A method and device for realizing multistage authentication of the PHS wireless network positioning service
Technical field
The present invention relates to an implementation of positioning service authentication in a wireless communication network system, and in particular to an implementation of PHS wireless network positioning service authentication.
Background technology
The location-based service business has gradually become the focus of new services with the development of mobile communication technology and the market; because the PHS wireless local telephone network adopts microcellular technology, it is particularly well suited to deploying and promoting wireless network location technology, which is the basis of location-based value-added services.
In concrete applications a wireless network location system involves many entities, such as the service provider SP, the location service management center LSMC, the location gateway GLC and the geographic information system GIS. In concrete applications the SP is responsible for running the service, and the connection between the SP and the location service management center LSMC may exist in an open network environment such as the Internet. In such an environment, a system that is not protected is unsafe: various network attacks and viruses pose a serious threat to the stable operation of the equipment. Therefore, in order to guarantee the normal operation of the location-based service business, security is particularly important, and authentication provides a powerful means of security assurance.
In order to support the development of PHS network location services, to simplify interconnection between the network element devices of the PHS network location business, and to simplify the provision of service functions, China Telecom has successively drawn up interface specifications for each network element device in the PHS wireless network location service. However, regarding positioning service authentication, the interface specifications only introduce two aspects of authentication: user identity identification and user privacy control. Under the present network environment, the existing authentication modes leave potential security risks for guaranteeing the normal operation of the positioning service.
On searching, no documents or patents related to PHS wireless network positioning service authentication technology have been found so far.
Summary of the invention
The purpose of this invention is to provide a method and device for realizing multistage authentication of the positioning service, so as to raise the security of the PHS wireless network positioning business and promote the safe operation of the positioning service.
In order to achieve the purpose of the present invention, the invention not only comprises identity authentication and user privacy authentication, but also comprises IP address connection authentication and/or positioning service type authentication. The IP address connection authentication step is carried out before the identity authentication step; it authenticates the accessing IP address and judges whether it lies within the address range permitted to access. The positioning service type authentication step is carried out after the identity authentication step and before the user privacy authentication step; it judges whether the positioning service type in the location request lies within the permitted scope of service.
The method of the present invention comprises the following steps:
Step 1: the service provider SP initiates a location request to the location service management center LSMC; the location request contains the identity ID and password of the SP and carries calling and called party information;
Step 2: the LSMC obtains the IP address of the SP;
Step 3: the LSMC authenticates the accessing IP address; if the IP address lies within the address range permitted to access, continue with step 4, otherwise go to step 8;
Step 4: SP identity authentication, comparing the identity ID and password of the SP; if the comparison succeeds, continue with step 5, otherwise go to step 8;
Step 5: positioning service type comparison, comparing the positioning service type in the location request; if the service type is permitted, continue with step 6, otherwise go to step 8;
Step 6: user privacy control authorization, judging whether the calling user who initiated the location request lies within the scope authorized by the user being located; if so, go to step 7, otherwise go to step 8;
Step 7: authentication passes;
Step 8: authentication fails.
According to the above method of the present invention, in step 2 a TCP/IP connection is used between the service provider SP and the location service management center LSMC, and the LSMC obtains the IP address of the SP from the socket connection of the SP's request.
According to the above method of the present invention, in step 3, after the location service management center LSMC has obtained the IP address of the service provider SP, it first judges whether this IP address lies within the list of IP addresses refused connection; if it belongs to the refused IP addresses, authentication fails, the connection is disconnected, and the method goes directly to step 8. If it does not belong to the refused IP addresses, the LSMC continues to check whether the address belongs to the IP addresses permitted to connect; if it does not belong to the permitted IP address range, authentication fails and the method goes directly to step 8. If it belongs to the permitted range, access authentication succeeds and the method continues with step 4. In this way protection is erected at the TCP/IP connection layer, blocking access from illegal IP addresses.
According to the above method of the present invention, in step 5 different positioning service types correspond to different charging standards.
According to the above method of the present invention, in step 5, when a service type is divided into a plurality of sub-service types, the positioning service type in the location request is compared first; if the service type is permitted, the sub-positioning-service type is then compared, and if the sub-positioning-service type is permitted the method continues with step 6, otherwise it goes to step 8.
According to the above method of the present invention, in step 6 a user can set for himself the familiar numbers that may locate him directly without a password; a number outside the familiar numbers that wishes to locate the user must provide the password preset by that user. According to the calling and called party information carried in the positioning service request message, if the system judges that the user is locating himself, authentication passes directly; otherwise the system first checks whether the calling number belongs to the familiar numbers of the user being located. If it belongs to the familiar numbers, no password verification is needed and authentication passes; if it does not, the system goes on to verify the location password carried in the location request; if the location password is correct, the method enters step 7 and authentication passes, otherwise it enters step 8 and authentication fails.
The present invention also provides a device for realizing multistage authentication of the positioning service. It comprises an interface connecting the service provider SP and the location service management center LSMC, and this interface comprises an identity authentication module and a user privacy authentication module; it is characterized in that the interface also comprises an IP address connection authentication module and/or a positioning service type authentication module, wherein the IP address connection authentication module is used to authenticate the accessing IP address and judge whether it lies within the address range permitted to access, and the positioning service type authentication module is used to judge whether the positioning service type in the location request lies within the permitted scope of service.
According to the above device of the present invention, the positioning service type authentication module further comprises a sub-positioning-service type authentication module, used, when the positioning service type comprises a plurality of sub-service types, to judge whether the sub-service type lies within the permitted sub-service scope.
According to the above device of the present invention, the positioning service type authentication module further comprises an accounting module, used to apply different charging standards to different positioning service types.
By adding the two authentication means of IP address connection authentication and/or positioning service type authentication on the foundation of the established specification, the present invention greatly strengthens the security of the PHS wireless network positioning business. The reasons are as follows. On the one hand, since the Internet is based on the TCP/IP protocol, TCP/IP connections are also used between the devices of the positioning service, and the IP address of each device is fixed, malicious IP connection attacks can be prevented by restricting access to a limited set of IP addresses. On the other hand, the positioning service can be subdivided into many service types according to the concrete application scenario, such as querying traffic information, querying landmark information, location-triggered services and querying other people's positions; when running the service, the operator can configure combinations of concrete positioning service types and users, that is, the positioning services a user is allowed to use can be configured, and the user can only enjoy the services that have been configured.
By adopting this multistage authentication method for the positioning service, the present invention can better safeguard the security of the location system from four aspects: connection access, identity identification, type identification and privacy authorization. At the same time, in concrete application scenarios the authentication policy can be formulated flexibly, reducing the related authentication procedures. Compared with the prior art, no new investment is needed; the goal can be achieved by improving software alone, which provides strong assurance for the secure operation of the location-based service.
Description of drawings
Fig. 1 is the realization flow chart of the multistage authentication method of the positioning service of the present invention;
Fig. 2 is the structural block diagram of the most preferred embodiment of the device for realizing multistage authentication of the positioning service of the present invention.
Embodiment
The present invention is described in further detail below in conjunction with the accompanying drawings.
Fig. 1 is the realization flow chart of the multistage authentication of the positioning service, and the processing steps are as follows:
Step 1: the SP initiates a location request. The SP, as a content provider, provides concrete services to users and initiates a location request to the location service management center LSMC.
Step 2: obtain the IP address of the SP. A TCP/IP connection is used between the SP and the LSMC, so the LSMC can easily obtain the IP address of the SP from the socket connection of the request.
Step 3: IP address access authentication. After the LSMC has obtained the IP address, it first judges whether this IP address lies within the list of IP addresses refused connection; if it belongs to the refused IP addresses, authentication fails, the connection is disconnected, and the method goes directly to step 8. If it does not belong to the refused IP addresses, the LSMC continues to check whether the address belongs to the IP addresses permitted to connect; if it does not belong to the permitted IP address range, authentication fails and the method goes directly to step 8. If it belongs to the permitted range, access authentication succeeds and the method continues with step 4. In this way protection is erected at the TCP/IP connection layer, blocking access from illegal IP addresses.
Step 4: SP identity authentication. The location request initiated by the SP carries the identification ID and password of the SP, and the system identifies the SP according to this ID and password; if they match the legal ID and password allocated in advance to the SP by the operator, SP identity authentication succeeds and the method continues with step 5, otherwise it goes to step 8 and authentication fails.
Step 5: positioning service type comparison. After SP authentication passes, the positioning service type is authenticated. Every location request initiated by the SP should belong to some positioning service type, and the SP may obtain the qualification to run one or more service types, which is allocated by the operator. When opening services to the SP, the operator can formulate different charging policies according to the different service types, and a service type can also be divided into sub-service types, so this step can be further extended to sub-service type authentication. If this positioning service type belongs to the services the SP is allowed to run, service type authentication passes and the method continues with step 6, otherwise it goes to step 8 and authentication fails.
Step 6: user privacy control authorization. Each user can set for himself who may locate him directly without a password (the familiar numbers); anyone else who locates him must provide the password preset by the user. Every positioning service request message carries calling (initiator) and called (located party) information; if the system judges that the user is locating himself, authentication passes directly. Otherwise the system first checks whether the calling number belongs to the familiar numbers of the user being located; if it does, no password verification is needed and authentication passes. If it does not belong to the familiar numbers, the system goes on to verify the location password carried in the location request; if the location password is correct, the method goes to step 7 and authentication passes, otherwise it goes to step 8 and authentication fails.
Step 7: authentication passes. Reaching this step shows that this positioning service request is legal.
Step 8: authentication fails. This shows that the positioning service request could not pass authentication; in this step the reason for the authentication error can be returned to the SP.
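Steps 3 to 6 of the flow above (the summary steps and the Fig. 1 embodiment), as an added Python example that is not part of the patent; the network ranges, the SP credentials, the sub-service type names and the subscriber data are constructed placeholders, and only the service type names follow the patent's examples:

```python
import hmac
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed LSMC configuration (hypothetical values, not from the patent).
# Step 3 checks the refused list before the permitted list, so 10.1.0.0/16
# stays unreachable although it is also listed as permitted.
REFUSED_NETS = [ipaddress.ip_network("10.0.0.0/8")]
PERMITTED_NETS = [ipaddress.ip_network("192.0.2.0/24"),
                  ipaddress.ip_network("10.1.0.0/16")]
# SP ID -> password allocated in advance by the operator (step 4).
SP_CREDENTIALS = {"sp01": "sp01-secret"}
# SP ID -> permitted service types -> permitted sub-types ("*" = any).
SP_SERVICES = {"sp01": {"traffic_info": {"*"}, "locate_other": {"basic"}}}
# Located number -> (familiar numbers, preset location password) (step 6).
SUBSCRIBERS = {"13900000001": ({"13900000002"}, "4321")}

@dataclass
class LocationRequest:
    sp_id: str
    password: str
    service_type: str
    caller: str                  # initiator of the request
    called: str                  # party being located
    sub_type: Optional[str] = None
    location_password: Optional[str] = None

def authenticate(req: LocationRequest, src_ip: str) -> Tuple[bool, int, str]:
    """Steps 3-6 of the flow; returns (passed, step reached, reason)."""
    ip = ipaddress.ip_address(src_ip)
    # Step 3: IP address access authentication, refused list first.
    if any(ip in net for net in REFUSED_NETS):
        return False, 3, "IP address refused"
    if not any(ip in net for net in PERMITTED_NETS):
        return False, 3, "IP address not in permitted range"
    # Step 4: SP identity authentication with a constant-time comparison.
    expected = SP_CREDENTIALS.get(req.sp_id)
    if expected is None or not hmac.compare_digest(expected, req.password):
        return False, 4, "SP identity authentication failed"
    # Step 5: positioning service type, then the optional sub-service type.
    subs = SP_SERVICES.get(req.sp_id, {}).get(req.service_type)
    if subs is None:
        return False, 5, "service type not permitted for this SP"
    if req.sub_type is not None and not subs & {"*", req.sub_type}:
        return False, 5, "sub-service type not permitted for this SP"
    # Step 6: privacy control; self-location and familiar numbers need no password.
    if req.caller != req.called:
        familiar, preset = SUBSCRIBERS.get(req.called, (set(), None))
        if req.caller not in familiar and not (
                preset and req.location_password
                and hmac.compare_digest(preset, req.location_password)):
            return False, 6, "privacy authorization failed"
    return True, 7, "authentication passed"
```

The step number in the result is what step 8 would report back to the SP as the reason for the failure.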
Fig. 2 is the structural block diagram of the most preferred embodiment of the device for realizing multistage authentication of the positioning service of the present invention. The interface connecting the service provider SP with the location service management center LSMC comprises an IP address connection authentication module, an identity authentication module, a positioning service type authentication module and a user privacy authentication module. When the SP initiates a location request to the LSMC, the request first passes through the IP address connection authentication module, which authenticates the accessing IP address and judges whether it lies within the address range permitted to access; when it lies within the permitted range, authentication passes. Next, through the identity authentication module, the identity of the accessing SP is identified according to the identification ID and password of the SP; when the identity of the SP matches the legal ID and password allocated in advance to the SP by the operator, authentication passes. Next, through the positioning service type authentication module, it is judged whether the positioning service type in the location request lies within the permitted scope of service; when it belongs to the permitted scope, authentication passes. Next, through the user privacy authentication module, it is judged whether the calling number belongs to the familiar numbers of the user being located and, for a calling user who does not belong to the familiar numbers, whether the password provided is correct: if the number belongs to the familiar numbers, no password verification is needed and authentication passes; if it does not, the location password carried in the location request is verified, and if it is correct, authentication passes. If the location request of the SP fails to pass any one of the above modules, authentication fails. Through the authentication of the above four modules, the security guarantee of the location system is greatly improved.
In addition, in the above device the positioning service type authentication module may further comprise a sub-positioning-service type authentication module, used, when the positioning service type comprises a plurality of sub-service types, to judge whether the sub-service type lies within the permitted sub-service scope. The positioning service type authentication module may also comprise an accounting module, used to apply different charging standards to different positioning service types.
The foregoing is only a preferred embodiment of the present invention and is not intended to limit the specific embodiments of the invention; all modifications and changes made according to the main inventive concept of this method should fall within the scope of protection claimed by the claims of the present invention.