Authentication, authorization and accounting method for voice communication in a wireless packet network
Technical field
The invention belongs to the field of network security technology and is a method of implementing authentication, authorization and accounting for voice communication over a wireless packet network.
Background technology
With the development of broadband wireless access technologies such as Wi-Fi and WiMax, and the maturing of Voice over IP (VoIP) on IP networks, carrier-class voice services over packet networks have become feasible; this necessarily raises the question of how authentication, authorization and accounting services are provided for such voice services (see document [1], "Wi-Fi and WiMax Open Standard for Broadband", www.tropos.com). However, the Internet differs from a telecommunications network: it is not a special-purpose network, different user terminals may belong to different Internet Service Providers (ISPs), and different ISPs cannot be assumed to trust each other fully, so a new mechanism is needed for mutual authentication between user and ISP and between ISP and ISP. Furthermore, for voice communication it is desirable to keep call setup time as short as possible, so the authentication process should be as simple and as fast as possible.
Summary of the invention
The object of the present invention is to provide a method of authentication, authorization and accounting for voice communication in a wireless packet network. By introducing new mechanisms such as downloading authorization information to the base station and signing call records, it effectively reduces call setup time and guarantees the security and fairness of call billing.
The present invention is built on a packet network with wireless access, made up of functional entities such as mobile stations (IP mobile phones, personal digital assistants, notebook computers and so on), base stations, wired access routers and AAA (authentication, authorization and accounting, or "3A") servers. The network is divided into three levels: the wireless access network, the wired core network and the wired backbone network. A mobile station connects to a base station over the air; the base station connects to a wired access router and thereby to the wired core network, which carries voice communication within a metropolitan area; cities are linked to one another by the wired backbone network, which carries voice communication between different cities. Every wired core network has one or more AAA servers, which record and maintain the authorization information of all mobile stations homed in that area. See Fig. 1.
The present invention is a method of implementing authentication, authorization and accounting for voice communication over a wireless packet network. Each mobile station has a public/private key pair bound to the device, and the public key is recorded on the mobile station's home AAA server (below, the AAA server of the area a mobile station is currently in is called the local AAA server, and the AAA server with which it is registered is called its home AAA server). When a mobile station powers on or hands over, it authenticates to its home AAA server: the home AAA server generates a random number, the mobile station encrypts this random number with its private key and returns it to the home AAA server, and the home AAA server decrypts it with the mobile station's public key and compares the result with the random number it generated, thereby establishing the mobile station's identity. If authentication succeeds, the home AAA server downloads the mobile station's authorization information, including its public key and current balance, to the base station currently serving the mobile station. When the mobile station wants to make a call, it must first be authenticated by the base station, using the same authentication method as the AAA server above. At the start and at the end of a call the mobile station must send the base station call record data signed by itself; the signed data comprises the call start time, end time and duration encrypted with the mobile station's private key. The base station verifies the correctness of the signature and passes correctly signed data to the local AAA server, which stores the signature record. For a roaming (non-local) mobile station, the local AAA server is responsible for notifying the mobile station's home AAA server to start or stop charging. The call record carrying the mobile station's signature serves both as the basis for charging the mobile station and as evidence for resolving disputes between different service providers. After the call ends, the mobile station's home AAA server notifies the base station currently serving the mobile station of the mobile station's latest balance.
The present invention is a method of authentication, authorization and accounting for voice communication over a wireless packet network, implemented as follows:
Each mobile station, in addition to a unique device identifier (telephone number) assigned when the device leaves the factory, has a public/private key pair bound to the device. When a mobile station first joins the network it must register the corresponding information with its home AAA server; the registration information includes the mobile station's device identifier, public key and the service types it has subscribed to. The home AAA server also keeps each home mobile station's current balance, current location and call record information. The mobile station's private key is stored inside the mobile station and serves as the basis for authenticating the mobile station; it must be kept secret and must never be disclosed.
When a mobile station powers on from the off state, or hands over from one cell to another, it sends a join request to the base station of the cell it is in. On receiving the request the base station contacts the local AAA server and informs it that a mobile station is requesting to join the network. The local AAA server uses the mobile station's device identifier to determine whether the mobile station is homed locally; if not, the local AAA server forwards the join request to the mobile station's home AAA server. On receiving the join request the home AAA server generates a random number and sends it to the mobile station in an authentication request message. On receiving the authentication request the mobile station encrypts the random number in the message with its own private key and sends the result to its home AAA server in an authentication response message. The home AAA server decrypts the random number contained in the authentication response with the mobile station's public key and compares it with the random number it generated earlier. If the two numbers are identical, the mobile station is authenticated: the home AAA server sends the mobile station's authorization information (the device identifier, public key, subscribed service types, balance and so on) to the base station currently serving the mobile station, at the same time notifies the base station previously serving the mobile station to delete its record of the mobile station, and updates the mobile station's current location record in its database. Once the base station has received the authorization information sent by the mobile station's home AAA server, it notifies the mobile station that it has joined the network successfully. If after decryption the home AAA server finds that the two random numbers differ, authentication fails and the mobile station cannot join the network.
After a mobile station has joined the network it can use the voice services the packet network provides. When a mobile station makes or receives a call request, it must first be authenticated by the base station, by a method similar to the home AAA server's authentication of the mobile station. The base station searches its own database for an authorization record of the calling mobile station. If none is found, the base station reports the corresponding error to the mobile station, and the mobile station must authenticate to its home AAA server again so that its authorization information is downloaded to the current base station. If the base station finds the record, it generates a random number and sends it to the mobile station in an authentication request message. On receiving the authentication request the mobile station encrypts the random number in the message with its own private key and sends the result to the base station in an authentication response message. The base station decrypts the random number in the authentication response with the mobile station's public key and compares it with the random number it generated earlier. If the two numbers are identical, the mobile station is authenticated and call setup proceeds; if they differ, authentication fails, the base station reports the corresponding error to the mobile station, and the mobile station cannot make the call.

When the call begins, the mobile station signs the start time of the call with its private key and sends it to the base station. The base station decrypts the signature and checks whether the start time asserted by the mobile station is accurate. If the start time asserted by the mobile station is identical to the start time recorded by the base station, the signature is accepted and the base station includes the mobile station's signed data in a charging start notification sent to the local AAA server; if the two start times differ, the signature is rejected, and the base station cuts off the call and reports the corresponding error to the mobile station. On receiving the charging start notification from the base station, the local AAA server stores the signature record and then determines from the mobile station's device identifier whether the mobile station is roaming; for a roaming mobile station the local AAA server forwards the charging start notification to the mobile station's home AAA server. On receiving the charging start notification, the mobile station's home AAA server starts charging the mobile station for the call and returns a charging start acknowledgement to the base station currently serving the mobile station.

When the call ends, the mobile station signs the start time, end time and duration of the call with its private key and sends them to the base station. The base station decrypts the signature and checks whether the start time, end time and duration asserted by the mobile station are accurate. If they agree with the times calculated and recorded by the base station, verification passes, charging for the call succeeds, and the base station includes the mobile station's signed data in a charging stop notification sent to the local AAA server. If the call times asserted by the mobile station differ from those recorded by the base station, the signature is rejected and the base station reports the corresponding error to the mobile station; the mobile station must then recompute the times and sign again, otherwise the network will not stop charging. On receiving the charging stop notification from the base station, the local AAA server stores the signature record and then determines from the device identifier whether the mobile station is roaming; for a roaming mobile station the local AAA server forwards the charging stop notification to the mobile station's home AAA server. On receiving the charging stop notification, the mobile station's home AAA server stops charging the mobile station for the call and returns a charging stop acknowledgement to the base station currently serving the mobile station; this message carries the mobile station's latest balance after the call.
A home AAA server uses the stored call records bearing mobile station signatures to bill all mobile stations homed in its area for their calls. A foreign (visited) AAA server likewise uses the signed call records it has stored to settle with the mobile station's home AAA server, and so collects the call charges of roaming mobile stations. Only when the foreign AAA server can produce a call record bearing the mobile station's signature does the home service provider pay the foreign service provider the corresponding charges. The mobile station's signed data therefore prevents a foreign service provider from defrauding the home service provider.
Compared with traditional authentication, authorization and accounting methods on wireless packet networks, the present invention clearly has the following advantages:
1. Authorization information is downloaded to the base station currently serving the mobile station, which effectively reduces the load on the servers in the core network and the call setup time of voice communication.
2. Using the mobile station's digital signature makes the mobile station accountable for its own actions, so that call charges are collected fairly.
3. Signing calls with the mobile station's private key prevents different AAA servers (Internet service providers) from defrauding one another.
Description of drawings
Fig. 1 is a topology diagram of the wireless packet network.
Fig. 2 is the flow chart of authentication when a mobile station powers on or hands over.
Fig. 3 is the flow chart of the authentication, authorization and accounting that a voice call goes through.
Embodiment
In Fig. 2, the specific steps of authentication when a mobile station powers on or hands over are as follows:
Step S2.1: after the mobile station powers on, or when it switches to another cell, it sends a join request to the base station of the cell it is in;
Step S2.2: the base station forwards the mobile station's join request to the local AAA server;
Step S2.3: on receiving the join request, the local AAA server determines whether the mobile station requesting to join is a local mobile station; if so, the local AAA server is the mobile station's home AAA server and the flow proceeds to step S2.5, otherwise to step S2.4;
Step S2.4: the local AAA server forwards the mobile station's join request to the mobile station's home AAA server;
Step S2.5: the home AAA server sends an authentication request message to the mobile station, containing a random number generated by the home AAA server;
Step S2.6: the mobile station receives the authentication request message, encrypts the random number in the message with its own private key, and sends an authentication response message to the home AAA server;
Step S2.7: the home AAA server receives the authentication response message, decrypts the random number in the message with the mobile station's public key, and compares it with the random number the server generated earlier for this session; if the two numbers are identical, the mobile station is authenticated and the flow proceeds to S2.9, otherwise to S2.8;
Step S2.8: the home AAA server notifies the mobile station that authentication failed and it has not joined the network;
Step S2.9: the home AAA server notifies the base station previously serving the mobile station to delete its authorization information record for this mobile station;
Step S2.10: the home AAA server sends the authorization information of the mobile station requesting to join to the base station currently serving the mobile station;
Step S2.11: the base station stores the mobile station's authorization information and notifies the mobile station that it has joined the network successfully.
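The challenge-response of Fig. 2, and its reuse by the base station at call setup (S3.5 to S3.7), as an added example in Go that is not the patent's own code: the home AAA server issues a random number, the mobile station answers with its device-bound private key, the server checks the answer against the registered public key and, on success, the authorization record is installed at the serving base station, which then runs the identical check locally. The patent's "encrypt the random number with the private key" is realised with Ed25519 signatures from Go's standard library (a stand-in, since the patent names no algorithm); the device identifier, balance unit and 32-byte nonce size are constructed, and the single-use nonce and the base-station balance check implement the conditions of S2.7 and S3.7.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// AuthRecord: authorization information kept by the home AAA server and downloaded to the serving base station (S2.10).
type AuthRecord struct {
	DeviceID string
	PubKey   ed25519.PublicKey
	Balance  int // constructed unit, e.g. cents
}

// Verifier runs the nonce challenge-response used by the home AAA server (Fig. 2) and by the base station at call setup (S3.5-S3.7).
type Verifier struct {
	Records map[string]*AuthRecord // home registry, or the base station's cache of downloaded records
	pending map[string][]byte      // one outstanding nonce per device, consumed on use
}

func NewVerifier() *Verifier {
	return &Verifier{Records: map[string]*AuthRecord{}, pending: map[string][]byte{}}
}

// Challenge issues a fresh 32-byte nonce (S2.5 / S3.5); no record at a base station is the S3.4 error.
func (v *Verifier) Challenge(deviceID string) ([]byte, error) {
	if v.Records[deviceID] == nil {
		return nil, errors.New("no authentication information record for " + deviceID)
	}
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	v.pending[deviceID] = nonce
	return nonce, nil
}

// Respond is the mobile station's step (S2.6 / S3.6): the patent's "encrypt the random number with the private key", here an Ed25519 signature over the nonce.
func Respond(priv ed25519.PrivateKey, nonce []byte) []byte {
	return ed25519.Sign(priv, nonce)
}

// Verify is S2.7 / S3.7: the nonce is consumed before checking so a captured response cannot be replayed; at call setup the balance must also be positive.
func (v *Verifier) Verify(deviceID string, resp []byte, callSetup bool) (*AuthRecord, error) {
	nonce, ok := v.pending[deviceID]
	if !ok {
		return nil, errors.New("no outstanding challenge")
	}
	delete(v.pending, deviceID)
	rec := v.Records[deviceID]
	if !ed25519.Verify(rec.PubKey, nonce, resp) || (callSetup && rec.Balance <= 0) {
		return nil, errors.New("authentication failed") // S2.8 / S3.8
	}
	return rec, nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // constructed device-bound key pair
	home, bs := NewVerifier(), NewVerifier()
	home.Records["MS-0001"] = &AuthRecord{DeviceID: "MS-0001", PubKey: pub, Balance: 500}
	nonce, _ := home.Challenge("MS-0001")
	rec, err := home.Verify("MS-0001", Respond(priv, nonce), false) // Fig. 2 at the home AAA server
	fmt.Println("join:", err)
	bs.Records["MS-0001"] = rec        // authorization information download (S2.10 / S2.11)
	nonce, _ = bs.Challenge("MS-0001") // call setup: local check only, no core-network round trip
	_, err = bs.Verify("MS-0001", Respond(priv, nonce), true)
	fmt.Println("call setup:", err)
}
```

Deleting the nonce before verifying is what stops a recorded response from being accepted a second time; it is the check a practitioner adds behind the patent's per-request random number.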
In Fig. 3, the specific steps of the authentication, authorization and accounting that a voice call goes through are as follows:
Step S3.1: the mobile station makes or receives a voice call request and requests voice service from its serving base station;
Step S3.2: the base station searches its database for the record of this mobile station;
Step S3.3: if the base station finds the record, the flow proceeds to S3.5, otherwise to S3.4;
Step S3.4: the base station notifies the mobile station of an error, of type "no authentication information record";
Step S3.5: the base station sends an authentication request message to the mobile station, containing a random number generated by the base station;
Step S3.6: the mobile station receives the authentication request message, encrypts the random number in the message with its own private key, and sends an authentication response message to the base station;
Step S3.7: the base station receives the authentication response message, decrypts the random number in the message with the mobile station's public key, and compares it with the random number the base station generated for this call; if the two numbers are identical and the mobile station's balance is sufficient, the mobile station is authenticated and the flow proceeds to S3.9, otherwise to S3.8;
Step S3.8: the base station notifies the mobile station of an error, of type "authentication failure";
Step S3.9: the base station notifies the mobile station that authentication passed, and call setup continues;
Step S3.10: the voice call begins; the mobile station signs the call start time with its own private key and sends the result to the base station;
Step S3.11: the base station verifies the signature: it decrypts the signature with the mobile station's public key and checks whether the call start time sent by the mobile station is genuine and valid;
Step S3.12: if the mobile station's signature passes the base station's verification, the flow proceeds to S3.14, otherwise to S3.13;
Step S3.13: the base station cuts off the call and notifies the mobile station of an error, of type "mobile station signature invalid";
Step S3.14: the base station notifies the local AAA server to start charging and sends the mobile station's signature to the local AAA server;
Step S3.15: the local AAA server receives the charging start notification from the base station and stores the mobile station's signature record as the future basis for charging the mobile station;
Step S3.16: the local AAA server determines whether the calling mobile station is a roaming mobile station; if so, the flow proceeds to S3.17, otherwise to S3.18;
Step S3.17: the local AAA server notifies the mobile station's home AAA server to start charging for this call and sends the mobile station's signature to the home AAA server; the home AAA server verifies the signature and starts charging for the call;
Step S3.18: the mobile station's home AAA server sends a charging start acknowledgement to the base station currently serving the mobile station;
Step S3.19: after the call ends, the mobile station signs the call's start time, end time, duration and related information with its private key and sends the result to the base station;
Step S3.20: the base station verifies the signature: it decrypts the signature with the mobile station's public key and checks whether the call start time, end time and duration calculated by the mobile station are genuine and valid;
Step S3.21: if the mobile station's signature passes the base station's verification, the flow proceeds to S3.24, otherwise to S3.22;
Step S3.22: the base station notifies the mobile station that signature verification failed;
Step S3.23: the mobile station receives the error notification, recomputes the signature over the call's start time, end time and duration, sends the result to the base station, and the flow returns to S3.20;
Step S3.24: the base station notifies the mobile station that signature verification passed and that charging for this call has succeeded;
Step S3.25: the base station notifies the local AAA server to stop charging and sends the mobile station's signature to the local AAA server;
Step S3.26: the local AAA server receives the charging stop notification from the base station and stores the mobile station's signature record as the future basis for charging the mobile station;
Step S3.27: the local AAA server determines whether the calling mobile station is a roaming mobile station; if so, the flow proceeds to S3.28, otherwise to S3.29;
Step S3.28: the local AAA server notifies the mobile station's home AAA server to stop charging for this call and sends the mobile station's signature to the home AAA server; the home AAA server verifies the signature and stops charging for the call;
Step S3.29: the mobile station's home AAA server sends a charging stop acknowledgement to the base station currently serving the mobile station and informs that base station of the mobile station's current balance.
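The signed call record of steps S3.10 to S3.29, as an added example in Go that is not the patent's own code: the mobile station signs start time, end time and duration, the base station verifies the signature and compares the signed times with its own record (S3.20, sending the station back to re-sign on mismatch), and the home AAA server re-verifies the signature presented by the visited network before charging the balance (S3.28), which is the inter-operator evidence the description relies on. Ed25519 stands in for the patent's private-key signature; the record encoding (Unix seconds with the device identifier appended), the per-second rate and all sample values are constructed.

```go
package main

import (
	"crypto/ed25519"
	"encoding/binary"
	"errors"
	"fmt"
)

// CallRecord is what the mobile station signs: Start at call start (S3.10); Start, End and Duration at call end (S3.19). Unix seconds are a constructed encoding.
type CallRecord struct {
	DeviceID             string
	Start, End, Duration int64
}

// Encode is the byte string that is signed and verified: fixed-width times plus the device identifier, so a record cannot be reused for another station.
func (r CallRecord) Encode() []byte {
	buf := make([]byte, 24)
	binary.BigEndian.PutUint64(buf[0:], uint64(r.Start))
	binary.BigEndian.PutUint64(buf[8:], uint64(r.End))
	binary.BigEndian.PutUint64(buf[16:], uint64(r.Duration))
	return append(buf, r.DeviceID...)
}

// SignedRecord is the billing evidence the base station forwards and the local and home AAA servers archive (S3.15, S3.26).
type SignedRecord struct {
	Rec CallRecord
	Sig []byte
}

// Sign is the mobile station's side of S3.10 / S3.19.
func Sign(priv ed25519.PrivateKey, rec CallRecord) SignedRecord {
	return SignedRecord{Rec: rec, Sig: ed25519.Sign(priv, rec.Encode())}
}

// CheckSignature is run by every holder of the station's public key: the base station (S3.11, S3.20) and later the home AAA server (S3.17, S3.28).
func CheckSignature(pub ed25519.PublicKey, sr SignedRecord) bool {
	return ed25519.Verify(pub, sr.Rec.Encode(), sr.Sig)
}

// BaseStationCheck is S3.20: the signature must verify and the signed times must equal the
// base station's own record and be self-consistent, otherwise the station re-signs (S3.22/S3.23).
func BaseStationCheck(pub ed25519.PublicKey, sr SignedRecord, observed CallRecord) error {
	if !CheckSignature(pub, sr) {
		return errors.New("signature invalid")
	}
	if sr.Rec != observed || sr.Rec.Duration != sr.Rec.End-sr.Rec.Start {
		return errors.New("signed times inconsistent or different from the base station's record")
	}
	return nil
}

// Settle is the home AAA server's side of S3.28: only a record the station itself signed is accepted from the visited network, then the duration is charged.
func Settle(pub ed25519.PublicKey, sr SignedRecord, balance, ratePerSecond int) (int, error) {
	if !CheckSignature(pub, sr) {
		return balance, errors.New("call record not signed by the mobile station; rejected")
	}
	return balance - int(sr.Rec.Duration)*ratePerSecond, nil
}

func main() {
	priv := ed25519.NewKeyFromSeed([]byte("constructed-32-byte-seed-0123456")) // demo key only
	pub := priv.Public().(ed25519.PublicKey)
	rec := CallRecord{DeviceID: "MS-0001", Start: 1700000000, End: 1700000090, Duration: 90}
	sr := Sign(priv, rec)
	fmt.Println("base station check:", BaseStationCheck(pub, sr, rec))
	sr.Rec.Duration = 900 // a visited operator inflating the bill cannot re-sign the record
	fmt.Println(Settle(pub, sr, 500, 1))
}
```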