CN1992710A - Secure interactive method for user terminal accessing soft switching network - Google Patents
- Publication number: CN1992710A (application CN 200510130751)
- Authority: CN (China)
- Prior art keywords: user terminal, access network, network gate, parameter group, broad access
- Legal status: Pending (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
- Landscapes: Mobile Radio Communication Systems (AREA)
Abstract
The invention relates to a secure interaction method for a user terminal accessing a softswitch network, used in an IP network system based on softswitch. The method comprises: 1. configuring a user-terminal authentication security parameter group on the user terminal, configuring a broadband access gateway authentication security parameter group on the broadband access gateway, and configuring the user-terminal authentication authorization parameter group and the broadband access gateway authentication authorization parameter group on the security authentication server; 2. connecting the user terminal to the softswitch core control device through the broadband access gateway; 3. the user terminal performs authentication, the broadband access gateway protects the messages between the user terminal and the softswitch core control device using the broadband access gateway authentication security parameter group, and the security authentication server authenticates the user terminal. The invention uses several authentication methods to realize bidirectional secure authentication.
Description
Technical field
The present invention relates to the field of communication security, and in particular to an enhanced secure interaction method between a terminal and a system, applied within the security architecture of IP-based network communication systems such as softswitch.
Background technology
With the development of IP communication technologies such as softswitch, voice over IP has found increasing application in enterprise networks and public networks. Because of the open design philosophy of IP networks, VoIP communication suffers from a number of security problems, such as account theft, device spoofing and system hijacking. To address these problems, a terminal accessing a system such as a softswitch must not only be authenticated itself, to prevent access by illegitimate users, but must also authenticate the system, so that the terminal cannot be hijacked by a rogue system.
At present, some security authentication procedures exist in the security architectures of communication systems, but because of design problems in these procedures, the passwords used between devices may be transmitted over the network in plaintext (in a trusted network) or in ciphertext (in an untrusted network), which greatly weakens password security. In addition, because the verification points are not chosen correctly, the authentication procedures contain potential security hazards.
Summary of the invention
The technical problem solved by the invention is to provide a secure interaction method for a user terminal accessing a softswitch network, used to guarantee secure authentication between the terminal and the system.
To achieve this goal, the invention provides a secure interaction method for a user terminal accessing a softswitch network, applied to an IP network system based on softswitch, the network system comprising at least one softswitch core control device, a broadband access gateway, a plurality of user terminals and a security authentication server, characterized in that the method comprises the following steps:
Step 1: a user-terminal authentication security parameter group is configured on the user terminal; a broadband access gateway authentication security parameter group is configured on the broadband access gateway; and a user-terminal authentication authorization parameter group corresponding to the user-terminal authentication security parameter group, and a broadband access gateway authentication authorization parameter group corresponding to the broadband access gateway authentication security parameter group, are configured on the security authentication server;
Step 2: the user terminal is connected to the softswitch core control device through the broadband access gateway;
In the secure interaction method for a user terminal accessing a softswitch network, the number of user-terminal authentication security parameter groups is one or more, and the number of broadband access gateway authentication security parameter groups is one or more.
In the secure interaction method, each broadband access gateway authentication security parameter group and each user-terminal authentication security parameter group comprises the parameter information for one or more of the security modes of authentication, encryption and integrity protection; each broadband access gateway authentication authorization parameter group and each user-terminal authentication authorization parameter group comprises, respectively, the computation information required by the broadband access gateway or the user terminal for one or more of the security modes of authentication, encryption and integrity protection.
In the secure interaction method, step 3 further comprises the step of the broadband access gateway using an integrity protection key to integrity-protect the messages between the user terminal and the softswitch core control device.
In the secure interaction method, step 3 further comprises the step of the softswitch core control device performing an integrity check on the registration request message received from the user terminal; if the check fails, it responds to the broadband access gateway with a registration failure message, which the broadband access gateway forwards to the user terminal; if the check passes, it sends an authentication request comprising user-terminal authentication and system authentication to the security authentication server.
In the secure interaction method, step 3 further comprises the step of the user terminal verifying the legitimacy of the system when the softswitch core control device returns a registration failure/unsuccessful message to the user terminal.
In the secure interaction method, the user terminal verifies the legitimacy of the system by comparing an authentication word computed from its user-terminal authentication security parameter group with the system verification code obtained from the softswitch core control device; if they differ, the system is illegitimate; if they match, the system passes authentication.
In the secure interaction method, after the step of the user terminal verifying the legitimacy of the system, the method further comprises the step of the user terminal again initiating a registration request message containing a terminal verification code.
In the secure interaction method, the method further comprises the step of the security authentication server verifying whether the terminal verification code is correct; if it is incorrect (registration failure), the softswitch core control device returns a registration failure message to the user terminal; if it is correct (registration succeeds), the security authentication server sends a verification success message to the softswitch core control device.
In the secure interaction method, the method further comprises the step of completing mutual authentication between the user terminal and the security authentication server, starting from the user terminal initiating a registration request message, specifically:
Step 110: the user terminal initiates a registration request message to the broadband access gateway;
Step 120: the broadband access gateway receives the registration request message and forwards it to the softswitch core control device;
Step 130: the softswitch core control device receives and parses the registration request message, and initiates a user-terminal authentication request to the security authentication server;
Step 140: the security authentication server generates key information by looking up the user-terminal authentication authorization parameter group, and sends it to the softswitch core control device;
Step 150: the softswitch core control device generates a system verification code by parsing the registration request message and the received key information, and sends a registration failure/unsuccessful message to the user terminal through the broadband access gateway;
Step 160: the user terminal verifies whether the system is legitimate and, if it is, initiates a registration request message to the broadband access gateway once more;
Step 170: the softswitch core control device receives the registration request message through the broadband access gateway and forwards it to the security authentication server; and
Step 180: the security authentication server authenticates the terminal user.
Within an IP network solution architecture based on softswitch technology, the present invention proposes a method by which a user terminal securely accesses the softswitch network through a broadband access gateway and performs secure interaction, guaranteeing secure authentication of the terminal. With the invention, a user terminal can be connected to the softswitch network securely through the broadband access gateway, with the following specific benefits:
1) more than one group of authentication modes is available between the security authentication server and the user terminal;
2) signaling between the softswitch core control device and the user terminal can be protected by either or both of encryption and integrity protection;
3) mutual authentication between the user terminal and the system can be realized;
4) the security authentication server is the single device that verifies access for the whole system, avoiding the security threats of distributed authentication;
5) the encryption key and the integrity key are both generated on the devices themselves, avoiding the risk of transmitting keys over the network.
The invention is described below with reference to the drawings and specific embodiments, which are not intended to limit the invention.
Description of drawings
Fig. 1 is a networking diagram of terminal access to the softswitch network according to the invention;
Fig. 2 is a flow diagram of user terminal authentication registration and key generation according to the invention;
Fig. 3 is a flow diagram, according to the invention, of the process from the user terminal initiating a registration request message to completion of mutual authentication between the user terminal and the security authentication server.
Embodiment
The technical solution is described in further detail below with reference to the drawings.
Fig. 1 shows the networking diagram of terminal access to the softswitch network according to the invention. SS (SoftSwitch) denotes the softswitch core control device 101, IBP (Internet Border Point) denotes the broadband access gateway 102, UE (User Equipment) denotes the user terminal 103, and SAS (Security Authentication Server) denotes the security authentication server 104. The dotted lines 105 in the figure indicate that the security authentication parameters of each functional entity are stored on the security authentication server SAS 104, and the solid lines 106 indicate the communication connections between the functional entities.
In the IP network architecture based on softswitch technology shown in Fig. 1, there is at least one softswitch core control device 101, one or more broadband access gateways 102, a plurality of user terminals 103, and one security authentication server 104.
Each user terminal 103 or broadband access gateway 102 has at least one authentication security parameter group, and each authentication security parameter group provides the parameter information required for one or more of the security modes of authentication, encryption and integrity protection. For each authentication security parameter group of each user terminal 103 or broadband access gateway 102, a corresponding authentication authorization parameter group is stored in the security authentication server 104; it provides the computation information required by the user terminal 103 and the broadband access gateway 102 for one or more of the security modes of authentication, encryption and integrity protection.
In Fig. 1, according to each authentication authorization parameter group, the security authentication server 104 is responsible for producing the key generation information and for verifying the authentication codes.
Fig. 2 shows the flow of user terminal authentication registration and key generation according to the invention. It mainly describes the terminal registering with the softswitch core control device through the broadband access gateway; during registration, the security authentication server produces the information from which the keys between the terminal and the softswitch are generated, and completes the security verification of the terminal.
Before the authentication registration and key generation flow begins, the following precondition must hold: a secure communication mechanism has already been established between the broadband access gateway and the softswitch core control device. With reference to Fig. 1, the flow comprises the following steps:
Step 201: user terminal UE 103 sends a registration request message to softswitch core control device SS 101 through broadband access gateway IBP 102; the registration request carries the user terminal identifier Cid and the system authentication random number R1.
Step 202: after broadband access gateway IBP 102 receives the registration request message from UE 103, it forwards it to SS 101 over a secure mechanism such as encryption; that is, the message is integrity-protected with the integrity protection key shared between IBP 102 and SS 101.
Step 203: after SS 101 receives the registration request message, it performs an integrity check and obtains the UE identifier Cid, the system authentication random number R1 and the broadband access gateway identifier Aid by decryption. If the check fails, it responds to IBP 102 with a registration failure, which IBP 102 forwards to UE 103, and the flow exits.
Step 204: if the check on the registration request message from UE 103 passes, SS 101 sends an authentication request (comprising UE authentication and system authentication) to security authentication server SAS 104; the request carries the UE identifier Cid and the system authentication random number R1.
Step 205: SAS 104 looks up the user-terminal authentication authorization parameter group, obtains a random number R2 and a key generation algorithm/method by computation, and sends them to SS 101.
Step 206: SS 101 uses the random numbers R1 and R2 (received from user terminal 103 and from SAS 104 respectively), the key generation algorithm, and the pre-assigned shared key SKcs between the terminal and the softswitch to generate the integrity algorithm key IKCS and the encryption algorithm key CKCS between the terminal and the softswitch; it generates a random number R3, and then generates the system verification code from R1+SKcs+Cid+R3.
Step 207: SS 101 returns a UE registration failure/unsuccessful message to UE 103 through IBP 102, indicating that UE 103 should initiate the registration request again; the message carries R2, R3, the system verification code and the key generation algorithm. At the same time, the broadband access gateway integrity-protects/checks the message with the integrity protection key.
Step 208: UE 103 verifies whether the system is legitimate. It first computes an authentication word from R1+SKcs+Cid+R3 and compares it with the system verification code received from SS 101. If they differ, the system is illegitimate and the flow returns to step 201; if they match, the system passes authentication, and UE 103 then generates the integrity algorithm key IKCS and the encryption algorithm key CKCS between the terminal and the softswitch from R1 and R3.
Step 209: UE 103 initiates the registration request message again through IBP 102; the registration request comprises Cid, a random number R4 and a terminal verification code (generated from the shared key SKcs between the terminal and the security centre, the random number R2 and R4); the relevant information in the registration request is securely processed with the relevant keys.
Step 210: IBP 102 integrity-protects the message with the integrity protection key shared between IBP 102 and SS 101 and forwards it to SS 101.
Step 211: after SS 101 receives the registration request message, it first performs an integrity check; if the check fails, it sends a UE registration failure message through IBP 102 and executes step 207. If the check passes, it obtains Cid, the random number R4 and the terminal verification code by parsing, and sends them to SAS 104; this message comprises the random number R4 and the terminal authenticator.
Step 212: SAS 104 verifies whether the terminal verification code is correct; if it is incorrect (unsuccessful/registration failure), it returns an authentication failure and execution moves to step 207; if it is correct (registration succeeds), it sends a verification success message to SS 101.
Step 213: SS 101 sends a registration success message to IBP 102.
Step 214: after IBP 102 receives the message from SS 101, it integrity-protects/checks the message with the integrity protection key.
Step 215: IBP 102 forwards the registration result message to UE 103.
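As an added illustration, not code from the patent, the following Python models the steps 201 to 215 exchange between UE, IBP, SS and SAS. HMAC-SHA256 as the verification-code and key-derivation function, the use of R1 and R3 for IKCS/CKCS at both ends, the IBP-SS hop as an HMAC tag, and all identifiers and keys are assumptions; the run with a softswitch that lacks SKcs shows the terminal rejecting the system in step 208 and never sending its own verification code.

```python
import hashlib
import hmac
import secrets


def code(key: bytes, *parts: bytes) -> bytes:
    # The patent writes the codes as e.g. "R1+SKcs+Cid+R3" without naming an algorithm;
    # HMAC-SHA256 keyed with the shared key SKcs over the other parts is an assumption here.
    return hmac.new(key, b"|".join(parts), hashlib.sha256).digest()


def derive_keys(sk_cs: bytes, r_a: bytes, r_b: bytes):
    # Integrity key IKCS and cipher key CKCS, derived locally at each end so that neither
    # key crosses the network (benefit 5). Step 206 names R1,R2 at the softswitch and step 208
    # names R1,R3 at the terminal; both ends must use the same inputs, so R1,R3 is used here.
    return code(sk_cs, b"IKCS", r_a, r_b), code(sk_cs, b"CKCS", r_a, r_b)


class IntegrityHop:
    """Steps 202/210/214: the IBP-SS hop tags each message with its own integrity key."""
    def __init__(self, key: bytes):
        self.key = key
    def _ser(self, body: dict) -> bytes:
        return b"|".join(k.encode() + b"=" + repr(v).encode() for k, v in sorted(body.items()))
    def protect(self, msg: dict) -> dict:
        return dict(msg, tag=code(self.key, self._ser(msg)))
    def check(self, msg: dict) -> bool:
        body = {k: v for k, v in msg.items() if k != "tag"}
        return hmac.compare_digest(msg.get("tag", b""), code(self.key, self._ser(body)))


class UserTerminal:
    def __init__(self, cid: bytes, sk_cs: bytes):
        self.cid, self.sk_cs, self.r1, self.keys = cid, sk_cs, None, None
    def request_1(self) -> dict:            # step 201: Cid plus system-authentication nonce R1
        self.r1 = secrets.token_bytes(16)
        return {"cid": self.cid, "r1": self.r1}
    def check_system(self, reply: dict) -> bool:   # step 208: recompute the system verification code
        expected = code(self.sk_cs, self.r1, self.cid, reply["r3"])
        if not hmac.compare_digest(expected, reply["sys_code"]):
            return False                    # system could not prove knowledge of SKcs: stop here
        self.keys = derive_keys(self.sk_cs, self.r1, reply["r3"])
        return True
    def request_2(self, reply: dict) -> dict:      # step 209: terminal verification code over R2, R4
        r4 = secrets.token_bytes(16)
        return {"cid": self.cid, "r4": r4, "term_code": code(self.sk_cs, reply["r2"], r4)}


class SecurityAuthServer:
    def __init__(self, auth_params: dict):  # Cid -> SKcs: the authorization parameter group (assumed)
        self.auth_params, self.pending = auth_params, {}
    def auth_request(self, cid: bytes, r1: bytes) -> bytes:   # step 205: issue R2 for this registration
        self.pending[cid] = secrets.token_bytes(16)
        return self.pending[cid]
    def verify_terminal(self, cid: bytes, r4: bytes, term_code: bytes) -> bool:   # step 212
        r2, sk = self.pending.pop(cid, None), self.auth_params.get(cid)
        return r2 is not None and sk is not None and hmac.compare_digest(code(sk, r2, r4), term_code)


class SoftSwitch:
    def __init__(self, sk_table: dict, sas: SecurityAuthServer, hop: IntegrityHop):
        self.sk_table, self.sas, self.hop, self.pending = sk_table, sas, hop, {}
    def handle_request_1(self, msg: dict) -> dict:   # steps 203-207
        if not self.hop.check(msg):
            return {"result": "fail"}       # step 203: integrity check failed, flow exits
        cid, r1 = msg["cid"], msg["r1"]
        sk = self.sk_table[cid]             # pre-assigned SKcs (step 206)
        r2, r3 = self.sas.auth_request(cid, r1), secrets.token_bytes(16)
        self.pending[cid] = derive_keys(sk, r1, r3)          # IKCS/CKCS stay local
        return self.hop.protect({"result": "retry", "r2": r2, "r3": r3,
                                 "sys_code": code(sk, r1, cid, r3)})   # step 207
    def handle_request_2(self, msg: dict) -> dict:   # steps 211-213
        if not self.hop.check(msg):
            return {"result": "fail"}
        ok = self.sas.verify_terminal(msg["cid"], msg["r4"], msg["term_code"])
        return self.hop.protect({"result": "ok" if ok else "fail"})


def run_registration(ue, hop, ss):
    """Steps 201-215 end to end; returns (system_authenticated, terminal_authenticated)."""
    reply = ss.handle_request_1(hop.protect(ue.request_1()))
    if reply.get("result") != "retry" or not hop.check(reply) or not ue.check_system(reply):
        return False, False                 # step 208 failed: the terminal code is never sent
    final = ss.handle_request_2(hop.protect(ue.request_2(reply)))
    return True, hop.check(final) and final.get("result") == "ok"


def demo(rogue_softswitch: bool = False):
    """Constructed run: returns (system_ok, terminal_ok, same_session_keys_at_both_ends)."""
    cid, sk_cs = b"ue-0001", secrets.token_bytes(16)    # step 1: provisioned out of band
    hop = IntegrityHop(secrets.token_bytes(16))
    sas = SecurityAuthServer({cid: sk_cs})
    ss_key = secrets.token_bytes(16) if rogue_softswitch else sk_cs   # rogue system lacks SKcs
    ss, ue = SoftSwitch({cid: ss_key}, sas, hop), UserTerminal(cid, sk_cs)
    system_ok, terminal_ok = run_registration(ue, hop, ss)
    return system_ok, terminal_ok, ue.keys is not None and ue.keys == ss.pending.get(cid)


if __name__ == "__main__":
    print(demo(), demo(rogue_softswitch=True))   # (True, True, True) (False, False, False)
```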
Fig. 3 shows the flow, according to the invention, from the user terminal initiating a registration request message to completion of mutual authentication between the user terminal and the security authentication server. With reference to Fig. 2, the flow comprises the following steps:
Step 380: security authentication server SAS 104 authenticates the terminal user.
In this embodiment, both the encryption algorithm and the integrity algorithm are symmetric algorithms; the session keys can be obtained directly from the shared key pre-configured on the communication entity and the security authentication server, or can be computed from that shared key together with random numbers.
This embodiment describes in detail the secure procedure and key generation method by which a user terminal registers with the softswitch through the broadband access gateway; the signaling and related aspects involved are described only schematically, for reference.
In the invention, the signaling security hop performs the functions of secure signaling transmission and security authentication between the user terminal and the softswitch control device, realizing the security authentication procedure and the secure generation of the encryption key and the integrity key, thereby strengthening security.
Of course, the invention may have various other embodiments; without departing from the spirit and essence of the invention, those of ordinary skill in the art may make various corresponding changes and modifications according to the invention, all of which fall within the scope of protection of the appended claims.
Claims (10)
1. A secure interaction method for a user terminal accessing a softswitch network, applied to an IP network system based on softswitch, the network system comprising at least one softswitch core control device, a broadband access gateway, a plurality of user terminals and a security authentication server, characterized in that the method comprises the following steps:
Step 1: a user-terminal authentication security parameter group is configured on the user terminal; a broadband access gateway authentication security parameter group is configured on the broadband access gateway; and a user-terminal authentication authorization parameter group corresponding to the user-terminal authentication security parameter group, and a broadband access gateway authentication authorization parameter group corresponding to the broadband access gateway authentication security parameter group, are configured on the security authentication server;
Step 2: the user terminal is connected to the softswitch core control device through the broadband access gateway;
Step 3: the user terminal, through the broadband access gateway and the softswitch core control device, authenticates the system according to the user-terminal authentication security parameter group; the broadband access gateway protects the messages between the user terminal and the softswitch core control device according to the broadband access gateway authentication security parameter group; and the security authentication server, through the softswitch core control device and the broadband access gateway, authenticates the user terminal according to the user-terminal authentication authorization parameter group and the broadband access gateway authentication authorization parameter group.
2. The secure interaction method for a user terminal accessing a softswitch network according to claim 1, characterized in that the number of user-terminal authentication security parameter groups is one or more, and the number of broadband access gateway authentication security parameter groups is one or more.
3. The secure interaction method for a user terminal accessing a softswitch network according to claim 2, characterized in that each broadband access gateway authentication security parameter group and each user-terminal authentication security parameter group comprises the parameter information for one or more of the security modes of authentication, encryption and integrity protection; each broadband access gateway authentication authorization parameter group and each user-terminal authentication authorization parameter group comprises, respectively, the computation information required by the broadband access gateway or the user terminal for one or more of the security modes of authentication, encryption and integrity protection.
4. The secure interaction method for a user terminal accessing a softswitch network according to claim 2 or 3, characterized in that step 3 further comprises the step of the broadband access gateway using an integrity protection key to integrity-protect the messages between the user terminal and the softswitch core control device.
5. The secure interaction method for a user terminal accessing a softswitch network according to claim 2 or 3, characterized in that step 3 further comprises the step of the softswitch core control device performing an integrity check on the registration request message received from the user terminal; if the check fails, it responds to the broadband access gateway with a registration failure message, which the broadband access gateway forwards to the user terminal; if the check passes, it sends an authentication request comprising user-terminal authentication and system authentication to the security authentication server.
6. The secure interaction method for a user terminal accessing a softswitch network according to claim 2 or 3, characterized in that step 3 further comprises the step of the user terminal verifying the legitimacy of the system when the softswitch core control device returns a registration failure/unsuccessful message to the user terminal.
7. The secure interaction method for a user terminal accessing a softswitch network according to claim 6, characterized in that the user terminal verifies the legitimacy of the system by comparing an authentication word computed from its user-terminal authentication security parameter group with the system verification code obtained from the softswitch core control device; if they differ, the system is illegitimate; if they match, the system passes authentication.
8. The secure interaction method for a user terminal accessing a softswitch network according to claim 6, characterized in that, after the step of the user terminal verifying the legitimacy of the system, the method further comprises the step of the user terminal again initiating a registration request message containing a terminal verification code.
9. The secure interaction method for a user terminal accessing a softswitch network according to claim 8, characterized in that the method further comprises the step of the security authentication server verifying whether the terminal verification code is correct; if it is incorrect (registration failure), the softswitch core control device returns a registration failure message to the user terminal; if it is correct (registration succeeds), the security authentication server sends a verification success message to the softswitch core control device.
10. The secure interaction method for a user terminal accessing a softswitch network according to claim 2 or 3, characterized in that the method further comprises the step of completing mutual authentication between the user terminal and the security authentication server, starting from the user terminal initiating a registration request message, specifically:
Step 110: the user terminal initiates a registration request message to the broadband access gateway;
Step 120: the broadband access gateway receives the registration request message and forwards it to the softswitch core control device;
Step 130: the softswitch core control device receives and parses the registration request message, and initiates a user-terminal authentication request to the security authentication server;
Step 140: the security authentication server generates key information by looking up the user-terminal authentication authorization parameter group, and sends it to the softswitch core control device;
Step 150: the softswitch core control device generates a system verification code by parsing the registration request message and the received key information, and sends a registration failure/unsuccessful message to the user terminal through the broadband access gateway;
Step 160: the user terminal verifies whether the system is legitimate and, if it is, initiates a registration request message to the broadband access gateway once more;
Step 170: the softswitch core control device receives the registration request message through the broadband access gateway and forwards it to the security authentication server; and
Step 180: the security authentication server authenticates the terminal user.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN 200510130751 CN1992710A (en) | 2005-12-27 | 2005-12-27 | Secure interactive method for user terminal accessing soft switching network |
Publications (1)
Publication Number | Publication Date |
---|---|
CN1992710A true CN1992710A (en) | 2007-07-04 |
Legal Events
Date | Code | Title | Description
---|---|---|---
| C06 | Publication |
| PB01 | Publication |
| C10 | Entry into substantive examination |
| SE01 | Entry into force of request for substantive examination |
| C12 | Rejection of a patent application after its publication |
| RJ01 | Rejection of invention patent application after publication |