message, the user login has succeeded, and the terminal may close the first network connection established with the server over the mobile data network, or close the second network connection established with the server over the WLAN, or keep both the first and the second network connection open; once the user login is complete, the terminal can transmit service data over whichever connection remains open. The login success message the terminal receives may be the success message of one among several user login attempts. Here too the disconnection may be initiated by the terminal (for example closing a TCP connection or automatically dropping a UDP connection) or by the server (for example closing a TCP connection).

It can be seen that the technical solution of this embodiment lets the terminal establish a first network connection with the server over the mobile data network and a second network connection with the server over the WLAN; split the login request message it sends to the server into a first request data packet and a second request data packet; send the two request data packets to the server over the two network connections respectively; then receive the first and second response data packets over the two network connections and merge them into the login response message sent by the server to the terminal, completing a secure login of the user to the server. The scheme prevents a network attacker from intercepting the user's complete communication message at a network device, and thereby strengthens the security of the way the user logs in to the server.

Embodiment two of the present invention provides a dual-connection secure communication method for a mobile terminal device; see FIG. 3, which is a schematic flowchart of the dual-connection secure communication method according to embodiment two. As shown in FIG. 3, the method may include the following steps:

S201. After receiving a server login instruction from the user, establish a first network connection with the server over the mobile data network and a second network connection with the server over the WLAN.

After receiving the user's server login instruction, the terminal can establish two connections (TCP or UDP connections), one over the mobile data network, for example a 3GPP network (WCDMA, LTE or TD-SCDMA), and one over the WLAN: the first network connection with the server over the mobile data network, and the second network connection with the server over the wireless local area network (WLAN).

For the details of step S201, refer to step S101 of embodiment one; they are not repeated here.

S202. Generate the login request message to be sent to the server according to the server login instruction, split the login request message into a first request data packet and a second request data packet, send the first request data packet to the server over the first network connection, and send the second request data packet to the server over the second network connection.

For the details of step S202, refer to step S102 of embodiment one; they are not repeated here.

S203. Receive the first response data packet sent by the server over the first network connection and the second response data packet sent by the server over the second network connection, and merge the first and second response data packets into the login response message sent by the server.

After the server has received the first request data packet sent by the terminal over the first network connection and the second request data packet sent by the terminal over the second network connection, it merges the two to obtain the login request message sent by the terminal. The server then generates a login response message from the login request message. Similarly to the way the terminal sends the login request message, and to prevent a network attacker from intercepting the user's message on the network, the server splits the generated login response message into a first response data packet and a second response data packet, sends the first response data packet to the terminal over the first network connection and the second response data packet to the terminal over the second network connection. After the server sends them, the terminal can receive the first response data packet from the server on the first network connection and the second response data packet on the second network connection.

After the terminal has obtained the first and second response data packets, it can merge them into the login response message sent by the server, completing the user login procedure.

S204. Determine whether the login response message is a login success message or a login failure message.

The terminal merges the first and second response data packets into the login response message, which is either a login success message or a login failure message. If it is a login success message, the user has logged in to the server successfully; if it is a login failure message, the user's login to the server has failed.

S205. If the login response message is a login failure message, the user login has failed: close the first network connection established with the server over the mobile data network and close the second network connection established with the server over the WLAN, ending the user login.

If the login response message is a login failure message, the terminal closes the first network connection established with the server over the mobile data network and the second network connection established with the server over the WLAN. The disconnection may be initiated by the terminal, for example the terminal closing a TCP connection or automatically dropping a UDP connection, or by the server after it has sent the login failure message, for example the server closing a TCP connection; it may take place immediately after the terminal receives the login failure response message, or only after several login attempts in each of which the terminal received a login failure message.

S206. If the login response message is a login success message, the user login has succeeded: close the first network connection established with the server over the mobile data network, or close the second network connection established with the server over the WLAN, completing the user login.

If the login response message is a login success message, the terminal closes the first network connection established with the server over the mobile data network, or closes the second network connection established with the server over the WLAN, or keeps both the first and the second network connection open; once the user login is complete, the terminal can transmit service data over whichever connection remains open. The login success message the terminal receives may be the success message of one among several login attempts. The disconnection may be initiated by the terminal (for example closing a TCP connection or automatically dropping a UDP connection) or by the server (for example closing a TCP connection).

It can be seen that the technical solution of this embodiment lets the terminal establish a first network connection with the server over the mobile data network and a second network connection with the server over the WLAN; split the login request message it sends to the server into a first request data packet and a second request data packet; send the two request data packets to the server over the two network connections respectively; then receive the first and second response data packets over the two network connections and merge them into the login response message sent by the server to the terminal; and, depending on whether the user login succeeded, close or keep the network connections, thereby achieving a secure login. The scheme prevents a network attacker from intercepting the user's complete communication message at a network device, and thereby strengthens the security of the way the user logs in to the server.

Embodiment three of the present invention provides a dual-connection secure communication method for a mobile terminal device; see FIG. 4, which is a schematic flowchart of the dual-connection secure communication method according to embodiment three. As shown in FIG. 4, the method may include the following steps:

S301. After receiving a server login instruction from the user, establish a first network connection with the server over the mobile data network and a second network connection with the server over the WLAN.

For the specific implementation of step S301, refer to step S101 of embodiment one; it is not repeated here.

S302. Generate the login request message to be sent to the server according to the server login instruction, split the login request message into a first request data packet and a second request data packet, send the first request data packet to the server over the first network connection, and send the second request data packet to the server over the second network connection.

For the specific implementation of step S302, refer to step S102 of embodiment one; it is not repeated here.

S303. When the terminal receives a disconnection request for the first network connection from the server, or when the time elapsed since the terminal sent the first and second request data packets exceeds a specified limit, close the first network connection; when the terminal receives a disconnection request for the second network connection from the server, or when the time elapsed since it sent the first and second request data packets exceeds the specified limit, close the second network connection; end the user login.

After the server has received the first request data packet sent by the terminal over the first network connection and the second request data packet sent by the terminal over the second network connection, it merges the two to obtain the login request message the terminal sent to the server.

On receiving the login request message, the server first verifies whether the user is a valid user. If the user is invalid (for example, the account does not exist or the password is wrong), the server may directly close the first network connection established with the terminal over the mobile data network and the second network connection established with the terminal over the WLAN; the server may also send an invalid-user indication to the terminal before closing the network connections. If the first or second network connection is a TCP connection, the server actively closes the TCP connection; if it is a UDP connection, the server simply drops the UDP connection on its side. When the terminal receives the server's TCP close request it closes the TCP connection, or, if its login request message times out without a reply, it drops the UDP connection itself; before disconnecting, the terminal may receive the invalid-user indication sent by the server.

The terminal closes the first network connection when it receives a disconnection request for the first network connection from the server, or when the time elapsed since it sent the first and second request data packets exceeds the specified limit; it closes the second network connection when it receives a disconnection request for the second network connection from the server, or when the time elapsed since it sent the first and second request data packets exceeds the specified limit. As soon as either of the two network connections is closed, the user login ends.
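The terminal-side connection handling of steps S204 to S206 (embodiment two) and S303 (embodiment three), as an added example in Python; it is not code from the patent. It encodes the rules stated above: a login success keeps at least one connection open for service data, a login failure closes both connections either immediately or once a retry budget is used up, and a server-initiated close on either connection, or the expiry of the specified time without a response, ends the login and tears both connections down. The timeout value, the retry budget and which connection is kept after success are assumptions of this example, since the text leaves them open.

```python
"""Terminal-side connection handling after the login request has been sent.

Added example, not patent code.  Timeout, retry budget and the connection kept
after a successful login are assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from enum import Enum


class Conn(Enum):
    OPEN = "open"
    CLOSED = "closed"


def _both_open() -> dict[str, Conn]:
    # "mobile" = first network connection, "wlan" = second network connection
    return {"mobile": Conn.OPEN, "wlan": Conn.OPEN}


@dataclass
class LoginSession:
    max_attempts: int = 3            # assumption: login attempts before giving up
    request_timeout: float = 10.0    # assumption: the "specified time" of S303, seconds
    keep_on_success: str = "wlan"    # "mobile", "wlan" or "both" (S206 allows all three)
    conns: dict[str, Conn] = field(default_factory=_both_open)
    attempts: int = 0
    sent_at: float | None = None
    finished: bool = False
    logged_in: bool = False

    def usable_connections(self) -> list[str]:
        return [n for n, s in self.conns.items() if s is Conn.OPEN]

    def _close_all(self) -> None:
        for n in self.conns:
            self.conns[n] = Conn.CLOSED
        self.finished = True

    def mark_sent(self, now: float) -> None:
        """Both request packets have gone out (S202/S302); start the timer."""
        if self.finished or len(self.usable_connections()) < 2:
            raise RuntimeError("cannot send: login ended or a connection is down")
        self.sent_at = now
        self.attempts += 1

    def on_response(self, response: dict) -> str:
        """Merged login response received (S204-S206)."""
        if self.finished:
            return "ignored"
        if response.get("result") == "success":
            self.logged_in = True
            self.finished = True
            for n in list(self.conns):
                if self.keep_on_success != "both" and n != self.keep_on_success:
                    self.conns[n] = Conn.CLOSED      # drop the other link, keep one for service data
            return "logged_in"
        if self.attempts >= self.max_attempts:      # failure after the last allowed attempt
            self._close_all()
            return "login_failed"
        self.sent_at = None                          # failure, but retries remain
        return "retry"

    def on_disconnect_request(self, name: str) -> str:
        """Server closed one connection (S303): closing either one ends the login."""
        if self.finished:
            return "ignored"
        self.conns[name] = Conn.CLOSED
        self._close_all()
        return "login_ended"

    def on_tick(self, now: float) -> str:
        """Timer check (S303): no response within the limit, so close both."""
        if self.finished or self.sent_at is None:
            return "idle"
        if now - self.sent_at > self.request_timeout:
            self._close_all()
            return "timed_out"
        return "waiting"
```

Driving this from a real socket loop means calling `mark_sent` once both packets are written, `on_response` once the reassembler yields the merged response, `on_disconnect_request` from the read path that observes a peer close, and `on_tick` from a periodic timer; the return value tells the caller which sockets to close.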

It can be seen that the technical solution of this embodiment lets the terminal establish a first network connection with the server over the mobile data network and a second network connection with the server over the WLAN; split the login request message it sends to the server into a first request data packet and a second request data packet; send the two request data packets to the server over the two connections respectively; and close the network connections before a login response message is received from the server, thereby achieving a secure login. The scheme prevents a network attacker from intercepting the user's complete communication message at a network device, and thereby strengthens the security of the way the user logs in to the server.

Embodiment four of the present invention provides a dual-connection secure communication method for a server; see FIG. 5, which is a schematic flowchart of the dual-connection secure communication method according to embodiment four. As shown in FIG. 5, the method may include the following steps:

S401. Establish a first network connection with the terminal over the mobile data network, and establish a second network connection with the terminal over the WLAN.

After receiving the user's server login instruction, the terminal can establish two connections (TCP or UDP connections), one over the mobile data network, for example a 3GPP network (WCDMA, LTE or TD-SCDMA), and one over the WLAN: the first network connection with the server over the mobile data network, and the second network connection with the server over the wireless local area network (WLAN).

In the interworking technology proposed by 3GPP for 3GPP networks and non-3GPP networks (including WLAN), a terminal is supported in registering and authenticating in a 3GPP network and a non-3GPP network at the same time and in carrying IP flows over both the 3GPP network and the WLAN; the 3GPP network can provide authentication and authorisation for WLAN users, and the WLAN can also connect to the packet data gateway of the 3GPP network. However, the 3GPP/non-3GPP interworking solutions currently introduced in 3GPP systems do not support establishing network connections with the same server over both the 3GPP network and the non-3GPP network.

The server establishing the first network connection with the terminal over the mobile data network includes establishing the first network connection with the terminal over the mobile data network after the terminal has registered successfully in the mobile data network. The server establishing the second network connection with the terminal over the WLAN includes establishing the second network connection with the terminal over the WLAN after the terminal has passed the WLAN's security authentication, or after the terminal has initiated network registration in the mobile data network and, that registration having succeeded, establishes the second network connection with the server over the WLAN. The first and second network connections may be TCP/IP connections or UDP/IP connections, identified by source port number, destination port number, source IP address and destination IP address.

In a concrete implementation, the terminal can establish the first network connection with the application server over the mobile data network only after it has registered successfully in the mobile data network; likewise, the server can establish the second network connection with the terminal over the WLAN only after the terminal has passed the WLAN's security authentication. For example, in a 3GPP system the terminal can initiate packet network registration as soon as it powers on; the registration procedure includes authentication, security activation and the establishment of a packet data network connection, and only after the terminal has completed packet network registration in the LTE network can it establish the first network connection (TCP or UDP connection) with the application server. As another example, a terminal user in a WLAN must first pass the WLAN's local security authentication and only then establish the second network connection (TCP or UDP connection) with the application server over the WLAN; in some 3GPP/WLAN interworking scenarios, the terminal in the WLAN is authenticated by a 3GPP network server, and only a terminal that has passed the 3GPP network's security authentication can establish the second network connection with the application server over the WLAN.

S402. Receive the first request data packet sent by the terminal over the first network connection and the second request data packet sent by the terminal over the second network connection, and merge the first and second request data packets to obtain the login request message sent by the terminal.

After the server has established the first network connection with the terminal over the mobile data network and the second network connection with the terminal over the WLAN, the terminal can generate the user's server login request message according to the server login instruction; the message contains the user's account and password. Because the first and second network connections are different transport connections, data carried over them may traverse different network devices. To prevent the user's login request message from being intercepted by a network attacker at a network device (such as a gateway or router), the terminal can split the login request message into two data packets and send them over the first and second network connections respectively. Specifically, it splits the user's server login request message into a first request data packet and a second request data packet, sends the first request data packet to the server over the first network connection, and sends the second request data packet to the server over the second network connection.

After the server has received the first request data packet sent by the terminal over the first network connection and the second request data packet sent by the terminal over the second network connection, it merges the first and second request data packets to obtain the login request message sent by the terminal.

S403. Generate the login response message to be sent to the terminal according to the login request message, split the login response message into a first response data packet and a second response data packet, send the first response data packet to the terminal over the first network connection, and send the second response data packet to the terminal over the second network connection, completing the user login.

After the server has merged the first and second request data packets and obtained the login request message sent by the terminal, it first verifies whether the user is a valid user. If the user is invalid (for example, the account does not exist or the password is wrong), the server may directly close the first network connection established with the terminal over the mobile data network and the second network connection established with the terminal over the WLAN. The server may also, for other abnormal reasons, initiate the closing of the first or the second network connection, or close the first or the second network connection itself without sending any login response message to the terminal; in that case, as soon as either of the two network connections is closed, the user login ends. If the server verifies that the user is valid, it generates the login response message, either a login success message or a login failure message, according to the user information or other conditions such as the server's total number of connections, its processing capacity or the network speed. For example, if the user has low priority and the server already has a large number of connections, the server may generate a login failure message for that user.

Similarly to the method by which the terminal sends the server login request, in order to prevent a network attacker from intercepting the user's message in the network, the server splits the generated login response message into a first response data packet and a second response data packet, sends the first response data packet to the terminal over the first network connection, and sends the second response data packet to the terminal over the second network connection. After the server has sent them, the terminal can receive the first response data packet from the first network connection and the second response data packet from the second network connection.

In some feasible implementations, if the login response message is a login failure message, the server disconnects the first network connection established with the terminal over the mobile data network and disconnects the second network connection established with the terminal over the WLAN. The disconnection may be initiated by the server, such as the server closing a TCP connection or the server dropping a UDP connection on its own, or it may be initiated by the terminal after it receives the login failure message, such as the terminal closing a TCP connection. The disconnection may take place immediately after the server sends the first login failure response message, or only after the server has received several user login request messages and has answered each of them with a user login failure message. If the login response message is a login success message, the server disconnects the first network connection established with the terminal over the mobile data network, or disconnects the second network connection established with the terminal over the WLAN, or keeps both the first and the second network connection open; once the server has sent the login success message, business data can be transmitted over the network connection that was kept open. The login success message sent by the server may be the success message for one of several login attempts. Here too the disconnection may be initiated by the server, such as the server closing a TCP connection or dropping a UDP connection on its own, or it may be initiated by the terminal after receiving the login success message, such as the terminal closing a TCP connection.

It can be seen that the technical solution provided by this embodiment of the present invention enables the server to establish a first network connection with the terminal over the mobile data network and a second network connection with the terminal over the WLAN; the server receives the first request data packet and the second request data packet over the two network connections respectively and merges them into the login request message sent by the terminal to the server, and splits the login response message to be sent by the server to the terminal into a first response data packet and a second response data packet that are sent to the terminal over the two network connections respectively, so as to complete a secure login of the user to the server. This solution prevents a network attacker from intercepting the user's complete communication message at a network device, thereby enhancing the security of the user's login to the server.

S501. Establish a first network connection with the terminal over the mobile data network, and establish a second network connection with the terminal over the WLAN.

After receiving the user's server login instruction, the terminal may establish two connections (TCP or UDP connections), one over a mobile data network, for example a 3GPP network (WCDMA, LTE or TD-SCDMA), and one over a WLAN: that is, a first network connection with the server over the mobile data network and a second network connection with the server over the wireless local area network (WLAN).

In the mobile network and WLAN convergence technology proposed by the 3GPP organization, a terminal is supported in establishing two packet data network connections, one over the 3GPP network and one over the WLAN, and in carrying IP flows over the 3GPP network and the WLAN at the same time; the 3GPP network can provide authentication and authorization for WLAN users, and the WLAN can also be connected to the packet data gateway of the 3GPP network.

For a detailed description of step S501, refer to step S401 of the fourth embodiment above; it is not repeated here.

S502. Receive the first request data packet sent by the terminal from the first network connection, receive the second request data packet sent by the terminal from the second network connection, and merge the first request data packet and the second request data packet to obtain the login request message sent by the terminal.

For a detailed description of step S502, refer to step S402 of the fourth embodiment above; it is not repeated here.

S503. Determine, according to the login request message, whether the user is an invalid user.

When the server merges the first request data packet and the second request data packet, it obtains the login request message sent by the terminal, which contains information such as the user's account and password; the server first verifies, according to this login request message, whether the user is a valid user.

S504. If the user is verified to be an invalid user, disconnect the first network connection established with the terminal over the mobile data network and disconnect the second network connection established with the terminal over the WLAN, so as to end the user login.

If the user is verified to be invalid (for example, the user account does not exist or the password is incorrect), the server may directly disconnect the first network connection established with the terminal over the mobile data network and disconnect the second network connection established with the terminal over the WLAN; the server may also send invalid-user indication information to the terminal before disconnecting the network connections. If the first network connection or the second network connection is a TCP connection, the server actively initiates closing of the TCP connection; if the first network connection or the second network connection is a UDP connection, the server drops the UDP connection on its own. When the terminal receives the server's TCP connection close request, it closes the TCP connection; or, if the time elapsed since the terminal sent the login request message to the server exceeds a specified time threshold, the terminal drops the UDP connection on its own. Before disconnecting, the terminal may receive the invalid-user indication information sent by the server.

S505. If the user is verified not to be an invalid user, generate a login response message to be sent to the terminal according to the server login request message, split the login response message into a first response data packet and a second response data packet, send the first response data packet to the terminal over the first network connection, and send the second response data packet to the terminal over the second network connection.

When the user is verified not to be an invalid user, the server may generate a login response message according to the user information or other conditions, such as the server's total number of connections, processing capacity or network speed. The login response message is either a login success message or a login failure message; for example, if the user's priority is low and the server's total number of connections is high, the server may generate a login failure message for that user.

Similarly to the method by which the terminal sends the server login request, in order to prevent a network attacker from intercepting the user's message in the network, the server splits the generated login response message into a first response data packet and a second response data packet, sends the first response data packet to the terminal over the first network connection, and sends the second response data packet to the terminal over the second network connection. After the server has sent them, the terminal can receive the first response data packet from the first network connection and the second response data packet from the second network connection.

S506. Determine whether the login response message is a login success message or a login failure message.

After the server has sent the first response data packet to the terminal over the first network connection and the second response data packet to the terminal over the second network connection, it determines whether the login response message was a login success message or a login failure message.

S507. If the login response message is a login failure message, the user login has failed; disconnect the first network connection established with the terminal over the mobile data network and disconnect the second network connection established with the terminal over the WLAN, so as to end the user login.

If the login response message is a login failure message, the user login has failed, and the server disconnects the first network connection established with the terminal over the mobile data network and the second network connection established with the terminal over the WLAN, so as to end the user login. The disconnection may be initiated by the server, such as the server closing a TCP connection, or the terminal may drop a UDP connection on its own; or the disconnection may be initiated by the terminal after it receives the login failure message sent by the server, such as the terminal closing a TCP connection. The disconnection may take place immediately after the server sends the login failure response message, or only after the terminal has made several login attempts and the server has answered each of them with a login failure message.

S508. If the login response message is a login success message, the user login has succeeded; disconnect the first network connection established with the terminal over the mobile data network, or disconnect the second network connection established with the terminal over the WLAN, so as to complete the user login.

If the login response message is a login success message, the user login has succeeded, and the server disconnects the first network connection established with the terminal over the mobile data network, or disconnects the second network connection established with the terminal over the WLAN, or keeps both the first and the second network connection open; once the server has sent the user's login success message, business data can be transmitted over the network connection that was not disconnected. The login success message sent by the server may be the one sent in one of the terminal's several login attempts. The disconnection may be initiated by the server, such as the server closing a TCP connection or dropping a UDP connection on its own, or it may be initiated by the terminal after it receives the login success message, such as the terminal closing a TCP connection.

It can be seen that the technical solution provided by this embodiment of the present invention enables the server to establish a first network connection with the terminal over the mobile data network and a second network connection with the terminal over the WLAN; the server receives the first request data packet and the second request data packet over the two network connections respectively and merges them into the login request message sent by the terminal, splits the login response message to be sent to the terminal into a first response data packet and a second response data packet that are sent to the terminal over the two network connections respectively, and disconnects or keeps the network connections according to whether the user is invalid and whether the user login succeeded, thereby achieving a secure user login. This solution prevents a network attacker from intercepting the user's complete communication message at a network device, thereby enhancing the security of the user's login to the server.
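The exchange described in steps S501 to S508 above, together with the terminal side that the text refers to (build the login request, split it, send one packet per connection, then merge the two response packets), as an added example that is not code from the patent or its applicant. Both endpoints are simulated in one process with a minimal in-memory connection object. The split rule (alternating bytes between the two connections), the JSON message encoding, the credential store, the capacity threshold used for the low-priority failure case, and the choice of which connection survives a successful login are all assumptions of this example; the patent specifies none of them. The example also makes the security property concrete: with this split, neither packet on its own contains the password, but the split is framing, not encryption, so an observer who sees both paths can reassemble the message just as the legitimate receiver does.

```python
"""Dual-connection login exchange, both endpoints simulated in-process.
Added example, not the patent's code; the split rule, message encoding,
credential store, capacity threshold and surviving link are assumptions."""
from __future__ import annotations
import json
import secrets
from dataclasses import dataclass, field

# Constructed credential store for the example (not from the patent).
USERS = {"alice": {"password": "correct-horse", "priority": 5},
         "bob": {"password": "battery-staple", "priority": 1}}
MAX_CONNECTIONS = 100  # assumed server capacity threshold used in S505


@dataclass
class Connection:
    """One link, e.g. TCP over mobile data (first) or WLAN (second). Sending on
    a closed link fails; data already in flight stays readable, as after a TCP close."""
    name: str
    is_open: bool = True
    in_flight: list[bytes] = field(default_factory=list)

    def send(self, data: bytes) -> None:
        if not self.is_open:
            raise ConnectionError(f"{self.name} is closed")
        self.in_flight.append(data)

    def recv(self) -> bytes:
        return self.in_flight.pop(0)

    def close(self) -> None:
        self.is_open = False


def split_message(msg: bytes) -> tuple[bytes, bytes]:
    """Assumed split rule: even-index bytes form the first packet, odd-index
    bytes the second, so neither packet carries a contiguous run of the message."""
    return msg[0::2], msg[1::2]


def merge_packets(first: bytes, second: bytes) -> bytes:
    """Inverse of split_message; the receiver needs both packets."""
    out = bytearray()
    for i in range(max(len(first), len(second))):
        out += first[i:i + 1] + second[i:i + 1]  # empty slice once exhausted
    return bytes(out)


def terminal_send_login(conn1: Connection, conn2: Connection,
                        account: str, password: str) -> None:
    """Terminal side: build the login request, split it, one packet per link."""
    pkt1, pkt2 = split_message(json.dumps({"account": account,
                                           "password": password}).encode())
    conn1.send(pkt1)
    conn2.send(pkt2)


def server_handle_login(conn1: Connection, conn2: Connection,
                        active_connections: int = 0) -> str:
    """Server side, steps S502 to S508: merge, validate, answer, tear down."""
    request = json.loads(merge_packets(conn1.recv(), conn2.recv()))
    user = USERS.get(request.get("account"))
    if user is None or user["password"] != request.get("password"):
        conn1.close()  # S504: invalid user, close both links without answering
        conn2.close()
        return "invalid"
    # S505: valid user; success or failure by load and priority (assumed policy)
    if user["priority"] < 3 and active_connections > MAX_CONNECTIONS:
        response = {"result": "fail", "reason": "server busy"}
    else:
        response = {"result": "success", "session": secrets.token_hex(8)}
    pkt1, pkt2 = split_message(json.dumps(response).encode())
    conn1.send(pkt1)
    conn2.send(pkt2)
    conn1.close()  # S507/S508: failure closes both links, success keeps one
    if response["result"] == "fail":
        conn2.close()  # (assumption: the WLAN link is the one kept for data)
    return response["result"]


def terminal_receive_response(conn1: Connection, conn2: Connection) -> dict | None:
    """Terminal side: merge both response packets; None if the server closed
    both links without answering (invalid user)."""
    if not conn1.in_flight or not conn2.in_flight:
        return None
    return json.loads(merge_packets(conn1.recv(), conn2.recv()))


def run_login(account: str, password: str, active_connections: int = 0) -> dict:
    """Run one complete login exchange and report its observable state."""
    mobile = Connection("mobile-data")  # first network connection
    wlan = Connection("wlan")           # second network connection
    terminal_send_login(mobile, wlan, account, password)
    outcome = server_handle_login(mobile, wlan, active_connections)
    response = terminal_receive_response(mobile, wlan)
    return {"outcome": outcome, "response": response,
            "mobile_open": mobile.is_open, "wlan_open": wlan.is_open}
```

Calling `run_login("alice", "correct-horse")` yields a success response with the mobile-data link closed and the WLAN link kept for business data; a wrong password yields no response and both links closed (S504); `run_login("bob", "battery-staple", active_connections=500)` shows the low-priority, high-load failure case of S505 and S507. Splitting `b'{"password": "correct-horse"}'` shows that the password string appears in neither packet but is trivially recovered by `merge_packets`, which is why this scheme should be layered over, not substituted for, transport encryption on each connection.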

The sixth embodiment of the present invention provides a terminal device for implementing the dual-connection secure communication method proposed by the present invention. Referring to FIG. 7, the device a00 may include a receiving unit a10, a processing unit a20 and a sending unit a30.

The receiving unit a10 is configured to receive a server login instruction sent by the user;

The processing unit a20 is configured to establish a first network connection with the server over the mobile data network and a second network connection with the server over the WLAN;

The processing unit a20 is further configured to generate a login request message to be sent to the server according to the server login instruction received by the receiving unit a10, and to split the login request message into a first request data packet and a second request data packet;

The sending unit a30 is configured to send the first request data packet to the server over the first network connection and the second request data packet to the server over the second network connection;

The receiving unit a10 is further configured to receive the first response data packet sent by the server from the first network connection and the second response data packet sent by the server from the second network connection;

The processing unit a20 is further configured to merge the first response data packet and the second response data packet received by the receiving unit into the login response message sent by the server, so as to complete the user login.

In some feasible implementations, the processing unit a20 is further configured to:

if the login response message sent by the server and received by the receiving unit a10 is a login failure message, treat the user login as failed, and disconnect the first network connection established with the server over the mobile data network and the second network connection established with the server over the WLAN, so as to end the user login;

if the login response message sent by the server and received by the receiving unit a10 is a login success message, treat the user login as successful, and disconnect the first network connection established with the server over the mobile data network, so as to complete the user login; or

if the login response message sent by the server and received by the receiving unit a10 is a login success message, treat the user login as successful, and disconnect the second network connection established with the server over the WLAN, so as to complete the user login.

In some feasible embodiments, the processing unit a20 is specifically configured to:

initiate network registration in the mobile data network and, if the network registration succeeds, establish the first network connection with the server over the mobile data network;

initiate security authentication in the WLAN and, if the security authentication succeeds, establish the second network connection with the server over the WLAN; or initiate network registration in the mobile data network and, if the network registration succeeds, establish the second network connection with the server over the WLAN.

It can be seen that the technical solution provided by this embodiment of the present invention prevents a network attacker from intercepting the user's complete communication message at a network device, thereby enhancing the security of the user's login to the server.

The sixth embodiment of the present invention also provides another terminal device for implementing the dual-connection secure communication method proposed by the present invention. Referring to FIG. 8, the device b00 includes a processor b10, a memory b20, a bus system b30, a receiver b40 and a transmitter b50. The processor b10, the memory b20, the receiver b40 and the transmitter b50 are connected through the bus system b30; the memory b20 is configured to store instructions, and the processor b10 is configured to execute the instructions stored in the memory b20 so as to control the receiver b40 to receive signals and the transmitter b50 to send signals, thereby performing the steps of the dual-connection secure communication method described above. The receiver b40 and the transmitter b50 may be the same physical entity or different physical entities.

The method steps performed by the device b00 may include at least:

after receiving a server login instruction sent by the user, establishing a first network connection with the server over the mobile data network and a second network connection with the server over the wireless local area network (WLAN);

generating a login request message to be sent to the server according to the server login instruction, splitting the login request message into a first request data packet and a second request data packet, sending the first request data packet to the server over the first network connection, and sending the second request data packet to the server over the second network connection;

receiving the first response data packet sent by the server from the first network connection, receiving the second response data packet sent by the server from the second network connection, and merging the first response data packet and the second response data packet into the login response message sent by the server, so as to complete the user login.

For the concepts, explanations, detailed descriptions and other steps relating to the technical solution provided by the embodiments of the present invention that are involved in the above terminal device, refer to the descriptions of these matters in the foregoing methods or embodiments; they are not repeated here.

The seventh embodiment of the present invention provides a server device for implementing the dual-connection secure communication method proposed by the present invention. Referring to FIG. 9, the device c00 may include a processing unit c10, a receiving unit c20 and a sending unit c30.

The processing unit c10 is configured to establish a first network connection with the terminal over the mobile data network and a second network connection with the terminal over the WLAN;

The receiving unit c20 is configured to receive the first request data packet sent by the terminal from the first network connection and the second request data packet sent by the terminal from the second network connection;

The processing unit c10 is further configured to merge the first request data packet and the second request data packet received by the receiving unit c20 to obtain the login request message sent by the terminal, and to generate a login response message to be sent to the terminal according to the login request message and split the login response message into a first response data packet and a second response data packet;

The sending unit c30 is configured to send the first response data packet to the terminal over the first network connection and the second response data packet to the terminal over the second network connection, so as to complete the user login.

The login response message is either a login success message or a login failure message. In some feasible implementations, the processing unit c10 is further configured to:

if the login response message is a login failure message, treat the user login as failed, and disconnect the first network connection established with the terminal over the mobile data network and the second network connection established with the terminal over the WLAN, so as to end the user login;

if the login response message is a login success message, treat the user login as successful, and disconnect the first network connection established with the terminal over the mobile data network, so as to complete the user login; or

if the login response message is a login success message, treat the user login as successful, and disconnect the second network connection established with the terminal over the WLAN, so as to complete the user login.

It can be seen that the technical solution provided by this embodiment of the present invention prevents a network attacker from intercepting the user's complete communication message at a network device, thereby enhancing the security of the user's login to the server.

The seventh embodiment of the present invention also provides another server device for implementing the dual-connection secure communication method proposed by the present invention. Referring to FIG. 10, the device d00 includes a processor d10, a memory d20, a bus system d30, a receiver d40 and a transmitter d50. The processor d10, the memory d20, the receiver d40 and the transmitter d50 are connected through the bus system d30; the memory d20 is configured to store instructions, and the processor d10 is configured to execute the instructions stored in the memory d20 so as to control the receiver d40 to receive signals and the transmitter d50 to send signals, thereby performing the steps of the dual-connection secure communication method described above. The receiver d40 and the transmitter d50 may be the same physical entity or different physical entities.

The method steps performed by the device d00 may include at least:

establishing a first network connection with the terminal over the mobile data network and a second network connection with the terminal over the WLAN;

receiving the first request data packet sent by the terminal from the first network connection, receiving the second request data packet sent by the terminal from the second network connection, and merging the first request data packet and the second request data packet to obtain the login request message sent by the terminal;

generating a login response message to be sent to the terminal according to the login request message, splitting the login response message into a first response data packet and a second response data packet, sending the first response data packet to the terminal over the first network connection, and sending the second response data packet to the terminal over the second network connection, so as to complete the user login.

For the concepts, explanations, detailed descriptions and other steps relating to the technical solution provided by the embodiments of the present invention that are involved in the above server device, refer to the descriptions of these matters in the foregoing methods or embodiments; they are not repeated here.

Those of ordinary skill in the art will understand that the various aspects of the present invention, or possible implementations of the various aspects, may be embodied as a system, a method or a computer program product. Furthermore, the various aspects of the present invention, or possible implementations of the various aspects, may take the form of a computer program product, which refers to computer-readable program code stored in a computer-readable medium.

The computer-readable medium may be a computer-readable data medium or a computer-readable storage medium. A computer-readable storage medium includes, but is not limited to, an electronic, magnetic, optical, electromagnetic, infrared or semiconductor system, device or apparatus, or any suitable combination of the foregoing, such as a random access memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, or a portable read-only memory (CD-ROM).

A processor in a computer reads the computer-readable program code stored in the computer-readable medium, so that the processor can perform the functional actions specified in each step of the flowcharts, or in a combination of steps, and produce an apparatus that implements the functional actions specified in each block of the block diagrams, or in a combination of blocks.

The computer-readable program code may execute entirely on the user's computer, partly on the user's computer, as a stand-alone software package, partly on the user's local computer and partly on a remote computer, or entirely on a remote computer or server. It should also be noted that, in some alternative implementations, the functions noted in the steps of the flowcharts or in the blocks of the block diagrams may occur out of the order noted in the figures. For example, depending on the functionality involved, two steps or two blocks shown in succession may in fact be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order.

In the several embodiments provided in this application, it should be understood that the disclosed apparatus may be implemented in other ways. For example, the apparatus embodiments described above are merely illustrative; the division into functional units is only a division by logical function, and other divisions are possible in an actual implementation: for example, several units may be combined in the same subsystem or module, one unit may be split into several units, or some implementation features may be omitted or not executed.

The method, apparatus and device for dual-connection secure communication disclosed in the embodiments of the present invention have been described in detail above. Specific examples have been used herein to explain the principles and embodiments of the invention; the description of the above embodiments serves only to help the reader understand the method of the invention and its core idea. Those of ordinary skill in the art will, following the idea of the invention, find changes in both the specific embodiments and the scope of application. In summary, the content of this specification should not be construed as limiting the invention.

Claims (10)

1. A method for dual-connection secure communication, for use by a terminal device, characterized in that the method comprises:
  after receiving a server login instruction sent by the user, establishing a first network connection with the server over a mobile data network, and establishing a second network connection with the server over a wireless local area network (WLAN);
  generating, according to the server login instruction, a login request message to be sent to the server, splitting the login request message into a first request data packet and a second request data packet, sending the first request data packet to the server on the first network connection, and sending the second request data packet to the server on the second network connection;
  receiving, on the first network connection, a first response data packet sent by the server, receiving, on the second network connection, a second response data packet sent by the server, and merging the first response data packet and the second response data packet into the login response message sent by the server, to complete user login.

2. The method according to claim 1, characterized in that the login response message comprises a login success message or a login failure message; and after the merging of the first response data packet and the second response data packet into the login response message sent by the server, the method further comprises:
  if the login response message sent by the server is a login failure message, user login fails, and the first network connection established with the server over the mobile data network is disconnected and the second network connection established with the server over the WLAN is disconnected, to end user login;
  if the login response message sent by the server is a login success message, user login succeeds, and the first network connection established with the server over the mobile data network is disconnected, to complete user login; or
  if the login response message sent by the server is a login success message, user login succeeds, and the second network connection established with the server over the WLAN is disconnected, to complete user login.

3. The method according to claim 1, characterized in that before the establishing of the first network connection with the server over the mobile data network, the method further comprises:
  initiating network registration in the mobile data network, and if the network registration succeeds, establishing the first network connection with the server over the mobile data network;
  and before the establishing of the second network connection with the server over the WLAN, the method further comprises:
  initiating security authentication in the WLAN, and if the security authentication succeeds, establishing the second network connection with the server over the WLAN; or initiating network registration in the mobile data network, and if the network registration succeeds, establishing the second network connection with the server over the WLAN.

4. A method for dual-connection secure communication, for use by a server, characterized in that it comprises:
  establishing a first network connection with a terminal over a mobile data network, and establishing a second network connection with the terminal over a WLAN;
  receiving, on the first network connection, a first request data packet sent by the terminal, receiving, on the second network connection, a second request data packet sent by the terminal, and merging the first request data packet and the second request data packet to obtain the login request message sent by the terminal;
  generating, according to the login request message, a login response message to be sent to the terminal, splitting the login response message into a first response data packet and a second response data packet, sending the first response data packet to the terminal on the first network connection, and sending the second response data packet to the terminal on the second network connection, to complete user login.

5. The method according to claim 4, characterized in that the login response message comprises a login success message or a login failure message; and after the step of sending the first response data packet and the second response data packet to the terminal, the method further comprises:
  if the login response message is a login failure message, user login fails, and the first network connection established with the terminal over the mobile data network is disconnected and the second network connection established with the terminal over the WLAN is disconnected, to end user login;
  if the login response message is a login success message, user login succeeds, and the first network connection established with the terminal over the mobile data network is disconnected, to complete user login; or
  if the login response message is a login success message, user login succeeds, and the second network connection established with the terminal over the WLAN is disconnected, to complete user login.

6. A terminal device, characterized in that it comprises:
  a receiving unit, configured to receive a server login instruction sent by the user;
  a processing unit, configured to establish a first network connection with the server over a mobile data network, and to establish a second network connection with the server over a WLAN;
  the processing unit being further configured to generate, according to the server login instruction received by the receiving unit, a login request message to be sent to the server, and to split the login request message into a first request data packet and a second request data packet;
  a sending unit, configured to send the first request data packet to the server on the first network connection, and to send the second request data packet to the server on the second network connection;
  the receiving unit being further configured to receive, on the first network connection, a first response data packet sent by the server, and to receive, on the second network connection, a second response data packet sent by the server;
  the processing unit being further configured to merge the first response data packet and the second response data packet received by the receiving unit into the login response message sent by the server, to complete user login.

7. The device according to claim 6, characterized in that the processing unit is further configured to:
  if the login response message sent by the server and received by the receiving unit is a login failure message, treat user login as failed, disconnect the first network connection established with the server over the mobile data network, and disconnect the second network connection established with the server over the WLAN, to end user login;
  if the login response message sent by the server and received by the receiving unit is a login success message, treat user login as successful and disconnect the first network connection established with the server over the mobile data network, to complete user login; or
  if the login response message sent by the server and received by the receiving unit is a login success message, treat user login as successful and disconnect the second network connection established with the server over the WLAN, to complete user login.

8. The device according to claim 6, characterized in that the processing unit is specifically configured to:
  initiate network registration in the mobile data network, and if the network registration succeeds, establish the first network connection with the server over the mobile data network;
  initiate security authentication in the WLAN, and if the security authentication succeeds, establish the second network connection with the server over the WLAN; or initiate network registration in the mobile data network, and if the network registration succeeds, establish the second network connection with the server over the WLAN.

9. A server device, characterized in that it comprises:
  a processing unit, configured to establish a first network connection with a terminal over a mobile data network, and to establish a second network connection with the terminal over a WLAN;
  a receiving unit, configured to receive, on the first network connection, a first request data packet sent by the terminal, and to receive, on the second network connection, a second request data packet sent by the terminal;
  the processing unit being further configured to merge the first request data packet and the second request data packet received by the receiving unit to obtain the login request message sent by the terminal, and to generate, according to the login request message, a login response message to be sent to the terminal and split the login response message into a first response data packet and a second response data packet;
  a sending unit, configured to send the first response data packet to the terminal on the first network connection, and to send the second response data packet to the terminal on the second network connection, to complete user login.

10. The device according to claim 9, characterized in that the login response message comprises a login success message or a login failure message; and the processing unit is further configured to:
  if the login response message is a login failure message, treat user login as failed, disconnect the first network connection established with the terminal over the mobile data network, and disconnect the second network connection established with the terminal over the WLAN, to end user login;
  if the login response message is a login success message, treat user login as successful and disconnect the first network connection established with the terminal over the mobile data network, to complete user login; or
  if the login response message is a login success message, treat user login as successful and disconnect the second network connection established with the terminal over the WLAN, to complete user login.
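The exchange claimed above, simulated end to end as an added example (this is not code from the patent or from the applicant): the terminal splits the login request across the mobile-data and WLAN connections, the server merges it, answers, and splits the answer the same way, and the terminal merges the answer and tears down one connection on success or both on failure. The claims do not say how a message is split or how the two fragments are framed; the byte-halving, the (path, total length) header used to validate the merge, the constructed credential store, the `merge_is_valid` helper and the `keep` parameter are all this example's own assumptions.

```python
"""Simulated dual-connection login exchange (claims 1-5 above).

Added example; it is not code from the patent or from Yulong. The patent does
not say how a message is split or how the two fragments are framed. The
byte-halving, the (path, total_len) header used to validate the merge, the
credential check and the `keep` parameter are this example's own assumptions.
"""
import hmac
from dataclasses import dataclass, field

MOBILE = 0  # first network connection: mobile data network
WLAN = 1    # second network connection: WLAN


@dataclass
class Packet:
    path: int        # connection the packet travels on (MOBILE or WLAN)
    total_len: int   # length of the whole message, so the receiver can check the merge
    payload: bytes


def split_message(msg: bytes) -> tuple[Packet, Packet]:
    """Split one message into two packets, one per connection (claims 1 and 4)."""
    half = len(msg) // 2
    return (Packet(MOBILE, len(msg), msg[:half]),
            Packet(WLAN, len(msg), msg[half:]))


def merge_packets(p_mobile: Packet, p_wlan: Packet) -> bytes:
    """Merge the two packets back into the message (claims 1 and 4).

    The consistency checks are an assumption of this example: a receiver
    should not act on a "merged" message whose halves do not belong together.
    """
    if p_mobile.path != MOBILE or p_wlan.path != WLAN:
        raise ValueError("packet received on the wrong connection")
    if p_mobile.total_len != p_wlan.total_len:
        raise ValueError("packets belong to different messages")
    msg = p_mobile.payload + p_wlan.payload
    if len(msg) != p_mobile.total_len:
        raise ValueError("merged length does not match declared length")
    return msg


def merge_is_valid(p_mobile: Packet, p_wlan: Packet) -> bool:
    """True if the two packets merge cleanly, False if the receiver should drop them."""
    try:
        merge_packets(p_mobile, p_wlan)
        return True
    except ValueError:
        return False


@dataclass
class DualConnection:
    """State of the two connections between terminal and server."""
    mobile_up: bool = True
    wlan_up: bool = True
    log: list = field(default_factory=list)

    def disconnect(self, path: int) -> None:
        if path == MOBILE:
            self.mobile_up = False
            self.log.append("disconnect mobile data connection")
        else:
            self.wlan_up = False
            self.log.append("disconnect WLAN connection")


# Constructed credential store for the simulated server (not from the patent).
VALID_USERS = {b"alice": b"correct horse battery staple"}


def server_handle_login(p_mobile: Packet, p_wlan: Packet) -> tuple[Packet, Packet]:
    """Server side (claim 4): merge the request, decide, split the response."""
    request = merge_packets(p_mobile, p_wlan)
    user, _, password = request.partition(b":")
    stored = VALID_USERS.get(user)
    ok = stored is not None and hmac.compare_digest(stored, password)
    return split_message(b"LOGIN_OK" if ok else b"LOGIN_FAIL")


def terminal_login(conn: DualConnection, user: bytes, password: bytes,
                   keep: int = WLAN) -> bool:
    """Terminal side (claims 1 and 2): split the request over both connections,
    merge the response, then tear down connections as the claims describe.
    `keep` (an assumption of this example) selects which connection survives a
    successful login; the claims allow either choice."""
    req_mobile, req_wlan = split_message(user + b":" + password)
    resp_mobile, resp_wlan = server_handle_login(req_mobile, req_wlan)
    response = merge_packets(resp_mobile, resp_wlan)
    if response == b"LOGIN_OK":
        # Claim 2: success -> drop exactly one of the two connections.
        conn.disconnect(MOBILE if keep == WLAN else WLAN)
        return True
    # Claim 2: failure -> drop both connections.
    conn.disconnect(MOBILE)
    conn.disconnect(WLAN)
    return False


if __name__ == "__main__":
    good = DualConnection()
    print(terminal_login(good, b"alice", b"correct horse battery staple"), good.log)
    bad = DualConnection()
    print(terminal_login(bad, b"alice", b"wrong"), bad.log)
```

Two practical points follow from running it. The split gives an observer on only one of the two paths half of each message; an observer who sees both paths, or who sits where they converge in front of the server, reconstructs the message exactly as the server does, so each connection still needs its own transport protection (TLS or equivalent). The checks in `merge_packets` are also where a receiver rejects a fragment that arrived on the wrong connection or belongs to a different message; without them the receiver would concatenate whatever arrived on the two paths.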
PCT/CN2015/085860 2015-07-22 2015-07-31 Dual-connection security communication method and apparatus Ceased WO2017012142A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201510434054.3 2015-07-22
CN201510434054.3A CN105578463B (en) 2015-07-22 2015-07-22 Method and device for dual connection secure communication

Publications (1)

Publication Number Publication Date
WO2017012142A1 true WO2017012142A1 (en) 2017-01-26

Family

ID=55888020

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2015/085860 Ceased WO2017012142A1 (en) 2015-07-22 2015-07-31 Dual-connection security communication method and apparatus

Country Status (2)

Country Link
CN (1) CN105578463B (en)
WO (1) WO2017012142A1 (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113965630A (en) * 2021-10-25 2022-01-21 深圳市元征科技股份有限公司 UDP connection method, electronic equipment and storage medium

Families Citing this family (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106162568A (en) * 2016-06-06 2016-11-23 深圳市贝美互动科技有限公司 Internet of things equipment and networked deployment method, intelligent terminal and Internet of things system
CN106209833A (en) * 2016-07-08 2016-12-07 汉柏科技有限公司 A kind of method preventing webpage from kidnapping and gateway
CN106779648B (en) * 2016-12-16 2020-10-16 Oppo广东移动通信有限公司 Network data sending method and mobile terminal
CN108811034A (en) 2017-05-05 2018-11-13 中兴通讯股份有限公司 Message transmission method and device
CN110120932B (en) 2018-02-06 2020-10-23 华为技术有限公司 Multipath establishing method and device
CN111107093B (en) * 2019-12-25 2022-07-19 苏州达家迎信息技术有限公司 Application login method, device, terminal and storage medium
CN111432444B (en) * 2020-03-06 2022-04-19 宇龙计算机通信科技(深圳)有限公司 Network connection method, device, storage medium and terminal
CN114125031B (en) * 2022-01-28 2022-06-21 南湖实验室 Broadcast response method and system based on internet regional linkage

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1684410A (en) * 2004-04-13 2005-10-19 株式会社日立制作所 Encrypted backup method and decryption recovery method
CN1852284A (en) * 2006-04-11 2006-10-25 潘国纲 Network parallel data transmission method
EP2273417A2 (en) * 2009-06-23 2011-01-12 Uniloc Usa, Inc. Device authority for authenticating a user of an on-line service
CN103780375A (en) * 2012-10-19 2014-05-07 中国电信股份有限公司 Data transmitting method and device, and data receiving method and device

Family Cites Families (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
SG136120A1 (en) * 2004-01-28 2007-10-29 Univ Singapore Systems and methods for communication
CN1960300A (en) * 2005-11-01 2007-05-09 华为技术有限公司 Method and system of access registration in intercommunicated wireless local area network
CN103493398B (en) * 2011-06-03 2017-05-03 Sk电信有限公司 device and method for simultaneous data transmission service in heterogeneous network
KR101437364B1 (en) * 2011-07-19 2014-09-03 에스케이텔레콤 주식회사 Transmission device and receiving device and operation method thereof
CN102368768B (en) * 2011-10-12 2014-04-02 北京星网锐捷网络技术有限公司 Identification method, equipment and system as well as identification server
CN103501293B (en) * 2013-09-25 2017-06-13 国网重庆市电力公司 The authentication method that trusted end-user is accessed in a kind of intelligent grid
CN104202346A (en) * 2014-09-29 2014-12-10 联想(北京)有限公司 Method for handling network connection request and device thereof

Also Published As

Publication number Publication date
CN105578463A (en) 2016-05-11
CN105578463B (en) 2019-10-11

Similar Documents

Publication Publication Date Title
CN105578463B (en) Method and device for dual connection secure communication
US10412083B2 (en) Dynamically generated SSID
EP3021549B1 (en) Terminal authentication apparatus and method
CN107534651B (en) Method and apparatus for communicating session identifier
EP2815551B1 (en) Peer to peer networking and sharing systems and methods
US11297107B2 (en) Message queuing telemetry transport (MQTT) data transmission method, apparatus, and system
US9319439B2 (en) Secured wireless session initiate framework
CN102843682A (en) Access point authorizing method, device and system
CN107005534A (en) Secure connection is set up
CN104426837A (en) Application specific packet filter method and device of file transfer protocol
JP5068495B2 (en) Distributed authentication function
US11405362B2 (en) Apparatus and method for secure communication over restricted network
CN102104872A (en) Method, device and system for securely accessing WAPI network
CN107113278B (en) Method, device and system for establishing neighbors
CN111586017A (en) Communication user authentication method and device
CN107566418B (en) Security management method and access device
US11178542B1 (en) Method and system for secure device-to-device data communications
CN118802320B (en) Network access methods, devices, electronic equipment, storage media and products
US20250351013A1 (en) System and method for optimized authentication in communication networks
CN120567542A (en) Authentication method and device
CN103108325A (en) Method of information safety transmission and system thereof and access service node
CN114389880A (en) A cross-cloud pool security access method and system combined with the idea of zero trust
CN106162633A (en) A kind of cipher key transmission methods and device
CN105812416A (en) Method and system for transmitting files between different networks
CN101662473A (en) User equipment authentication method, authentication equipment and trunk equipment

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 15898698

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 15898698

Country of ref document: EP

Kind code of ref document: A1