CN1764196A - Safety grade arranging method - Google Patents

Safety grade arranging method

Info

Publication number
CN1764196A
Authority
CN
China
Prior art keywords
safe class
sent
security
tabulation
sides
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN 200510115263
Other languages
Chinese (zh)
Other versions
CN100518187C (en)
Inventor
张峰
陈剑勇
陈璟
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
ZTE Corp
Original Assignee
ZTE Corp
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by ZTE Corp
Priority to CNB2005101152638A
Publication of CN1764196A
Application granted
Publication of CN100518187C
Current legal status: Expired - Fee Related
Anticipated expiration

Abstract

The invention discloses a security level negotiation method that improves on the prior art as follows: in the second-step SIP message, the responding party sends one explicitly selected security level to the other party; in the third step, a secure communication channel is established according to that level; in the fourth step, the originating party echoes back the security level selected by the other party; in the fifth step, the receiving party verifies and confirms the originating party's response. This eliminates the possible ambiguity problem, and the method suits both peer (symmetric) and asymmetric negotiations.

Description

A security level (safety grade) negotiation method
Technical field
The present invention applies to the field of communications and information security, and specifically relates to methods of security negotiation.
Background technology
Negotiation of security information is the basis for establishing a secure channel and providing security services. Before communication begins, the communicating parties usually need to negotiate which security mechanisms and algorithms they will use. In an incremental security service system, a terminal uses the incremental security service according to a security level; the security level must be negotiated between the terminal and the policy server (or between terminals) to confirm the security protocols and algorithms that both the system and the terminal support.
A security negotiation method was proposed in the SIP protocol; it achieves negotiation of security parameters between client and server in five steps. Step 1: the client sends the list of security mechanisms it supports to the server. Step 2: the server sends the list of security mechanisms it supports to the client. Step 3: the client selects, from the security mechanisms supported by both sides, the mechanism of the highest security strength and establishes a secure communication channel between the two parties. Step 4: over the secure channel just opened, the client returns to the server the list of security mechanisms it received from the server. Step 5: the server verifies the list sent by the client; if it is confirmed to be the unmodified list the server originally sent, the negotiation succeeds, otherwise it fails. The main security threats during negotiation are: an attacker attempts to modify the client's security mechanism list in the step 1 message; an attacker modifies the server's security mechanism list in step 2; an attacker modifies the list in the step 4 message; an attacker attempts to replay old security negotiation information in step 5. Tampering with either of the first two steps causes the step 4 verification to fail; therefore step 3 is the condition and basis of SIP security negotiation: it ensures that the step 4 and step 5 messages are transmitted in a secure communication channel, and thereby ensures the security of the negotiation process.
During security level negotiation the following situation may arise: both sides have the same security level, but the specific algorithms they use differ. Different algorithms can reach equal security strength, so in step 3 of the SIP negotiation the highest security level supported by both sides may correspond to more than one algorithm, and in that step the parties cannot determine which algorithm to use.
Summary of the invention
The present invention proposes a security level negotiation method that improves the success rate of negotiation and avoids security algorithm conflicts.
The invention is an improvement of the existing SIP security negotiation method: the security level selected by the responding party is carried in the second-step SIP message, so that one explicit security level is sent to the other party; in step 3 the secure communication channel is established according to this level; in step 4 the originating party echoes back the security level selected by the receiving party; in step 5 the receiving party verifies and confirms the originating party's response. The detailed process is as follows:
Suppose entities A and B negotiate a security level, where A is the caller and B is the callee.
Step 1: A sends B the list of security levels it supports;
Step 2: B compares the list sent by A with its own, selects the highest security level supported by both sides together with its algorithm parameters, and sends the selection to A;
Step 3: A verifies whether B's selection is in A's own list; if so, A establishes the secure communication channel between the two parties; otherwise the negotiation fails;
Step 4: A returns B's selection to B over the opened secure channel;
Step 5: B verifies the selection returned by A; if it is confirmed to be the unmodified security level and algorithm parameters B originally sent, the negotiation succeeds; otherwise the negotiation fails.
SIP security level negotiation is a widely used security negotiation mechanism. The invention improves its messages and eliminates the ambiguity problem that may arise in SIP security level negotiation; the method requires no security assumptions about the negotiating parties, and applies to both peer negotiation and asymmetric negotiation.
Description of drawings
Fig. 1 is a flow chart of the security level negotiation method proposed by the invention.
Embodiment
As shown in Fig. 1, the method flow of the invention supposes that entities A and B negotiate a security level, with A as the caller and B as the callee; the negotiation process comprises the following five steps:
Step 1: A sends B the list of security levels it supports;
Step 2: B compares the list sent by A with its own, selects the highest security level supported by both sides together with its algorithm parameters, and sends the selection to A;
Step 3: A verifies whether B's selection is in A's own list; if so, A establishes the secure communication channel between the two parties; otherwise the negotiation fails;
Step 4: A returns B's selection to B over the opened secure channel;
Step 5: B verifies the selection returned by A; if it is confirmed to be the unmodified security level and algorithm parameters B originally sent, the negotiation succeeds; otherwise the negotiation fails.
In the original SIP security level negotiation method, the client in step 3 establishes the highest security mechanism supported by both sides, and at that moment the server side may not know the concrete security protocol and algorithm configuration. Different security algorithms and configurations may reach the same security strength, so when the client establishes the secure channel, the server end cannot know exactly which security mechanism was selected. In step 2 of the invention's method, B sends its selected concrete security level and algorithm parameters to A, so at the start of step 3 both sides already know the security level and algorithm parameters to be established, and no security algorithm conflict can arise.
First, the attack resistance of the negotiation mechanism proposed here is analysed. Attacks mainly include message tampering, security level downgrade, and replay. By step 4 this method has established the secure communication channel, so the first three steps may be regarded as transmitted under insecure conditions, and the messages of the first three steps may all be tampered with. The first kind is a security downgrade attack: the attacker modifies A's security list, lowering the security levels A supports; or the attacker modifies B's security list in step 2, lowering the security level B supports. This causes the security level of the communication channel established in step 3 to be lower than the security level declared by the parties, which is discovered in step 5. If the attacker has tampered with the messages of steps 1, 2 or 4, or replayed stale messages, this is likewise discovered when B verifies the security level information received from A in step 5.
Moreover, most attacks on and security risks of the security level negotiation method stem from the inability to confirm user identity during the first three steps and from the transmission of those messages in the clear. If the identities of both negotiating parties can be confirmed early in some scenarios, and security mechanisms are used to protect the messages, most attacks on the messages will be effectively prevented.
The above embodiments describe the invention by way of preferred embodiments, but these examples, given only for ease of understanding, should not be taken as limiting the scope of the invention. Likewise, according to the description of the technical scheme of the invention and its preferred embodiments, various equivalent changes or substitutions can be made, and all such changes or substitutions fall within the protection scope of the claims of the invention.
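The five-step exchange of the embodiment, together with the tampering and downgrade checks discussed in the attack analysis, as an added worked example that is not part of the patent and not ZTE's code. The security levels, algorithm names and pre-shared secret are constructed sample data; the "secure channel" of step 3 is modelled by an HMAC keyed from a pre-shared secret mixed with the selected level and algorithm (a modelling assumption standing in for whatever channel the chosen level would really open). The hooks `tamper_step2` and `tamper_step4` model an on-path modification so that the reader can see which step detects it:

```python
"""Simulation of the five-step security level negotiation between caller A and callee B.
Added example, not the patent's own code; all data below is constructed."""
import hashlib
import hmac

# Constructed sample data: security levels ordered by strength.
LEVEL_STRENGTH = {"low": 1, "medium": 2, "high": 3}

# Modelling assumption: the step-3 channel is stood in for by an HMAC whose key is
# derived from a pre-shared secret mixed with the selected level and algorithm.
PRE_SHARED_SECRET = b"constructed-demo-secret"


class NegotiationFailed(Exception):
    """Raised when a party aborts the negotiation."""


def step1_a_offer(a_levels):
    """Step 1: A sends B the list of security levels it supports."""
    return sorted(a_levels, key=LEVEL_STRENGTH.__getitem__)


def step2_b_select(b_catalogue, a_offer):
    """Step 2: B picks the strongest level in the intersection and names ONE algorithm
    parameter set for it, so A never has to guess among equally strong algorithms."""
    common = [lvl for lvl in a_offer if lvl in b_catalogue]
    if not common:
        raise NegotiationFailed("no common security level")
    level = max(common, key=LEVEL_STRENGTH.__getitem__)
    return {"level": level, "algo": b_catalogue[level][0]}


def channel_key(selection):
    """Key both sides derive for the channel; it depends on level and algorithm."""
    material = PRE_SHARED_SECRET + f"|{selection['level']}|{selection['algo']}".encode()
    return hashlib.sha256(material).digest()


def step3_a_check_and_open(a_levels, selection):
    """Step 3: A verifies B's choice is in its own list, then opens the channel."""
    if selection["level"] not in a_levels:
        raise NegotiationFailed("B selected a level A never offered")
    return channel_key(selection)


def step4_a_echo(key, selection):
    """Step 4: A returns B's selection over the channel (payload plus MAC)."""
    payload = f"{selection['level']}|{selection['algo']}".encode()
    return payload, hmac.new(key, payload, "sha256").digest()


def step5_b_verify(b_original, payload, tag):
    """Step 5: B checks the echo under the channel keyed by ITS original selection and
    that it equals what B sent; a substitution in step 2 or step 4 fails here."""
    expected = hmac.new(channel_key(b_original), payload, "sha256").digest()
    if not hmac.compare_digest(expected, tag):
        return False
    level, algo = payload.decode().split("|")
    return level == b_original["level"] and algo == b_original["algo"]


def negotiate(a_levels, b_catalogue, tamper_step2=None, tamper_step4=None):
    """Run all five steps; the optional hooks model an on-path attacker."""
    offer = step1_a_offer(a_levels)
    try:
        b_choice = step2_b_select(b_catalogue, offer)
    except NegotiationFailed:
        return "failed-step2", None
    seen_by_a = tamper_step2(b_choice) if tamper_step2 else b_choice
    try:
        key = step3_a_check_and_open(a_levels, seen_by_a)
    except NegotiationFailed:
        return "failed-step3", None
    payload, tag = step4_a_echo(key, seen_by_a)
    if tamper_step4:
        payload = tamper_step4(payload)
    if step5_b_verify(b_choice, payload, tag):
        return "success", seen_by_a
    return "failed-step5", None


# Constructed parties: B supports two equally strong algorithms at "high", which is
# exactly the ambiguity the step-2 selection resolves.
A_LEVELS = {"low", "medium", "high"}
B_CATALOGUE = {"low": ["alg-l1"], "high": ["alg-h1", "alg-h2"]}

if __name__ == "__main__":
    print("honest run:", negotiate(A_LEVELS, B_CATALOGUE))
    downgrade = lambda sel: {"level": "low", "algo": "alg-l1"}
    print("step-2 downgrade:", negotiate(A_LEVELS, B_CATALOGUE, tamper_step2=downgrade))
    print("step-4 edit:", negotiate(A_LEVELS, B_CATALOGUE,
                                    tamper_step4=lambda p: p.replace(b"high", b"low")))
```

In the honest run A learns both the level and the single algorithm B chose, so step 3 opens a channel with no ambiguity. A step-2 downgrade passes A's step-3 check (the lowered level is one A offered) but the channel A opens is keyed for the wrong selection, so B's step-5 MAC check fails; an edit of the step-4 echo fails the same check. A level A never offered is rejected already in step 3.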

Claims (1)

1. A security level negotiation method, characterized in that the method comprises the following process:
Suppose entities A and B negotiate a security level, where A is the caller and B is the callee;
Step 1: A sends B the list of security levels it supports;
Step 2: B compares the list sent by A with its own, selects the highest security level supported by both sides together with its algorithm parameters, and sends the selection to A;
Step 3: A verifies whether B's selection is in A's own list; if so, A establishes the secure communication channel between the two parties; otherwise the negotiation fails;
Step 4: A returns B's selection to B over the opened secure channel;
Step 5: B verifies the selection returned by A; if it is confirmed to be the unmodified security level and algorithm parameters B originally sent, the negotiation succeeds; otherwise the negotiation fails.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CNB2005101152638A CN100518187C (en) 2005-11-15 2005-11-15 Safety grade arranging method

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CNB2005101152638A CN100518187C (en) 2005-11-15 2005-11-15 Safety grade arranging method

Publications (2)

Publication Number Publication Date
CN1764196A true CN1764196A (en) 2006-04-26
CN100518187C CN100518187C (en) 2009-07-22

Family

ID=36748134

Family Applications (1)

Application Number Title Priority Date Filing Date
CNB2005101152638A Expired - Fee Related CN100518187C (en) 2005-11-15 2005-11-15 Safety grade arranging method

Country Status (1)

Country Link
CN (1) CN100518187C (en)

Cited By (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101146305B (en) * 2006-09-13 2010-09-01 中兴通讯股份有限公司 Configuration method of secure policy
CN101192922B (en) * 2006-11-17 2010-05-19 中兴通讯股份有限公司 A method for establishing secure channel between both communication parties
CN101369987B (en) * 2007-08-16 2011-09-28 阿里巴巴集团控股有限公司 Method and apparatus for establishing communication channel
CN101471878B (en) * 2007-12-28 2012-06-27 华为技术有限公司 Safety routing method, network system and equipment for peer-to-peer session initiation protocol network
CN103139527A (en) * 2011-12-05 2013-06-05 中国电信股份有限公司 Parameter negotiation method in video communication, device and video communication terminal
CN103139527B (en) * 2011-12-05 2016-03-23 中国电信股份有限公司 Parameter consultation method in video communication, device and video communication terminal
CN105991558A (en) * 2015-02-04 2016-10-05 中国移动通信集团公司 Safety mode negotiation method, apparatus and equipment in mobile network cloudization scene
CN105991558B (en) * 2015-02-04 2019-09-17 中国移动通信集团公司 Safe mode machinery of consultation, device and equipment under a kind of mobile network cloud scene
CN112468303A (en) * 2020-11-17 2021-03-09 天津南大通用数据技术股份有限公司 Method, device and storage medium for strengthening network communication security of database

Also Published As

Publication number Publication date
CN100518187C (en) 2009-07-22

Similar Documents

Publication Publication Date Title
CN1764196A (en) Safety grade arranging method
US7610622B2 (en) Supporting options in a communication session using a TCP cookie
CN1764195A (en) Non peer-to-peer entity safety grade arranging method
EP1361728A3 (en) Peer-to-peer name resolution protocol (pnrp) security infrastructure and method
KR101088852B1 (en) System for detecting toll fraud attack for internet telephone and method for the same
US7492899B2 (en) Authentication method for media gateway
EP2461524B1 (en) Network proxy implementation method and apparatus
US20120144051A1 (en) System and method for detection of data traffic on a network
CN101636968A (en) Method for preventing denial of service attacks using transmission control protocol state transition
CN112422749A (en) Method for preventing harassment outbound based on intelligent dialogue analysis
CN1852595A (en) Method for authent ation of access of wireless communication terminal
CN101795277B (en) Flow detection method and equipment in unidirectional flow detection mode
US20120060218A1 (en) System and method for blocking sip-based abnormal traffic
CN112865974A (en) Safety protection system based on edge computing access equipment
CN104601578A (en) Recognition method and device for attack message and core device
CN106888221A (en) A kind of Secure Information Tanslation Through Netware method
KR101287588B1 (en) Security System of the SIP base VoIP service
CN1881870A (en) Method for safety communication between devices
CN101043465A (en) Dynamic host configuration protocol service managing method and system thereof
CN1878335A (en) Method of setting up calls between a calling terminal and a called terminal
CN101039324A (en) Method, system and apparatus for defending network virus
CN110677424B (en) Electric power firewall falsification addressing filtering method based on Hash algorithm
CN110266477B (en) Dynamic encryption method for UDP communication
CN1672366A (en) Modem relay aggregator device
CN111131172B (en) Method for actively calling service by intranet

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20090722