CN100373845C - Method of authenticating and authorizing terminal in conversation initiating protocol network - Google Patents


Info

Publication number
CN100373845C
Authority
CN
China
Prior art keywords
terminal
authentication
request message
server
header fields
Prior art date
Expired - Fee Related
Application number
CNB021116067A
Other languages
Chinese (zh)
Other versions
CN1455544A (en)
Inventor
戴玉宁
刘志强
Current Assignee
Guo Xiujie
Lu Xianju
Original Assignee
ZTE Corp
Priority date
Filing date
Publication date
Application filed by ZTE Corp
Priority to CNB021116067A
Publication of CN1455544A
Application granted
Publication of CN100373845C
Anticipated expiration
Legal status: Expired - Fee Related (current)


Abstract

The present invention provides a method of authenticating and authorizing a terminal in a Session Initiation Protocol (SIP) network, comprising the following steps: the terminal initiates a registration request message and registers with the registration server through a proxy server; it is judged whether the request message contains an authentication header field; the terminal is authenticated according to the associated information in the message; it is judged whether verification passes, and if it passes, the random parameter value in the request message is used as the shared secret between the proxy server and the terminal. The invention solves the problem of the shared secret between the proxy server and the terminal, while the shared secret between the terminal and the registration server is the password of the account applied for by the terminal user, so that authentication of the terminal by both the proxy server and the registration server is achieved. The invention is based on the Digest authentication mechanism and is simple and feasible.

Description

Method of authenticating and authorizing a terminal in a Session Initiation Protocol network
Technical field
The invention belongs to the field of network communication. More precisely, it is a method of authenticating and authorizing a terminal in a Session Initiation Protocol network, and in particular relates to a method by which a proxy server in a Session Initiation Protocol network authenticates and authorizes a terminal.
Background technology
In the Session Initiation Protocol specification rfc2543.txt (SIP - Session Initiation Protocol) issued by the Internet Engineering Task Force, pages 113 to 118 set out several authentication mechanisms commonly used in SIP, mainly three: Basic Authentication, Digest Authentication and PGP Authentication (Pretty Good Privacy). The Basic Authentication mechanism is too simple and is easy to attack; the PGP mechanism is too complicated, feasible in theory but relatively difficult to implement; the Digest authentication mechanism not only provides a stronger authentication function but is also easy to implement, and therefore SIP recommends that the Digest authentication mechanism preferably be used. In fact, the authentication framework based on Digest authentication in SIP inherits its characteristics from the HTTP protocol.
In the HTTP (Hypertext Transfer Protocol) authentication specification rfc2617.txt issued by the Internet Engineering Task Force, pages 6 to 19 set out the specific implementation of the Digest authentication mechanism in HTTP. It rests mainly on the prerequisite that the client and the server share a secret, and adopts the challenge/credential idea, in the following steps:
1. When the server receives a request message sent by the client, if the request message carries no authentication header field, or the information in the authentication header field is incorrect, the server returns a 401 "Unauthorized" response and includes the corresponding challenge information in the WWW-Authenticate header field of the response message.
2. After the client receives the 401 "Unauthorized" response, it first derives the corresponding credential from the above challenge information and the secret shared with the server, then initiates the request message again, including the above credential information in the authentication header field of this message.
3. After the server receives this request message, it verifies the above credential information according to the corresponding challenge information and the secret shared with the client; if verification passes, authentication of the client by the server is achieved.
In addition, the process by which a proxy server authenticates a client is similar to the above.
At present, in a Session Initiation Protocol network, authentication of a terminal can be completed by the registration server. In that case the registration server and the terminal share a secret (namely the password of the account applied for by the terminal user), and when the terminal powers on and registers with the registration server by means of a REGISTER request message, the Digest mechanism is generally used to achieve authentication of the terminal by the registration server. However, since a terminal user generally belongs to some proxy server, if that proxy server does not authenticate the terminal and the corresponding authentication process is completed only by the registration server, a disguised terminal can use the proxy server free of charge, which telecom operators do not wish to allow. Therefore, in a Session Initiation Protocol network, authentication and authorization of a terminal by the registration server alone is not enough.
For these reasons, the proxy server is required to authenticate the terminal users in its administrative domain. In fact, the framework by which the proxy server authenticates a terminal is similar to that of the registration server: both use the Digest authentication mechanism. The difference from the registration server is that the secret shared between the proxy server and the terminal cannot be the account password applied for by the terminal user or any other configurable password; otherwise, when the terminal moves from the administrative domain of its home proxy server to the administrative domain of a remote proxy server, the remote proxy server does not know that password, so the terminal cannot pass the authentication of the proxy server of the visited domain, which will treat the terminal as an illegal user. It therefore follows from the above background that how to solve the problem of the shared secret between the proxy server and the terminal reasonably and effectively is the prerequisite and the key to realizing authentication and authorization of the terminal by the proxy server. Up to now, however, this problem has not been well solved.
Summary of the invention
In view of the above problems, the technical problem to be solved by the present invention is to provide, overall, a method of authenticating and authorizing a terminal in a Session Initiation Protocol network that gives a simple and feasible solution, thereby achieving authentication and authorization of the terminal by the proxy server.
To solve this technical problem, the present invention is a method of authenticating and authorizing a terminal in a Session Initiation Protocol network, comprising:
(1) the terminal initiates a registration request message and registers with the registration server through a proxy server;
(2) the registration server judges whether the registration request message contains an authentication header field; if it does not, or the credential information in the authentication header field is incorrect, go to step (4); otherwise go to step (3);
(3) after receiving the registration request message, the registration server authenticates the terminal according to the credential information in the message, then goes to step (6);
(4) after receiving the registration request message, the registration server returns a response message and includes the corresponding challenge information in the header field of this response message;
(5) the terminal derives the corresponding credential information from the challenge information and initiates the registration request message again, the header field of which includes a parameter value randomly generated by the terminal and the above credential information; return to step (3);
(6) judge whether authentication passes; if it passes, proceed to the next step; if it does not pass, judge whether the number of authentication attempts exceeds a set number; if it does, go to step (8); if it does not, return to step (2);
(7) the proxy server and the terminal take the parameter value randomly generated by the terminal as their shared secret;
(8) end.
The authentication header field in step (2) includes the parameter value randomly generated by the terminal.
Step (4) specifically comprises: after receiving the registration request message, the registration server returns a "401 Unauthorized" response and includes the corresponding challenge information in the WWW-Authenticate header field of the response message.
In step (5), the randomly generated parameter value is the cnonce value.
In the above steps, the number of authentication attempts is set to 3.
In the above steps, when the terminal is transferred from the administrative domain of its home proxy server to the administrative domain of a remote proxy server, the terminal registers with the registration server of the visited domain through the proxy server of the visited domain. The above method can still solve the problem of the shared secret between the terminal and the visited proxy server, thereby achieving authentication of the terminal by the visited registration server and the visited proxy server.
The present invention solves the problem of the shared secret between the proxy server and the terminal, thereby achieving authentication of the terminal by both the proxy server and the registration server. Here the secret shared between the terminal and the registration server is the password of the account applied for by the terminal user, and both the proxy server and the registration server use the Digest authentication mechanism to authenticate the terminal. The invention effectively solves the problem of the shared secret between the proxy server and the terminal, which is the prerequisite and the key to the proxy server authenticating and authorizing the terminal. It thereby achieves authentication and authorization of the terminal by the proxy server and provides, overall, a method of authenticating and authorizing a terminal in a Session Initiation Protocol network.
Description of drawings
Fig. 1 is a flow chart of authenticating a terminal in a Session Initiation Protocol network according to the present invention.
Embodiment
The present invention assumes that the secret shared between the terminal and the registration server is known, namely the password of the account applied for by the terminal user, and that both the proxy server and the registration server use the Digest authentication mechanism to authenticate the terminal. With reference to Fig. 1, the method is described as follows:
The terminal initiates a registration request message and registers with the registration server through the proxy server. If the request message carries an authentication header field, the registration server, after receiving the request message, must verify the credential information in the authentication header field. If verification passes, the registration server returns a "200 OK" response; after receiving this response, the proxy server and the terminal take the random parameter cnonce value in the original request message as the shared secret between them, so that in the subsequent SIP call messages the proxy server can authenticate and authorize the terminal. Otherwise, proceed to the next step.
If the request message contains no authentication header field, or the credential information in that field is incorrect, the registration server, after receiving the request message, returns a "401 Unauthorized" response and includes the corresponding challenge information in the WWW-Authenticate header field of the response message.
After the terminal receives the "401 Unauthorized" response, it first derives the corresponding credential from the challenge information in the response message and the secret shared with the registration server, then initiates a registration request again, including in the authentication header field of the request message a randomly generated parameter (such as the cnonce value) and the above credential information.
After the registration server receives this request message, it verifies the credential information in the Authorization header field. If verification passes, the registration server returns a "200 OK" response; after receiving this response, the proxy server and the terminal take the random parameter value in the request message as the shared secret between them, so that in the subsequent SIP call messages the proxy server can authenticate and authorize the terminal.
If verification does not pass, in order to prevent endless repeated verification, the number of verification attempts must be judged: if the number of verification attempts is > 3, the request message is terminated; if the number of verification attempts is <= 3, the above steps can be carried out again.
When the terminal moves from the administrative domain of its home proxy server to the administrative domain of a remote proxy server, the terminal registers with the registration server of the visited domain through the proxy server of the visited domain. With the above method, the present invention can solve the problem of the shared secret between the terminal and the visited proxy server, thereby achieving authentication of the terminal by the visited registration server and the visited proxy server.
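To make the exchange concrete, here is an added Python model (not code from the patent or from ZTE) of the REGISTER / 401 / REGISTER round trip and a later call request: the registration server verifies the RFC 2617 Digest credential against the account password, the proxy server records the cnonce of the accepted REGISTER as its shared secret with the terminal, and on a subsequent INVITE it challenges and verifies with that secret. The realm, account, URIs and the retry limit handling are constructed for the demo, and the single-use nonce bookkeeping is ordinary Digest hygiene rather than something the patent specifies.

```python
import hashlib
import re
import secrets

# Constructed demo values, not from the patent: one account known to the registration server.
REALM = "registrar.example.invalid"
ACCOUNTS = {"alice": "account-password-123"}   # terminal <-> registration server shared secret
MAX_ATTEMPTS = 3                                # the patent gives up after 3 failed verifications
_md5 = lambda s: hashlib.md5(s.encode()).hexdigest()   # RFC 2617 Digest is defined over MD5


def digest_response(user, realm, secret, method, uri, nonce, nc, cnonce, qop="auth"):
    """RFC 2617 Digest response with qop=auth: H(H(A1):nonce:nc:cnonce:qop:H(A2))."""
    ha1 = _md5(f"{user}:{realm}:{secret}")
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def parse_digest(header):
    """Minimal parser turning 'Digest k="v", k2=v2' into a dict."""
    params = {}
    for key, quoted, bare in re.findall(r'(\w+)=(?:"([^"]*)"|([^,\s]+))', header[len("Digest "):]):
        params[key] = quoted or bare
    return params


def build_credential(user, secret, challenge, method, uri, nc="00000001"):
    """Terminal side: answer a challenge, minting a fresh random cnonce each time."""
    cnonce = secrets.token_hex(8)
    resp = digest_response(user, challenge["realm"], secret, method, uri, challenge["nonce"], nc, cnonce)
    return (f'Digest username="{user}", realm="{challenge["realm"]}", nonce="{challenge["nonce"]}", '
            f'uri="{uri}", qop=auth, nc={nc}, cnonce="{cnonce}", response="{resp}"')


class Verifier:
    """Challenge/verify logic used by the registration server (secret = account password)."""
    REQUIRED = ("username", "realm", "nonce", "uri", "nc", "cnonce", "response")

    def __init__(self, realm):
        self.realm, self.nonces = realm, set()

    def challenge(self):
        nonce = secrets.token_hex(16)
        self.nonces.add(nonce)
        return {"realm": self.realm, "nonce": nonce, "qop": "auth"}

    def verify(self, header, method, uri, secret_for):
        p = parse_digest(header)
        if any(k not in p for k in self.REQUIRED) or p["uri"] != uri or p["realm"] != self.realm:
            return False
        secret = secret_for(p["username"])
        if secret is None or p["nonce"] not in self.nonces:
            return False
        self.nonces.discard(p["nonce"])             # every nonce is accepted once only
        expect = digest_response(p["username"], self.realm, secret, method, uri,
                                 p["nonce"], p["nc"], p["cnonce"])
        return secrets.compare_digest(expect.encode(), p["response"].encode())


class Proxy(Verifier):
    """Same verifier, but the secret is the cnonce learned from the accepted REGISTER."""
    def __init__(self, realm):
        super().__init__(realm)
        self.shared = {}                            # user -> cnonce taken from the accepted REGISTER


def register_through_proxy(user, password, registrar, proxy):
    """Steps (1)-(8): REGISTER via the proxy; on 200 OK the proxy keeps the cnonce as shared secret."""
    uri, auth = f"sip:{REALM}", None
    for attempt in range(MAX_ATTEMPTS + 1):
        if auth is not None and registrar.verify(auth, "REGISTER", uri, ACCOUNTS.get):
            proxy.shared[user] = parse_digest(auth)["cnonce"]    # the terminal already knows this value
            return 200
        if attempt == MAX_ATTEMPTS:
            return 403                                           # third failure: stop re-challenging
        auth = build_credential(user, password, registrar.challenge(), "REGISTER", uri)


def invite_through_proxy(user, proxy, secret_used_by_terminal):
    """A later call request: the proxy challenges and verifies using the cnonce as the shared secret."""
    uri = "sip:bob@example.invalid"
    cred = build_credential(user, secret_used_by_terminal, proxy.challenge(), "INVITE", uri)
    return proxy.verify(cred, "INVITE", uri, proxy.shared.get)
```

Since the cnonce travels in the clear inside the Authorization header, the proxy's shared secret is only as confidential as the signalling path that carried the REGISTER.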

Claims (6)

1. A method of authenticating and authorizing a terminal in a Session Initiation Protocol network, characterized in that:
(1) the terminal initiates a registration request message and registers with the registration server through a proxy server;
(2) the registration server judges whether the registration request message contains an authentication header field; if it does not contain an authentication header field, or the credential information in the authentication header field is incorrect, go to step (4); otherwise go to step (3);
(3) after receiving the registration request message, the registration server authenticates the terminal according to the credential information in the message, then goes to step (6);
(4) after receiving the registration request message, the registration server returns a response message and includes the corresponding challenge information in the header field of this response message;
(5) the terminal derives the corresponding credential information from the challenge information and initiates the registration request message again, the header field of which includes a parameter value randomly generated by the terminal and the above credential information; return to step (3);
(6) judge whether authentication passes; if it passes, proceed to the next step; if it does not pass, judge whether the number of authentication attempts exceeds a set number; if it does, go to step (8); if it does not, return to step (2);
(7) the proxy server and the terminal take the parameter value randomly generated by the terminal as their shared secret;
(8) end.
2. The method of authenticating and authorizing a terminal according to claim 1, characterized in that the authentication header field in step (2) includes the parameter value randomly generated by the terminal.
3. The method of authenticating and authorizing a terminal according to claim 1, characterized in that step (4) specifically comprises: after receiving the registration request message, the registration server returns a "401 Unauthorized" response and includes the corresponding challenge information in the WWW-Authenticate header field of the response message.
4. The method of authenticating and authorizing a terminal according to claim 1, characterized in that in step (5) the randomly generated parameter value is the cnonce value.
5. The method of authenticating and authorizing a terminal according to claim 1, characterized in that the set number of authentication attempts is 3.
6. The method of authenticating and authorizing a terminal according to claim 1, characterized in that when the terminal is transferred from the administrative domain of its home proxy server to the administrative domain of a remote proxy server, the terminal registers with the registration server of the visited domain through the proxy server of the visited domain.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CNB021116067A CN100373845C (en) 2002-05-02 2002-05-02 Method of authenticating and authorizing terminal in conversation initiating protocol network


Publications (2)

Publication Number Publication Date
CN1455544A (en) 2003-11-12
CN100373845C (en) 2008-03-05

Family

ID=29256834


Country Status (1)

Country Link
CN (1) CN100373845C (en)

Families Citing this family (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2005242543A (en) * 2004-02-25 2005-09-08 Sony Corp Information processing method, information processor, and computer program
CN1822599B (en) * 2005-02-16 2010-06-23 中兴通讯股份有限公司 Detecting method of terminal online state of meeting sponsered protocol server
CN100444686C (en) * 2005-04-21 2008-12-17 中国科学院计算技术研究所 Speech communication call connection signalling protocol in radio packet network
US7681031B2 (en) * 2005-06-28 2010-03-16 Intel Corporation Method and apparatus to provide authentication code
CN101272240B (en) * 2007-03-21 2013-01-23 华为技术有限公司 Conversation cryptographic key generation method, system and communication equipment
CN101321136B (en) * 2007-06-05 2012-08-08 华为技术有限公司 Transmission-receiving proxy method for conversation initial protocol message and corresponding processor

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO1992003000A1 (en) * 1990-08-02 1992-02-20 Bell Communications Research, Inc. Method for secure time-stamping of digital documents
US5991291A (en) * 1995-12-19 1999-11-23 Sony Corporation Server of a computer network telephone system
WO2001024444A2 (en) * 1999-09-28 2001-04-05 Thomson Licensing S.A. System and method for initializing a simple network management protocol (snmp) agent
WO2001035294A1 (en) * 1999-11-05 2001-05-17 Mci Worldcom, Inc. Combining internet protocols for session setup, teardown, authentication, authorization, and accounting using the differentiated services model
CN1345498A (en) * 1999-02-11 2002-04-17 诺基亚网络有限公司 Authentication method




Legal Events

Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CB03 Change of inventor or designer information. Inventors after: Chen Chao, Guo Xiujie, Huang Yanying, Huang Yuxian, Lu Xianju, Yang Chenyang. Inventors before: Dai Yuning, Liu Zhiqiang.
TR01 Transfer of patent right. Effective date of registration: 20171020. Address after: 071000 372 new North Street, Shibei District, Hebei, Baoding. Patentee after: Chen Chao; co-patentees after: Guo Xiujie, Huang Yanying, Huang Yuxian, Lu Xianju, Yang Chenyang. Address before: 518057 Department of law, Zhongxing building, South Science and technology road, Nanshan District hi tech Industrial Park, Shenzhen. Patentee before: ZTE Corporation.
CF01 Termination of patent right due to non-payment of annual fee. Granted publication date: 20080305. Termination date: 20180502.