CN101053239A - Improvement relative to safety communication - Google Patents


Info

Publication number
CN101053239A
CN101053239A
Authority
CN
China
Prior art keywords
server
communication
computer
point
network
Legal status
Pending
Application number
CNA2005800250716A
Other languages
Chinese (zh)
Inventor
杰弗里·莫里斯
埃里克·富特
罗伯特·巴尔
拉纳尔德·沃伯顿
Current Assignee
ARMST SAFETY COMMUNICATION Ltd
Original Assignee
ARMST SAFETY COMMUNICATION Ltd

Classifications

All classifications fall under H04L (Electricity; Electric communication technique; Transmission of digital information, e.g. telegraphic communication):

    • H04L67/104 Peer-to-peer [P2P] networks (under H04L67/00 Network arrangements or protocols for supporting network services or applications; H04L67/01 Protocols; H04L67/10 Protocols in which an application is distributed across nodes in the network)
    • H04L61/2575 NAT traversal using address mapping retrieval, e.g. simple traversal of user datagram protocol through session traversal utilities for NAT [STUN] (under H04L61/00 Network arrangements, protocols or services for addressing or naming; H04L61/09 Mapping addresses; H04L61/25 Mapping addresses of the same type; H04L61/2503 Translation of Internet protocol [IP] addresses; H04L61/256 NAT traversal)
    • H04L61/4541 Directories for service discovery (under H04L61/45 Network directories; Name-to-address mapping)
    • H04L61/4552 Lookup mechanisms between a plurality of directories; Synchronisation of directories, e.g. metadirectories (under H04L61/45 Network directories; Name-to-address mapping)
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload (under H04L63/00 Network architectures or network communication protocols for network security; H04L63/04)
    • H04L63/061 Network architectures or network communication protocols for network security for supporting key management in a packet data network for key exchange, e.g. in peer-to-peer networks (under H04L63/06)
    • H04L63/0807 Network architectures or network communication protocols for network security for authentication of entities using tickets, e.g. Kerberos (under H04L63/08)
    • H04L67/142 Managing session states for stateless protocols; Signalling session states; State transitions; Keeping-state mechanisms (under H04L67/14 Session management)
    • H04L67/30 Profiles (under H04L67/2866 Architectures; Arrangements)
    • H04L67/56 Provisioning of proxy services (under H04L67/50 Network services)
    • H04L67/14 Session management
    • H04L67/54 Presence management, e.g. monitoring or registration for receipt of user log-on information, or the connection status of the users (under H04L67/50 Network services)

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Computer And Data Communications (AREA)
  • Information Transfer Between Computers (AREA)

Abstract

A method of carrying out a secure peer-to-peer data communication, such as an e-mail communication, between a first remote party computer and a second remote party computer over a data communications medium is described. The method comprises: receiving the address details and current status of a connection to the data communications medium of each remote party computer; creating the data communication at the first remote party computer; checking the current connection status of the second remote party computer; and sending the data communication from the first remote party computer directly to the second remote party computer without any storage of the data communication en route, only when the connection status of the second remote party computer indicates that it is currently connected to the data communication medium.

Description

Improvements relating to secure communication
Technical field
The present invention relates to improvements relating to secure communication and, in particular but not exclusively, to improvements relating to secure peer-to-peer e-mail, data communication and Voice over IP (VoIP). The invention further relates to a method of supporting direct peer-to-peer communication even where a Network Address Translator (NAT) has been deployed to protect a communication network and to extend the range of IP addresses it can allocate. The scope of the invention also extends to the higher level of security that such a communication system achieves, and to networks that use such a communication system.
Background
Where indirect communication has to be used, several techniques are available for carrying messages over a communication network. This form of message transmission has problems of its own, however: the practice of storing copies of the message is itself insecure, since it gives a hacker the opportunity to read those copies. Some of these problems can be solved by using peer-to-peer communication (as described in WO 03/014955A1). The main problem is that, in the solutions designed and used so far, establishing such a communication is very complicated. The solution introduced in that prior-art document is itself insecure and cumbersome, because a central server is still needed to help bring the communication about. This makes the whole process lengthy and creates opportunities for security to be abused.
It is known that encryption can strengthen the security of e-mail that has to be stored in the course of its transmission. No encryption technique is perfectly secure, however, and in the face of ever-changing hacking techniques these encryption techniques do not by themselves provide a viable option.
A NAT allows many computers that share the same address space to communicate through a common device (for example an Internet connection). All such devices share a shortcoming that affects peer-to-peer communication: unless the NAT is given a complicated configuration, peer-to-peer communication cannot operate normally, and that configuration procedure is usually beyond the ability of an ordinary PC user. The problems that NAT causes for peer-to-peer communication are described in US patent application US 2004/0064584 A1.
Summary of the invention
There is therefore a need to improve on the systems described above and, in particular, a need for a more secure system. At the same time there is a need for a simple system that is easy for the user to manage and use. Specifically, a communication system is needed that achieves peer-to-peer communication without requiring the user to log on to a central server, and without storing messages on intermediate nodes during the peer-to-peer communication, even temporarily. What is needed, therefore, is ideally a "pure" peer-to-peer communication system.
One aspect of the present invention is based on the view that the most secure peer-to-peer communication, for example e-mail communication, is one in which no message is stored under insecure conditions (that is, anywhere along the communication path other than the source and the destination). The chance of a hacker reading the e-mail during transmission then becomes very small. By encrypting the e-mail for transmission (for example using a public key infrastructure, PKI), the risk of intrusion during transmission can be reduced to a minimum.
Specifically, according to a first aspect of the invention, there is provided a method of carrying out a secure peer-to-peer data communication, such as an e-mail communication, between a first remote computer and a second remote computer over a data communications medium, the method comprising: receiving the address details of each remote computer together with the current status of each remote computer's connection to the data communications medium; creating the data communication at the first remote computer; checking the current connection status of the second remote computer; and sending the data communication directly from the first remote computer to the second remote computer, without any storage of the data communication en route, only when the connection status of the second remote computer shows that it is currently connected to the data communications medium.
It should be understood that the term "storage" as used here can be taken to mean storage of the entire message. Storage of that kind gives an unauthorised third party an opportunity to obtain an illegal copy of the entire message. Communication protocols often involve temporarily storing parts of a message (for example when it is split into a number of packets). The first aspect of the invention permits temporary storage of parts of the message, because such partial storage cannot give a third party a complete copy of the transmitted message.
The invention therefore offers an important improvement over the prior art, in that the whole data message is never stored insecurely anywhere along the path from source to destination. Furthermore, even when the destination is not online, the message is always held securely and temporarily at the source end until a peer-to-peer channel to the destination has been established, so that the data message never needs to be stored insecurely along the path.
The invention is realised by a system comprising a central database that stores user names and their IP addresses. This central database is not used in the actual peer-to-peer communication itself, however; it is used to update the communication software at the sending end. A user registers with the central database and is assigned a specific IP address corresponding to the user's name. The registered user then downloads a personal communication server and installs it on the user's computer for peer-to-peer communication. Whenever use of that personal communication terminal shows that the registered user has come online, the central database is notified and changes the user's status from offline to online. By a push mechanism this change of status is also sent to every other user, so that any currently online user who needs to communicate peer-to-peer with the user who has just connected knows that both parties can now securely complete the sending and receiving of the communication.
In addition, the system described above also downloads onto the client personal computer the software components that control the message propagation function. These are described in detail only in an e-mail message transmission embodiment below, in which an e-mail server and a local e-mail client such as Microsoft Outlook (TM) handle the ordinary sending and receiving of all data messages without the user having to access any central server or interact with any other user. In other words, the client personal computer controls the required peer-to-peer communication, and from the user's point of view the process is very simple.
Further advantages of the invention, especially as regards e-mail message transmission, include the ability to stop spam. Because all e-mail addresses are checked by the central database, any source of spam e-mail is blocked immediately. Moreover, unlike existing e-mail addresses, the recipient's address is not visible in the present invention.
Furthermore, VoIP can also be realised relatively easily in the present invention, because users can learn immediately which users are available for a telephone conversation: whenever a user comes online, the user's status information is sent to those users who wish to converse with that user. Because VoIP connections are made over the Internet they are free, so for both long-distance and local calls the user pays nothing beyond the standard Internet connection charge.
The invention therefore allows users to send and receive confidential business and personal information that remains entirely private. At the same time, if used alongside existing e-mail, the invention can also provide a backup system for an existing e-mail server, so that service continues during system failures, disasters, and physical or network attacks.
It is an object of the invention that third parties such as ISPs are unable to collect personal information about the sender and the sender's business from received e-mail in order to send advertising or carry out other operations. In addition, the invention requires neither additional expensive equipment such as e-mail servers nor extra technical support expense, all of which reduces cost significantly.
As will be emphasised below, the invention can pass through firewalls without any extra configuration. The invention can be seamlessly combined with existing e-mail clients such as Microsoft Outlook (TM) and Novell GroupWise (TM).
When the IP address is the real IP address of the receiving end, IP-address-based peer-to-peer communication is easy to achieve. When a NAT is in use, however, peer-to-peer communication becomes more difficult, because the sending end cannot uniquely identify the receiving end and because of the security functions, such as a firewall, that the NAT may have. Another aspect of the invention is designed to solve this particular problem (and is described later).
Another aspect of the invention provides a communication server for carrying out a secure peer-to-peer data communication over a data communication network between a first remote computer, which comprises this server, and a second remote computer, the server comprising: receiving means for receiving the address details of each remote computer and the current status of each remote computer's connection to the data communication network; a message generating module for creating the data communication at the first remote computer; a checking module for checking the current connection status of the second remote computer; and a transmission module for sending the data communication directly from the first remote computer to the second remote computer, without any storage of the whole data communication en route, only when the connection status of the second remote computer shows that it is connected to the data communication network.
The invention also extends to a communication system comprising: a plurality of the communication servers described above; and a data server connectable to the plurality of communication servers over the data communication network, for receiving, comparing and storing the current status of each communication server's connection to the communication network and the current network address of each communication server, and for sending at least part of this information to the plurality of communication servers so that they can communicate peer-to-peer with one another.
According to a second aspect of the invention there is provided a communication server for helping to establish a secure peer-to-peer data communication, such as an e-mail communication, between first and second user computers over a data communication network, the server being located at a specific hierarchical level of a server network comprising a plurality of communication servers, the server comprising: connection means for enabling the communication server to connect to other communication servers at other hierarchical levels of the server network; registration means for registering a plurality of local user computers with the communication server; and data storage means for storing the registration details of each registered local user computer, the registration details comprising the address information of each local user computer and the current status of each local user computer's connection to the data communication network; wherein the connection means is arranged to send the stored registration details to the immediately adjacent communication server at the next higher level of the server network, and to receive and store the registration details of all local user computers of the communication servers connected at lower hierarchical levels of the hierarchical network.
The benefit of using a hierarchical network of transmission servers is very clear: it makes the operation of the messaging network more efficient. In particular, when the communication network is under heavy demand because of high-volume, heavy-load message transmission, adopting a hierarchy in the communication medium allows a large proportion of the traffic to be handled locally, avoiding unnecessary load on the communication system as a whole. VoIP traffic imposes a very heavy load and tends to use up much of the available bandwidth. A hierarchy with distributed recording of address details helps confine the control of a data flow to a specific part of the communication network, so that the performance of other parts of the network is not affected. The effect of this approach on performance is most obvious for VoIP communication, because most VoIP calls take place between a source and a destination within the same local geographic area.
The second aspect of the invention extends to a method of establishing a secure peer-to-peer data communication, such as an e-mail communication, between first and second user computers over a data communication network, the method being carried out by a communication server located at a specific hierarchical level of a server network comprising a plurality of communication servers, and comprising: establishing network connections to communication servers at other hierarchical levels of the server network; registering a plurality of local user computers with this communication server; and storing the registration details of each registered local user computer, the registration details comprising the address information of each local user computer and the current status of each local user computer's connection to the data communication network; wherein the establishing step comprises sending the stored registration details to the immediately adjacent communication server at the next higher level of the server network, and receiving and storing the registration details of all local user computers of the communication servers connected at lower hierarchical levels of the hierarchical network.
According to a third aspect of the invention there is provided a method of searching for the target recipient computer of a peer-to-peer communication, to help establish a secure peer-to-peer data communication, such as an e-mail communication, between a sender computer and the target recipient computer over a data communication network, the method being carried out in a hierarchical network of communication servers and comprising: sending a data communication request to a home server, the request comprising the identity of the target recipient computer and the identity of the sender computer; determining whether the target recipient computer is known to the home server; if the target recipient computer is known to the home server, retrieving the stored details of the target recipient computer and sending them back to the sender computer; if the target recipient computer is unknown to the home server, forwarding the request to the adjacent communication server at the next higher level of the server network, which then becomes the home server; and repeating the determining, retrieving and forwarding steps until the target recipient computer is found or the server at the highest level of the hierarchical network has been checked.
The advantage of using a hierarchical communication network in this way is that finding the destination address is faster than in the prior art. The reason is that the method first checks the addresses in the same local geographic area as the source, then progressively checks addresses further and further away at higher and higher positions in the hierarchical network, until the address is found or the top of the hierarchy is reached. Likewise, because most communications are in fact sent to local destinations, this approach is faster and reduces the potential administrative burden on the communication server network.
The third aspect of the invention also extends to a method of establishing a secure peer-to-peer data communication, such as an e-mail communication, between a sender computer and a target recipient computer over a data communication network, the establishing method being carried out in a hierarchical server network comprising a plurality of communication servers and comprising: the method of searching for the target recipient computer described above; sending the current global communication address of the target recipient computer to the sender computer; sending the current global communication address of the sender computer to the target recipient computer; and using both parties' global communication addresses to establish a peer-to-peer communication channel between the sender computer and the target recipient computer.
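The search and address exchange of the second and third aspects, as an added in-memory model that is not code from the patent: each server stores its own local registrations plus those pushed up from lower levels, a lookup climbs one level per miss until the top is checked, and on success each side receives the other's global address. Server names, user ids and addresses are constructed for the illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Registration:
    """Registration details a communication server stores for one user computer."""
    user_id: str
    address: str        # current global communication address (constructed sample)
    online: bool


@dataclass
class CommServer:
    """A communication server at one hierarchical level of the server network."""
    name: str
    parent: Optional["CommServer"] = None
    # Details this server knows: its own local users plus everything propagated
    # up from the servers connected below it (second aspect).
    known: Dict[str, Registration] = field(default_factory=dict)

    def register_local(self, reg: Registration) -> None:
        """Register a local user computer and push its details to the next level up."""
        self.known[reg.user_id] = reg
        if self.parent is not None:
            self.parent.receive_from_lower(reg)

    def receive_from_lower(self, reg: Registration) -> None:
        """Store details received from a lower-level server and keep propagating."""
        self.known[reg.user_id] = reg
        if self.parent is not None:
            self.parent.receive_from_lower(reg)


def find_target(home: CommServer, request: Dict[str, str]
                ) -> Tuple[Optional[Registration], List[str]]:
    """Third-aspect search. The request carries the sender's and the target's ids.

    Ask the home server first; on a miss the adjacent server one level up becomes
    the home server; stop when the target is found or the top server was checked.
    Returns the registration (or None) and the servers consulted, in order.
    """
    consulted: List[str] = []
    server: Optional[CommServer] = home
    while server is not None:
        consulted.append(server.name)
        reg = server.known.get(request["target"])
        if reg is not None:
            return reg, consulted
        server = server.parent
    return None, consulted


def establish_channel(home: CommServer, sender: Registration, target_id: str
                      ) -> Optional[Dict[str, str]]:
    """Search for the target, then hand each side the other's global address.

    Returns what each party learns, or None when the target is unknown or offline
    (an offline target cannot accept a direct peer-to-peer channel).
    """
    target, _ = find_target(home, {"sender": sender.user_id, "target": target_id})
    if target is None or not target.online:
        return None
    return {"sender_learns": target.address, "target_learns": sender.address}


def build_network() -> Dict[str, CommServer]:
    """Three-level tree with constructed names: local servers under regional
    servers under one top-level server, plus a few registered users."""
    top = CommServer("top")
    eu = CommServer("eu", parent=top)
    us = CommServer("us", parent=top)
    london = CommServer("london", parent=eu)
    paris = CommServer("paris", parent=eu)
    nyc = CommServer("nyc", parent=us)
    london.register_local(Registration("alice", "198.51.100.10:7000", True))
    paris.register_local(Registration("bob", "198.51.100.20:7000", True))
    nyc.register_local(Registration("carol", "203.0.113.5:7000", False))
    return {s.name: s for s in (top, eu, us, london, paris, nyc)}
```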
According to a fourth aspect of the invention there is provided a transmission server for establishing a peer-to-peer data communication, such as an e-mail communication, between first and second user computers, the transmission server comprising: receiving means for receiving from the first user computer a connection request asking to connect to the second user computer, the second user computer being registered with the transmission server; checking means for checking the current status of the second user computer's connection; data storage means for storing the details of the request as a watch when the current connection status of the second user computer shows that peer-to-peer communication cannot currently be established with it; and responding means, responsive to the checking means, for sending a message to the first user computer indicating that the second user computer has come online when the status of the second user computer changes to show that peer-to-peer communication can now be established with it; wherein the checking means regularly checks and updates the current connection status information of the second user computer and, if the updated status shows that the second user has become online, checks whether a corresponding watch exists and, if so, triggers the responding means to send the message.
A transmission server according to the fourth aspect has a mechanism that monitors the target recipient's connection status without consuming the message sender's resources. The mechanism nevertheless monitors the target recipient's connection status effectively and notifies the message sender when a change in that status makes peer-to-peer communication possible. This approach also supports the transmission of data messages without storing the data message in a potentially insecure location while it is in transit.
The fourth aspect of the invention can also be realised by a method of helping to establish a peer-to-peer data communication, such as an e-mail communication, between first and second user computers, the method comprising: receiving from the first user computer a connection request asking to connect to the locally registered second user computer; checking the current status of the second user computer's connection; storing the details of the request as a watch when the current connection status of the second user computer shows that peer-to-peer communication cannot currently be established with it; and, if the checking step finds that the status of the second user computer has changed to show that peer-to-peer communication can now be established with it, sending a message to the first user computer indicating that the second user computer has come online; wherein the checking step comprises regularly checking and updating the current connection status of the second user computer and, if the updated status shows that the second user has become online, checking whether a corresponding watch exists and, if so, triggering the sending of the message.
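The first aspect's send-only-when-connected rule and the fourth aspect's watch mechanism, as one added in-memory model that is not code from the patent: the transmission server keeps only addresses, connection status and watches (it has no message store), a message whose recipient is offline stays in the sender's own outbox, and the status update that brings the recipient online fires the watch so the sender delivers directly. User names, addresses and the message body are constructed.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Message:
    sender: str
    recipient: str
    body: str


class TransmissionServer:
    """Holds each user's address, connection status and pending watches.
    It has no message store: a Message object never enters this class."""

    def __init__(self) -> None:
        self.online: Dict[str, bool] = {}
        self.address: Dict[str, str] = {}
        self.watches: Dict[str, List[str]] = {}   # recipient -> senders waiting on it

    def register(self, user: str, address: str) -> None:
        self.address[user] = address
        self.online[user] = False

    def request_connection(self, sender: str, recipient: str) -> Optional[str]:
        """Return the recipient's address if connected; otherwise store the request
        as a watch and return None so the sender keeps the message itself."""
        if recipient not in self.address:
            raise KeyError(f"{recipient} is not registered on this server")
        if self.online[recipient]:
            return self.address[recipient]
        waiting = self.watches.setdefault(recipient, [])
        if sender not in waiting:
            waiting.append(sender)
        return None

    def update_status(self, user: str, online: bool) -> List[Tuple[str, str]]:
        """Regular status check/update. On an offline-to-online transition fire every
        watch on that user; returns the (sender, recipient) notifications sent."""
        was_online = self.online.get(user, False)
        self.online[user] = online
        if not online or was_online:
            return []
        return [(sender, user) for sender in self.watches.pop(user, [])]


class PeerClient:
    """Source or destination end. Unsent messages live only in the sender's outbox."""

    def __init__(self, name: str, address: str, server: TransmissionServer,
                 peers: Dict[str, "PeerClient"]) -> None:
        self.name, self.address, self.server = name, address, server
        self.peers = peers                 # address -> client; stands in for the network
        self.outbox: List[Message] = []    # held at the source until the peer connects
        self.inbox: List[Message] = []
        peers[address] = self
        server.register(name, address)

    def send(self, recipient: str, body: str) -> bool:
        """Deliver directly when the recipient is online, else hold locally."""
        msg = Message(self.name, recipient, body)
        addr = self.server.request_connection(self.name, recipient)
        if addr is None:
            self.outbox.append(msg)
            return False
        self.peers[addr].inbox.append(msg)   # direct delivery; no copy en route
        return True

    def on_peer_online(self, recipient: str) -> int:
        """Act on the server's watch notification: flush messages held for that peer."""
        held = [m for m in self.outbox if m.recipient == recipient]
        self.outbox = [m for m in self.outbox if m.recipient != recipient]
        for m in held:
            self.send(recipient, m.body)
        return len(held)


def run_scenario() -> Dict[str, object]:
    """Alice writes to Bob while he is offline; Bob connects later."""
    server = TransmissionServer()
    peers: Dict[str, PeerClient] = {}
    alice = PeerClient("alice", "198.51.100.10:7000", server, peers)
    bob = PeerClient("bob", "198.51.100.20:7000", server, peers)
    server.update_status("alice", True)
    sent_now = alice.send("bob", "quarterly figures")   # Bob offline: held at source
    held_before = len(alice.outbox)
    fired = server.update_status("bob", True)           # Bob connects: watch fires
    for sender, recipient in fired:
        peers[server.address[sender]].on_peer_online(recipient)
    return {"sent_immediately": sent_now, "held_at_source": held_before,
            "watch_fired": fired, "bob_inbox": [m.body for m in bob.inbox],
            "alice_outbox": len(alice.outbox), "watches_left": dict(server.watches)}
```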
A fifth aspect of the present invention can solve the problem of relevant NAT and fire compartment wall, with the support point point to-point communication.This principle on the one hand of the present invention is based on the mapping function of NAT and can determines by sending a series of communications (investigation), thereby know target recipient's performance, comprise the true local address of determining described recipient, although this address is normally sightless for the NAT that is positioned at far-end communication one side.In these fact-finding process, will use the Control on Communication passage, what is more important, described target recipient with its local address as data encapsulation in message, send by NAT, so just deducibility goes out the transfer function of NAT.Other fact-finding process comprises investigation result is mail to potential target recipient.
The benefit of determining the mapping function of NAT effectively is, can send the communication that suitable addressing communication (addressed communication) is marked with particular address to NAT afterwards, by NAT it is mapped to a receiving position of wanting then.In this course, NAT does not know that its mapping function is determined, so just can support direct point-to-point communication.
Another way of handling NAT and firewalls is to use an established TCP/IP link to a transport server to create a UDP communication port, and to support peer-to-peer communication through it. Specifically, according to the fifth aspect of the invention there is provided a method of establishing a secure peer-to-peer data communication channel, such as an e-mail channel, between first and second user computers over a data communication network, where the traffic of at least the first user computer passes through a first network address translator (NAT). The method comprises: receiving, over an already established TCP/IP communication link between the first user computer and the transport server that passes through the first NAT, a request for a direct connection; opening a first User Datagram Protocol (UDP) port on the transport server; reporting the address of the first UDP port to the first user computer over the TCP/IP link; opening a second UDP port on the first user computer; sending a packet from the second UDP port through the first NAT to the first UDP port, so that the transport server can determine the first-NAT address of the second UDP port; obtaining from the transport server the third UDP port address of the second user computer; and notifying each of the first and second user computers of the other's UDP port address, so that they can establish secure peer-to-peer communication with each other.
Traversing the NAT is essential when attempting to set up peer-to-peer communication. The fifth aspect provides a simple, practical method of traversing the NAT while peer-to-peer communication is being established, even when one of the NATs is asymmetric.
The fifth aspect also extends to a transport server for helping to establish a secure peer-to-peer data communication channel, such as an e-mail channel, between first and second user computers over a data communication network, where the traffic of at least the first user computer is handled by a first NAT. The transport server comprises: a request receiving device for receiving, over an established TCP/IP communication link between the first user computer (through the first NAT) and the transport server, a request for a direct connection; a setting device for opening a first UDP port on the transport server; a reporting device for reporting the address of the first UDP port to the first user computer over the TCP/IP link; a packet receiving device for receiving the packet sent through the first NAT from a second UDP port opened on the first user computer to the first UDP port, from which the transport server determines the first-NAT address of the second UDP port; an obtaining device for obtaining from the transport server the third UDP port address of the second user computer; and a notifying device for notifying each of the first and second user computers of the other's UDP port address, so that they establish secure peer-to-peer communication with each other.
Complications arise in NAT traversal when the firewall policy is very strict or when both sides use asymmetric NAT; a direct peer-to-peer connection is then not so easily achieved. In that case the asymmetric NATs can be traversed by establishing a "pseudo" peer-to-peer communication. Specifically, according to a sixth aspect of the invention there is provided a method of establishing a secure pseudo peer-to-peer data communication channel, such as an e-mail channel, between first and second user computers over a data communication network, where the traffic of the two user computers is handled by first and second asymmetric network address translators (NATs) respectively. The method comprises: creating, through the respective first and second asymmetric NATs, a transmission control protocol/internet protocol (TCP/IP) communication link from each user computer to the transport server; in response to a direct connection request received over the TCP/IP link between the first user computer (through the first NAT) and the transport server, opening first and second User Datagram Protocol (UDP) ports on the transport server; reporting the addresses of the first and second UDP ports to the first and second user computers respectively, each over its own TCP/IP link; opening a third UDP port on the first user computer and a fourth UDP port on the second user computer; sending a packet from the third UDP port through the first NAT to the first UDP port, and a packet from the fourth UDP port through the second NAT to the second UDP port, so that the transport server can determine the first-NAT address of the third UDP port and the second-NAT address of the fourth UDP port; and re-sending packets received at the first UDP port, from the second UDP port, to the second-NAT address of the fourth UDP port, and packets received at the second UDP port, from the first UDP port, to the first-NAT address of the third UDP port, so that packets are effectively relayed by the transport server and a pseudo peer-to-peer communication is established between the first and second user computers.
As described above, this pseudo peer-to-peer communication is realised by relaying messages through the local transport server of the invention, which acts as a trusted intermediary. This reduces the problem caused by the sender being unknown to the far side: to the local asymmetric NAT the local transport server is always a known party, so even the strictest firewall rules cannot block this indirect pseudo peer-to-peer communication. Moreover, as long as the forwarding of packets is carried out by the transport server acting as the trusted third party, and the packets are subjected only to minimal analysis and are not stored, the security impact of this indirect channel can be kept to a minimum.
Where a firewall applies unreasonably strict rules, the invention can establish genuine peer-to-peer communication in one direction and forward through the local transport server in the other. This variant is worthwhile because it reduces the security exposure. It is advantageous, for example, for e-mail: the e-mail is sent directly and the acknowledgement is returned through the relay.
The sixth aspect also extends to a transport server for helping to establish a secure pseudo peer-to-peer data communication channel, such as an e-mail channel, between first and second user computers over a data communication network, where the traffic of the two user computers is handled by first and second asymmetric NATs respectively. The transport server comprises: a creating device for creating, through the first and second asymmetric NATs respectively, a TCP/IP communication link from each user computer to the transport server; a setting device for opening first and second UDP ports on the transport server in response to a direct connection request received over the TCP/IP link between the first user computer (through the first NAT) and the transport server; a reporting device for reporting the addresses of the first and second UDP ports to the first and second user computers over their respective TCP/IP links; a receiving device for receiving the packet sent through the first NAT from a third UDP port on the first computer to the first UDP port, and the packet sent through the second NAT from a fourth UDP port on the second user computer to the second UDP port, from which the transport server determines the first-NAT address of the third UDP port and the second-NAT address of the fourth UDP port; and a forwarding device for re-sending packets received at the first UDP port, from the second UDP port, to the second-NAT address of the fourth UDP port, and packets received at the second UDP port, from the first UDP port, to the first-NAT address of the third UDP port, so that packets are effectively relayed by the transport server and pseudo peer-to-peer communication is established between the first and second user computers.
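The probing procedure of the fifth aspect and the relay fallback of the sixth aspect can be exercised offline with a small simulation. The following is an added example and not code from the patent or its assignee; the IP addresses, port ranges and NAT behaviours are constructed for the demo, and the class and method names are this example's own. What the text calls an asymmetric NAT is modelled here as the type that STUN (RFC 3489) calls symmetric: a fresh external port per destination, inbound traffic accepted only from that destination. The simulation also reproduces the mixed case of the preceding paragraph, where one direction is direct and the other is relayed.

```python
"""Added example, not code from the patent: a simulation of the UDP probing
through a transport server described in the fifth aspect, and of the relay
fallback ('pseudo' peer-to-peer) of the sixth aspect. IP addresses, port
ranges and the toy NAT behaviours are constructed for the demo."""
import itertools
from dataclasses import dataclass
from typing import Optional

Addr = tuple  # (ip, port)


class NAT:
    """'cone': one external port per internal socket, reused for every
    destination, and any source may reach it once it exists.
    'symmetric' (the page's 'asymmetric NAT'): a fresh external port per
    (internal socket, destination), accepting packets only from that
    destination."""
    def __init__(self, public_ip: str, kind: str):
        self.public_ip, self.kind = public_ip, kind
        self._ports = itertools.count(40000)
        self.table: dict[tuple, int] = {}      # (internal, dest) -> ext port

    def outbound(self, internal: Addr, dest: Addr) -> Addr:
        key = (internal, None) if self.kind == "cone" else (internal, dest)
        if key not in self.table:
            self.table[key] = next(self._ports)
        return (self.public_ip, self.table[key])

    def inbound_allowed(self, ext_port: int, src: Addr) -> bool:
        return any(port == ext_port and dest in (None, src)
                   for (_, dest), port in self.table.items())


@dataclass
class Client:
    name: str
    local: Addr                          # UDP socket on the user's own PC
    nat: Optional[NAT]                   # None: the PC has a public address
    reflexive: Optional[Addr] = None     # address the server saw
    server_port: Optional[Addr] = None   # server UDP port this client probed

    def egress(self, dest: Addr) -> Addr:
        return self.local if self.nat is None else self.nat.outbound(self.local, dest)

    def accepts(self, port: int, src: Addr) -> bool:
        return True if self.nat is None else self.nat.inbound_allowed(port, src)


class TransportServer:
    def __init__(self, ip: str):
        self.ip, self._udp = ip, itertools.count(5000)

    def probe(self, client: Client) -> bool:
        """Fifth aspect: open a UDP port, report it to the client over its
        TCP link, and record the source address on the UDP packet the client
        sends back. The packet carries the client's own local address, so
        comparing the two reveals whether a NAT rewrote it."""
        client.server_port = (self.ip, next(self._udp))
        client.reflexive = client.egress(client.server_port)
        return client.reflexive != client.local

    def can_relay_to(self, client: Client) -> bool:
        """The server's own packets come from the port the client probed, so
        they pass even a symmetric NAT: this is why the relay always works."""
        return client.accepts(client.reflexive[1], client.server_port)

    def establish(self, a: Client, b: Client) -> dict:
        """Give each side the other's reflexive address and test, per
        direction, whether a packet sent to it passes the far NAT; a
        direction that fails is relayed through this server (sixth aspect)."""
        self.probe(a)
        self.probe(b)

        def reach(src: Client, dst: Client) -> str:
            ext = src.egress(dst.reflexive)
            return "direct" if dst.accepts(dst.reflexive[1], ext) else "relay"

        return {"a_to_b": reach(a, b), "b_to_a": reach(b, a)}
```

With a cone NAT on one side and a symmetric NAT on the other, `establish` reports one direct direction and one relayed direction; with symmetric NATs on both sides both directions go through the server, and `can_relay_to` confirms that the server itself can still reach each client through the mapping its probe created.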
According to a seventh aspect of the invention there is provided a method of connecting a user computer into a hierarchical network of transport servers, for helping to establish peer-to-peer communication between a sender computer and a target recipient computer over a data communication network. The method comprises: receiving descriptive information describing the current load of each of a plurality of peer transport servers located on the same level of the connection network as the local transport server; receiving a connection request asking that a local user computer be connected to the local transport server; comparing the current load of the local server with that of the other peer servers; if the load of the local transport server exceeds the load of any of the other peer servers, sending a response to the local user computer instructing it to connect instead to the least-loaded of those peer servers; and if the load of the local transport server does not exceed the load of any of the other peer servers, accepting the connection request and updating the current load of the local transport server.
This aspect solves the problem of load balancing in the communication network. By recording the current load of the local server on a given level of transport servers, peer-to-peer connection requests can always be redistributed effectively. Keeping the traffic load balanced makes the network itself more efficient and keeps the impact on performance to a minimum.
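The decision rule of the seventh aspect is short, but its effect only shows when it is run over a sequence of requests. The following is an added example, not code from the patent: server names and starting loads are constructed, and the hop limit in `route` is this example's own safeguard against stale load reports, which the text does not specify.

```python
"""Added example, not code from the patent: the load-balancing decision of
the seventh aspect for one level of peer transport servers, run over a burst
of connection requests. Server names and starting loads are constructed."""


class TransportServerNode:
    def __init__(self, name: str, load: int = 0):
        self.name, self.load = name, load

    def handle_request(self, peer_loads: dict) -> str:
        """Decide where a user computer's connection request goes: this
        server's own name if it accepts (and its load is updated), otherwise
        the name of the least-loaded peer to redirect to. Ties stay local."""
        if peer_loads and self.load > min(peer_loads.values()):
            return min(peer_loads, key=peer_loads.get)
        self.load += 1
        return self.name


def route(nodes: dict, first: str, max_hops: int = 3) -> str:
    """Follow redirects until a server accepts. With consistent load
    reports the redirect target always accepts; the hop limit is an
    assumption of this example for the case of stale reports."""
    current = first
    for _ in range(max_hops):
        peers = {n: s.load for n, s in nodes.items() if n != current}
        target = nodes[current].handle_request(peers)
        if target == current:
            return current
        current = target
    raise RuntimeError("redirect limit reached")


def simulate(start_loads: dict, requests: int) -> tuple:
    """Requests arrive round-robin at the servers of one level; return the
    final loads and the number of requests that were redirected."""
    nodes = {n: TransportServerNode(n, l) for n, l in start_loads.items()}
    names, redirected = list(nodes), 0
    for i in range(requests):
        first = names[i % len(names)]
        if route(nodes, first) != first:
            redirected += 1
    return {n: s.load for n, s in nodes.items()}, redirected
```

Starting from loads of 5, 0 and 2, six round-robin requests leave the busiest server untouched and bring the other two up to 4 each; the two requests that arrived at the busiest server were redirected.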
According to an eighth aspect of the invention there is provided a method of admitting a node into a network formed of verified communication servers, the network being used to establish peer-to-peer data communication between user computers registered on those communication servers. The method comprises: authenticating the node to an authentication server using a user ID and password previously received from that authentication server; being informed of the identity of the selected communication server to which the node must connect in order to join the network; requesting from the authentication server the node-specific data for the selected communication server, so that the node can connect to it; receiving that node-specific data together with a shared key shared between the node and the selected communication server; and sending the node-specific data and global data, encrypted under the shared key, to the selected communication server, so that the selected communication server can verify the node to the network and admit it without itself having to seek verification from the authentication server.
This aspect provides a very secure way of carrying out the verification of a new node that wishes to join the network. It is particularly important when a message relay source wishes to join the peer-to-peer network, since once admitted it can communicate freely with the other members of the network.
According to a ninth aspect of the invention there is provided a method of connecting a first hierarchical region, formed of interconnected transport server nodes, to a second hierarchical region formed of interconnected transport server nodes. The method comprises: providing a local authentication server in each region, connected to the master node on the highest level of that region and responsible for the verification of all servers in the region; registering the master node of the first region with the authentication server of the second region; authenticating the master node of the first region to the authentication server of the second region; being informed of the identity of the lowest node server of the second region to which the master node of the first region must connect in order to join the two regions; receiving the shared data and shared key that the lowest node server of the second region shares with the master node of the first region; and using the received shared data and shared key to authenticate the master node of the first region to the lowest node server of the second region, so that the two regions are joined without the lowest node having to seek verification from the authentication server of the second region.
The advantage of this aspect is that separate communication networks (regions) can be joined without reducing security. Each region remains intact, because only the authority of the upper region can make changes, and this simple mechanism allows what may in practice be very large networks to be linked. It also means that people in entirely different organisations can communicate very securely using peer-to-peer technology.
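The join of the eighth aspect and the cross-region link of the ninth aspect are the same exchange (Fig. 17 calls it the Kerberos principle): the authentication server vouches for the joining party by sealing node-specific data under a key it shares with the receiving server, and the receiving server verifies that ticket locally. The following is an added example, not code from the patent or its assignee. User names, passwords, keys and field names are constructed, and the cipher is a toy (HMAC-SHA256 keystream, encrypt-then-MAC) chosen so that the example needs only the standard library; a real system would use AES-GCM. For the ninth aspect, read `Node` as the first region's master node and `CommServer` as the lowest node of the second region.

```python
"""Added example, not code from the patent: a Kerberos-style join for the
eighth aspect; the same exchange serves the ninth aspect when the 'node' is a
region's master node and the 'communication server' is the lowest node of the
neighbouring region. Names, passwords and keys are constructed. The cipher is
a toy (HMAC-SHA256 keystream, encrypt-then-MAC) so the example needs only the
standard library; a real system would use AES-GCM."""
import hashlib, hmac, json, os, time

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    return b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                    for i in range((n + 31) // 32))[:n]

def seal(key: bytes, obj: dict) -> bytes:
    """Toy authenticated encryption: nonce || ciphertext || HMAC tag."""
    pt, nonce = json.dumps(obj).encode(), os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key: bytes, blob: bytes) -> dict:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("bad tag: wrong key or tampered data")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

def _pw_key(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class AuthServer:
    """Holds each user's password-derived key and a long-term key shared
    with every communication server it vouches for."""
    def __init__(self, users: dict, server_keys: dict, lifetime: float = 300):
        self.salt = os.urandom(16)
        self.users = {u: _pw_key(p, self.salt) for u, p in users.items()}
        self.server_keys, self.lifetime = server_keys, lifetime

    def login(self, user: str, password: str, server: str) -> tuple:
        """Check the password, then return the node-specific data for the
        selected server (sealed under that server's key) and the shared key
        (sealed under the node's own password key)."""
        if user not in self.users or not hmac.compare_digest(
                self.users[user], _pw_key(password, self.salt)):
            raise PermissionError("authentication failed")
        shared = os.urandom(32).hex()
        ticket = seal(self.server_keys[server], {"node": user, "server": server,
                      "key": shared, "expires": time.time() + self.lifetime})
        return ticket, seal(self.users[user], {"key": shared, "server": server})

class CommServer:
    def __init__(self, name: str, key: bytes):
        self.name, self.key, self.members, self.seen = name, key, {}, set()

    def admit(self, ticket: bytes, authenticator: bytes) -> bool:
        """Verify the node locally; no round trip to the authentication server."""
        try:
            data = unseal(self.key, ticket)
            claim = unseal(bytes.fromhex(data["key"]), authenticator)
        except ValueError:
            return False
        if data["server"] != self.name or data["expires"] < time.time():
            return False
        if claim["node"] != data["node"] or authenticator in self.seen:
            return False                          # impersonation or replay
        self.seen.add(authenticator)
        self.members[data["node"]] = bytes.fromhex(data["key"])
        return True

class Node:
    def __init__(self, user: str, password: str):
        self.user, self.password = user, password

    def prepare(self, auth: AuthServer, server: str, global_data: dict) -> tuple:
        """Log in, recover the shared key, and build ticket + authenticator."""
        ticket, sealed_key = auth.login(self.user, self.password, server)
        shared = bytes.fromhex(unseal(_pw_key(self.password, auth.salt), sealed_key)["key"])
        return ticket, seal(shared, {"node": self.user, "ts": time.time(), "global": global_data})

def demo() -> dict:
    k1, k2 = os.urandom(32), os.urandom(32)
    auth = AuthServer({"alice": "correct horse"}, {"cs1": k1, "cs2": k2})
    cs1, cs2 = CommServer("cs1", k1), CommServer("cs2", k2)
    alice = Node("alice", "correct horse")
    ticket, authn = alice.prepare(auth, "cs1", {"region": "A"})
    out = {"joined": cs1.admit(ticket, authn),      # fresh, correct server
           "replay": cs1.admit(ticket, authn),      # same authenticator again
           "wrong_server": cs2.admit(ticket, authn)}
    try:
        Node("alice", "wrong").prepare(auth, "cs1", {})
        out["bad_password"] = False
    except PermissionError:
        out["bad_password"] = True
    stale = AuthServer({"alice": "correct horse"}, {"cs1": k1}, lifetime=-1)
    out["expired"] = cs1.admit(*alice.prepare(stale, "cs1", {}))
    return out
```

`demo` shows the checks the receiving server performs on its own: the correct ticket is accepted once, a replayed authenticator is refused, a ticket sealed for one server fails the tag check at another, a wrong password never gets a ticket, and an expired ticket is rejected even though its tag is valid.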
Description of the drawings
Fig. 1 is a schematic diagram of the structure of a system according to an embodiment of the invention;
Fig. 2 is a flow chart of the process by which the system of Fig. 1 establishes peer-to-peer communication between two users, Bob and Alice;
Fig. 3 is a flow chart of the overall method of operation of the personal e-mail server of Fig. 1;
Fig. 4 is a flow chart of the "client-initiated connection" subroutine of the method of Fig. 3;
Fig. 5 is a flow chart of the "message receive" subroutine of Fig. 3;
Fig. 6 is a flow chart of the "message waiting to send" subroutine of Fig. 3;
Fig. 7 is a flow chart of the process by which the transport server and the mail server interact to determine the unique address of the target recipient;
Fig. 8 is a schematic diagram of the different uses different entities make of the system;
Figs. 9a to 9f are a series of flow charts of the TSM determining the unique IP address of the target recipient by interrogation;
Figs. 9g to 9i are schematic diagrams of the probing of Figs. 9a to 9f applied to the symmetric and asymmetric NAT cases;
Fig. 10 is a schematic diagram of all the functions of the tree architecture of a second embodiment of the invention;
Fig. 11 is a schematic diagram showing the hierarchical nature of the management layer in the tree architecture of Fig. 10;
Fig. 12 is a schematic diagram of the hierarchical nature of the transport server layer in the tree architecture of Fig. 10;
Fig. 13 is a schematic diagram of the functional units of a normal transport server in the transport server layer of Fig. 12;
Fig. 14 is a flow chart of the management layer of Fig. 10 handling a new connection using load balancing;
Fig. 15 is a flow chart of the first stage of the process of establishing a peer-to-peer connection using the network of the second embodiment of Fig. 10;
Fig. 16 is a flow chart of the second stage of the process of establishing a peer-to-peer connection using the network of the second embodiment of Fig. 10;
Fig. 17 is a schematic diagram of the Kerberos principle applied to a third embodiment of the invention;
Fig. 18 is a flow chart of the main steps of the third embodiment in seeking a network connection;
Fig. 19 is a schematic diagram of the detailed process of registering with the central data server and, seen from the secure network, of how peer-to-peer communication is then supported;
Fig. 20a is a schematic diagram of the structure of a parent node in the hierarchical network of Fig. 19;
Fig. 20b is a schematic diagram of the structure of a child node in the hierarchical network of Fig. 19;
Fig. 21 is a schematic diagram of the process of establishing a cross-region link during a peer-to-peer call between computers X and Y.
Embodiments
Fig. 1 shows a system 10 according to one embodiment of the invention. The embodiment is described here with reference to e-mail communication, but it should be understood that any form of electronic communication, such as voice over IP (VoIP) or instant messaging, is equally applicable. Likewise, although the embodiment is described for communication over a wide area network such as the Internet, the invention can also be realised over a local area network (LAN) or even a mobile telecommunications network.
System 10 comprises two personal computers (PCs) 12 and 14 at different locations. The first PC is the local PC 12 and the second is the remote PC 14; system 10 supports peer-to-peer communication between these two computers 12 and 14. PCs 12 and 14 have identical communication functions, so only one of them needs to be described in detail.
In this embodiment PCs 12 and 14 are connected to the Internet 16 through their respective Internet gateways 18 and 20. The Internet gateway 18 at the local PC 12 also includes a NAT 22, because the local PC 12 is one of many local PCs 12 on a LAN 24 that all use the local Internet gateway 18. The remote PC 14 is located on a LAN 26, but there is no NAT in front of it, so the remote PC 14 has a unique IP address.
A data server 28 is also shown, connected to the Internet 16. Data server 28 has a local database 30 in which it stores and manages user names 32 and IP addresses 34. Database 30 also holds connection status information 36 for registered users. The user names 32 and addresses 34 include entries for the local and remote PCs 12 and 14, stored in database 30 through a registration process that is not described in detail here because it is well known. It should be understood that data server 28 does not take part in the peer-to-peer communication between registered PCs such as the local and remote PCs 12 and 14. It merely updates the entries for PCs 12 and 14 once they have registered their latest address information 34 and the status 36 of that address (online or offline).
A number of transport server mechanisms (TSMs) 40 are also provided, all connected to the Internet 16. The TSMs 40 assign the correct addresses 34 for the peer-to-peer communication between the local and remote PCs 12 and 14. Each TSM 40 is associated with a local store 42 that holds the address information relevant to each possible address of the registered PCs 12 and 14; specifically, a list of PC identifiers 44 and a corresponding list of IP addresses 46. Where the TSM 40 is itself responsible for assigning the address of a given PC, the list 46 holds the direct IP address; where it is not, the list holds the IP address (or other suitable identifier) of the TSM 40 that is responsible. The operation of the TSMs 40, in particular during NAT traversal, is described in detail later.
Each of the local and remote PCs 12 and 14 includes a mail client 50, such as Microsoft Outlook(TM), connected over TCP/IP to a personal mail server 52. Mail server 52 has its own local data store 54 and is likewise connected to a network interface 56. Mail server 52 is provided as a software download and is installed by the user so that the peer-to-peer protocol can be used. It stores the network address of data server 28, because it needs to contact data server 28 so that the latter can be notified when the mail server comes online. All peer-to-peer communication is routed transparently through personal mail server 52, so the operation of mail client 50 is unaffected.
The network interface 56 and the Internet gateways 18 and 20 used in this embodiment are prior art and need no further description.
The normal mode of operation of system 10 is now described. After the user has sent their details to data server 28 and completed the service registration process, they download personal mail server 52 and install it locally on PC 12 or 14. Personal mail server 52 connects to the e-mail client 50 and the network interface 56, both of which are already installed on PC 12 or 14. All e-mail to and from e-mail client 50 passes through personal mail server 52.
To send a message, the user composes an e-mail, which is passed to personal mail server 52. If the target recipient is online (as shown by the stored status information for that recipient), the e-mail message is sent directly to the target recipient's PC 14. Otherwise the message is stored in a queue until the target recipient PC 14 comes online (for example on receipt of an updated online status message sent by data server 28).
Before a message is sent, the true current IP address 34 of the target recipient is determined by a TSM 40, in a process described in detail later. Only once the target recipient's current IP address 34 has been confirmed does the peer-to-peer transfer of the e-mail message begin.
Fig. 2 describes a process 60 with reference to two users, Alice 62 and Bob 64. Process 60 starts at step 66, where Alice's personal mail server 52 sends a message to data server 28 announcing that she is online, and at step 68 indicates that she wishes to send a message to Bob 64. At step 69 data server 28 returns Bob's current address details. Alice's personal mail server 52 uses this information to address the message, encrypts it at step 70 and at step 72 stores it locally, waiting to send it once Bob comes online.
Some time later Bob comes online (sending a message to data server 28 at step 74 to say so) while Alice is still online (her message to data server 28 at step 66 having indicated this). At step 76 data server 28 then sends a message to all users notifying them that Bob 64 has come online. Alice's personal mail server 52 receives this notification and at step 78 sends the stored e-mail message directly to Bob 64. On receipt, Bob's personal mail server 52 stores the message at step 80. At step 82 Bob's e-mail client 50 checks for incoming messages (fetches the message); the message is decrypted at step 84 and passed to e-mail client 50 at step 86 for Bob 64 to read.
The actual processes carried out by each personal mail server 52 are now described with reference to Figs. 3 to 6.
Fig. 3 describes the operation 90 of personal mail server 52. Operation 90 starts with the start-up step 92 of server 52, which leads to step 94, establishing a connection to the data server (DS) 28. The address of data server 28 is known to mail server 52 and is held in its local store 54. Data server 28 supplies the locations of several TSMs 40, at least one of which must be available for system 10 to work. At step 96 mail server 52 then attempts to connect to a TSM 40, which requires checking at step 98 whether the TSM 40 is online. If it is not, no connection can be made and at step 100 mail server 52 is considered offline. Process 90 then continues by reconnecting to the Internet 16 at step 102 and returning to step 94, connecting to the DS.
If, on the other hand, TSM 40 is online at step 104, five different options (states) are available. First, if PC 12 or 14 is shut down at step 106, process 90 ends at step 108. Second, mail server 52 may be forced to log out at step 110, whereupon process 90 returns to the offline state 100. Third, if mail client 50 attempts to connect to mail server 52 at step 112, the credentials of mail client 50 are checked at step 114 against stored information; if they are acceptable, the client is allowed to connect at step 116 (described in detail below with reference to Fig. 4). If the client's credentials fail the check, the connection is refused at step 118, and mail server 52 either returns to the online state at step 120 or is forced offline and returns to step 102, reconnecting to the Internet 16 at step 122 and restarting process 90.
The fourth option (state) is that mail server 52 receives a message at step 124 and provides it to mail client 50 for display to the user. Process 124 is described in detail later with reference to Fig. 5.
The final option (state) is that, while the mail server is online, sending of messages begins. At step 126 it first checks whether any messages are waiting to be sent. If at step 128 none are waiting, process 90 ends and mail server 52 returns to the online state 104. If messages are waiting, the "message waiting to send" process 130 is carried out, described in detail below with reference to Fig. 6. After process 130 completes, mail server 52 returns to the online state 104.
Fig. 4 describes the "client-initiated connection" process 116. Process 116 starts at step 140 with the receipt of an SMTP connection request from mail client 50 (for example MS Outlook(TM)). For security, at step 142 process 116 determines whether mail client 50 is authorised. If not, authorisation fails at step 144 and a message is sent to mail client 50 at step 146 to inform the user. If it is, authorisation succeeds at step 148 and at step 150 mail server 52 receives the e-mail message from mail client 50. This is a multi-stage process in which the parts of the message are transferred in turn (for example the "from" address first, then the "to" address, then the body of the message) until the whole message has been received. At step 152 it then checks whether further messages need to be transferred and, if so, repeats steps 150 and 152. If at step 154 it is determined that no further messages remain to be received, mail server 52 disconnects from mail client 50 at step 156.
Before the received message is processed, step 158 checks whether mail client 50 has permission to send. If at step 160 it is found that mail client 50 lacks the permission needed to send mail to the particular target recipient, then at step 162 the e-mail message is not sent. If it does have permission, the destination user's details are obtained at step 164. This step comprises requesting and obtaining from data server 28 the address information of all the registered target recipients. The data also includes each such user's public key (not shown), with which messages to that user are encrypted. If the address information was received recently for another e-mail message it is held temporarily in a cache, so the cache (not shown) is checked first to see whether the target recipient's address information can be found there before it is fetched from DS 28.
Step 166 then checks whether the target recipient is a recognisable mail user. If at step 168 the user cannot be identified, mail server 52 can only notify mail client 50 at step 170 that the message cannot be sent, because the address is unknown to the system. If at step 172 the target recipient is identified as a registered user, the e-mail message is encrypted at step 174 with the previously obtained public key of the target recipient, so that encryption and decryption use public key infrastructure (PKI) techniques.
The encrypted message is then passed to the "message waiting to send" process 130, described later with reference to Fig. 6.
Fig. 5 is described " message sink " process 124 now.When receiving email message, mail server 52 need not to land, but need be connected to the Internet 16.After step 180 is received email message, in step 182, the user will have notice, and this can realize by generate a notice reception pop-up window in step 184.The email message of receiving is stored in the memory 54, and its state is that Mail Clients as yet " does not read (taking away) ".This memory can be the hard disk of computer, but safest way be the message stores that will receive in RAM, removed up to it.Simultaneously, enter wait state in step 186, if for some reason, mail server 52 need cut out in step 188, and then the message that does not transmit will store in the semipermanent store (being generally hard disk) in step 190, and subsequently in step 192, process 124 finishes.
When in step 194, mail server 52 is received the request of reading from Mail Clients 50, and then in step 196, process 124 will judge whether Mail Clients 50 is authorized to.If not, then in step 198, the client validation failure finally causes in step 200, and Mail Clients 50 reads procedure failure.After this, will notify recipient user and Amteus (authorized party that operation monitors to whole system, the user registers thereon) in step 202.
If at step 204 mail client 50 is authorised, two operations are carried out in parallel. At step 206 the recipient's locally stored private key is retrieved, and at step 208 the undelivered email message is retrieved. At step 210 an attempt is made to decrypt the message with the retrieved private key. If decryption fails at step 212, the sender is notified at step 214; this can be implemented by mail server 52 sending an email to the sender stating that delivery failed. Process 124 then continues as for the earlier client authorisation failure at step 198, that is, at step 200 the mail client read process fails, and at step 202 the read failure is notified to the recipient user and to Amteus.
If, however, decryption succeeds at step 216, the decrypted email message is forwarded to the mail client and displayed to the user, that is, at step 218 the mail client read succeeds. The message receive process 124 then checks at step 220 whether further messages need to be delivered. If at step 222 there are none, process 124 ends at step 192. If at step 224 there are further messages to deliver, then at step 226 the process returns to the point at which client authorisation succeeded and continues as described above.
Fig. 6 describes the "message waiting to send" process 130 of Fig. 3. When at step 230 there is an email message in the queue to be sent, the state of the destination must be determined at step 232. At step 234 the cache is checked for current state information about the destination. If it is present, the current state information is read from the cache at step 236; if the cache holds no current state information, the current state information is read from DS 28 and the cache is updated with the state information read (steps 238 and 240).
At step 242 the destination's state information is checked to determine whether the destination is offline. If at step 244 it is found to be offline, the message cannot be sent, and at step 246 the encrypted message is stored in the message waiting queue so that delivery can be retried later. If, however, the destination is online, then at step 248 the encrypted message is read from the queue (in RAM or on the hard disk) and at step 250 it is sent directly to the intended recipient by point-to-point communication. How the email message is precisely addressed and how it is sent are described later with reference to Fig. 7.
At step 252 the delivery of the message is checked. If at step 254 delivery fails for some reason, a send error state 256 is entered and the type of error is then determined. This send error state 256 is also entered if, at the start of the message waiting send process 130, mail server 52 stops working at step 258 for some reason. In send error state 256, Amteus is notified at step 260 while the error type is being determined. At step 262 it is checked whether the error was caused by the destination being offline; this can happen when the state of the destination end has just changed. If the destination is determined to be offline at step 244, the encrypted message is stored at step 246 for later delivery. The message waiting send process 130 has then run to completion, by its own decision, while the email message remains in the queue awaiting delivery.
If the error was not caused by the destination being offline, then at step 264 it is determined that some other error occurred, and at step 266 it is checked whether the delivery failure is permanent or temporary. If at step 268 a permanent delivery failure is determined (for example the user no longer exists or the email is too large), then at step 270 the mail server receives a bounce message indicating that the email message cannot be delivered. If at step 272 it is determined that the error is due to a temporary failure (such as a connection error), then at step 242 the encrypted email message is returned to the queue, and the message waiting send process 130 then ends.
As to the result of delivering the email message: if at step 274 it is confirmed that the message was sent, then for security reasons the local copy of the email is deleted at step 276. At step 260 a delivery success notification is sent to Amteus, and at step 278 it is determined whether there are further email messages in the queue to be sent. If so, process 130 returns to check step 232, checks the state of the email's destination (the intended recipient) and then continues as described above. If at step 280 it is determined that no further messages need handling, the message waiting send process 130 ends.
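The queue handling of Fig. 6 (state cache, offline retention, permanent versus temporary failure, deletion of the local copy on success) can be modelled in a few dozen lines. The following is an added example, not code from the patent: DS 28, the point-to-point send and the Amteus notification are stood in for by callbacks, the recipient names and ciphertexts are constructed test data, and dropping the cached state after a temporary failure is an assumption drawn from step 262.

```python
"""Added example (not the patent's code): a model of the "message waiting to
send" process 130 of Fig. 6.  DS 28 is stood in for by a callback, as are the
point-to-point send and the Amteus notification; the recipient names and
ciphertexts below are constructed test data."""
from dataclasses import dataclass, field
from enum import Enum
from typing import Callable, Dict, List


class Outcome(Enum):
    SENT = "sent"                              # step 274 confirmed
    RETAINED_OFFLINE = "retained_offline"      # steps 244/246
    PERMANENT_FAILURE = "permanent_failure"    # steps 268/270
    RETAINED_TEMPORARY = "retained_temporary"  # step 272


class TemporaryFailure(Exception):
    """Transient delivery error such as a connection error (step 272)."""


class PermanentFailure(Exception):
    """Unrecoverable error such as an unknown user or oversized mail (step 268)."""


@dataclass
class QueuedMessage:
    recipient: str
    ciphertext: bytes  # already encrypted with the recipient's public key (step 174)


@dataclass
class MessageQueue:
    directory_lookup: Callable[[str], bool]   # stands in for DS 28: is the recipient online?
    deliver: Callable[[str, bytes], None]     # point-to-point send (step 250); raises on failure
    notify_amteus: Callable[[str], None]      # step 260
    queue: List[QueuedMessage] = field(default_factory=list)
    state_cache: Dict[str, bool] = field(default_factory=dict)
    local_copies: Dict[str, bytes] = field(default_factory=dict)  # removed on success (step 276)
    bounces: List[str] = field(default_factory=list)

    def recipient_online(self, recipient: str) -> bool:
        # steps 234-240: use the cached state if present, otherwise query DS 28 and cache it
        if recipient not in self.state_cache:
            self.state_cache[recipient] = self.directory_lookup(recipient)
        return self.state_cache[recipient]

    def process_one(self, msg: QueuedMessage) -> Outcome:
        if not self.recipient_online(msg.recipient):
            self.queue.append(msg)                     # step 246: keep the ciphertext for a retry
            return Outcome.RETAINED_OFFLINE
        try:
            self.deliver(msg.recipient, msg.ciphertext)
        except PermanentFailure as exc:
            self.bounces.append(f"{msg.recipient}: {exc}")   # step 270: bounce message
            self.notify_amteus(f"permanent failure for {msg.recipient}")
            return Outcome.PERMANENT_FAILURE
        except TemporaryFailure as exc:
            self.queue.append(msg)                     # step 272: back into the queue
            # assumption: a delivery error may mean the cached state is stale (step 262),
            # so drop it and re-read DS 28 on the next attempt
            self.state_cache.pop(msg.recipient, None)
            self.notify_amteus(f"temporary failure for {msg.recipient}: {exc}")
            return Outcome.RETAINED_TEMPORARY
        self.local_copies.pop(msg.recipient, None)     # step 276: no local copy after delivery
        self.notify_amteus(f"delivered to {msg.recipient}")
        return Outcome.SENT

    def run(self) -> List[Outcome]:
        # steps 230/278: drain everything queued now; retained messages wait for the next run
        pending, self.queue = self.queue, []
        return [self.process_one(m) for m in pending]


def demo() -> dict:
    """Constructed scenario: alice is online, bob offline, carol's account is gone,
    dave is listed as online but the connection to his server fails."""
    online = {"alice": True, "bob": False, "carol": True, "dave": True}
    notices: List[str] = []

    def deliver(recipient: str, ciphertext: bytes) -> None:
        if recipient == "carol":
            raise PermanentFailure("user no longer exists")
        if recipient == "dave":
            raise TemporaryFailure("connection error")

    mq = MessageQueue(directory_lookup=lambda r: online[r], deliver=deliver,
                      notify_amteus=notices.append)
    for name in online:
        mq.local_copies[name] = b"ciphertext-for-" + name.encode()
        mq.queue.append(QueuedMessage(name, mq.local_copies[name]))
    outcomes = mq.run()
    return {"outcomes": [o.value for o in outcomes],
            "still_queued": sorted(m.recipient for m in mq.queue),
            "local_copies": sorted(mq.local_copies),
            "notices": notices, "bounces": mq.bounces}
```

Running `demo()` shows the four branches side by side: only alice's local copy is removed, bob and dave stay queued for a later run, and carol produces a bounce rather than a retry.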
Fig. 7 now describes the operation of, and interaction with, the TSM; specifically, it describes how the intended recipient addressing required for point-to-point communication is carried out.
First, it should be appreciated that the TSM continuously performs its address discovery process, so that whenever an email message needs to be sent to an intended recipient, the TSM holds the latest current information about that recipient's address. This discovery is carried out over a modified UDP (User Datagram Protocol) exchange that also includes tests which help to establish the user's true direct IP network address. These tests can achieve NAT traversal, the details of which are described later with reference to Figs. 9a to 9i.
The process 274 of determining the recipient's current IP address and issuing it to the sender begins at step 290, where the sender receives the TSM list from the master TSM 40 that stores it. At step 292 mail server 52 attempts to connect to a TSM 40 in the list, and step 294 checks whether the connection succeeded. If at step 296 the connection is found to be unsuccessful, the next TSM 40 in the list is read and step 292 is retried. This continues until at step 298 a connection succeeds.
Once connected, the selected TSM notifies all other TSMs 40 at step 300 that it is connected to mail server 52. The connection may be to whichever TSM 40 is most convenient from a load balancing standpoint. Then at step 302 the sending mail server 52 communicates with the connected TSM 40, indicating that it wishes to connect to the intended recipient's mail server 52. The intended recipient is identified by user ID. The TSM 40 then determines the IP address of that intended recipient mail server 52. At step 304 the selected TSM 40 checks its locally stored address list to determine whether it has a direct connection to the intended recipient mail server 52. If it does, that is, if it knows the unique address of the recipient mail server 52, then at step 306 that address is sent to the sending mail server 52. The technique used to determine this address is described later with reference to Figs. 9a to 9i. If it does not hold the unique address, it at least holds the address of a TSM 40 that does. In that case, at step 308, the selected TSM 40 forwards the query to the correct TSM 40, which looks up the address of the intended recipient mail server 52, and at step 306 that address is issued to the sending mail server 52.
After receiving the unique direct IP address of the intended recipient mail server 52, the sending mail server 52 connects directly to the recipient mail server 52 at step 310 and, at step 312, sends the email message using standard Internet protocols. That is, the email is sent in the same way as conventional IP communication over the Internet 16: the message is divided into a number of packets, a header is added to each packet, the packets are sent to the recipient over suitable paths, and at the recipient the packets are reassembled and displayed to the intended recipient.
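The TSM list failover (steps 290 to 298), the announcement to the other TSMs (step 300) and the local-or-forwarded address lookup (steps 304 to 308) are shown together in the following added example, which is not the patent's code. The TSM names, user IDs and addresses are constructed, and reachability of each TSM is injected through a callback so the example runs offline.

```python
"""Added example (not the patent's code): the TSM list failover and recipient
address lookup of Fig. 7 (steps 290-308).  TSM names, user IDs and addresses are
constructed; reachability is injected through a callback."""
from typing import Callable, Dict, List, Optional


class TSM:
    def __init__(self, name: str, addresses: Dict[str, str]):
        self.name = name
        self.addresses = addresses              # user ID -> unique direct IP of that user's mail server 52
        self.peers: List["TSM"] = []            # the other TSMs 40 a query can be forwarded to
        self.connected_senders: List[str] = []  # senders announced at step 300

    def announce(self, sender: str) -> None:
        """Step 300: tell every other TSM that this sender is connected here."""
        self.connected_senders.append(sender)
        for peer in self.peers:
            peer.connected_senders.append(sender)

    def resolve(self, user_id: str) -> Optional[str]:
        """Steps 304-308: answer from the local address list, else forward to the TSM that knows."""
        if user_id in self.addresses:
            return self.addresses[user_id]
        for peer in self.peers:
            if user_id in peer.addresses:
                return peer.addresses[user_id]
        return None


def lookup_recipient(tsm_list: List[TSM], sender: str, user_id: str,
                     try_connect: Callable[[TSM], bool]) -> Optional[Dict[str, Optional[str]]]:
    """Steps 290-306: try the TSMs in list order until one connects, then resolve the user ID."""
    for tsm in tsm_list:                 # step 292
        if not try_connect(tsm):         # steps 294/296: move on to the next TSM in the list
            continue
        tsm.announce(sender)             # steps 298/300
        return {"tsm": tsm.name, "address": tsm.resolve(user_id)}   # steps 302-306
    return None                          # no TSM reachable at all


def demo() -> Dict[str, object]:
    tsm1 = TSM("tsm-1", {"alice": "192.0.2.10"})
    tsm2 = TSM("tsm-2", {"bob": "192.0.2.20"})
    tsm3 = TSM("tsm-3", {"carol": "192.0.2.30"})
    for t in (tsm1, tsm2, tsm3):
        t.peers = [p for p in (tsm1, tsm2, tsm3) if p is not t]
    reachable = {"tsm-1": False, "tsm-2": True, "tsm-3": True}   # constructed: first TSM is down
    found = lookup_recipient([tsm1, tsm2, tsm3], "alice", "carol", lambda t: reachable[t.name])
    missing = lookup_recipient([tsm1, tsm2, tsm3], "alice", "nobody", lambda t: reachable[t.name])
    down = lookup_recipient([tsm1, tsm2, tsm3], "alice", "carol", lambda t: False)
    return {"found": found,
            "forwarded": found is not None and "carol" not in tsm2.addresses,
            "missing_address": missing["address"] if missing else "n/a",
            "all_down": down is None,
            "notified": sorted(t.name for t in (tsm1, tsm3) if "alice" in t.connected_senders)}
```

In `demo()` the first TSM is unreachable, so the sender ends up on tsm-2, which does not know carol itself and forwards the query to tsm-3; an unknown user ID yields no address, and a list in which nothing connects yields no result.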
Fig. 8 is a schematic diagram of the different operations of a user 320, the user's mail client 50, 322 and an administrator 324. In the figure the various operations are grouped by related function. Specifically, the user 320 performs three groups of related functions, namely setup operations 326, delivery operations 328 and document-related operations 330. The mail client 50, 322 performs one group of mail server related operations 332. The administrator 324 performs one group of user related operations 334. The functions making up these groups of operations are set out in Fig. 8 and will be clear to those skilled in the art, so they are not explained further here.
Figs. 9a to 9f show and explain six stages of the actions performed by the TSM 40 to determine the intended recipient's unique IP address. Specifically, Fig. 9a shows the initial state, in which client A 350 has established a TCP/IP connection with server S 354 through NAT A 352, and client B 356 has established a TCP/IP connection with server S 354 through NAT B 358. At this stage (labelled stage 1), client A 350 wants to establish a point-to-point connection with client B 356.
Fig. 9b shows stage 2A, in which client A 350 sends a point-to-point request to server S 354 through NAT A 352. On receiving this request, server S 354 opens a UDP port 360 on IP address S1:s1 362. Then, in stage 2B shown in Fig. 9c, server S 354 issues the address (S1:s1) 362 of UDP port 360 to client A 350 over the already established TCP/IP communication medium 364. Client A 350 then opens its own UDP port 366 on address A:a 368. This port address 368 is translated by NAT A 352 to A1:a1 370. Despite the translation, a UDP communication channel 372 is established between client A 350 and server S 354.
In stage 3, shown in Fig. 9d, server S 354 opens a second UDP port 376 on IP address S2:s2 378, so that it can establish a UDP channel with client B 356 in the same way as described for Fig. 9c. Server S 354 then issues the address (S2:s2) 378 of UDP port 376 to client B 356 over the established TCP/IP communication medium 364. Client B 356 then opens its own UDP port 380 on address B:b 382. This port address 382 is translated by NAT B 358 to B1:b1 384. Despite the translation, as shown in Fig. 9e, a UDP communication channel 386 is established between client B 356 and server S 354.
Turning to Fig. 9e, which shows stage 4 of the process for establishing the intended recipient's unique IP address, the path by which UDP communication between client A and client B is achieved is now explained. Client B sends UDP data packets from the address B:b 382 of its UDP port 380 to the address S2:s2 378 of the server's UDP port 376. At server S 354, however, these packets appear to come from the network-translated UDP port address B1:b1 384. Likewise, the address S1:s1 362 of the server's UDP port 360 receives UDP data packets from client A 350.
Server S 354 forwards the data packets arriving from the network-translated port address A1:a1 370 to address B1:b1 384, and forwards the data packets arriving from the network-translated port address B1:b1 384 to address A1:a1 370. This makes client A 350 and client B 356 believe that a direct UDP connection exists between them.
Fig. 9f shows stage 5 of the above process, in which a point-to-point communication of the usual kind has been established. Here, server S 354 first notifies client A 350 that client B 356 is communicating using the network-translated port address B1:b1 384. Likewise, server S 354 notifies client B that client A 350 is communicating using the network-translated port address A1:a1 370. Client A 350 and client B 356 can then communicate directly, because each knows the other's network-translated address 370 and 384. Communication can take place over the UDP channel 388 between UDP port A:a 366 and address B1:b1 384, or can use the port addresses B1:b1 384 and S1:s1 362 simultaneously, depending on the application (not shown) running on client A 350. Likewise, depending on the application (not shown) running on client B 356, communication can take place over the second UDP channel 390 between UDP port B:b 380 and address A1:a1 370, or can also use the port addresses A1:a1 370 and S2:s2 378 simultaneously.
Fig. 9g shows how the usual case of Fig. 5 applies when the NATs on both sides are symmetric. Specifically, at stage 6A, if NAT A 352 is a symmetric NAT, client B receives the UDP data packets from the network-translated port address A1:a1 370. Similarly, if NAT B 358 is a symmetric NAT, client A receives the UDP data packets from the network-translated port address B1:b1 384. On detecting this UDP packet flow, server S is notified and then tears down the UDP connection 372 between NAT A and its first port 362 and the UDP connection between NAT B and its second port 376; this is the situation shown in Fig. 9g. Thereafter the TCP connections 364 between clients A and B and server S 354 can also be closed, depending on the applications running on clients A and B.
Fig. 9h shows why the scheme of Fig. 9g cannot be applied when the NAT at one end is asymmetric. Specifically, if NAT B 358 is asymmetric, the UDP packet flow sent from port address B:b 382 to the network-translated address A1:a1 370 appears to come from B2:b2 392, but is still received by client A over the second UDP channel 390. However, the UDP packet flow from the network-translated address A1:a1 370 to the network-translated address B1:b1 384 is blocked by NAT B 358, because port B1:b1 384 is no longer used for communication with client B 356.
Fig. 9i shows the solution of one embodiment of the invention for the case in which the NAT at one end is asymmetric. Specifically, at stage 6B, client A sees the UDP packet flow arriving from the network-translated address B2:b2 392 rather than from the network-translated address B1:b1 384. NAT A 352 therefore forwards the UDP packet flow destined for the network-translated address B1:b1 384 to the network-translated address B2:b2 392 instead. NAT A 352 can operate in this way because NAT B 358 has used that address to send data to NAT A 352's network-translated address A1:a1 370, so this IP address is allowed through. In this way two-way communication can be established even when the NAT at one end is asymmetric.
If NAT A 352 is asymmetric and NAT B 358 is symmetric, the operations described with reference to Fig. 9i are simply carried out in reverse.
If both NAT A 352 and NAT B 358 are asymmetric, pure point-to-point communication cannot be achieved. Communication must then continue, or be re-established, with server S 354 acting as an intermediary. Note that any address visible to both NAT A 352 and NAT B 358 can be used as the intermediary. How this situation is handled is described in detail later with reference to the second embodiment.
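The behaviour of Figs. 9a to 9i can be reproduced with a small NAT model. The following added example (not the patent's code) runs stages 2 to 6 for each combination of NAT types and reports which directions of direct UDP traffic get through and whether server S must remain as an intermediary. All IP addresses, ports and client names are constructed; the names "symmetric" and "asymmetric" follow the patent's usage, which the code comments map to the RFC 3489 terms, and the stage 6B fix is implemented as the client switching to the source address it actually observes.

```python
"""Added example (not the patent's code): a simulation of the UDP address
discovery of Figs. 9a-9i with two NAT behaviours.  The IP addresses, ports and
client names are constructed; server S, clients A and B, and the addresses
A1:a1, B1:b1 and B2:b2 follow the figures."""
from typing import Dict, Optional, Tuple

Addr = Tuple[str, int]


class Nat:
    """In the patent's terms a 'symmetric' NAT keeps one external port per
    internal socket and lets any source reach it (full-cone in RFC 3489 terms);
    an 'asymmetric' NAT allocates a fresh external port per destination and only
    admits packets from that destination (RFC 3489 'symmetric NAT')."""

    def __init__(self, public_ip: str, asymmetric: bool, first_port: int = 40000):
        self.public_ip = public_ip
        self.asymmetric = asymmetric
        self.next_port = first_port
        self.mappings: Dict[tuple, Addr] = {}
        self.reverse: Dict[Addr, Tuple[Addr, Optional[Addr]]] = {}

    def outbound(self, internal: Addr, dest: Addr) -> Addr:
        """Translate an outgoing packet; returns the external address the peer sees."""
        key = (internal, dest) if self.asymmetric else (internal,)
        if key not in self.mappings:
            ext = (self.public_ip, self.next_port)
            self.next_port += 1
            self.mappings[key] = ext
            self.reverse[ext] = (internal, dest if self.asymmetric else None)
        return self.mappings[key]

    def inbound(self, ext: Addr, src: Addr) -> Optional[Addr]:
        """Translate an incoming packet; None means the NAT dropped it."""
        entry = self.reverse.get(ext)
        if entry is None:
            return None
        internal, allowed_src = entry
        if allowed_src is not None and allowed_src != src:
            return None  # Fig. 9h: this mapping was never opened towards src
        return internal


class Client:
    def __init__(self, sock: Addr, nat: Nat):
        self.sock, self.nat = sock, nat
        self.peer: Optional[Addr] = None  # translated peer address announced by server S (stage 5)

    def send(self, dest: Addr) -> Addr:
        return self.nat.outbound(self.sock, dest)

    def receive(self, ext: Addr, src: Addr) -> bool:
        if self.nat.inbound(ext, src) != self.sock:
            return False
        if self.peer is not None and src != self.peer:
            # stage 6B (Fig. 9i): the flow arrives from B2:b2 instead of the announced
            # B1:b1, so steer further traffic to the address actually in use
            self.peer = src
        return True


def direct_path(a_asymmetric: bool, b_asymmetric: bool) -> Dict[str, bool]:
    """Run stages 2-6 for one NAT combination and report which directions work."""
    s1, s2 = ("198.51.100.1", 5001), ("198.51.100.1", 5002)  # server S ports 360 and 376
    a = Client(("10.0.0.2", 6000), Nat("203.0.113.10", a_asymmetric))
    b = Client(("10.1.0.2", 7000), Nat("203.0.113.20", b_asymmetric))
    a1, b1 = a.send(s1), b.send(s2)   # stages 2-4: S learns the translated addresses
    a.peer, b.peer = b1, a1           # stage 5: S announces them to the other side

    def deliver(src: Client, dst: Client) -> bool:
        dest = src.peer
        return dst.receive(dest, src.send(dest))

    # stage 6: try both directions twice, so that a direction blocked on the first
    # pass can succeed once the other side has updated its peer address (stage 6B)
    a_to_b = b_to_a = False
    for _ in range(2):
        a_to_b = deliver(a, b)
        b_to_a = deliver(b, a)
    both = a_to_b and b_to_a
    return {"a_to_b": a_to_b, "b_to_a": b_to_a, "relay_needed": not both}
```

With one asymmetric NAT the first pass in one direction is dropped (Fig. 9h), the other direction arrives from the new external port, and the second pass succeeds once the receiver has switched to that port (Fig. 9i); with both NATs asymmetric neither direction ever gets through, which is the case the text hands over to server S as intermediary.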
The second embodiment of the invention is now described with reference to Figs. 10 to 16. The second embodiment is similar to the first in many respects, so the description below concentrates on the differences between them. At the same time, some aspects that were only described briefly in the first embodiment are expanded on and described fully in the second.
In the second embodiment the secure communication system 400 is a distributed system whose complexity depends on its size. On one view, as shown in Fig. 10, its overall architecture can be regarded as a hierarchical tree 402. The three logical layers, from the top of system 400 downward, are the system management layer 404, the transport server layer 406 and the endpoint layer 408. Fig. 10 shows logical functional blocks, which can be implemented in different ways.
The top layer 404 of the hierarchical tree 402 deals with the management functions of system 400. It contains a database 410 (see Fig. 12) recording all computers entitled to use system 400, and whether point-to-point communication is permitted to be established is also controlled by top layer 404.
The management layer 404 also controls security. Every communication connection at the lower layers must be authorised by the management layer 404; once authorised, the lower layers can negotiate keys with one another before creating further connections.
Depending on the specific customisation requirements, the management layer 404 can also be notified when a connection is created, and can log events occurring at the lower layers. These events may include, for example, attempts to access the network.
The management layer 404 can also generate control reports on network operation, which are very useful for controlling and managing system 400.
On the bottom layer 408 are the endpoints 412. These include "softphones" (software used to place VoIP calls) and local email servers, but endpoints 412 may also include other forms of data communication tool. An endpoint 412 is the key component installed on a user's computer for accessing system 400 and carrying out the secure communication method. Each endpoint 412 is itself secure because it resides at the user's premises, so however communication information is stored on the endpoint 412, it cannot threaten the security of the data communication.
The so-called "distributed" transport layer 406 consists of a number of transport servers 414 and lies between the management layer 404 and the endpoints 412. This layer 406 is invisible to users and administrators; it is the basic building block of system 400 and carries two types of communication, namely the address and state determination communication and the actual point-to-point data communication. Endpoints 412 and the management layer 404 can only communicate through the transport servers 414 that make up the transport layer 406. This approach has the advantages of simplicity and scalability.
Fig. 11 now describes the management layer 404 in detail. In the embodiment shown in Fig. 11, the management layer 404 has a hierarchical tree structure that effectively manages control of system 400. The distributed nature of the management layer is shown in Fig. 11: at the top of the hierarchy is the Amteus global management node 416, which sits alone at the centre. Below it are client management nodes 418, of which only one is shown in Fig. 11. Such a node can be located on a computer at a company, government body or similar (not shown), which often wish to control communication between their registered users. As shown in Fig. 11, the client management node 418 is operated by a client at a location the client specifies.
The next layer 420 down in this hierarchy consists of regional management nodes 422 that manage particular clients; three are shown in Fig. 11. These regional management nodes 422 connect to the endpoints 412 (EP1 to EP3) through the distributed transport layer 406 (indicated only by dashed lines). This lowest layer 420 of the management layer is arranged by geographic region and plays an important role in several respects, such as the load balancing described below. Also in this embodiment there is an endpoint EP4 412 that is managed directly by the Amteus global management node 416 through the transport layer 406.
The operation of the management layer 404 is described below with reference to an embodiment. Each user, represented as an endpoint 412, is registered on a management node 416, 418, 422, usually on that user's regional management node 422. The registration information is passed upward through the multi-level management tree, so that every management node 418 and 416 on the higher levels also obtains the registration details. The registration information stored on management nodes 418 and 416 comprises all the user details collected during registration and the current operating state of the endpoint 412. The decision whether point-to-point communication between endpoints 412 is permitted is made at the lowest level of the hierarchy that stores the registration details of both communicating users. Changes in the state information of these endpoints 412 are then sent to the management nodes on the higher levels.
EPs (endpoints) 412 are typically telephone and/or email users. In the embodiment shown in Fig. 11, EP1 412 is located in the client's London office. Its details are stored on the London regional management node 422 and on all management nodes 416 and 418 above it. EP2 and EP3 412 are located in the client's Athens office; their details are stored on the Athens regional management node 422 and on all management nodes 416 and 418 above it. EP4 412 is an Amteus private user known only to Amteus, so EP4 412 is registered only on the Amteus global management node 416.
If EP2 412 wishes to communicate with EP3 412, the Athens regional management node 422 recognises both end users 412 wishing to communicate, so the request is handled in Athens by the Athens management node 422. For purposes such as record keeping, the details are sent to the higher-level management nodes 416 and 418, but those higher-level nodes 416 and 418 take no part in establishing the desired communication channel.
If EP1 412 wishes to communicate with EP2 412, it sends a request to its local management node 422 in London. The London regional management node 422 cannot recognise EP2 412, so it changes the state of EP1 to call setup and passes the request up the hierarchical tree to the client management node 418.
The client management node 418 recognises both parties to the call, so it can handle the call setup. This management node knows whether EP2 412 is busy, because it holds the latest state information; however, although this is unlikely, that state information may be out of date, as described below. If the client management node 418 determines that EP2 412 is busy, it notifies the London regional management node 422, which notifies EP1 412, and the call setup request fails.
Otherwise, the client management node 418 also marks the state of EP1 as "call setup" and sends the request down to the Athens regional management node 422. The Athens regional management node 422 may know that EP2 412 is busy (that is, the state information on the client management node 418 really was out of date). In that case it returns a "busy" failure code to the client management node 418, which, as described above, cancels the communication channel setup request.
Otherwise, the Athens regional management node 422 forwards the call request to EP2 412. EP2 412 decides whether to answer the call and returns an appropriate response to EP1 412 along the original path.
If EP1 412 wishes to communicate with EP4 412, the process is similar to the above. In this case the initial request is passed all the way up, through its regional management node 422 and the client node 418, to the Amteus global management node 416. The Amteus global management node 416 then communicates directly with EP4 412 to establish the connection.
It should be appreciated that the term "local" used above refers to a location within the geographic area served by the server. More strictly, however, the term only means that there is a relatively direct connection between a server and an endpoint, and that the endpoint is registered on that server, which makes the endpoint local to that server.
In Fig. 12, the transport layer 406 of the hierarchy 402 of Fig. 10 is formed by transport servers 414 interconnected in this hierarchical tree structure. Each transport server 414 is responsible for communication from one location (endpoint) 412 to another, and messages are not stored along this path. At the top of the hierarchical tree is the master transport server 424, which connects to the Amteus global management node 410 at the top of the management hierarchy. A hot standby transport server 426 is also provided as a backup in case the master transport server 424 fails. As shown, the three regional transport servers 1, 2 and 3 428 on the next layer 430 down the hierarchy are connected to the master transport server 424, and endpoints 1.1, 1.2, 2.1 and 3.1 412 are connected below these regional transport servers 428.
The transport layer 406 described above is a dynamic structure: its layout is not predetermined, but the transport servers 414 are joined together by defining and applying a set of rules, so that the network is built dynamically. In addition, the management layer 404, which Fig. 10 separates into another layer by function, is in fact located within the transport server layer 406 and is used to set up point-to-point communication. Finally, the network also has a built-in security overlay to improve network security. In this embodiment the security overlay is implemented as one functional rule applying to all nodes in the network, namely: a node is not entitled to communicate with an endpoint 412 unless it can recognise that endpoint 412. If the node itself cannot recognise the identity of the endpoint 412 it wants to communicate with, it passes the communication request up the hierarchical tree.
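The call setup walk through the management tree of Fig. 11 (registration propagated upward, decision at the lowest node that knows both parties, a regional node overriding a stale "busy" state) and the security overlay rule just stated can be modelled together. The following is an added example, not code from the patent: node names, endpoint IDs and the "idle", "busy" and "call_setup" state strings are constructed, and a node that is asked to act for an endpoint it does not recognise rejects the request outright, which is how this example applies the overlay rule.

```python
"""Added example (not the patent's code): the management-layer call setup of
Fig. 11 together with the security overlay rule.  Node names, endpoint IDs and
state strings are constructed."""
from typing import Dict, List, Optional


class ManagementNode:
    def __init__(self, name: str, parent: Optional["ManagementNode"] = None):
        self.name = name
        self.parent = parent
        self.state: Dict[str, str] = {}               # endpoint -> "idle" | "busy" | "call_setup"
        self.home: Dict[str, "ManagementNode"] = {}   # endpoint -> node it registered on

    def register(self, endpoint: str) -> None:
        """Registration details propagate from this node up to the global node."""
        node: Optional[ManagementNode] = self
        while node is not None:
            node.state[endpoint] = "idle"
            node.home[endpoint] = self
            node = node.parent

    def set_state(self, endpoint: str, state: str, propagate: bool = True) -> None:
        """State changes are issued upward; propagate=False models a not-yet-updated higher level."""
        node: Optional[ManagementNode] = self
        while node is not None:
            node.state[endpoint] = state
            node = node.parent if propagate else None

    def knows(self, endpoint: str) -> bool:
        return endpoint in self.state

    def setup_call(self, caller: str, callee: str, path: Optional[List[str]] = None) -> dict:
        path = (path or []) + [self.name]
        if not self.knows(caller):
            # security overlay: a node may not act for an endpoint it cannot recognise
            return {"result": "rejected", "path": path, "decided_at": self.name}
        if not self.knows(callee):
            if self.parent is None:
                return {"result": "unknown_callee", "path": path, "decided_at": self.name}
            self.set_state(caller, "call_setup", propagate=False)
            return self.parent.setup_call(caller, callee, path)   # pass the request up the tree
        # lowest node that recognises both parties: decide here from the stored state
        if self.state[callee] == "busy":
            return {"result": "busy", "path": path, "decided_at": self.name}
        self.set_state(caller, "call_setup", propagate=False)
        home = self.home[callee]
        if home is not self:
            path = path + [home.name]   # send the request down to the callee's regional node
        if home.state[callee] == "busy":
            # the regional node holds the authoritative state and returns the "busy" failure code
            return {"result": "busy", "path": path, "decided_at": home.name}
        return {"result": "ringing", "path": path, "decided_at": home.name}


def build_tree() -> Dict[str, ManagementNode]:
    global_node = ManagementNode("amteus-global")
    client = ManagementNode("client", global_node)
    london = ManagementNode("london", client)
    athens = ManagementNode("athens", client)
    london.register("EP1")
    athens.register("EP2")
    athens.register("EP3")
    global_node.register("EP4")   # Amteus private user, known only to the global node
    return {"global": global_node, "client": client, "london": london, "athens": athens}


def demo() -> Dict[str, dict]:
    t = build_tree()
    results = {
        "local": t["athens"].setup_call("EP2", "EP3"),
        "cross_region": t["london"].setup_call("EP1", "EP2"),
        "to_amteus": t["london"].setup_call("EP1", "EP4"),
        "overlay_reject": t["athens"].setup_call("EP1", "EP3"),
    }
    # EP2 goes busy in Athens but the update has not yet reached the client node
    t["athens"].set_state("EP2", "busy", propagate=False)
    results["stale_busy"] = t["london"].setup_call("EP1", "EP2")
    return results
```

The returned `path` lists show where each request travelled: EP2 to EP3 never leaves Athens, EP1 to EP2 climbs to the client node and comes back down to Athens, EP1 to EP4 climbs to the global node, and the stale "busy" case is caught by the Athens node even though the client node still believes EP2 is idle.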
In Fig. 13, each transport server 414 has a client link (uplink) 430 to a higher-level transport server 414 and/or a client link 432 to the management (database) server 410 (both are shown in Fig. 13 for simplicity). Note that if the transport server 414 is at the top of the tree, uplink 430 connects to the management database server 410; otherwise it connects to a higher-level transport server 414. At the bottom of the transport server tree are the endpoints 412, as shown in Fig. 12. Each transport server 414 also has a downlink 434, which is a server connection through which lower-level transport servers 414 and endpoints 412 can initiate connections to server 414. On each transport server 414 the uplink 430 is a TCP/IP client and the downlink 434 is a TCP/IP server end.
Each transport server 414 operates in an environment that does not require network address translation. In other words, each transport server 414 has its own public IP address 436, which may be dynamically assigned, and its own transport server ID 438. This information is stored in its local database 440, together with a list 442 of the endpoint IDs connected to this particular transport server 414, connection state information 444 for those endpoints 412, and the permissions of each endpoint 412. Database server 448 reads and updates this information on request. The role of the endpoint (user) information lists stored in database 440 is described below.
Two lists are stored in database 440: one is the list 444 of the user ID codes of the locally registered users currently online, and the other is the list 450 of locally registered endpoint ID codes for which a watch item has been recorded on a locally registered endpoint 412. A watch item is set when a particular endpoint 412 is connected but cannot communicate, for example because it is busy. The watch item monitors the state of the destination endpoint 412, and when that endpoint becomes able to communicate, a trigger mechanism in the watch item starts a notification process. The notification process sends a message to all endpoints 412 and transport servers 414 that have registered an interest in the change of connection state of the desired destination endpoint. In addition, the state change is notified up to the higher levels of the hierarchical network.
Database 440 also stores a set of public keys 451 for the endpoints 412. These keys are used to decrypt encrypted messages from the various endpoints 412, as described in detail below.
Transport server 414 also comprises a locating module 452, used to determine the current geographic position of the transport server 414, and a heartbeat monitor 454, used to check the connections to the various neighbouring transport servers 414 in the hierarchical network. A server control module 456, together with database server 448, manages the operation of all links, modules and the database.
Like the endpoints, the transport servers 414 in this network must be authorised by the management system 404 (shown in Fig. 11). As mentioned above, database 440 stores an entry for each transport server 414, which includes its permissions as a transport server 414 and its user ID.
Locating module 452 determines the position of the transport server 414. This can be done in a number of different ways; one simple approach is to "windowise" locating module 452, so that it can read the current time zone of the system on which it is running.
Using heartbeat monitor 454, every transport server 414 sends a regular heartbeat to its parent transport server 414 (if any). A heartbeat is a signal containing updated information about the connections (load) registered on that transport server, and is used to confirm that a communication link exists between the parent and child transport servers 414. The purpose of heartbeat monitor 454 is to control the load balancing of system 400. Specifically, the heartbeat message contains the current count (usage count) of the number of endpoints 412 registered directly on the originating (regional) transport server 414. On receiving a heartbeat, each (parent) transport server 414 returns a message giving the IP addresses and port list of the downlinks, and the usage counts, of all other transport servers on the same level. Thus (in Fig. 12), after the master transport server 424 receives a heartbeat from a transport server 414, it returns the respective addresses and usage counts of regional transport servers 1 and 3 428.
Figure 14 describes the load balancing process 460 in one embodiment of the invention now.As shown in the figure, when new client (terminal 412 or lower level transmission server 414) when wanting to be connected to transmission server 414, in step 464, this transmission server 414 will be received a request, wherein comprise the heartbeat signal of new client.Subsequently, in step 466, this transmission server 414 reads self the usage count U that is stored 1, and be positioned at same level with it and at least geographically very near the usage count U of other transmission servers 414 of (for example being positioned at same time zone) 2, U 3And U 4In step 468 and 470, this transmission server is with its usage count U subsequently 1Usage count U with other adjacent transmission transmission servers 414 in the same level 2, U 3And U 4Compare.If its usage count U 1Usage count U far above arbitrary opposite end 414 2, U 3And U 4, then send one to above-mentioned new client and reply in step 472, notify it to be connected to current transmission server 414, to carry out point-to-point communication with minimum usage count.In step 474, will disconnect with being connected of current transmission server 414 subsequently, subsequently in step 476, this load balancing process 460 finishes.Under another situation, in step 478, will accept this connection request, and read the user number counting of this client in step 480, add in the local usage count of transmission server 414 at the user number counting of step 482 then client.Subsequently, this load balancing process finishes.
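The heartbeat exchange of Figure 12 and the decision of Figure 14, written out as an added example in Python; this is not code from the patent. The message layouts, the class names, the sample topology and REDIRECT_MARGIN (the value that stands for the text's "far above") are assumptions, since the text fixes none of them.

```python
"""Heartbeat-driven load balancing between transmission servers (TS 414).

Added example modelled on Figures 12 and 14 of the text. Message layouts,
class names and REDIRECT_MARGIN are assumptions not fixed by the text."""
from dataclasses import dataclass, field

# Assumption: U1 must exceed the least-loaded peer's count by more than this
# margin before the new client is redirected (the text only says "far above").
REDIRECT_MARGIN = 10


@dataclass
class TransmissionServer:
    name: str
    address: tuple                                 # (ip, port) the TS listens on
    usage_count: int = 0                           # terminals registered directly here
    children: dict = field(default_factory=dict)   # child name -> TransmissionServer

    def heartbeat(self) -> dict:
        """Regular heartbeat a child sends to its parent: identity and load."""
        return {"from": self.name, "address": self.address,
                "usage_count": self.usage_count}

    def on_heartbeat(self, hb: dict) -> dict:
        """Parent side: refresh the child's recorded load and answer with the
        address/port and usage count of every *other* child on that level."""
        self.children[hb["from"]].usage_count = hb["usage_count"]
        return {"peers": [
            {"name": c.name, "address": c.address, "usage_count": c.usage_count}
            for c in self.children.values() if c.name != hb["from"]]}


def balance_connection(server: TransmissionServer, peers: list,
                       client_usage_count: int, margin: int = REDIRECT_MARGIN):
    """Steps 466-482 of Figure 14 on the TS that received a connection request.

    `peers` is the list the parent returned in the last heartbeat response
    (the U2, U3, U4 of the text). Returns ("REDIRECT", address) when the new
    client is told to connect elsewhere, or ("ACCEPT", new_local_count)."""
    if peers:
        least = min(peers, key=lambda p: p["usage_count"])
        # Steps 470/472: U1 far above a peer -> point the client at the
        # least-loaded peer; this TS keeps its own count unchanged.
        if server.usage_count - least["usage_count"] > margin:
            return ("REDIRECT", least["address"])
    # Steps 478-482: accept and fold the client's own count into ours
    # (a terminal counts 1; a lower-level TS brings its registered terminals).
    server.usage_count += client_usage_count
    return ("ACCEPT", server.usage_count)


def build_sample_level() -> TransmissionServer:
    """Constructed topology: a main TS 424 over three regional TSs 414."""
    parent = TransmissionServer("main", ("10.0.0.1", 5000))
    for name, port, load in (("region1", 5001, 60), ("region2", 5002, 40),
                             ("region3", 5003, 45)):
        parent.children[name] = TransmissionServer(name, ("10.0.0.1", port), load)
    return parent


if __name__ == "__main__":
    parent = build_sample_level()
    r1 = parent.children["region1"]
    peers = parent.on_heartbeat(r1.heartbeat())["peers"]
    print(balance_connection(r1, peers, 1))   # region1 at 60 vs region2 at 40: redirect
```

Only the parent's view of the level is consulted, which is why a stale or missing heartbeat response leaves a server accepting every connection: the text's heartbeats are the only source of U2, U3 and U4.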
The basic principle above can be extended to more sophisticated, better optimised algorithms. For example, after the transmission server 414 receiving a connection request has determined that it can accept the request at its level and geographic position, it can check whether a lower-level transmission server 414 exists that is geographically closer to the new connection and could handle it better. This is more sensible because, if users are connected at the leaves of the transmission-server tree, overall system performance improves. The reason is that most point-to-point communication consists of VoIP data streams, which can consume very large bandwidth but usually occur locally. Hence, if these dominant data streams can be kept at the local transmission-server layer, they do not add to the burden of the whole hierarchical system 406 and do not slow down the system 400.
Every transmission server 414 that accepts a new connection notifies its new child of the address of its parent transmission server. It also notifies its parent transmission server 414 of the new user connection, so that the parent transmission server 414 regards the new user as connected to it.
After a successful connection, the new user 412 can send the following types of message to its transmission server 414:
● Management requests. The transmission server 414 adds its own transport address/port 438 to the request and forwards it to its parent transmission server 414.
● Messages addressed to the connected transmission server 414. These are sent over TCP/IP in the conventional manner and require no special processing.
● Messages addressed to another terminal 412 or to a transmission server 414 other than the parent transmission server 414. Such a message contains the user IDs of the source and destination terminals. The transmission server 414 looks up the destination user ID in its list of currently connected users (terminals). This list is created by checking the list 442 of users registered on this transmission server 414 and the states 444 of those terminals. If the user is found, the message can be forwarded to that user via one or more lower-level transmission servers 414. If the user is not found, the message is forwarded to the parent transmission server 414 of this transmission server. If the top of the transmission-server tree 424 is reached without finding the destination terminal, a failure message is sent to the source terminal; this is done by sending a response message from the top of the tree to the user ID that originated the message. Checking the data stored at each transmission server's parent 414 relies on the following fact: every user's registration information is passed up the hierarchical tree to the parent of each node, so the top of the hierarchical tree knows every connection. Therefore, if the user to be reached cannot be found at the top of the tree 424, that user is not registered on this network.
It should be appreciated that if a terminal 412 loses the connection to its direct parent transmission server 414, it attempts to connect to its grandparent transmission server 414. That grandparent transmission server 414 can then find an alternative connection at the original level.
At the terminal layer 408 of the hierarchical network 402 in Figure 10, each terminal 412 has one client TCP/IP connection to its parent transmission server 414. This connection is also used to reach higher-level transmission servers 414 and the management servers 410 and 404.
Each terminal 412 provides the user with a communication interface (not shown) for carrying out, for example, VoIP communication. In the present embodiment each terminal 412 also uses a so-called media engine (not shown). The media engine includes a microphone, loudspeaker and headphones, an audio player and recorder, and a video player and recorder. It also uses a digital signal processing module for converting audio files between different waveform formats and for clipping, amplifying and mixing them. The media engine is not described further, because its functions are commonplace to a person skilled in the art and no explanation of how to build it is needed.
Figures 15 and 16 describe how the system 400 above is used to establish a point-to-point connection. Method 500 is a process divided into two stages: the first stage (described in Figure 15) determines whether the desired point-to-point connection between the specified terminals 412 can be established; the second stage (described in Figure 16) establishes the point-to-point connection between the source terminal 412 and the destination terminal 412. Once the point-to-point connection is established, standard Internet communication protocols can be used for direct two-way communication in a secure fashion between the source terminal 412 and the destination terminal 412; in the present embodiment this is done over a dedicated UDP channel 372. The first and second stages are described below.
Point-to-point (P2P) connections can be established between terminals 412. In the present embodiment such a connection is used to send audio, e-mail and other forms of communication.
When one end user decides to dial a VoIP call to another end user, a new P2P connection must be established from, for example, terminal 412. At this stage the originating end (source) of the connection knows only the network address (target user ID) of the destination it needs to communicate with; it does not yet know the target user's state, that is, whether the target user is online, busy and so on (from its address book it may know that the target user was recently online, but it cannot determine the target user's current state).
The method 500 of Figure 15, which implements the first stage, begins at step 502, where the source user 412 sends a request to its transmission server 414 whose content is "I (user S) wish to communicate with user D". The transmission server 414 searches the tables 442 and 444 that record the connected users 412, and then in step 506 determines whether user D was found. If a connection to user D 412 is found, step 508 checks whether user D 412 is currently available. If not, a "failure - busy" response message is returned in step 510 and, preferably, a watch item is set for user D in step 512; finally, in step 514, user S retries the connection after waiting a predetermined time slice, and/or waits for a command indicating that the aforementioned watch item on the current transmission server has been triggered, showing that user D has become available. If, on the other hand, user D is judged currently available in step 508, then in step 516 the transmission server 414 changes the states of both user S and user D to "call being established". Then, in step 518, the transmission server 414 can forward the request to user D via other transmission servers 414 located on lower levels. At this point, in step 520, user D is considered found and connected, and the process 500 continues as described below in conjunction with Figure 16.
If the state of user D later changes, indicating that it is now able to communicate, user D's local transmission server 414 is notified and the watch item set for user S is triggered. Then, in step 514, user S can be notified that user D is available, and the first stage restarts through the steps above. Alternatively, separately or in combination with this, in step 514 user S waits a predefined time slice and then begins the process 500 again as in Figure 15.
If it is determined at step 506 that user D is not connected to this transmission server (TS) at that time, step 522 checks whether a parent transmission server 414 exists. If so, in step 524 the request is forwarded to the parent TS 414. Thus, in step 526, that parent transmission server 414 is treated as the current transmission server, the process continues, and the current transmission server 414 searches its list of registered terminal users 412 in step 504. If step 522 finds that there is no parent TS 414, then in step 528 the transmission server sends a response message to the terminal indicating connection failure, and in step 530 the process ends.
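The hierarchical lookup used both for message routing (registrations passed up the tree, forwarding to the parent when a user is not found locally, failure at the top of the tree 424) and for the first stage of call setup in Figure 15, as an added Python example that is not the patent's code. The tree, state names and result strings follow the text; the class names, the sample servers and users, and the in-memory watch list are constructed assumptions.

```python
"""Hierarchical lookup of a destination terminal and the first stage of call
setup (Figure 15). Added example, not the patent's code; names and sample
data are constructed."""
from dataclasses import dataclass, field
from typing import Optional

AVAILABLE, BUSY, CALL_ESTABLISHING = "available", "busy", "call being established"


@dataclass
class TS:
    """A transmission server 414. `registered` (list 442) knows every user
    below this node, because registrations are passed up to each parent;
    `direct` are the terminals attached to this very server; `state` is 444."""
    name: str
    parent: Optional["TS"] = None
    children: list = field(default_factory=list)
    direct: set = field(default_factory=set)
    registered: dict = field(default_factory=dict)  # user -> child TS, or None if direct
    state: dict = field(default_factory=dict)       # user -> state (444)
    watches: dict = field(default_factory=dict)     # watched user -> set of waiting users

    def add_child(self, child: "TS") -> "TS":
        child.parent = self
        self.children.append(child)
        return child

    def register(self, user: str, state: str = AVAILABLE) -> None:
        """Terminal 412 registers here; the fact propagates to every ancestor."""
        self.direct.add(user)
        self.state[user] = state
        node, via = self, None
        while node is not None:
            node.registered[user] = via
            node, via = node.parent, node

    def owner_of(self, user: str) -> Optional["TS"]:
        """Walk down to the TS the user is directly attached to, or None."""
        node = self
        while node is not None and user in node.registered:
            nxt = node.registered[user]
            if nxt is None:
                return node
            node = nxt
        return None


def locate(ts: TS, user: str):
    """Steps 504-526: search here (and below), else forward to the parent,
    until the top of the tree 424. Returns (owning TS or None, servers consulted)."""
    path, node = [], ts
    while node is not None:
        path.append(node.name)
        owner = node.owner_of(user)
        if owner is not None:
            return owner, path
        node = node.parent              # steps 522/524: forward upwards
    return None, path                   # step 528: no parent left, failure


def call_request(source_ts: TS, user_s: str, user_d: str):
    """Figure 15, first stage, for 'I (user S) wish to communicate with user D'."""
    owner, path = locate(source_ts, user_d)
    if owner is None:
        return "connection failed", path
    if owner.state.get(user_d) != AVAILABLE:
        owner.watches.setdefault(user_d, set()).add(user_s)   # step 512: watch item
        return "failure - busy", path
    source_ts.state[user_s] = CALL_ESTABLISHING                # step 516, both sides
    owner.state[user_d] = CALL_ESTABLISHING
    return CALL_ESTABLISHING, path


def state_changed(owner: TS, user: str, new_state: str) -> set:
    """Step 514 trigger: when a watched user becomes available, return the
    waiting users that should retry and clear the watch item."""
    owner.state[user] = new_state
    return owner.watches.pop(user, set()) if new_state == AVAILABLE else set()


def build_sample_tree():
    """Constructed tree: main TS 424 over two regional servers, three users."""
    main = TS("main")
    east, west = main.add_child(TS("east")), main.add_child(TS("west"))
    east.register("S")
    west.register("D")
    west.register("E", BUSY)
    return main, east, west
```

A request from "S" for "D" is not found at "east", goes up to "main", and is resolved downwards to "west"; a request for a user nobody registered exhausts the path at "main" and fails, which is exactly the property the text relies on when it says the top of the tree knows all connections.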
The way a higher-level transmission server 414 processes a call request it receives is similar to the above; the only difference is that when the user is not connected it returns a failure message rather than sending the request back to its sender.
Figure 16 describes the second stage of the communication process 500. Once user D has been reached, user D must give its current IP address and port number to user S so that a direct connection can be established for point-to-point communication. Therefore, if user D is still online and available after receiving the call from user S, it changes its state to "call setup" in step 532. In step 534 user D then sends a RINGING1 message to its parent transmission server (always a transmission server 414). The RINGING1 message also contains the user ID of the call initiator (user S), so that the transmission server 414 can send it back using the same mechanism it used to handle the call request.
After receiving the RINGING1 message in step 536, the transmission server 414 first creates a UDP (User Datagram Protocol) channel 372 in step 536. In step 540 the transmission server 414 creates a RINGING2 message containing the external IP address and port number of this UDP channel, and in step 540 sends this message to end user D and to the call initiator, end user S, at the same time. The RINGING2 message also contains the user ID of the transmission server 414 that received the RINGING1 message; this will be used to set up the point-to-point communication.
It should be appreciated that a transmission server 414 never sends a RINGING1 message. Hence a RINGING1 message received at a transmission server should always come directly from a terminal 412.
In step 542 the terminals 412 receive the RINGING2 message, and in step 544 each terminal checks that it is in the call-setup state. If it is not in that state, in step 546 it resets its peer for this call and in step 530 the process 500 ends. Otherwise, in step 548 each terminal 412 sets up a UDP channel and in step 550 begins sending messages periodically to the port specified in the RINGING2 message, which belongs to the transmission server 414 nearest to the callee. Unless ordinary network errors occur, most of these messages arrive normally.
When the transmission server 414 nearest to user D receives a UDP message from each terminal 412, in step 552 it extracts from the message the network address (which may have been changed, as described later) and port number of each terminal's UDP channel 372. The transmission server 414 can then send a response message (not shown) to each terminal's UDP channel 372 containing the UDP network address and port number of the other terminal's UDP channel; these messages are received even if a firewall is installed at each end. (The firewall policy at the ends usually lets these messages through, because the communication with the transmission server was initiated by the terminal.)
Having received packets from both terminals, the transmission server 414 knows how the UDP port numbers of these terminals are addressed from outside. Then, in step 554, the transmission server 414 sends a TALKDIRECT message to each terminal 412, telling each the address of the other. After receiving these UDP addresses in step 556, the source terminal 412 sets up a direct UDP communication channel 372 to the destination terminal in step 556; thereafter the terminals 412 can communicate with each other, and in step 530 the process 500 ends.
In most cases the process above readily establishes this direct communication. However, if the ends use network address translators (NAT) in combination with certain firewall policies, the process above runs into problems. In many cases these problems can be resolved by the methods described with reference to Figures 9a to 9i of the first embodiment.
A method applicable to both the first and second embodiments is also described in detail below, together with a mechanism for dealing with the various combinations of the NATs 352 and 358.
Network address translators (NAT) 352 and 358 can be summarised as two types of translation function: symmetric and asymmetric. A symmetric NAT uses the same Internet address and port combination regardless of the destination of the packet, whereas an asymmetric NAT uses different Internet address/port combinations for different destinations. The reason for doing so is not entirely clear, but it is generally believed to rest on the view that it is preferable to intercept packets from unknown source ends.
Some thoughts on whether these NATs are necessary are listed below:
1. When NAT is not used, the recipient can see where each packet comes from and can, if desired, easily reject packets from unknown source ends;
2. IP addresses and ports in Internet packets are easy to forge. In many cases this strict NAT policy cannot prevent hacker intrusion either.
Firewalls can also cause problems when establishing point-to-point communication. A common firewall policy applies a rule of the form "do not speak unless spoken to". If A and B want to talk to each other, one of A or B must speak first and the other then replies. But if A speaks first and B is behind a firewall, B cannot receive the packet A sent until B has itself sent a message to A.
Moderately strict firewall behaviour requires the rule above to be installed. In fact, many firewalls interpret the rule as "never listen to anyone who spoke before I spoke to him". When attempting to create a point-to-point communication channel, this behaviour causes serious problems.
Several procedures introduced in the embodiments above can resolve these situations. First, it should be appreciated that when communicating with a new destination, an asymmetric NAT does not usually open an arbitrary port; it usually opens the initial port + 1 (or 2, 3 and so on, depending on how many communications have taken place between the first and the second). In the present invention, when an asymmetric NAT is encountered, this possibility is overcome by using several consecutive ports following the port address contained in the RINGING2 message.
Some manufacturers point out that some firewalls/NATs provide a uPnP (Universal Plug and Play) interface through which the activity of the firewall/NAT can be queried and its security restrictions revised. An embodiment of the invention includes a uPnP interface (not shown) installed on the transmission server 414.
In some cases, owing to harsh firewall policies or because both sides are behind asymmetric NATs 352 and 358, a direct point-to-point connection is unlikely to be achieved. In this case the invention can forward messages through the local transmission server 414 acting as a trusted intermediary. This resolves the unknown-sender problem, because the local transmission server 414 is always known to the local asymmetric NATs 352 and 358, so even the harshest firewall rules cannot block this indirect, pseudo point-to-point communication. Moreover, because the packets are relayed by the transmission server 414 as a trusted intermediary, which analyses them only minimally and does not store them, the possible impact of this indirect communication channel on security is also reduced to a minimum.
In the case where a (very harsh) firewall intercepts the initiation, the invention establishes true point-to-point communication in one direction and forwards through the local transmission server in the other. This variation is worthwhile because it reduces the impact on security. For example, when transferring e-mail, it is very useful to send the e-mail directly and return the acknowledgement by forwarding.
A method by which the system 10 automatically discovers asymmetric NATs 352 and 358 or harsh firewalls in the path is described below. At a high level, once the local transmission server 414 knows the UDP port addresses of both terminals 412, as described above in conjunction with Figure 16, the local transmission server 414 sends a TALKDIRECT message to both terminals, telling each the address of its peer. One terminal 412 attempts direct communication and sets a timer (not shown). If packets are received directly, the transmission server 414 is notified that the connection is usable, and the timer is cancelled and not used again. If, however, the timer fires (that is, the predefined time slice has been exceeded) without any packet having been received, a TALKTHROUGH message is sent to the transmission server 414, indicating that communication to the target destination terminal 412 should thereafter be sent directly to the home server 414 and then on to the remote terminal 412. Messages are then relayed by the transmission server 414 local to the intended terminal 412.
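The second stage of Figure 16 (RINGING1, RINGING2, UDP probes, TALKDIRECT) followed by the timer and TALKTHROUGH fallback just described, simulated in memory as an added Python example; this is not the patent's code. The firewall policies "open", "strict" and "harsh" are constructed models of the two firewall behaviours the text describes ("do not speak unless spoken to" and "never listen to anyone who spoke first"), and the class names, sample addresses and the timer length are assumptions.

```python
"""Figure 16 call setup with the TALKDIRECT / TALKTHROUGH fallback.

Added example, not the patent's code. UDP delivery is simulated; the firewall
policies, class names, sample addresses and timer length are assumptions."""
from dataclasses import dataclass, field


@dataclass
class Terminal:
    user_id: str
    external: tuple                 # address/port of its UDP channel 372 as seen outside its NAT
    policy: str = "open"            # firewall in front of it: "open" | "strict" | "harsh"
    contacted: set = field(default_factory=set)   # peers this terminal has sent to
    blocked: set = field(default_factory=set)     # peers a harsh firewall refuses for good
    peer_address: tuple = None
    talk_mode: str = None           # "direct" or "through" once decided

    def accept(self, src: tuple) -> bool:
        """Does the firewall deliver a packet from `src` to this terminal?
        strict: only after we have spoken to src; harsh: additionally, a src
        that spoke before we did is never listened to again."""
        if self.policy == "open" or (src in self.contacted and src not in self.blocked):
            return True
        if self.policy == "harsh":
            self.blocked.add(src)
        return False

    def send(self, peer: "Terminal") -> bool:
        """Send one UDP packet to the peer; True if the peer's firewall let it in."""
        self.contacted.add(peer.external)
        return peer.accept(self.external)


class TransmissionServer:
    """TS 414 nearest to the callee: learns each end's external UDP address
    from the probes of steps 550/552 and hands them out in TALKDIRECT (554)."""
    def __init__(self, udp_address: tuple):
        self.udp_address = udp_address
        self.seen = {}        # user_id -> externally observed address
        self.relayed = set()  # user_ids whose traffic it forwards (pseudo point-to-point)

    def on_ringing1(self, callee: str, caller: str) -> dict:
        """Steps 536-540: open the UDP channel 372 and answer RINGING2 to both ends."""
        return {"type": "RINGING2", "udp": self.udp_address, "to": [callee, caller]}

    def on_udp_probe(self, t: Terminal) -> None:
        self.seen[t.user_id] = t.external           # step 552

    def talkdirect(self, a: Terminal, b: Terminal) -> dict:
        a.peer_address, b.peer_address = self.seen[b.user_id], self.seen[a.user_id]
        return {"type": "TALKDIRECT", a.user_id: a.peer_address, b.user_id: b.peer_address}

    def on_talkthrough(self, t: Terminal) -> None:
        self.relayed.add(t.user_id)                 # media for this end now goes via the TS


def negotiate(ts: TransmissionServer, a: Terminal, b: Terminal, timer_ticks: int = 3) -> str:
    """Run Figure 16, then try the direct path once per tick until the timer
    fires. Success needs a packet to arrive one way and be answered the other
    way; otherwise TALKTHROUGH is sent and the TS relays both ends."""
    ts.on_ringing1(b.user_id, a.user_id)
    ts.on_udp_probe(a)
    ts.on_udp_probe(b)
    ts.talkdirect(a, b)
    for _ in range(timer_ticks):
        if (a.send(b) and b.send(a)) or (b.send(a) and a.send(b)):
            a.talk_mode = b.talk_mode = "direct"
            return "direct"
    ts.on_talkthrough(a)
    ts.on_talkthrough(b)
    a.talk_mode = b.talk_mode = "through"
    return "through"
```

Two "strict" ends still reach a direct path, because each end's first outgoing packet opens its own firewall for the reply; one "harsh" end never does, since it blacklists the peer that spoke first, and the timer is the only thing that detects this.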
The system 10 begins establishing the point-to-point connection before the callee accepts the call. If the call is not accepted, the point-to-point connection is closed immediately. Only after the call is accepted does the system 10 begin the following process, in which the timeout/TALKTHROUGH method is carried out; this method can cause a long delay in setting up the voice link. This situation also arises for most calls and e-mails, which are received just after the user logs in.
The third embodiment of the invention is now described in conjunction with Figures 17 to 20. The third embodiment is very similar to the second, differing only in some security-related matters. Specifically, as described below, the third embodiment replaces the credentials 446 stored on each node with a stronger security system.
Insecure communication systems of the prior art cannot be used, because they introduce harmful users among the registered users. It is well known that insecure products have an inherent defect with respect to the number of users: the more users a system has, the more useful its user information becomes, so intruders are attracted and the system harms itself by being "welcoming". This resembles negative feedback in a control system.
The third embodiment establishes precautions from the very start to narrow the scope of this effect. Intruders can never be removed entirely from the system 10, but effective security measures can be built so that their presence no longer threatens the system 10 and its registered users. It should be appreciated that the idea of designing a system that removes intruders completely would ultimately drive its designer to collapse.
The security requirements of the third embodiment are listed below:
Requirement 1: a node must be authenticated by the system 10.
Requirement 2: communication on the link from a node to a TS must be kept confidential.
Requirement 3: clients must authenticate each other (mutual authentication).
Requirement 4: communication on client-to-client connections must be kept confidential.
Satisfying security requirements 1 & 2:
Many of the terms used below come from RFC 1510, the Kerberos authentication system. Kerberos is an authentication mechanism used to verify the identities of users and hosts, and it is also the preferred authentication method in Microsoft Windows Server 2003. The Kerberos authentication protocol provides a mechanism for mutual authentication between a client and a server, or between one server and another, before a connection between the two parties is opened. The protocol assumes that the initial transactions between client and server take place over an insecure communication network. Such an insecure environment includes, for example, the Internet, where an intruder can easily impersonate a client or a server and eavesdrop on or manipulate the communication between legitimate clients and servers.
Kerberos relies heavily on authentication techniques based on a shared secret. The basic notion is very simple: if a secret is known only to two people, either of them can verify the identity of the other by confirming that the other knows the secret. Passwords are kept confidential by encrypting them with a key. Unlike a shared password, what the two communicating parties share is an encryption key, which they use to verify each other's identity. For this technique to work, the shared key must be symmetric, that is, the same key is used for encryption and decryption. One party proves that it knows the key by encrypting information with it, and the other proves that it has the key by decrypting.
This basic principle can be realised concretely by means of an authenticator. A simple protocol using a key for verification begins with someone outside the communication process who wants to join it. To be admitted, this person presents an authenticator, which takes the form of a piece of information encrypted with the secret key. Each time the protocol is run, the information in the authenticator must be different; otherwise anyone who happened to eavesdrop on the communication could reuse an old authenticator.
On receiving the authenticator, the doorkeeper decrypts it and can see whether the decryption succeeded, thereby learning its contents. If it succeeds, the doorkeeper knows that the person presenting the authenticator has the correct key. Only two people have the correct key, and the doorkeeper is one of them, so the person presenting the authenticator must be the other.
If the person outside wants mutual verification, the same protocol can be run in reverse with only a small difference. The doorkeeper extracts part of the information from the original authenticator, encrypts it into a new authenticator and hands the new authenticator to the person outside. That person can then decrypt the doorkeeper's authenticator and compare the result with the original contents. If the two match, the person outside knows that the doorkeeper was able to decrypt the original and so must have the correct key.
Figure 17 shows how the Kerberos technique is used in the present invention. A server 602, a client 604 and a KDC 606 are used. The client 604 wishes to connect to the server 602, so it first applies to the key distribution centre (KDC) 606 for a ticket with which to establish a valid connection to the server 602. This ticket is used to authenticate the client 604 to the server 602, the former having been authenticated by the system 600.
The following abbreviations are used in the detailed description of the security method of the third embodiment of the invention given below with reference to Figures 18 and 19:
TS = transmission server 414.
NODE = the combination of a client and a TS; it sometimes denotes the client and at other times the TS, according to the specific role played when it is described as NODE 608. The name of the other part is omitted, but its corresponding function remains available.
AS = authentication server 610.
KEY = the key value generated from the password assigned to NODE 608.
TGS = ticket granting server 612.
REALM 614 = the group of NODEs 608 sharing an AS 610.
First, assume that an authentication server 610 associated with a specific REALM 614 containing a number of NODEs 608 is available. The AS 610 stores in its local database 616 the equivalent of the {user name, password} doublet of each registered NODE 608. Second, assume that (as shown in Figure 19) a client at NODE_A 608 who wishes to connect to the network has registered, through an Internet browser 618, with the web page server 620 connected to the KDC 610, and has obtained the user name "user A" 622 and password "pwdA" 624.
The basic mechanism of this process is described below using the following abbreviations:
NODE_A = the NODE 608 with user name A.
TGT_A = the ticket-granting ticket 626 issued to NODE_A.
S_A = the session key 628 between the AS 610 and NODE_A 608.
K_AB = the shared key 630 between NODE_A and NODE_B.
TICKET_AB = the ticket 632 permitting NODE_A to access NODE_B.
{X}K_Y = the value X encrypted with key K_Y.
Referring to Figures 18 and 19, the authentication process begins when NODE_A starts up and authenticates itself to the system 600, in detail as follows:
1. NODE_A 608 connects to a TS 414 and sends an AS_REQ message 634 to the AS 610 associated with its REALM 614 (this message is usually passed up the hierarchical network until a TS 414 connected to the AS 610 is found).
2. The AS 610 generates a session key S_A 628 and replies with an AS_RESP message 636 containing TGT_A 626 and S_A 628, both encrypted with pwdA 624.
To further improve the security of the authentication, the AS 610 can also reply with an encrypted TIMESTAMP (not shown). This assumes that the AS 610 receives a reliable time source over the Network Time Protocol (NTP) or a simple NTP connection, and that NODE 608 and the AS are synchronised in time when the system 600 performs authentication. NODE 608 must associate the TIMESTAMP provided by the AS with its current Win32 tick count, and compute its new current time whenever it needs to generate its own TIMESTAMP value.
Once NODE_A 608 has been authenticated, it is assumed that it receives from the network the name of the TS 414 to which it must link in order to join the network (that is, to be able to set up and receive VoIP calls); this target TS 414 is called NODE_B 608. With timestamps in use, the subsequent steps are as follows:
1. NODE_A sends a TGS_REQ message 638 to the AS 610 containing TGT_A 626 and the name of NODE_B 608.
2. The AS 610 replies with a TGS_RESP message 640 containing K_AB 630 (encrypted with S_A 628) and TICKET_AB 632.
3. NODE_A 608 extracts the value of K_AB 630, computes the current TIMESTAMP value and generates its authenticator {TIMESTAMP}K_AB for NODE_B 608. NODE_A 608 then sends an AP_REQ message 642 to NODE_B 608 containing {TIMESTAMP}K_AB and TICKET_AB 632.
4. For NODE_A 608 to be allowed to connect to NODE_B 608, NODE_B must decrypt TICKET_AB 632, extract K_AB 630 and then decrypt {TIMESTAMP}K_AB to check the TIMESTAMP. Assuming this completes successfully, NODE_B 608 replies with an AP_RESP message 644 containing {TIMESTAMP+1}K_AB, which authenticates NODE_A 608 to NODE_B 608.
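The AS_REQ/AS_RESP, TGS_REQ/TGS_RESP and AP_REQ/AP_RESP exchange above, with timestamps, as an added Python example; this is not the patent's code. The message sequence and the names S_A, K_AB, TGT_A and TICKET_AB follow the text, whereas the toy authenticated cipher standing in for {X}K_Y, the clock-skew window SKEW and the sample realm are constructed assumptions (a deployment would use a vetted cipher such as AES-GCM).

```python
"""Kerberos-style authentication of NODE_A to the network (steps 1-4 with
timestamps). Added example, not the patent's code; the toy cipher, SKEW and
the sample realm are assumptions."""
import hashlib
import hmac
import json
import os
import secrets

SKEW = 300  # assumption: seconds of clock difference a NODE and the AS tolerate


def kdf(password: str) -> bytes:
    """KEY: key value derived from the password assigned to a NODE."""
    return hashlib.sha256(("node-key:" + password).encode()).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    return b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
                    for i in range(length // 32 + 1))[:length]


def enc(key: bytes, obj) -> dict:
    """{X}K_Y as a toy encrypt-then-MAC construction (SHA-256 keystream XOR
    plaintext, HMAC-SHA256 tag). Illustrative only, not for production use."""
    pt = json.dumps(obj, sort_keys=True).encode()
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(pt, _keystream(key, nonce, len(pt))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return {"n": nonce.hex(), "c": ct.hex(), "t": tag.hex()}


def dec(key: bytes, blob: dict):
    """Inverse of enc(); raises ValueError on a wrong key or a tampered blob."""
    nonce, ct = bytes.fromhex(blob["n"]), bytes.fromhex(blob["c"])
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, bytes.fromhex(blob["t"])):
        raise ValueError("bad tag: wrong key or tampered message")
    return json.loads(bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct)))))


class AuthenticationServer:
    """AS 610 (also acting as TGS 612) for one REALM 614. The database 616
    holds the {user name, password} doublet of every registered NODE."""
    def __init__(self, db: dict):
        self.keys = {name: kdf(pw) for name, pw in db.items()}
        self.tgt_key = secrets.token_bytes(32)  # seals TGTs; known only to the AS

    def as_req(self, node: str, now: int) -> dict:
        """Step 2: AS_RESP with TGT_A, S_A and a TIMESTAMP under the node's key."""
        s_a = secrets.token_bytes(32)
        tgt = enc(self.tgt_key, {"node": node, "s": s_a.hex()})
        return enc(self.keys[node], {"tgt": tgt, "s": s_a.hex(), "ts": now})

    def tgs_req(self, tgt: dict, target: str) -> dict:
        """Second phase, step 2: K_AB under S_A, TICKET_AB under the target's key."""
        inner = dec(self.tgt_key, tgt)  # only the AS can open the TGT
        k_ab = secrets.token_bytes(32)
        ticket = enc(self.keys[target], {"node": inner["node"], "k": k_ab.hex()})
        return {"k": enc(bytes.fromhex(inner["s"]), {"k": k_ab.hex()}), "ticket": ticket}


def node_b_on_ap_req(key_b: bytes, ap_req: dict, now: int) -> dict:
    """Step 4 on NODE_B: open TICKET_AB, recover K_AB, check the authenticator
    TIMESTAMP and answer AP_RESP = {TIMESTAMP+1}K_AB."""
    k_ab = bytes.fromhex(dec(key_b, ap_req["ticket"])["k"])
    ts = dec(k_ab, ap_req["auth"])["ts"]
    if abs(ts - now) > SKEW:
        raise ValueError("authenticator TIMESTAMP outside the allowed window")
    return enc(k_ab, {"ts": ts + 1})


def authenticate(as_server, node_a: str, pwd_a: str, node_b: str, key_b: bytes, now: int) -> bool:
    """NODE_A's side of the full exchange; True when AP_RESP carries TIMESTAMP+1."""
    key_a = kdf(pwd_a)
    resp = dec(key_a, as_server.as_req(node_a, now))       # AS_REQ 634 / AS_RESP 636
    if abs(resp["ts"] - now) > SKEW:
        raise ValueError("AS TIMESTAMP outside the allowed window")
    tgs = as_server.tgs_req(resp["tgt"], node_b)           # TGS_REQ 638 / TGS_RESP 640
    k_ab = bytes.fromhex(dec(bytes.fromhex(resp["s"]), tgs["k"])["k"])
    ap_req = {"auth": enc(k_ab, {"ts": now}), "ticket": tgs["ticket"]}  # AP_REQ 642
    ap_resp = node_b_on_ap_req(key_b, ap_req, now)         # AP_RESP 644
    return dec(k_ab, ap_resp)["ts"] == now + 1


def demo() -> tuple:
    """Constructed realm: 'user A' with password 'pwdA' joining through TS 'ts1'."""
    as_srv = AuthenticationServer({"user A": "pwdA", "ts1": "ts1-secret"})
    now = 1_700_000_000
    ok = authenticate(as_srv, "user A", "pwdA", "ts1", kdf("ts1-secret"), now)
    try:
        authenticate(as_srv, "user A", "not-pwdA", "ts1", kdf("ts1-secret"), now)
        rejected = False
    except ValueError:
        rejected = True
    return ok, rejected
```

The password never crosses the network: a wrong pwdA fails at the first decryption of AS_RESP, the TS only ever sees TICKET_AB sealed under its own key, and the TIMESTAMP window is what keeps a captured authenticator from being replayed later.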
Without the timestamp technique, the process above is clear to a person skilled in the art, and the execution of the above steps without timestamps is therefore not described in detail.
At this point NODE_A 608 is connected to the network via NODE_B 608 (in practice, the client 604 on NODE_A is served by the TS 414 on NODE_B 608).
The above is implemented as a suitable subset of the Kerberos authentication system, in which the basic protocol, messages and data structures are reused with some functional differences, so that the new authentication technique of the present embodiment can be applied effectively to the point-to-point communication process described here.
Satisfying security requirements 3 & 4
The following abbreviations are used in the description of this stage of the authentication process:
DH_PK_A = the Diffie-Hellman public key 646 of client A.
DH_SK_A = the Diffie-Hellman private key 648 of client A.
DH_PK_B = the Diffie-Hellman public key 650 of client B.
DH_SK_B = the Diffie-Hellman private key 652 of client B.
K_AC = the shared key 654 shared by NODE_A and NODE_C.
Referring to Figure 19, when client A 604 at NODE_A 608, connected to the network, wishes to call client C 604 at NODE_C 608, the present embodiment requires both clients 604 to authenticate each other; thereafter, all communication over any direct connection between the two (for example a point-to-point connection) is encrypted with the shared key K_AC 654.
Two possible client-to-client authentication methods can be considered for use in the present embodiment. The first is called "authentication by induction": if a connection is to be set up between NODE_A 608 and NODE_C 608, there must already be an authenticated link between client A 604 and client C 604, and the authentication effectively piggy-backs on that link. The detailed process is as follows:
1. Client A 604 generates a Diffie-Hellman (DH) key pair and sends a message containing DH_PK_A 646 to client C 604. This message travels over the authenticated link 656 connecting the two (as part of the communication channel setup protocol).
2. On receiving this message, client C 604 assumes it was sent by an authenticated source (although client C 604 performs no formal authentication of the source, and the authentication described in this form is relatively weak, hence the name "authentication by induction").
3. Client C 604 generates a Diffie-Hellman (DH) key pair and sends a message containing DH_PK_B 650 to client A 604. This message is also returned to client A 604 over the same authenticated link 656 (although it could use another possible link).
4. Now client A 604 and client C 604 can each independently compute the shared key K_AC 654. Anyone intercepting DH_PK_A 646 or DH_PK_B 650 cannot compute K_AC 654, nor impersonate client A 604 or client C 604.
5. Client A 604 and client C 604 use K_AC 654 to generate a large number of encryption keys, for use with the Advanced Encryption Standard (AES) or for carrying out confidential communication.
On the whole, " sensation checking " is not real checking, more precisely, this mode as much as to say:
" I have set up secret telephony with the side X by checking, and this people claims that he is X, although I can't confirm whether this is genuine " (however, compare with Email etc., for VoIP, the worry that this mode causes is much smaller).
Can also use AS 610 to generate can to make customer end A 604 and 604 pairs of warrants of verifying each other 632 of client C, to implement the temporary transient expense that this operation caused in the process will be very big but set up at communication port.Therefore, by contrast, should pay the utmost attention to " sensation checking " mode.
Second kind of admissible verification mode can be implemented in Amteus system 600 outsides, but implementation process must have the participation of Amteus system 600.This mode supposes to exist the public key infrastructure (PKI) that is positioned at the outside, and these clients can be used public keys (PKE).In this case, it is RSA cryptographic algorithms that above-mentioned agreement can be expanded, and this algorithm carries out digital signature to the message that transmits between customer end A 604 and client C 604, so, just can realize powerful verification method (will not do too much description to PKI) because this has been prior art.
Present embodiment adopts low slightly but practical more " sensation checking " method of fail safe.
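The exchange of steps 1 to 5 above, written out as an added example that is not code from the patent. The names (Endpoint, make_group, valid_public_value, the key labels "A->C" and "C->A") are this example's own; the DH group is generated at run time only because the text fixes no standard group, and a deployment would use a published MODP group instead. The public-value check in valid_public_value is not mentioned in the text; it is the check a practitioner would add so that a peer cannot force a predictable K_AC.

```python
"""Added example: the 'authentication by induction' exchange of steps 1-5.
Not the patent's code; Endpoint, make_group, valid_public_value and the key
labels are this example's own names (assumptions)."""
import hashlib
import hmac
import secrets

SMALL_PRIMES = (3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47)


def is_probable_prime(n: int, rounds: int = 16) -> bool:
    """Miller-Rabin test; adequate for generating a demonstration group."""
    if n < 2:
        return False
    if n % 2 == 0:
        return n == 2
    for s in SMALL_PRIMES:
        if n % s == 0:
            return n == s
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = 2 + secrets.randbelow(n - 3)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def make_group(bits: int = 192) -> tuple:
    """Return (p, q, g): a safe prime p = 2q + 1 and g = 4 = 2^2, which
    generates the prime-order-q subgroup.  Demonstration only; a deployment
    would use a standard MODP group rather than generate one."""
    while True:
        q = secrets.randbits(bits - 1) | (1 << (bits - 2)) | 1
        p = 2 * q + 1
        if any(q % s == 0 or p % s == 0 for s in SMALL_PRIMES):
            continue
        if is_probable_prime(q) and is_probable_prime(p):
            return p, q, 4


def valid_public_value(pk: int, group: tuple) -> bool:
    """Reject 0, 1, p-1 and anything outside the order-q subgroup (a check the
    text does not mention; without it a peer can force a predictable K_AC)."""
    p, q, _ = group
    return 1 < pk < p - 1 and pow(pk, q, p) == 1


class Endpoint:
    """Client A or client C: owns a DH key pair (DH_SK_*, DH_PK_*) and K_AC."""

    def __init__(self, name: str, group: tuple):
        self.name = name
        self.p, self.q, self.g = group
        self.dh_sk = 2 + secrets.randbelow(self.q - 2)   # DH private key
        self.dh_pk = pow(self.g, self.dh_sk, self.p)      # DH public key
        self.shared_key = None                            # K_AC, set by accept()

    def hello(self) -> dict:
        # Steps 1 and 3: the only thing carried over the authenticated link 656.
        return {"from": self.name, "dh_pk": self.dh_pk}

    def accept(self, msg: dict) -> None:
        # Step 2: the sender is taken as authenticated because the link was.
        if not valid_public_value(msg["dh_pk"], (self.p, self.q, self.g)):
            raise ValueError("rejected DH public value from %s" % msg["from"])
        # Step 4: both sides reach the same g^(sk_A*sk_C); hash it to get K_AC.
        raw = pow(msg["dh_pk"], self.dh_sk, self.p)
        nbytes = (self.p.bit_length() + 7) // 8
        self.shared_key = hashlib.sha256(raw.to_bytes(nbytes, "big")).digest()

    def session_keys(self) -> dict:
        # Step 5: expand K_AC into one 256-bit AES key per direction (HMAC-based).
        return {label: hmac.new(self.shared_key, label.encode(), hashlib.sha256).digest()
                for label in ("A->C", "C->A")}


def induction_exchange(group: tuple) -> tuple:
    """Run steps 1-5 between client A and client C and return both endpoints."""
    a, c = Endpoint("A", group), Endpoint("C", group)
    c.accept(a.hello())   # steps 1-2: DH_PK_A travels A -> C over link 656
    a.accept(c.hello())   # step 3:    DH_PK_C travels C -> A over the same link
    return a, c
```

The exchange carries nothing but the two public values, which is exactly why the text calls it "authentication by induction": the only evidence of who sent DH_PK_A is that it arrived over link 656, so the strength of K_AC depends entirely on how that link was authenticated.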
Authentication Server Replication
In existing Kerberos systems, the simpler the management of the security database used for authentication, the better; this embodiment adopts the same principle. The features of this embodiment are as follows:
- Attempt to maintain only static data; avoid storing any session or call related data (i.e. dynamic data).
- Maintain a single master read/write copy, used to create, modify and delete accounts.
- Periodically replicate the master copy to a number of read-only copies.
Cross-realm Authentication
This embodiment may include a plurality of REALMs 614, managed hierarchically by the management system 404. This allows authentication between NODEs 608 in different REALMs 614 (so-called "cross-realm authentication").
Cross-realm authentication effectively piggy-backs on the TGS mechanism of the system 600 described above. If NODE_A 608 in REALM_A 614 wishes to connect to NODE_B 608 in REALM_B 614, then TGS_B 638, 340 has to be registered with the AS 610 associated with REALM_A 608. NODE_A 608 then need only request a TGT 626 from TGS_A; this TGT 626 is addressed to TGS_B in order to obtain a ticket 632, and the ticket 632 is then sent to NODE_B 608 to establish a new link in step 634.
Although the realms 614 are organised hierarchically (see Figure 21), in general two communicating realms 614 must also register with each other, rather than registering in one direction only.
Cross-realm authentication and authorisation are described in detail below. Before that, the security operation of a NODE in this embodiment is briefly introduced with reference to Figures 20a and 20b.
In general, a NODE 608 is a set of subsystems, and Figures 20a and 20b describe the relevant subset. Connections or links are all initiated to a NODE 608 or by a NODE 608. Below, a distinction is made between temporary, simple connections that do not require NODE-NODE encryption and permanent links that involve encryption keys 630, 654.
Figures 20a and 20b show NODEs 608 that contain the same subsystems (that is, they are different instances of the same system). The parent NODE 608 (Figure 20a) is a master NODE: its data client (DC) 656 is connected to the data server (DS) 612 and its KDC 610 is active. The child NODE 608 (Figure 20b) has no DS connection, so its DC 656 and KDC 610 are inactive. The master NODE 608 handles all security requests of its child NODEs using its security service 660.
Clients 604 and TS 414 communicate with SS 660 using handles (not shown). A handle is associated with each connection or link (i.e. each active service flow), whether it is the client connection/link 662 to the parent NODE 608 or a TS connection/link 664 from a child NODE 608.
After NODE 608 starts, DC 656 attempts to connect and log on to DS 658. If this succeeds, KDC 610 is also initialised. Note that the master NODE 608 need not authenticate its identity to its own KDC 610, because the client 604 cannot connect to another NODE 608 in the same REALM 614 (see below).
In general, the client subsystem attempts to establish a link 662 to the parent NODE 608 (this is also the case for a master NODE 608, in which case the link is cross-realm; see below). SS 660 accepts instructions, builds and sends security requests to the parent NODE 608, and processes security replies from the parent NODE 608. Once the link to the parent NODE 608 has been established, the client 604 can call SS 660 to encrypt or decrypt link messages. If the client 604 receives a security message, it calls SS 660; if this NODE 608 is not the destination of the message, the client 604 sends the message to TS 414 so that it is passed down the hierarchy until it reaches the selected destination NODE 608, where the message is processed.
Child NODEs 608 send messages to TS 414. If TS 414 determines that a message is a security message, it calls SS 660; if the call fails or the target is higher in the hierarchy, TS 414 sends the security message to the client 604 to be passed upwards to the parent NODE 608.
When an available active KDC 610 (one connected to DS 658) is present at a NODE 608, i.e. it is a master NODE 608, the security requests received at TS 414 from child NODEs are all handled by that NODE 608 and are not forwarded to higher layers.
Note that the simplest implementation is to assign some state to the client 604 so that the link set-up process can be managed. SS 660 does not call back the client 604 or TS 414. Assuming the subsystems are highly integrated, the client 604 and TS 414 therefore need to maintain state in order to manage security requests and replies.
As described above, a REALM 614 is a set of registered users (similar to a Windows domain), where each user is registered to that REALM 614 (usually via a web server) and assigned an account (not shown) maintained by the DS 612 in that REALM 614.
Referring to Figure 21, the DS (data server) 612 stores all authentication data of a specific REALM 614, and this data is never propagated beyond the corresponding REALM 614. The master NODE 666 is the security root node of the REALM 614; security requests are not forwarded higher than this node.
To allow dynamic data to be passed up and down the hierarchy, some measures are needed to connect the child NODE 668 in a REALM 614 to a suitable parent node 670 in the higher-level REALM 614; a characteristic of this tree topology is that only one such link 672 is needed. Figures 20 and 21 show the solution provided by this embodiment: the master NODE 666 of REALM A 614 is allowed to connect to the parent NODE 670 in the higher REALM B 614. This link 672 can exist because an account has been set up in DS B 612, so that the master NODE 666 of REALM A 614 can pass the authentication of REALM B 614 and thus establish the link 672.
Because link 672 is a cross-realm link, call data can be passed from REALM A 614 to REALM B 614 and down to REALM C 614, allowing, for example, NODE X 608 to initiate a cross-realm VoIP call to NODE Y 608.
How a cross-realm connection is realised is now described in a detailed scheme.
Master NODE: start-up
Assume the data server (DS) 612 is already running. The master NODE 666 is usually started locally to DS 612, with command parameters that make it log on to DS 612 and generate a key 628 for the KDC (an auxiliary NODE is started with the same parameters). All {user name, password} pairs supplied through the GUI are accounts used to log on to the higher REALM 614.
1. The start-up program directs DC (data client) 656 to log on to the local DS 612.
2. The start-up program calls the procedure SecurityService::Initialise(). KDC 610 generates its own key and handshakes with DC 656.
3. The user enters {user name, password} so that the client 604 can connect to the parent NODE 670 (located in another REALM 614).
4. The client 604 obtains the handle of the new connection to the parent node 656 through the procedure SecurityService::CreateSecurityContext().
5. The client 604 calls the procedure SecurityService::BuildAsReq() to build an AS_REQ message 634, and then sends this message to the parent NODE 670.
6. The client 604 receives an AS_REP message 636 and passes it to the procedure SecurityService::ProcessAsRep().
7. The client 604 calls the procedure SecurityService::BuildTgsReq() with the ID of the NODE it wishes to connect to, so that SS (security service) 660 can build a suitable TGS_REQ message 638. This message is then sent to the parent NODE 670.
8. The client 604 receives a TGS_REP message 640 and passes it to the procedure SecurityService::ProcessTgsRep().
9. At this point the client 604 either changes its existing connection to link state or reconnects to a different parent NODE 670 (in either case the target NODE must be the NODE specified in the procedure BuildTgsReq()). The client 604 calls the procedure SecurityService::BuildApReq() to build an AP_REQ message 642, and then sends this message to the parent NODE 670.
10. The client 604 receives an AP_REP message 644 and passes it to the procedure SecurityService::ProcessApRes(). After the call completes successfully, SS 660 has the necessary security context to support encryption/decryption on the link 672 to the parent NODE 670.
Non-master NODE: start-up
1. NODE 608 does not obtain DS log-on parameters, so the start-up program cannot direct DC 656 to log on to the local DS 612.
2. The start-up program calls the procedure SecurityService::Initialise(). KDC 610 does not obtain the parameters needed to generate a key, and DC 656 indicates that it is not connected to DS 612.
3. The user enters {user name, password} so that the client 604 can connect to a parent NODE in the same REALM 614 (this link may or may not be to the master NODE 666).
4. The client 604 obtains the handle of the new connection to the parent node through the procedure SecurityService::CreateSecurityContext().
5. The client 604 calls the procedure SecurityService::BuildAsReq() to build an AS_REQ message 634 and sends it to the parent NODE.
6. The client 604 receives an AS_REP message 636 and passes it to the procedure SecurityService::ProcessAsRep().
7. The client 604 calls the procedure SecurityService::BuildTgsReq() with the ID of the NODE 608 it wishes to connect to, so that SS 660 can build a suitable TGS_REQ message 638. This message is then sent to the parent NODE.
8. The client 604 receives a TGS_REP message 640 and passes it to the procedure SecurityService::ProcessTgsRep().
9. At this point the client 604 either changes its existing connection to link state or reconnects to a different parent NODE (in either case the target NODE must be the NODE 608 specified in the procedure BuildTgsReq()). The client calls the procedure SecurityService::BuildApReq() to build an AP_REQ message 642, and then the client 604 sends this message to the parent NODE 670.
10. The client 604 receives an AP_REP message 644 and passes it to the procedure SecurityService::ProcessApRes(). After the call completes successfully, SS 660 has the necessary security context to support encryption/decryption on the link to the parent NODE.
Master NODE: receiving an AS_REQ or TGS_REQ request from a child NODE
Assume the master NODE 666 is initialised and has a KDC 610 that can accept security requests.
1. TS 414 receives an AS_REQ message 634 from a child NODE 668. If the connection/link has a security context, the procedure SecurityService::DecryptLinkData() is called to decrypt the message.
2. TS 414 passes the AS_REQ message 634 to the procedure SecurityService::ProcessAsReq(). To complete the request, KDC 610 extracts the user name from the AS_REQ message 634 and uses it to request (via DC 656) the password (hashed/encrypted) stored on DS 612.
3. If the password is obtained successfully, the procedure SecurityService::ProcessAsReq() returns an AS_REP message 636. (Note that SS 660 does not need a security context when processing the request; this differs from the situation when SS 660 processes the reply.)
4. TS 414 sends the AS_REP message 636 to the child NODE 608 that sent the AS_REQ message 634.
If the master NODE 666 receives a TGS_REQ message 638, the same process is carried out (except that this time the password (hashed/encrypted) of the NODE 608 to be connected to is obtained from DS 612).
Non-master NODE: receiving an AS_REQ or TGS_REQ message from a child NODE
1. TS 414 receives an AS_REQ message 634 from a child NODE 668. If the connection/link has a security context, the procedure SecurityService::DecryptLinkData() is called to decrypt the message 634.
2. TS 414 passes the AS_REQ message 634 to the procedure SecurityService::ProcessAsReq(), which returns a suitable error code indicating that no active KDC 610 is currently available.
3. TS 414 sends the AS_REP message 636 to the client 604 to be passed on to the parent NODE 670.
Master or non-master NODE: receiving an AP_REQ
Any NODE 608 receiving an AP_REQ message 642 must either process the message successfully locally or return an error message; the message cannot be forwarded upwards.
1. TS 414 receives an AP_REQ message 642 from a child NODE 668. If there is no existing security context or link on this connection, the message need not be decrypted.
2. TS 414 passes the AP_REQ message 642 to the procedure SecurityService::ProcessApReq(), which processes the message 642 using the local NODE password (not the KDC 610), and generates and returns a suitable AP_REP message 644. If the call to the procedure SecurityService::ProcessApReq() succeeds, a complete security context has been generated and the connection to the child NODE 668 is changed to link state.
3. TS 414 returns the AP_REP message 644 to the child NODE 668.
Master or non-master NODE: receiving an AS_REP or TGS_REP from the parent NODE
If the client 604 at the master NODE 666 receives an AS_REP message 636 or a TGS_REP message 640, then the master NODE 666 must have been the source of the original AS_REQ message 634 or TGS_REQ message 638; this case was discussed in the start-up situation above (there should be no existing security context).
If the NODE 608 receiving the AS_REP message 636 or TGS_REP message 640 is not the master NODE 666, the reply is passed to TS 414 for delivery to the appropriate child NODE 668. In this case a security context must exist on the link 672 to the parent NODE 670, and the procedure SecurityService::DecryptLinkData() is called to decrypt the received message. The downward link 672 to the child NODE 668 may or may not have a security context (the child NODE 668 may send AS_REQ and TGS_REQ messages 634 and 638 to a higher-level KDC 610 in order to connect to this NODE 608).
Master or non-master NODE: receiving an AP_REP from the parent NODE
This case was described in the start-up stage.
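The routing rules of the preceding cases, as an added example that is not code from the patent: AS_REQ and TGS_REQ climb from child to parent until a NODE with an active KDC answers, the reply retraces the same path, an AP_REQ is always answered by the NODE that receives it, and a non-master NODE with no parent link returns an error code. The message fields ("path", "handled_by"), the error code names and the constructed topology in build_tree are assumptions of this example.

```python
"""Added example, not the patent's code: how security requests travel
through the NODE hierarchy.  Message fields, error codes and topology are
this example's own assumptions."""


class Node:
    def __init__(self, name: str, parent: "Node" = None, kdc_active: bool = False):
        self.name = name
        self.parent = parent            # link 662/672 to the parent NODE, if any
        self.kdc_active = kdc_active    # True only on a master NODE connected to a DS
        self.handled = []               # audit trail of (type, origin) answered here

    def _reply(self, kind: str, msg: dict, code: str = None) -> dict:
        reply = {"type": kind, "origin": msg["origin"], "handled_by": self.name,
                 "path": msg["path"]}
        if code:
            reply["code"] = code
        return reply

    def from_child(self, msg: dict) -> dict:
        """TS 414 side: a security message arriving over a child link 664."""
        msg = dict(msg, path=msg["path"] + [self.name])
        kind = msg["type"]
        if kind == "AP_REQ":
            # Answered or rejected here with the NODE's own password; never forwarded.
            self.handled.append((kind, msg["origin"]))
            return self._reply("AP_REP", msg)
        if kind not in ("AS_REQ", "TGS_REQ"):
            return self._reply("ERROR", msg, "UNKNOWN_MESSAGE")
        if self.kdc_active:
            # Master NODE: the KDC consults the DS and answers; nothing goes higher.
            self.handled.append((kind, msg["origin"]))
            return self._reply(kind.replace("REQ", "REP"), msg)
        if self.parent is None:
            # Non-master NODE with no route to an active KDC: return an error code.
            return self._reply("ERROR", msg, "KDC_UNAVAILABLE")
        # Non-master NODE: client 604 passes the request up the parent link; the
        # reply returns the same way and TS 414 hands it back to the child.
        return self.parent.from_child(msg)

    def request(self, kind: str) -> dict:
        """Client 604 side: this NODE's own request, always sent to its parent."""
        msg = {"type": kind, "origin": self.name, "path": [self.name]}
        if self.parent is None:
            return self._reply("ERROR", msg, "NO_PARENT_LINK")
        return self.parent.from_child(msg)


def build_tree() -> tuple:
    """Constructed topology: REALM B's parent NODE above REALM A's master NODE,
    which serves a child NODE that in turn serves a leaf NODE."""
    parent_b = Node("NODE_B_parent", kdc_active=True)
    master_a = Node("NODE_A_master", parent=parent_b, kdc_active=True)
    child_a = Node("NODE_A_child", parent=master_a)
    leaf_a = Node("NODE_A_leaf", parent=child_a)
    return parent_b, master_a, child_a, leaf_a
```

The recorded path is what a defender would log at each hop: a security request that reaches a NODE it should not (for instance an AS_REQ arriving at a REALM's parent from a NODE that has its own active KDC) shows up as an unexpected entry in that NODE's handled list.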
It will be appreciated that, although several procedures such as SecurityService::DecryptLinkData() are referred to in the above description, their details have not been introduced, because in the implementation and function of what is described here these procedures are of less importance and fall within the knowledge of those skilled in the art.
The above embodiment uses a push mechanism to send the latest state of online registered users. However, in other embodiments a pull mechanism may also be used: for example, an e-mail server verifies the identity of the person to whom it is sending mail and requests that person's state information from the DS. The benefit of the pull mechanism is that it minimises the transmission overhead to the data server. The advantage of the push mechanism, however, is that it is easier for the e-mail server to use.
It will be appreciated that the invention is not limited to the above embodiment. For example, an e-mail message may be divided into a plurality of parts, each of which is then encrypted separately. Each part is then sent separately to a separate transmission server. Each part is routed independently to the destination, where it is decrypted and reassembled at the target recipient. The benefit of this is that even if one e-mail message is intercepted and successfully decrypted, the content of the whole mail is not disclosed. This is a very effective way of improving the security of message transmission. Typically, the e-mail text can be sampled to obtain the parts of the message to be sent; for example, if five TSMs are used, the mail text can be sampled at every fifth letter to create one-fifth e-mail messages. The other e-mail messages are also sampled at every fifth letter, but with an offset different from that of the first e-mail message.
It will also be appreciated that, in addition to wired networks, the invention is applicable to wireless communication networks (such as networks using WIFI). Furthermore, in addition to computers, PDAs (personal digital assistants) and mobile phones may be used as source and destination communication devices in the point-to-point communication system.
Finally, those skilled in the art will also appreciate that other encryption technologies superior to PKI may also be used.
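The interleaved sampling just described (every fifth character at a different offset per part, for five transmission servers), together with the reassembly of parts that arrive in any order, as an added example that is not the patent's code. Per-part encryption and routing are outside the example; the envelope fields, the can_reassemble helper and the random message id are this example's assumptions, and the sample text in the usage is constructed.

```python
"""Added example, not the patent's code: split an e-mail body into
interleaved parts and reassemble them regardless of arrival order.
Envelope fields and helper names are this example's own assumptions."""
import secrets


def split_message(text: str, parts: int = 5, msg_id: str = None) -> list:
    """Part k carries characters k, k+parts, k+2*parts, ... of the text, so a
    single intercepted part yields only every parts-th character."""
    if parts < 1:
        raise ValueError("need at least one part")
    # A random id (not a hash of the text) so the envelope reveals nothing.
    msg_id = msg_id or secrets.token_hex(8)
    return [{"msg_id": msg_id, "index": k, "total": parts, "length": len(text),
             "body": text[k::parts]} for k in range(parts)]


def reassemble(envelopes: list) -> str:
    """Rebuild the text from its parts in any order; refuse a set with a
    missing, duplicated, foreign or malformed part rather than guessing."""
    if not envelopes:
        raise ValueError("no parts")
    head = envelopes[0]
    total, length, msg_id = head["total"], head["length"], head["msg_id"]
    by_index = {}
    for env in envelopes:
        if (env["msg_id"], env["total"], env["length"]) != (msg_id, total, length):
            raise ValueError("part belongs to a different message")
        if not 0 <= env["index"] < total:
            raise ValueError("part index %r out of range" % env["index"])
        if env["index"] in by_index:
            raise ValueError("duplicate part %d" % env["index"])
        if len(env["body"]) != len(range(env["index"], length, total)):
            raise ValueError("part %d has the wrong length" % env["index"])
        by_index[env["index"]] = env["body"]
    missing = [k for k in range(total) if k not in by_index]
    if missing:
        raise ValueError("missing parts %s" % missing)
    # Character i came from part i % total, at position i // total within it.
    return "".join(by_index[i % total][i // total] for i in range(length))


def can_reassemble(envelopes: list) -> bool:
    """True when the envelopes form exactly one complete message."""
    try:
        reassemble(envelopes)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    sample = "Constructed sample body: the quarterly figures are attached."
    envs = split_message(sample, 5)
    print([e["body"] for e in envs])          # five interleaved fragments
    print(reassemble(list(reversed(envs))) == sample)
```

Because every part is routed independently, the receiver cannot rely on arrival order; the envelope therefore carries the index, the total and the original length, and reassemble fails closed when any of them disagree instead of producing a silently corrupted message.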

Claims (116)

1. A method of achieving secure point-to-point data communication, such as e-mail communication, between a first remote computer and a second remote computer over a data communication medium, characterized in that the method comprises:
receiving the address details of each remote computer and the current state information of each remote computer's connection to the data communication medium;
creating the data communication on the first remote computer;
checking the current connection state of the second remote computer;
sending the data communication directly from the first remote computer to the second remote computer only when the connection state of the second remote computer shows that it is currently connected to the data communication medium, without any storage of the data communication along the path.
2. The method according to claim 1, characterized in that the receiving step is carried out again each time the connection state of either remote computer changes.
3. The method according to claim 1, characterized in that it further comprises:
requesting the connection state information of the second remote computer from a data server that stores the connection state information;
carrying out the receiving step in response to the requesting step.
4. The method according to any one of claims 1 to 3, characterized in that it further comprises: providing the address details of the first remote computer and the current state information of its connection to the data communication medium to a data server.
5. The method according to any one of claims 1 to 4, characterized in that it further comprises: encrypting the data communication using information relating to the second remote computer, so that only the second remote computer can decrypt the received communication.
6. The method according to claim 5, characterized in that the receiving step comprises receiving the information relating to the second remote computer that is used to carry out the encrypting step.
7. The method according to any one of claims 1 to 6, characterized in that the first remote computer comprises a plurality of locally interconnected secure computers located at the first remote location, and the creating step is carried out by a computer different from the one carrying out the receiving, checking and sending steps.
8. The method according to any one of claims 1 to 7, characterized in that it further comprises:
storing authority information as to whether a group of the remote computers may communicate with each other;
checking whether the first remote computer is authorized to communicate with the second remote computer;
carrying out the sending step only when the checking step shows that the first remote computer is authorized to communicate with the second remote computer.
9. The method according to any one of claims 1 to 8, characterized in that it further comprises: verifying, in the data communication, the identity of the target recipient designated as the second remote computer.
10. The method according to any one of claims 1 to 9, characterized in that it further comprises: if the connection state of the second remote computer shows that it currently cannot receive messages over the data communication medium, then after the checking step, storing the data communication locally for the time being and waiting for a predetermined time interval; and then carrying out the checking step and the sending step again.
11. The method according to any one of claims 1 to 10, characterized in that it further comprises:
assessing the transmission of the data communication from the first remote computer to the second remote computer and, if the transmission fails:
determining the reason for the transmission failure, then carrying out one of the following steps according to the determined reason:
generating a transmission failure notification on the first remote computer; or
waiting for a predetermined time period and then carrying out the sending step again.
12. The method according to any one of claims 1 to 11, characterized in that it further comprises:
dividing the data communication into a plurality of separate data messages;
the sending step further comprising sending each data message individually to the second remote computer, thereby improving the security of the data communication process.
13. The method according to any one of claims 1 to 12, characterized in that the data communication comprises network telephone communication.
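The delivery rule of claims 1 and 10 to 12, written as a small state machine in an added example that is not code from the patent: the message is sent directly only while the directory shows the recipient online, otherwise it is held locally and re-checked after a wait; a failed send is classified before deciding between a failure notification and a retry; and with parts > 1 each part is transmitted separately. Directory, FakeTransport, the outcome names ("ok", "timeout", "refused") and the addresses are constructed stand-ins; no real network is used.

```python
"""Added example, not the patent's code: presence-gated direct delivery with
hold-and-recheck, failure classification and per-part sending.  Directory,
FakeTransport and the outcome names are constructed stand-ins."""
import time


class Directory:
    """Stand-in for the data server: address and connection state per computer."""

    def __init__(self, entries: dict):
        self.entries = entries   # name -> {"address": str, "online": bool}

    def lookup(self, name: str) -> dict:
        return self.entries[name]


class FakeTransport:
    """Direct transport whose outcomes are scripted per destination address."""

    def __init__(self, outcomes: dict = None):
        self.outcomes = outcomes or {}   # address -> list of "ok"/"timeout"/"refused"
        self.sent = []                   # (address, payload) pairs that went through

    def send(self, address: str, payload: str) -> str:
        queue = self.outcomes.get(address)
        result = queue.pop(0) if queue else "ok"
        if result == "ok":
            self.sent.append((address, payload))
        return result


def deliver(message: str, recipient: str, directory: Directory, transport: FakeTransport,
            parts: int = 1, retries: int = 2, wait_seconds: float = 0.0,
            sleep=time.sleep) -> dict:
    """Return {"status": "delivered" | "held" | "failed", "log": [...]}."""
    pieces = [message[k::parts] for k in range(parts)] if parts > 1 else [message]
    log = []
    for attempt in range(1, retries + 2):
        entry = directory.lookup(recipient)
        if not entry["online"]:
            # Claim 10: nothing is handed to a relay; hold locally and look again later.
            log.append("attempt %d: %s offline, held locally" % (attempt, recipient))
            if attempt <= retries:
                sleep(wait_seconds)
                continue
            return {"status": "held", "log": log}
        # Claim 1: direct send to the recipient's current address, one
        # transmission per part (claim 12).
        outcomes = [transport.send(entry["address"], piece) for piece in pieces]
        if all(o == "ok" for o in outcomes):
            log.append("attempt %d: %d part(s) delivered directly" % (attempt, len(pieces)))
            return {"status": "delivered", "parts": len(pieces), "log": log}
        # Claim 11: classify the failure before choosing notify-or-retry.
        reason = next(o for o in outcomes if o != "ok")
        if reason == "timeout" and attempt <= retries:
            log.append("attempt %d: timeout, retrying after wait" % attempt)
            sleep(wait_seconds)
            continue
        log.append("attempt %d: %s, failure notification generated" % (attempt, reason))
        return {"status": "failed", "reason": reason, "log": log}
    return {"status": "failed", "reason": "exhausted", "log": log}
```

Note that a retry after a timeout resends every part, so a receiver that reassembles split messages must deduplicate by part index; the sleep parameter is injectable so the hold-and-recheck path can be exercised without real waiting.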
14. A communication server for achieving secure point-to-point data communication over a data communication network between a second remote computer and a first remote computer comprising the server, characterized in that the server comprises:
receiving means for receiving the address details of each remote computer and the current state information of each remote computer's connection to the data communication network;
a message generating module for creating the data communication on the first remote computer;
a checking module for checking the current connection state of the second remote computer;
a sending module for sending the data communication directly from the first remote computer to the second remote computer only when the connection state of the second remote computer shows that it is connected to the data communication network, without any storage of the whole data communication along the path.
15. A communication system, characterized in that it comprises:
a plurality of communication servers according to claim 14;
a data server connectable to the plurality of communication servers via the data communication network;
wherein the data server is arranged to receive, compare and store the current state information of each communication server's connection to the communication network and the current network address information of each communication server, and to send at least part of this information to the plurality of communication servers so that the plurality of communication servers can communicate point-to-point with each other.
16. The communication system according to claim 15, characterized in that the central data server is arranged to use the User Datagram Protocol (UDP) to probe the current address information of the plurality of communication servers.
17, a kind of communication server, be used to help between first and second subscriber computers, to set up the Point-to-Point Data communication such as the E-mail communication of safety by data communication network, described server is arranged in the specific level of the server network that comprises many communication servers, and described server comprises:
Jockey is used to make the described communication server can be connected to other communication servers on other levels of described server network;
Register device is used for many playscripts with stage directions ground subscriber computer is registered to the described communication server;
Data storage device is used to store the registration details of local user's computer of each registration, and described registration details comprise address information and the current state information that be connected of each local user's computer to described data communication network;
The registration details that described jockey is used for being stored mail to the adjacent communication server on the last higher level of described server network, and receive and store the registration details of all local user's computers on the communication server of linking to each other on next lower level in the described hierarchical network.
18, the communication server according to claim 17, it is characterized in that, the registration details of described storage comprise the server network sign of the described communication server, the server network sign of at least one local registered user's computer, and described local user's computer is to the current state information of the connection of the described communication server.
19, according to the claim 17 or the 18 described communication servers, it is characterized in that, the registration details of described storage comprise in the described hierarchical network server network of communication server sign on the lower level, and the server network of local user's computer of registering on the communication server on described lower level sign.
According to the claim 18 or the 19 described communication servers, it is characterized in that 20, the registration details of described storage comprise the global network address of each local registered user's computer.
21, according to each described communication server of claim 17 to 20, it is characterized in that the registration details of described storage comprise the public keys of each local registered user's computer.
22, according to each described communication server of claim 17 to 21, it is characterized in that, described jockey comprises the log-on message testing fixture, be used for after the request of receiving is connected to the request of described second subscriber computer, in described data storage device, search the local log-on message of described second subscriber computer, if have the sign of described second subscriber computer in the described local data storage, then receive this request.
23, the communication server according to claim 22 is characterized in that, if described second subscriber computer is not registered in this locality, then described log-on message testing fixture guides described jockey that described request is transmitted to the contiguous communication server.
24, according to the claim 22 or the 23 described communication servers, it is characterized in that described jockey also comprises the state information testing fixture, be used for checking the state information of described data storage device registered user computer; If described second subscriber computer is registered, and its state shows that it can connect, and then described jockey is established to the communication of described second subscriber computer.
25, according to each described communication server of claim 22 to 24, it is characterized in that, described jockey be used for accept request be connected to the request of described second subscriber computer after, upgrade the state information of described second subscriber computer.
26, according to each described communication server of claim 22 to 25, it is characterized in that, described jockey be used for accept request be connected to the request of described second subscriber computer after, described first and second subscriber computers are set to the data communication state.
27, according to each described communication server of claim 17 to 26, it is characterized in that, also comprise responding device, the request that is used to request to be connected to described second subscriber computer makes up response message; Described responding device is used for described first subscriber computer is issued in the current network address of described second subscriber computer, and described second subscriber computer is issued in the current network address of described first subscriber computer.
28, the communication server according to claim 27 is characterized in that, described responding device is used for determining the global network address of described second subscriber computer.
29, the communication server according to claim 28 is characterized in that, described global network address comprises the UDP channel address.
According to each described communication server of claim 17 to 29, it is characterized in that 30, described data storage device also comprises the authority information that can one group of relevant described far-end computer communicate each other; Described server also includes the authority information that use stores and judges whether described first subscriber computer has the right and the described second subscriber computer communicating devices.
31. A communication system for establishing secure point-to-point data communication, such as e-mail communication, over a data communication network between selected ones of a plurality of user computers, characterized in that the system comprises:
a plurality of communication servers as claimed in claim 17 arranged in a hierarchically connected server network, each communication server representing a node in the server network, the plurality of user computers being connectable to the server network so as to support the establishment of communication between selected ones of the plurality of user computers.
32. A method of establishing secure point-to-point data communication, such as e-mail communication, over a data communication network between first and second user computers, the method being implemented on a communication server at a particular level in a server network comprising a plurality of communication servers, characterized in that the method comprises:
establishing an operational network connection to the communication servers on other levels of the server network;
registering a plurality of local user computers on the communication server;
storing registration details of each locally registered user computer, the registration details comprising address information and current status information on the connection of each local user computer to the data communication network;
wherein the establishing step comprises sending the stored registration details to the adjacent communication server on the next higher level in the server network, and receiving and storing the registration details of all local user computers of the connected communication servers on the next lower level in the hierarchical network.
33. A method of searching for a target recipient computer for point-to-point communication, for establishing secure point-to-point data communication, such as e-mail communication, over a data communication network between a sender computer and the target recipient computer, the method being implemented in a hierarchical network of transmission servers, characterized in that the method comprises:
sending a data communication request to a local server, the request comprising the identity of the target recipient computer and the identity of the sender computer;
determining whether the target recipient computer is known to the local server;
if the target recipient computer is known to the local server, retrieving the stored details relating to the target recipient computer and sending this information to the sender computer;
if the target recipient computer is unknown to the local server, forwarding the request to the adjacent communication server on the next higher level in the server network, which then becomes the local server;
repeating the determining, retrieving and forwarding steps until the target recipient computer is found or the server at the top of the hierarchical network has been checked.
34. The method according to claim 33, characterized in that it further comprises: if the identity of the target recipient computer cannot be determined, or the server at the top of the hierarchical network has been checked, returning a connection failure notice to the sender computer.
35. The method according to claim 33 or 34, characterized in that it further comprises: if the identity of the target recipient computer is determined, checking the status information of the connection to the target recipient computer.
36. The method according to claim 35, characterized in that it further comprises: if the connection to the target recipient computer is unavailable, returning a connection failure notice to the sender computer.
37. The method according to claim 36, characterized in that it further comprises: waiting a predetermined period of time for a possible status change, and then performing the sending, determining, retrieving and forwarding steps, and the step of repeating those steps, once more.
38. The method according to any one of claims 33 to 37, characterized in that the retrieving step comprises: if the target recipient is known to the communication server but is not registered locally, sending the request to the communication server on a lower level of the hierarchical network on which the target recipient is registered.
39. The method according to claim 38, characterized in that the retrieving step comprises: obtaining the network location of the target recipient from the target recipient details stored by the local server on which the target recipient is registered.
40. The method according to any one of claims 33 to 39, characterized in that it further comprises:
storing and executing a monitoring function on the server, for continued use while the requested target recipient computer is being searched for, the monitoring function comprising comparing the identity of any new computer joining the local server with the identity of the target recipient computer, and notifying the sender computer when there is a match.
41. The method according to any one of claims 33 to 40, characterized in that it further comprises: using a stored set of permissions to determine whether the sender is permitted to communicate with the requested target recipient computer, and allowing the forwarding step to be performed only when the stored permissions allow that communication.
42. A method of establishing secure point-to-point data communication, such as e-mail communication, over a data communication network between a sender computer and a target recipient computer, the establishing method being implemented in a hierarchical server network comprising a plurality of communication servers, characterized in that the establishing method comprises:
a method of searching for a target recipient computer as claimed in any one of claims 33 to 41;
sending the current global communication address of the target recipient computer to the sender computer;
sending the current global communication address of the sender computer to the target recipient computer;
using the global communication addresses of both parties to establish a point-to-point communication channel between the sender computer and the target recipient computer.
43. The method according to claim 42, characterized in that it further comprises:
storing permission information about which of a group of the remote computers may communicate with each other;
checking whether the sender computer is permitted to communicate with the target recipient computer;
performing the first and second communication steps and the forwarding step only when the checking step shows that the sender computer is permitted to communicate with the target recipient computer.
44. The method according to claim 42 or 43, characterized in that it further comprises: establishing a first direct channel between the sender computer and the local server.
45. The method according to claim 44, characterized in that the second communication step is performed over the first direct channel.
46. The method according to any one of claims 42 to 45, characterized in that it further comprises: establishing a second direct channel between the target recipient computer and the local server.
47. The method according to claim 46, characterized in that the first communication step is performed over the second direct channel.
48. The method according to any one of claims 44 to 47, characterized in that establishing the first or second direct channel comprises establishing a first or second UDP direct channel.
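Claims 32 to 43 describe a tree of servers in which each server stores its local registrations, pushes them to its parent, and resolves a lookup by walking up the tree and then back down to the registering server before exchanging the two parties' global addresses, gated by a stored permission list. The following simulation is an added example written for this page, not code from the patent or its assignee; the server names, user identities, addresses and permission pairs are constructed, and the choice to store only a "which child knows this user" pointer at ancestor levels is an illustrative design decision, not something the claims specify.

```python
"""Simulation of the hierarchical registration and lookup described in claims 32 to 43.

Added example, not code from the patent. Server names, user identities,
addresses and permissions below are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

Address = Tuple[str, int]


@dataclass
class Registration:
    """Registration details a server stores for a locally registered user (claim 32)."""
    user_id: str
    address: Address   # current global communication address (claim 42)
    online: bool       # current connection status


@dataclass
class Server:
    name: str
    parent: Optional["Server"] = None
    children: Dict[str, "Server"] = field(default_factory=dict)
    local: Dict[str, Registration] = field(default_factory=dict)    # users registered here
    via_child: Dict[str, str] = field(default_factory=dict)         # user_id -> child server name
    permissions: Set[Tuple[str, str]] = field(default_factory=set)  # allowed (sender, recipient) pairs

    def attach(self, child: "Server") -> None:
        self.children[child.name] = child
        child.parent = self

    def register(self, user_id: str, address: Address, online: bool = True) -> None:
        """Register a local user and send the details up the hierarchy (claim 32)."""
        self.local[user_id] = Registration(user_id, address, online)
        child, ancestor = self, self.parent
        while ancestor is not None:
            ancestor.via_child[user_id] = child.name  # ancestor records which subtree knows the user
            child, ancestor = ancestor, ancestor.parent

    def find_home(self, target_id: str) -> Optional["Server"]:
        """Claims 33, 34, 38: walk up until the target is known, then down to its home server."""
        srv: Optional[Server] = self
        while srv is not None:
            if target_id in srv.local:
                return srv
            if target_id in srv.via_child:
                # known but not registered locally: forward down to the registering server
                while target_id not in srv.local:
                    srv = srv.children[srv.via_child[target_id]]
                return srv
            srv = srv.parent       # unknown here: forward to the next higher level
        return None                # top of the hierarchy checked without a match

    def connect(self, sender_id: str, target_id: str) -> dict:
        """Claims 34 to 36, 41, 42: resolve the target and exchange global addresses."""
        sender = self.local.get(sender_id)
        if sender is None:
            return {"status": "failure", "reason": "sender not registered on this server"}
        if (sender_id, target_id) not in self.permissions:   # claim 41: permission gate
            return {"status": "failure", "reason": "not permitted"}
        home = self.find_home(target_id)
        if home is None:
            return {"status": "failure", "reason": "unknown recipient"}   # claim 34
        target = home.local[target_id]
        if not target.online:
            return {"status": "failure", "reason": "recipient offline"}   # claim 36
        return {
            "status": "ok",
            "home_server": home.name,
            "to_sender": target.address,   # claim 42: target's global address goes to the sender
            "to_target": sender.address,   # and the sender's global address goes to the target
        }


def build_demo() -> Dict[str, Server]:
    """Three-level tree with constructed users; addresses use documentation ranges."""
    root, a, b = Server("root"), Server("A"), Server("B")
    a1, a2, b1 = Server("A1"), Server("A2"), Server("B1")
    root.attach(a)
    root.attach(b)
    a.attach(a1)
    a.attach(a2)
    b.attach(b1)
    a1.register("alice", ("203.0.113.10", 40001))
    b1.register("bob", ("198.51.100.7", 40002))
    a2.register("carol", ("192.0.2.33", 40003), online=False)
    a1.permissions.update({("alice", "bob"), ("alice", "carol")})
    return {s.name: s for s in (root, a, b, a1, a2, b1)}


if __name__ == "__main__":
    servers = build_demo()
    print(servers["A1"].connect("alice", "bob"))
```

Note that `connect` applies the permission check before any forwarding, which is the ordering claim 41 requires; moving the check after `find_home` would let a non-permitted sender learn whether a recipient exists, which is exactly the leak the gate is meant to prevent.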
49. A transmission server for establishing point-to-point data communication, such as e-mail communication, between first and second user computers, characterized in that the transmission server comprises:
receiving means for receiving from the first user computer a connection request requesting connection to the second user computer, the second user computer being registered on the transmission server;
checking means for checking the current connection status of the second user computer;
data storage means for storing the details of the request as a monitored item when the current connection status of the second user computer shows that point-to-point communication cannot currently be established with it;
response means, responsive to the checking means, for sending a message to the first user computer indicating that the second user computer has come online, when the status of the second user computer shows that point-to-point communication can currently be established with it;
wherein the checking means regularly checks and updates the current connection status information of the second user computer and, if the updated status shows that the second user has become online, checks whether a corresponding monitored item exists and, if so, triggers the response means to send the message.
50. The transmission server according to claim 49, characterized in that the data storage means is arranged to store the identities of the second user computer and the first user computer.
51. The transmission server according to claim 49 or 50, characterized in that the receiving means is arranged to receive a plurality of requests requesting connection to the second user computer, the data storage means is arranged to store the details of each request in the monitored item corresponding to the second user computer, and the response means is arranged, when the connection status of the second user computer changes to online, to send a message to each user computer that has requested connection to the second user computer.
52. The transmission server according to any one of claims 49 to 51, characterized in that the transmission server is connected to a hierarchical network of transmission servers.
53. The transmission server according to claim 52, characterized in that the transmission server is arranged to send details of the connection status of each of its registered user computers to a transmission server on a higher level of the hierarchical network, and the response means is arranged to send a message indicating that the second user computer has come online to at least one transmission server on the higher level of the hierarchical network.
54. The transmission server according to any one of claims 49 to 53, characterized in that
the data storage means is arranged to store a plurality of different monitored items corresponding to different user computers registered on the transmission server;
the checking means is arranged to regularly check and update the current connection status of all registered user computers and, when the updated status of any user changes to online, to check whether a corresponding monitored item exists among the plurality of stored monitored items and, if so, to trigger the response means to send the message corresponding to the monitored item found.
55. The transmission server according to any one of claims 49 to 54, characterized in that the data storage means is arranged to store a list of currently online registered user computers; the transmission server further comprises online checking means for checking the list of currently online registered user computers before the data storage means stores a monitored item.
56. The transmission server according to claim 55, characterized in that it further comprises transfer means for writing the identity of a monitored user computer to the list of currently online registered user computers after the status of that registered user computer shows that it has come online.
57. A method of assisting in establishing point-to-point data communication, such as e-mail communication, between first and second user computers, characterized in that the method comprises:
receiving from the first user computer a connection request requesting connection to a locally registered second user computer;
checking the current connection status of the second user computer;
when the current connection status of the second user computer shows that point-to-point communication cannot currently be established with it, storing the details of the request as a monitored item;
if the checking step finds that the status of the second user computer shows that point-to-point communication can currently be established with it, sending a message to the first user computer indicating that the second user computer has come online;
wherein the checking step comprises regularly checking and updating the current connection status of the second user computer and, if the updated status of the second user shows that it has become online, checking whether a corresponding monitored item exists and, if so, triggering the response means to send the message.
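Claims 49 to 57 describe a server that parks connection requests for an offline recipient as "monitored items", consults an online list before parking them, and on each periodic status refresh fires a notice to every waiting requester (and to the parent server) when the recipient comes online. The class below is an added example written for this page, not the patent's or the assignee's code; the user identities, the message text and the dictionary passed to `poll` standing in for the periodic status check are constructed.

```python
"""Monitored-item ('watch') handling described in claims 49 to 57.

Added example, not the patent's code. User identities and the message
format are constructed for illustration.
"""
from typing import Dict, List, Set, Tuple


class WatchingServer:
    """Transmission server that parks connection requests for offline users."""

    def __init__(self) -> None:
        self.registered: Set[str] = set()
        self.online: Set[str] = set()                # claim 55: list of currently online users
        self.watches: Dict[str, List[str]] = {}      # target -> requesters (claims 49, 51)
        self.delivered: List[Tuple[str, str]] = []   # (recipient, message) sent by the response means
        self.uplink: List[str] = []                  # claim 53: notices sent to the higher-level server

    def register(self, user_id: str, online: bool = False) -> None:
        self.registered.add(user_id)
        if online:
            self.online.add(user_id)

    def request_connection(self, requester: str, target: str) -> str:
        """Claims 49, 55, 57: check the online list before storing a monitored item."""
        if target not in self.registered:
            return "unknown"                         # target is not registered on this server
        if target in self.online:
            return "online"                          # point-to-point can be set up right away
        self.watches.setdefault(target, []).append(requester)
        return "watching"

    def poll(self, fresh_status: Dict[str, bool]) -> List[str]:
        """Claims 49, 54, 56: regular status refresh; notify on offline -> online transitions.

        fresh_status maps user id to the newly observed connection state.
        Returns the requesters notified in this cycle.
        """
        notified: List[str] = []
        for user, is_online in fresh_status.items():
            if user not in self.registered:
                continue                             # ignore status for users not registered here
            was_online = user in self.online
            if is_online and not was_online:
                self.online.add(user)                # claim 56: move into the online list
                self.uplink.append(f"{user} online") # claim 53: tell the parent server
                for requester in self.watches.pop(user, []):
                    self.delivered.append((requester, f"{user} is now online"))
                    notified.append(requester)
            elif not is_online and was_online:
                self.online.discard(user)            # went offline: no notice, watches stay
        return notified
```

Because notices fire only on the offline-to-online edge and the monitored item is removed as soon as it fires, a recipient flapping on and off cannot cause duplicate notices for a single request; each requester must ask again if the recipient drops before the direct channel is set up.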
58. A method of establishing a secure point-to-point data communication channel, such as an e-mail communication channel, over a data communication network between first and second user computers, wherein at least the communication of the first user computer is handled by a first network address translator, characterized in that the method comprises:
requesting a direct connection over an established TCP/IP communication link between the first user computer and a transmission server that passes through the first network address translator;
setting up a first UDP port on the transmission server;
reporting the address of the first UDP port to the first user computer over the TCP/IP communication link;
opening a second UDP port on the first user computer;
sending a packet from the second UDP port to the first UDP port through the first network address translator, so that the transmission server can determine the first-network-address-translator address of the second UDP port;
obtaining from the transmission server the address of a third UDP port of the second user computer;
notifying each of the first and second user computers of the UDP port address of the other user computer, so that secure point-to-point communication can be established between them.
59. The method according to claim 58, characterized in that it further comprises: establishing the TCP/IP communication link from the first user computer to the transmission server through the first network address translator.
60. The method according to claim 59, characterized in that the establishing step comprises searching the transmission server network to determine the local transmission server on which the second user computer is registered, and connecting to that local transmission server.
61. The method according to any one of claims 58 to 60, characterized in that the second user computer is registered on the transmission server and a TCP/IP communication link passing through a second network address translator is established between the two, and the obtaining step further comprises:
setting up a fourth UDP port on the transmission server;
reporting the address of the fourth UDP port to the second user computer over the TCP/IP communication link;
opening the third UDP port on the second user computer;
sending a packet from the third UDP port to the fourth UDP port through the second network address translator, so that the transmission server can determine the second-network-address-translator address of the third UDP port of the second user computer.
62. The method according to any one of claims 58 to 61, characterized in that it further comprises: the first user computer changing the destination address of the second UDP port from the first UDP port to the third UDP port.
63. The method according to claim 62, characterized in that the first user computer sends point-to-point messages directly from the second UDP port to the third UDP port of the second user computer.
64. The method according to any one of claims 58 to 63, characterized in that it further comprises: the second user computer changing the destination address of the third UDP port from the fourth UDP port to the second UDP port.
65. The method according to claim 64, characterized in that the second user computer sends point-to-point messages directly from the third UDP port to the second UDP port.
66. The method according to any one of claims 58 to 65, characterized in that it further comprises:
after the point-to-point communication between the first and second user computers has been established, detecting whether the first UDP port is inactive;
when the first UDP port is inactive, closing the first UDP port and thereby disconnecting the connection with the first user computer.
67. The method according to claim 66, characterized in that it further comprises: the transmission server closing the TCP/IP connection with the first user computer.
68. The method according to any one of claims 58 to 67, characterized in that it further comprises:
after the point-to-point communication between the first and second user computers has been established, detecting whether the fourth UDP port is inactive;
when the first UDP port is inactive, closing the fourth UDP port and thereby disconnecting the connection with the second user computer.
69. The method according to claim 68, characterized in that it further comprises: the transmission server closing the TCP/IP connection with the second user computer.
70. The method according to any one of claims 58 to 69, characterized in that the first or second network address translator is an asymmetric network address translator, so that the UDP port used for each different destination is different, the method further comprising:
recording the new address of the connection with the asymmetric network address translator;
re-addressing the output data of the UDP port to the new address of the asymmetric network address translator.
71. A transmission server for establishing a secure point-to-point data communication channel, such as an e-mail communication channel, over a data communication network between first and second user computers, wherein at least the communication of the first user computer is handled by a first network address translator, characterized in that the transmission server comprises:
request receiving means for receiving a direct connection request made over an established TCP/IP communication link between the first user computer and the transmission server that passes through the first network address translator;
setting means for setting up a first UDP port on the transmission server;
reporting means for reporting the address of the first UDP port to the first user computer over the TCP/IP communication link;
packet receiving means for receiving a packet sent through the first NAT from a second UDP port set up on the first user computer to the first UDP port, the transmission server being arranged to determine the first-network-address-translator address of the second UDP port;
obtaining means for obtaining from the transmission server the address of a third UDP port of the second user computer;
notifying means for notifying each of the first and second user computers of the UDP port address of the other user computer, so that secure point-to-point communication can be established between them.
72. A method of establishing a secure pseudo point-to-point data communication channel, such as an e-mail communication channel, over a data communication network between first and second user computers, wherein the communication of the two user computers is handled by first and second asymmetric network address translators respectively, characterized in that the method comprises:
creating a TCP/IP communication link from each user computer to a transmission server, passing through the respective first and second asymmetric network address translators;
after receiving a direct connection request, setting up first and second UDP ports on the transmission server, the request being received over the TCP/IP communication link between the first user computer and the transmission server that passes through the first NAT;
reporting the addresses of the first and second UDP ports to the first and second user computers respectively, over their respective TCP/IP communication links;
opening a third UDP port on the first user computer and a fourth UDP port on the second user computer;
sending a packet from the third UDP port to the first UDP port through the first network address translator, and a packet from the fourth UDP port to the second UDP port through the second network address translator, so that the transmission server can determine the first-network-address-translator address of the third UDP port and the second-network-address-translator address of the fourth UDP port;
re-sending packets received at the first UDP port from the second UDP port to the network-address-translator address of the fourth UDP port, and re-sending packets received at the second UDP port from the first UDP port to the network-address-translator address of the third UDP port, so that packets are effectively forwarded through the transmission server and pseudo point-to-point communication is established between the first and second user computers.
73. The method according to claim 72, characterized in that the re-sending step comprises: briefly storing received packets before re-sending them.
74. The method according to claim 72 or 73, characterized in that the creating step comprises: searching the transmission server network to determine the local transmission server on which the second user computer is registered, and connecting to that local transmission server.
75. The method according to any one of claims 72 to 74, characterized in that it further comprises: after the pseudo point-to-point communication has been established, the transmission server closing the TCP/IP connections with the first and second user computers.
76. A transmission server for assisting in establishing a secure pseudo point-to-point data communication channel, such as an e-mail communication channel, over a data communication network between first and second user computers, wherein the communication of the two user computers is handled by first and second asymmetric network address translators respectively, characterized in that the transmission server comprises:
creating means for creating a TCP/IP communication link from each user computer to the transmission server, passing through the respective first and second asymmetric network address translators;
setting means for setting up first and second UDP ports on the transmission server after receiving a direct connection request, the request being received over the TCP/IP communication link between the first user computer and the transmission server through the first network address translator;
reporting means for reporting the addresses of the first and second UDP ports to the first and second user computers over their respective TCP/IP communication links;
receiving means for receiving a packet sent through the first network address translator from a third UDP port on the first computer to the first UDP port, and a packet sent through the second network address translator from a fourth UDP port on the second user computer to the second UDP port, so that the transmission server can determine the first-network-address-translator address of the third UDP port and the second-network-address-translator address of the fourth UDP port;
re-sending means for re-sending packets received at the first UDP port from the second UDP port to the network-address-translator address of the fourth UDP port, and re-sending packets received at the second UDP port from the first UDP port to the network-address-translator address of the third UDP port, so that packets are effectively forwarded through the transmission server and pseudo point-to-point communication is established between the first and second user computers.
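Claims 58 to 76 describe two regimes: each client probes a server UDP port over its NAT so the server learns the client's external address and hands it to the other side (claims 58 to 65), and, when a NAT allocates a different external port per destination (what the claims call an "asymmetric" translator; RFC 3489 calls this a symmetric NAT), the server instead relays packets between the two learned addresses (claims 70 to 76). The simulation below is an added example for this page, not code from the patent; the IP addresses, port numbers and the two-mode NAT model are constructed, and it runs both modes so the reader can see why the learned address only works directly when the NAT keeps one mapping per private socket.

```python
"""Simulation of the UDP address discovery, hand-off and relay fallback in claims 58 to 76.

Added example, not code from the patent. IP addresses, port numbers and the
NAT model are constructed; a NAT that allocates a new external port per
destination is what the claims call an 'asymmetric' translator.
"""
from typing import Dict, Optional, Tuple

Addr = Tuple[str, int]


class NAT:
    def __init__(self, public_ip: str, per_destination: bool = False) -> None:
        self.public_ip = public_ip
        self.per_destination = per_destination   # claim 70 behaviour when True
        self.table: Dict[object, int] = {}
        self.next_port = 50000

    def outbound(self, src: Addr, dst: Addr) -> Addr:
        """Translate a packet from private src to dst; return the external source address."""
        key = (src, dst) if self.per_destination else src
        if key not in self.table:
            self.table[key] = self.next_port
            self.next_port += 1
        return (self.public_ip, self.table[key])


class TransmissionServer:
    def __init__(self, ip: str) -> None:
        self.ip, self.next_port = ip, 6000
        self.learned: Dict[Addr, Addr] = {}      # server UDP port -> NAT address of the probing client

    def open_port(self) -> Addr:
        """'Setting up a UDP port on the transmission server'; its address is reported over TCP."""
        self.next_port += 1
        return (self.ip, self.next_port)

    def probe(self, server_port: Addr, nat_src: Addr) -> None:
        self.learned[server_port] = nat_src       # the client port's NAT address is 'determined' here


class Client:
    def __init__(self, private_ip: str, nat: NAT) -> None:
        self.nat = nat
        self.udp: Addr = (private_ip, 7000)       # the client's own UDP port (second/third port)
        self.peer: Optional[Addr] = None          # destination after the claim 62/64 retargeting

    def send_to(self, dst: Addr) -> Addr:
        """Send a UDP packet; returns the source address the receiver sees."""
        return self.nat.outbound(self.udp, dst)


def negotiate(server: TransmissionServer, a: Client, b: Client) -> dict:
    """Claims 58, 61 to 65: probe, learn NAT addresses, swap them, test the direct path."""
    port_a, port_b = server.open_port(), server.open_port()   # first and fourth server ports
    server.probe(port_a, a.send_to(port_a))                    # second port -> first port
    server.probe(port_b, b.send_to(port_b))                    # third port -> fourth port
    a_ext, b_ext = server.learned[port_a], server.learned[port_b]
    a.peer, b.peer = b_ext, a_ext                              # each side told the other's address
    # direct messages (claims 63/65) arrive from the expected source only if the NAT
    # presents the same external address toward the peer as it did toward the server
    direct = a.send_to(a.peer) == a_ext and b.send_to(b.peer) == b_ext
    return {"direct": direct, "port_a": port_a, "port_b": port_b, "a_ext": a_ext, "b_ext": b_ext}


def relay(server: TransmissionServer, port_a: Addr, port_b: Addr,
          arrived_at: Addr, src: Addr, payload: bytes) -> Optional[dict]:
    """Claim 72: re-send a packet received on one server port from the other server port
    to the NAT address learned for the other client. Packets from unknown sources are dropped."""
    if arrived_at == port_a and src == server.learned[port_a]:
        return {"from": port_b, "to": server.learned[port_b], "payload": payload}
    if arrived_at == port_b and src == server.learned[port_b]:
        return {"from": port_a, "to": server.learned[port_a], "payload": payload}
    return None


def demo(per_destination: bool) -> dict:
    server = TransmissionServer("203.0.113.5")
    a = Client("10.0.0.2", NAT("198.51.100.1", per_destination))
    b = Client("192.168.1.9", NAT("192.0.2.77", per_destination))
    result = negotiate(server, a, b)
    if result["direct"]:
        return {"mode": "direct", "a_ext": result["a_ext"], "b_ext": result["b_ext"]}
    # fallback (claims 70, 72): a keeps sending to the server port it probed, so the
    # existing NAT mapping is reused and the server relays toward b's learned address
    fwd = relay(server, result["port_a"], result["port_b"],
                result["port_a"], a.send_to(result["port_a"]), b"hello")
    return {"mode": "relay", "forwarded_to": fwd["to"], "from_port": fwd["from"]}
```

The source check in `relay` matters for the server operator: the relay ports are reachable from the whole Internet once opened, and without matching the arriving source against the address learned during the probe, anyone who discovers the port pair could inject traffic into the pseudo point-to-point channel or use the server as a reflector.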
77, a kind of subscriber computer is connected to the method that the transmission server layering connects network, is used for helping between transmit leg computer and target recipient computer, to set up point-to-point communication, it is characterized in that described method comprises by data communication network:
Receive descriptor, be in the present load of each transmission server at the same level in the transmission server a plurality of at the same level on the same level in the described connection network of described information description with local transmission server;
Receive connection request, request is connected to described local transmission server with local user's computer;
The present load of more described home server and each described server at the same level;
If the load capacity of described local transmission server any one load capacity in the described server at the same level then sends response to described local user's computer, indicate it should be connected to minimum one of load capacity in the described server at the same level;
If the load capacity of described local transmission server is not any one a load capacity in the described server at the same level, then accepts described connection request, and upgrade the present load amount of described local transmission server.
According to the described method of claim 77, it is characterized in that 78, the present load amount of transmission server is by being registered in the quantity decision of the subscriber computer on the described transmission server.
79, according to claim 77 or 78 described methods, it is characterized in that, also comprise: the present load amount of local transmission server is transmitted to the transmission server that is arranged on the described hierarchical network higher level.
According to the described method of claim 79, it is characterized in that 80, described forwarding step comprises current IP address and the port that sends described local transmission server.
According to claim 79 or 80 described methods, it is characterized in that 81, described forwarding step comprises: the interval with rule sends heartbeat signal, and each heartbeat signal provides the up-to-date current information about the present load amount of described local transmission server.
82, according to each described method of claim 77 to 81, it is characterized in that described receiving step comprises: the current IP address of each and the descriptor of port in the described a plurality of transmission servers at the same level of reception description.
83. The method according to any one of claims 77 to 82, characterized in that the receiving step comprises: periodically receiving a heartbeat signal from each of the peer transmission servers, the heartbeat signal containing an identifier of that peer transmission server and information describing its current load.
84. The method according to any one of claims 77 to 83, characterized in that it further comprises: determining the geographical location of the local transmission server.
85. The method according to claim 84, characterized in that the receiving step comprises: receiving information on the geographical location of each of the peer transmission servers.
86. The method according to claim 84 or 85, characterized in that the geographical location information comprises time-zone information for the local or peer transmission server.
87. The method according to claim 85 or 86, characterized in that the comparing step comprises: comparing the current load of the local server with that of each peer server located in the same geographical location as the local user;
and if the load of the local transmission server is much greater than the load of any of the peer servers in that same geographical location, the forwarding step comprises sending a response to the local user's computer directing it to connect to the peer transmission server with the lowest load in the user's geographical location.
88. The method according to any one of claims 77 to 87, characterized in that the forwarding step comprises: sending to the local transmission server the communication address of the parent transmission server located on the adjacent higher level of the connection network.
89. The method according to any one of claims 77 to 88, characterized in that it further comprises:
obtaining and assessing the load of all child transmission servers that are connected to the local transmission server and located on the next lower level of the hierarchical connection network;
comparing the current load of the local server with that of each child server; and
if the load of the local transmission server is much greater than the load of any child server, sending a response to the local user's computer directing it to connect to the child server with the lowest load.
90. The method according to claim 89, characterized in that it further comprises: determining the geographical location of the local transmission server, and the obtaining step comprises: receiving information on the geographical location of each child transmission server.
91. The method according to claim 90, characterized in that the geographical location information comprises time-zone information for the local or child transmission server.
92. The method according to claim 90 or 91, characterized in that the assessing step comprises: comparing the current load of the local server with that of each child server located in the same geographical location as the local user;
and if the load of the local transmission server is much greater than the load of any child server in the geographical location of the local user's computer, the forwarding step comprises: sending a response to the local user's computer directing it to connect to the child transmission server with the lowest load in that same geographical location.
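The redirect decision of claims 83 to 92, as an added worked example. This is not the applicant's code; the claims leave the heartbeat format, the meaning of "much greater", the heartbeat lifetime and the precedence between peers and children open, so the fields below, the 30-second heartbeat lifetime, the 1.5x ratio, the load floor of 10 and the pooling of peers and children into one candidate set are assumptions of this example.

```python
"""Load-based redirection in the transmission-server hierarchy of the claims
above: heartbeats from peer and child servers carry an identifier, the current
load and a time zone (the claims' geographic location); a user is redirected
only when the local server is much more loaded than a server in the user's own
zone.  Added example, not the applicant's code.  Assumed (not in the claims):
the heartbeat fields, a 30 s heartbeat lifetime, "much greater" meaning more
than 1.5x the target's load, a floor of 10 before redirecting at all, and one
candidate set pooling peers and children."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Heartbeat:
    server_id: str
    load: int          # current load amount, e.g. connected user computers
    tz: str            # time zone standing in for geographic location
    address: str       # communication address the user should connect to


@dataclass(frozen=True)
class Redirect:
    target_id: str
    address: str


class LoadBalancer:
    def __init__(self, local_id, local_tz, ttl_s=30.0, ratio=1.5, min_load=10):
        self.local_id, self.local_tz = local_id, local_tz
        self.ttl_s, self.ratio, self.min_load = ttl_s, ratio, min_load
        self.peers, self.children = {}, {}      # server_id -> (Heartbeat, received_at)

    def on_heartbeat(self, hb, level, now):
        """Receiving step: keep only the latest heartbeat per server and level."""
        if hb.server_id == self.local_id:
            return                              # never redirect a user to ourselves
        table = {"peer": self.peers, "child": self.children}[level]
        table[hb.server_id] = (hb, now)

    def _live(self, now):
        """Only servers heard from within ttl_s are eligible redirect targets;
        a silent server may be down, and sending users there strands them."""
        for hb, at in (*self.peers.values(), *self.children.values()):
            if now - at <= self.ttl_s:
                yield hb

    def redirect_for(self, user_tz, local_load, now) -> Optional[Redirect]:
        """Comparing and forwarding steps: None means 'serve the user locally'.
        user_tz=None falls back to the local server's own zone (claim 84)."""
        user_tz = user_tz or self.local_tz
        same_zone = [hb for hb in self._live(now) if hb.tz == user_tz]
        if not same_zone or local_load < self.min_load:
            return None                         # nobody nearby, or not worth moving
        best = min(same_zone, key=lambda hb: (hb.load, hb.server_id))  # stable tie-break
        if local_load > self.ratio * best.load:
            return Redirect(best.server_id, best.address)
        return None
```

Two checks here are the ones the claims leave implicit but a deployment needs: a server whose heartbeat has gone silent drops out of the candidate set, and the absolute floor on the local load stops two lightly loaded servers from bouncing users between each other over a difference of a few connections.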
93. A method of connecting a node to a network made up of verified communication servers, the network being used to establish point-to-point data communication between user computers registered on the communication servers, characterized in that the method comprises:
authenticating the node to an authentication server using a user ID and password received from the authentication server;
receiving a notification containing the identity of a selected communication server to which the node must connect in order to join the network;
requesting from the authentication server data specific to the node and to the selected communication server, for use in connecting the node to the selected communication server;
receiving the data specific to the node and to the selected communication server, together with a shared key that the node shares with the selected communication server;
sending to the selected communication server the node-specific data and global data encrypted under the shared key, so that the selected communication server can verify the node to the network and connect it to the network without requesting verification information from the authentication server.
94. The method according to claim 93, characterized in that it further comprises: receiving from the selected communication server confirmation data encrypted under the shared key, giving the node information with which it can verify the selected communication server.
95. The method according to claim 93 or 94, characterized in that it further comprises: registering the node with the authentication server of the network, thereby obtaining the user ID and password.
96. The method according to any one of claims 93 to 95, characterized in that the notification step comprises: receiving a ticket-granting ticket that is used in the requesting step.
97. The method according to claim 96, characterized in that the notification step comprises: obtaining a session key used by the node in the receiving step.
98. The method according to any one of claims 93 to 97, characterized in that the ticket-granting ticket and the session key are encrypted under the password, the method further comprising: decrypting the ticket-granting ticket and the session key.
99. The method according to any one of claims 96 to 98, characterized in that the requesting step comprises sending the ticket-granting ticket and the identity of the selected communication server to the authentication server.
100. The method according to any one of claims 93 to 99, characterized in that the receiving step comprises obtaining a specific ticket corresponding to the selected communication server and the node.
101. The method according to claim 100, characterized in that the ticket includes a copy of the shared key.
102. The method according to claim 101, characterized in that it further comprises: decrypting the shared key, which is encrypted under the session key.
103. The method according to any one of claims 93 to 102, characterized in that it further comprises: computing a timestamp value as the global data.
104. The method according to any one of claims 93 to 103, characterized in that it further comprises: the selected communication server decrypting the received data using the shared key.
105. The method according to any one of claims 93 to 104, characterized in that it further comprises: the selected communication server verifying the validity of the received data.
106. The method according to claim 104 or 105, characterized in that it further comprises: the selected communication server sending confirmation data indicating that the decrypted received data is acceptable.
107. The method according to any one of claims 93 to 106, characterized in that it further comprises: receiving verification data modified in a predefined manner.
108. The method according to claim 107, characterized in that the modified verification data is encrypted, the method further comprising: decrypting the modified verification data.
109. A method of enabling secure communication between a first user computer and a second user computer, the second user computer being part of a network of verified communication servers, the method being used to establish point-to-point data communication between user computers registered on the communication servers, characterized in that the method comprises:
connecting the first computer to the network by the method of any one of claims 1 to 16;
creating public and private keys on the first and second user computers;
exchanging the public keys between the first and second user computers through the network;
creating a shared encryption/decryption key from the non-shared private key and the shared public key of the first and second user computers;
using the shared encryption key to encrypt data messages sent directly between the first and second user computers over the point-to-point connection established between them.
110. A method of connecting a first hierarchical region made up of interconnected transmission server nodes to a second hierarchical region made up of interconnected transmission server nodes, characterized in that the method comprises:
providing in each region a local authentication server, connected to the master node on the highest level of that region, for controlling verification matters relating to all servers in its own region;
registering the master node of the first hierarchical region with the authentication server of the second hierarchical region;
authenticating the master node of the first hierarchical region to the authentication server of the second hierarchical region;
receiving a notification containing the identity of the lowest node server to which the master node of the first hierarchical region must connect in order to join the two regions;
receiving shared data and a shared encryption key used in common by the lowest node server of the second hierarchical region and the master node of the first hierarchical region;
using the received shared data and shared encryption key to authenticate the master node of the first hierarchical region to the lowest node server of the second hierarchical region, thereby joining the first and second regions without requesting verification information from the authentication server of the second region.
111. The method according to claim 110, characterized in that it further comprises: requesting from the authentication server data relating to the master node of the first hierarchical region and to the lowest node server of the second hierarchical region, for use in connecting to the selected lowest node server in the second hierarchical region.
112. The method according to claim 110 or 111, characterized in that it further comprises: sending the shared data and global data, encrypted under the shared encryption key, to the lowest node server, so that the lowest node server can verify the master node to the second hierarchical region.
113. The method according to any one of claims 110 to 112, characterized in that the verification step is performed by the lowest node server of the second hierarchical region.
114. The method according to any one of claims 110 to 113, characterized in that it further comprises: registering the master node of the second hierarchical region with the authentication server of the first hierarchical region;
authenticating the master node of the second hierarchical region to the authentication server of the first hierarchical region.
115. A method of enabling secure communication between a first user computer connected to a first region made up of transmission servers and a second user computer connected to a second region made up of transmission servers, for establishing point-to-point data communication between user computers registered on the communication servers, characterized in that the method comprises:
connecting the first user computer in the first region to the second region made up of transmission servers by the method of any one of claims 110 to 114;
determining the network locations of the first and second user computers within the interconnected regions;
using the determined network locations to set up a point-to-point communication channel between the first and second user computers;
sending encrypted data communication over the established point-to-point communication channel.
116. The method according to claim 115, characterized in that the using step comprises:
creating public and private keys on the first and second user computers;
exchanging the public keys between the first and second user computers through the network;
creating a shared encryption/decryption key from the non-shared private key and the shared public key of the first and second user computers;
using the shared encryption key to encrypt data messages sent directly between the first and second user computers over the established point-to-point connection.
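The admission exchange of claims 93 to 108, reused unchanged for the region-to-region federation of claims 110 to 114, and the per-pair public/private key agreement of claims 109 and 116, as one added worked example (Python, standard library only). It is not the applicant's code or wire format: the claims name the pieces but not the algorithms, so everything concrete here is this example's choice, namely JSON messages, PBKDF2 salted with the user ID for the password key, an HMAC-SHA256 encrypt-then-MAC construction standing in for a real AEAD, the RFC 3526 2048-bit MODP group for the key agreement, 10-minute tickets and a 60-second timestamp window. The shape is that of Kerberos: the ticket-granting ticket of claim 96, the session key of claim 97, the server ticket carrying a copy of the shared key (claim 101), the timestamp as global data (claim 103) and the timestamp-plus-one confirmation (claims 94 and 106 to 108).

```python
"""Ticket-based admission to the verified-server network plus the public/private
key agreement for the point-to-point channel.  Added example, not the applicant's
code or wire format.  Assumed (not in the claims): JSON messages; HMAC-SHA256 in
counter mode with an HMAC tag standing in for a real AEAD (use AES-GCM in
practice); PBKDF2 salted with the user ID; RFC 3526 group 14; 10-minute tickets;
a 60-second window on the timestamp that is the claims' "global data"."""
import hashlib, hmac, json, os, secrets, time

TICKET_LIFE_S, FRESHNESS_S = 600, 60
P = int(  # RFC 3526 2048-bit MODP group: a safe prime, generator 2
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF05"
    "98DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB"
    "9ED529077096966D670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B"
    "E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9DE2BCBF695581718"
    "3995497CEA956AE515D2261898FA051015728E5A8AACAA68FFFFFFFFFFFFFFFF", 16)
G, Q = 2, (P - 1) // 2          # generator and the prime order of its subgroup

def _mac(key, *parts):
    return hmac.new(key, b"".join(parts), hashlib.sha256).digest()

def _stream(ke, nonce, n):      # HMAC in counter mode as the keystream
    return b"".join(_mac(ke, nonce, i.to_bytes(4, "big")) for i in range(n // 32 + 1))[:n]

def seal(key, obj):
    """Encrypt-then-MAC a JSON-serialisable object: nonce || ciphertext || tag."""
    ke, km, nonce = _mac(key, b"enc"), _mac(key, b"mac"), os.urandom(16)
    pt = json.dumps(obj).encode()
    ct = bytes(a ^ b for a, b in zip(pt, _stream(ke, nonce, len(pt))))
    return nonce + ct + _mac(km, nonce, ct)

def open_(key, blob):
    """Verify the tag in constant time before decrypting; raise on tampering."""
    ke, km = _mac(key, b"enc"), _mac(key, b"mac")
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, _mac(km, nonce, ct)):
        raise ValueError("authentication tag mismatch")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _stream(ke, nonce, len(ct)))))

def pw_key(uid, password):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), uid.encode(), 100_000)

class AuthServer:
    """Per-region auth server: user password keys, each server's long-term key, TGS key."""
    def __init__(self, server_keys):
        self.servers, self.users, self.tgs_key = server_keys, {}, os.urandom(32)
    def register(self, uid, password):
        self.users[uid] = pw_key(uid, password)
    def login(self, uid, server_id):
        """Notification: selected server, ticket-granting ticket and session key,
        sealed under the password key so only the real user can read them."""
        session, exp = os.urandom(32).hex(), time.time() + TICKET_LIFE_S
        tgt = seal(self.tgs_key, {"uid": uid, "session": session, "exp": exp})
        return seal(self.users[uid], {"server": server_id, "tgt": tgt.hex(), "session": session})
    def ticket(self, tgt_hex, server_id):
        """Server-specific ticket: a fresh key for (node, server); one copy sealed
        to the server, one returned to the node under the session key."""
        t = open_(self.tgs_key, bytes.fromhex(tgt_hex))
        if t["exp"] < time.time():
            raise ValueError("ticket-granting ticket expired")
        shared, exp = os.urandom(32).hex(), time.time() + TICKET_LIFE_S
        tkt = seal(self.servers[server_id], {"uid": t["uid"], "shared": shared, "exp": exp})
        return seal(bytes.fromhex(t["session"]), {"shared": shared, "ticket": tkt.hex()})

class CommServer:
    """Admits a node from the ticket alone: no round trip to the auth server."""
    def __init__(self, sid, key):
        self.sid, self.key, self.admitted = sid, key, {}
    def admit(self, ticket_hex, authenticator):
        t = open_(self.key, bytes.fromhex(ticket_hex))
        if t["exp"] < time.time():
            raise ValueError("ticket expired")
        shared = bytes.fromhex(t["shared"])
        a = open_(shared, authenticator)              # node-specific data + timestamp
        if a["uid"] != t["uid"] or abs(time.time() - a["ts"]) > FRESHNESS_S:
            raise ValueError("authenticator stale or does not match the ticket")
        self.admitted[t["uid"]] = shared
        return seal(shared, {"ts": a["ts"] + 1})      # predefined modification: ts + 1

def join(uid, password, auth, server):
    """Client side of the exchange; returns the key now shared with the server.
    A region's master node joining a second region runs these same steps against
    that region's authentication server and lowest node server."""
    note = open_(pw_key(uid, password), auth.login(uid, server.sid))
    if note["server"] != server.sid:
        raise ValueError("notification names a different server")
    grant = open_(bytes.fromhex(note["session"]), auth.ticket(note["tgt"], server.sid))
    shared, ts = bytes.fromhex(grant["shared"]), int(time.time())
    reply = open_(shared, server.admit(grant["ticket"], seal(shared, {"uid": uid, "ts": ts})))
    if reply["ts"] != ts + 1:                         # the server proved it holds the key
        raise ValueError("server failed to confirm the shared key")
    return shared

def dh_keypair():
    priv = secrets.randbelow(Q - 2) + 2               # private value never leaves the host
    return priv, pow(G, priv, P)

def dh_shared_key(priv, peer_pub):
    """Refuse public values outside the order-Q subgroup before exponentiating."""
    if not 2 <= peer_pub <= P - 2 or pow(peer_pub, Q, P) != 1:
        raise ValueError("invalid peer public value")
    return hashlib.sha256(pow(peer_pub, priv, P).to_bytes(256, "big")).digest()
```

Two user computers that have both run join() each call dh_keypair(), send the public value to the other through the network, and call dh_shared_key(own_priv, peer_pub); the two results are equal and are then used with seal() and open_() for the messages that travel directly over the point-to-point connection. The subgroup check in dh_shared_key is the caveat the claims omit: without it a peer can send 1, P-1 or another small-order value and force a predictable channel key. A production version would also bind the server identity into the authenticator and keep a replay cache of recent timestamps on the server, both of which this example leaves out.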
CNA2005800250716A 2004-06-28 2005-06-28 Improvement relative to safety communication Pending CN101053239A (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
GBGB0414415.0A GB0414415D0 (en) 2004-06-28 2004-06-28 Improvements relating to secure telecommunications
GB0414415.0 2004-06-28

Publications (1)

Publication Number Publication Date
CN101053239A true CN101053239A (en) 2007-10-10

Family

ID=32800303

Family Applications (1)

Application Number Title Priority Date Filing Date
CNA2005800250716A Pending CN101053239A (en) 2004-06-28 2005-06-28 Improvement relative to safety communication

Country Status (8)

Country Link
EP (1) EP1769620A2 (en)
JP (1) JP2008508573A (en)
KR (1) KR20070092196A (en)
CN (1) CN101053239A (en)
AU (1) AU2005256849A1 (en)
CA (1) CA2572027A1 (en)
GB (1) GB0414415D0 (en)
WO (1) WO2006000802A2 (en)

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2014131334A1 (en) * 2013-02-28 2014-09-04 华为终端有限公司 Method and device for multi-link fusion
WO2014139234A1 (en) * 2013-03-12 2014-09-18 深圳创维数字技术股份有限公司 Mobile communication method, mobile communication server, and mobile communication system
CN107004026A (en) * 2014-11-03 2017-08-01 艾玛迪斯简易股份公司 Manage the search result precalculated
CN107925664A (en) * 2015-08-31 2018-04-17 尤尼斯康通用身份控制股份有限公司 Method for safely and efficiently accessing connection data
CN110023879A (en) * 2016-11-26 2019-07-16 阿姆有限公司 Monitoring circuit and method

Families Citing this family (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8817990B2 (en) * 2007-03-01 2014-08-26 Toshiba America Research, Inc. Kerberized handover keying improvements
US8554174B2 (en) * 2009-06-15 2013-10-08 Alcatel Lucent Selective first delivery attempt (FDA) processing for text messages
US8819412B2 (en) 2010-04-30 2014-08-26 Shazzle Llc System and method of delivering confidential electronic files
US10200325B2 (en) 2010-04-30 2019-02-05 Shazzle Llc System and method of delivering confidential electronic files
CN103442224A (en) * 2013-09-09 2013-12-11 杭州巨峰科技有限公司 NAT penetration-based video monitoring access strategy and realization method
WO2015188151A1 (en) * 2014-06-06 2015-12-10 Bittorrent, Inc. Securely sharing information via a public key- value data store
US10135618B2 (en) * 2016-03-25 2018-11-20 Synergex Group (corp.) Method for using dynamic Public Key Infrastructure to send and receive encrypted messages between software applications
US10924459B2 (en) * 2016-12-16 2021-02-16 Futurewei Technologies, Inc. Location control and access control of emails
US11165817B2 (en) * 2019-10-24 2021-11-02 Arbor Networks, Inc. Mitigation of network denial of service attacks using IP location services
CN112511569B (en) * 2021-02-07 2021-05-11 杭州筋斗腾云科技有限公司 Method and system for processing network resource access request and computer equipment

Family Cites Families (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6993325B1 (en) * 2000-02-29 2006-01-31 Ericsson Inc. Method for facilitating electronic communications
WO2001075652A2 (en) * 2000-03-31 2001-10-11 Centerspan Communications Corp. Media exchange system and process
EP1413116A1 (en) * 2001-08-03 2004-04-28 Matsushita Electric Industrial Co., Ltd. Access control system
EP1423796A1 (en) * 2001-08-09 2004-06-02 Gigamedia Access Corporation Hybrid system architecture for secure peer-to-peer-communication
WO2004017607A1 (en) * 2002-07-17 2004-02-26 Siemens Aktiengesellschaft Data communication system and data communication method with advanced determination of the availability of communication partners
EP1565839B1 (en) * 2002-11-29 2015-03-25 International Business Machines Corporation Index server support to file sharing applications

Cited By (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2014131334A1 (en) * 2013-02-28 2014-09-04 华为终端有限公司 Method and device for multi-link fusion
US10050880B2 (en) 2013-02-28 2018-08-14 Huawei Device Co., Ltd. Multi-link aggregation method and device
WO2014139234A1 (en) * 2013-03-12 2014-09-18 深圳创维数字技术股份有限公司 Mobile communication method, mobile communication server, and mobile communication system
CN107004026A (en) * 2014-11-03 2017-08-01 艾玛迪斯简易股份公司 Manage the search result precalculated
CN107925664A (en) * 2015-08-31 2018-04-17 尤尼斯康通用身份控制股份有限公司 Method for safely and efficiently accessing connection data
CN107925664B (en) * 2015-08-31 2021-10-01 尤尼斯康通用身份控制股份有限公司 Method for secure and efficient access to connection data
CN110023879A (en) * 2016-11-26 2019-07-16 阿姆有限公司 Monitoring circuit and method
CN110023879B (en) * 2016-11-26 2023-11-28 阿姆有限公司 Monitoring circuit and method

Also Published As

Publication number Publication date
JP2008508573A (en) 2008-03-21
AU2005256849A1 (en) 2006-01-05
CA2572027A1 (en) 2006-01-05
EP1769620A2 (en) 2007-04-04
WO2006000802A3 (en) 2006-06-15
GB0414415D0 (en) 2004-07-28
WO2006000802A2 (en) 2006-01-05
KR20070092196A (en) 2007-09-12

Similar Documents

Publication Publication Date Title
CN101053239A (en) Improvement relative to safety communication
CN1231028C (en) Distributed system to intelligenly establish sessions between anonymous users over various networks
US9094376B2 (en) System and method for facilitating communications based on trusted relationships
CN1178450C (en) Method and system for extended addressing plans
CN1615632A (en) Mechanism for supporting wired and wireless methods for client and server side authentication
CN1701573A (en) Remote access vpn mediation method and mediation device
CN1625907A (en) Packet mode speech communication
CN1428058A (en) Method and apparatus for participating in group communication services in existing communication system
EP2890090A2 (en) Transmitting and receiving data
CN1504059A (en) Method and apparatus for participating in group communication services in existnig communication system
CN1833403A (en) Communication system, communication device, communication method, and communication program for realizing the same
CN1890945A (en) Communication systems for traversing firewalls and network address translation (NAT) installations
CN1428029A (en) System and method for providing group communication services
CN1729460A (en) Communication method, communication system, relay system, communication program, program for communication system, mail distribution system, mail distribution method, and mail distribution program
CN1783887A (en) Method and apparatus for performing a secure transaction in a trusted network
CN1725680A (en) Method and system for enabling trust infrastructure support for federated user lifecycle management
CN1855805A (en) Encryption method for sip message and encrypted sip communication system
CN1754351A (en) Communication model, signal, method, and device for confirming reachability in network where host reachability is accomplished by relating static identifier to dynamic address
CN1496063A (en) Interconnected network protocol safety protocol set server equipment and processing equipment
CN1499396A (en) Method and device for maintaining internet field names data
CN1698328A (en) Recursive querry for communications network data
US20090300197A1 (en) Internet Protocol Communication System, Server Unit, Terminal Device, and Authentication Method
CN101053202A (en) Optimized peer-to-peer mobile communications
Garfinkel VoIP and Skype security
JP2009218627A (en) Presence updating method, telephone set and program

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C02 Deemed withdrawal of patent application after publication (patent law 2001)
WD01 Invention patent application deemed withdrawn after publication

Open date: 20071010