A short message authentication and reliable classified transmission method based on identity-based cryptography
Technical field
The invention belongs to the field of network technology, specifically a method that uses identity-based cryptography to authenticate the sender of a short message and thereby realize reliable classified delivery. Short messages here include SMS, instant messages (QQ, MSN) and the like.
Background technology
With the development of wireless communication and the Internet, SMS, QQ, MSN and similar services have become important means of communication, and SMS and MSN are gradually being interconnected. This has also created many problems, one serious problem being the unchecked spread of spam messages. As a medium for spreading information it lacks effective supervision, so a great deal of harmful information is inevitably carried, causing harm to society. During the SARS outbreak, many unfounded rumours spread by text message, at a speed and reach that far exceeded expectations. A tight and efficient short message filtering platform is therefore needed to ensure that harmful information is intercepted in time. Operators have also indicated, one after another, that they will use technical means to contain harmful messages, striving to create a lasting, orderly and healthy environment for the development of short message services.
With the rapid development of mobile networks and smartphone platforms, viruses have begun to target mobile phone platforms and spread through mobile networks, and SMS is an important channel of propagation. Ensuring the information security of mobile networks, eliminating the harm done by message traffic from mobile phone worms occupying network resources, and keeping mobile networks running safely and efficiently have also become pressing problems for mobile operators.
On the other hand, many useful messages are treated as spam, which adversely affects economic life. To solve the spam problem, the prior art mainly relies on a short message filtering system at the aggregation gateway. The commonly used methods are:
1. Filtering: filtering rules are set by default, by the user, or learned from user behaviour, and a rule base is built, for example keyword search. Received messages are classified as spam or non-spam according to the rules.
2. Blacklist: messages from addresses on the blacklist, or matching virus signature features, are rejected.
3. Whitelist: only messages from addresses on the whitelist are accepted.
Because of the diversity of message content and formats and the new websites and service providers that appear every day, none of the above spam filtering techniques can classify messages with complete accuracy, so some useful messages are filtered out as spam. Furthermore, because all processing is concentrated in the aggregation gateway, the per-second processing capacity required of the processing centre is very high; during holidays or message peaks, processing cannot keep up, causing normal messages to be blocked or lost.
In order to guarantee reliable delivery of short messages and reduce the load concentrated at the short message aggregation gateway, the present invention uses identity-based cryptography for digital signature authentication, which ensures reliable classification of registered users' short messages. At the same time, this method allows message processing to be distributed, which relieves the processing pressure on the aggregation gateway and improves the efficiency and reliability of classification; it also enables a good business and management model, which is most important to many companies. A brief introduction to identity-based cryptography follows.
To overcome the shortcomings of traditional asymmetric key systems, the Israeli scientist Shamir proposed the concept of identity-based cryptography (IBC) in 1984. In an identity-based system each entity has an identifier, which can be any meaningful character string. The biggest difference from a conventional public-key system is that in an identity-based system the entity's identifier is itself its public key. Because the identifier is the public key, such a system no longer relies on certificates and certificate management systems such as PKI, which greatly simplifies the administration of the cryptographic system. Identity-based digital signature and verification proceed as follows:
● The key centre generates the system parameters (comprising the published system parameters and the master key).
● The user applies for cryptographic service. After the user has authenticated to the key centre, the key centre computes from the published system parameters, the master key and the user's identifier the signature private key corresponding to that identifier, and issues it to the user.
● The sender signs the message with the signature private key (obtained from the key centre) and the system parameters, producing a digital signature. The sender transmits the signed message together with the digital signature to the recipient.
● The recipient verifies the signature: using the sender's identifier, the system parameters and the signed message, it verifies the sender's signature.
When the key centre is honest, a successful verification of the sender's digital signature by the recipient establishes the following essential points:
(1) The electronic document was really sent by the signer, and the document originated from that sender.
(2) The electronic document received by the recipient has not been tampered with in transit and retains its data integrity, because any change to the signed document can be detected after signing.
For all of the above see prior art 1: ISO. Information technology - Security techniques - Digital signatures with appendix - Part 3: Discrete logarithm based mechanisms. ISO-14888-3.
Summary of the invention
The objective of the invention is to provide an efficient method of authenticating the identity of a short message sender, and on that basis a method for reliable classified delivery of short messages. The method solves the sender authentication problem simply, efficiently and reliably, and thereby solves the problem of accurately classifying one class of short messages. At the same time, message processing can be distributed, relieving the processing pressure on the aggregation gateway and improving the efficiency and reliability of classification, while also enabling a good business and management model based on this method.
The objective is achieved by using identity-based cryptography; the core idea is to apply identity-based cryptography to the field of short message classification. The method comprises the following parts: first, the user service application process; second, the short message signing process; third, the signature verification / message classification process; and optionally, fourth, the identifier blacklist update process. The system has three elements: the key centre, the client signing extension, and the short message server signature verification extension. The key centre generates the system parameters, including the master key, according to the chosen identity-based signature algorithm; this process depends on the specific algorithm chosen (an example is given in the embodiment section). Clients (of two kinds: individual users and user agents) authenticate to the key centre. This process (1) establishes the basic identifier the user will use; (2) verifies that the user really holds this identifier; (3) generates the private key corresponding to the user's identifier; and (4) installs the private key and the client signing extension software on the user's side. The detailed procedure is the user service application process described below. Once a client has successfully applied for service, it can send signed short messages with the private key and signing software it has obtained (see the short message signing process below). When a short message server receives a user's short message that bears a signature, it verifies the signature using the server signature verification extension software (which can be downloaded openly from the key centre website). If the signature is valid, the message is regarded as not an ordinary message and is placed directly into the user's inbox. If the signature is invalid or the message is unsigned, the message enters the short message filtering program, and its classification depends on the filtering rules and is uncertain (it may be classified as a normal message or judged to be spam). Through this invention, short messages sent by users who have applied for the service are accurately classified as valid messages and are guaranteed to be placed in the receiving user's inbox, rather than being processed and possibly discarded as spam.
The technical scheme of the present invention specifically comprises the user service application process, the short message signing process and the signature verification / message classification process, and is characterized in that:
1) User service application process
1. The user applies for registration with the key centre using a legal, valid identifier that represents their own identity; the key centre is an identity-based key centre,
2. The key centre authenticates the user's application and, having determined that the identifier provided is legal and valid, takes this identifier as the user's basic identifier,
3. After the user has been authenticated, the key centre determines the user's complete user ID, which comprises at least three parts: the key centre's system identifier, the basic identifier used during authentication, and the service validity period,
4. According to the chosen identity-based signature algorithm and the system parameters, the key centre generates the private key corresponding to the user's complete user ID and provides client software to the user,
5. The user installs the private key and client software provided by the key centre on a mobile phone terminal or computer,
2) Short message signing process
1. Determine the content information to be signed,
2. Generate a signature over the content to be signed, using the user's private key provided by the key centre and the signature algorithm set in the client software,
3. Assemble the signed short message: at least the user's complete user ID and the signing information (comprising the signed-content determination method, the signature algorithm and the signature result) are added to the short message, and the message is then sent,
3) Signature verification / short message classification process
After a user receives a short message, determine whether it is a signed message; a signed message is processed as follows:
1. Obtain the signing user's complete user ID and the signing information, comprising the signed-content determination method, the signature algorithm and the signature result,
2. Check the service validity period; if the service period has expired, do not verify the signature, and treat the message as an unsigned message,
3. Determine the signed content and verify the signature using identity-based cryptography,
4. If signature verification succeeds, the message is treated as a valid message and is not subjected to short message filtering.
The invention is further characterized in that, when a signed short message is processed, it is checked whether the user ID is in the identifier blacklist; if it is, the message is treated as spam.
A further feature of the invention is that unsigned messages, messages whose service validity period has expired and messages whose signature fails verification are subjected to short message filtering as ordinary messages.
The invention may also comprise an identifier blacklist update process, characterized in that:
1) A user who considers a signature-authenticated message to be spam sends the whole message to the key centre to report it,
2) After verifying the authenticity of the signature on the reported message, the key centre decides according to its rules whether to blacklist the user ID.
In short, the present invention uses identity-based cryptography to authenticate short message senders on a large scale, thereby achieving accurate classification of one class of short messages and reliable delivery of such messages. Because identity-based cryptography is used, the certificate verification step of conventional signing and verification is eliminated, along with the huge cost and complex management required by conventional PKI technology, so the method can support a very large number of users. Message processing can be distributed on the basis of this method, relieving the processing pressure on the aggregation gateway and improving the efficiency and reliability of classification, while also enabling a good business and management model. The method is simple, easy to implement, accurate, reliable and efficient, and convenient for large-scale deployment.
Description of drawings
The present invention has the following drawings:
Fig. 1 Schematic diagram of the system configuration
Fig. 2 Schematic diagram of the short message signing process
Fig. 3 Schematic diagram of the signature verification / message classification process
Fig. 4 Schematic diagram of the user software program
Embodiment
The core of the invention is to use identity-based cryptography so that information senders, information agents and information receivers perform signing and signature verification according to certain rules, which allows clear and effective class validation of information. Because identity-based cryptography is used, the certificate verification step of signing and verification is eliminated, along with the huge cost and complex management required by conventional PKI technology, so a very large number of users can be supported; the method is simple, easy to use, accurate, efficient and convenient for large-scale deployment. Taking short messages as the example, the specific implementation is described below:
Fig. 1 is a schematic diagram of the system configuration of the invention. A user here may be a sender, a recipient or an agent, including individuals, companies, groups and ISPs, as well as SMS centres, aggregation gateways and the like; users also include anti-virus software vendors (such as Rising, Nuodun and others).
The method of the invention comprises:
1) User service application process
A. User authentication. The system supports two classes of user, with two different authentication modes:
● Individual user: an individual who signs and sends short messages from their own short message address. Such a user uses the short message address as the essential part of the identifier; the address may be a mobile phone number, MSN address, QQ number or the like. The application of such a user first performs user authentication to establish ownership of the claimed short message address. Any authentication method may be used as long as it confirms that the user holds this address (for example, the method of "An authentication method for public network secure communication service user identity based on identity-based cryptography" (patent No. 200510077335.4) may be used).
● Signing proxy user: such a user can sign short messages sent by other principals. Such a user may use an agreed character string such as a company name, server name or IP address as the essential part of the identifier (not limited to a particular short message address). Such a user may use a stronger authentication mode, such as a written contract or an electronic contract.
B. After the user passes authentication, the complete user ID is determined. The complete user ID comprises at least three parts: the system identifier (this identifier uniquely determines the key centre's system parameters), the basic identifier used in authentication step A, and the service validity period. The service validity period comprises at least the expiry time of the service and generally also the start time. The complete user ID may also contain other information, such as country name, city name, company name, department name, personal name and ID card number.
C. Generate the private key corresponding to the user's complete user ID. The key generation method is determined by the specific identity-based signature algorithm; the algorithms and methods described in prior art 1 may be used.
D. The user obtains and installs the private key. The method of obtaining the private key depends on the authentication method. If the authentication method of "An authentication method for public network secure communication service user identity based on identity-based cryptography" is used, the private key is encrypted with a protection password set by the user during authentication, and the user downloads and installs it from the key centre website. If manual verification is used, the private key may be transferred securely by hand on a physical medium such as a USB key. The user's private key file includes the complete user ID to which the private key corresponds.
E. The user obtains and installs the client software. The client software can be downloaded openly from the key centre website. The client software includes at least the short message signing function; see Fig. 4.
2) Short message signing process, see Fig. 2
A. Determine the signed content. The user may sign the whole message, or only part of it: for example the basic message header plus the first 12 bytes of the message.
B. Generate the signature using the installed private key and the signature algorithm in the client software. The system is not limited to a particular identity-based signature algorithm; the algorithms and methods described in prior art 1 may be used.
C. Assemble the signed short message. At least two pieces of information must be added to the message:
1) the user's complete user ID (at least three parts: the system identifier, the identifier used in the authentication step and the service validity period); 2) the signing information (comprising the signed-content determination method, the signature algorithm and the signature result). This information is assembled and sent together with the original message text; many assembly modes are possible, for example sending it as an extended message header field.
3) Signature verification / short message classification process, see Fig. 3
A. Unsigned messages are classified by the normal filtering process. Signed messages are processed as follows:
B. Obtain the signing user's complete user ID and signing information.
C. Check whether the identifier is in the identifier blacklist. This blacklist is mainly used to prevent users who have passed authentication and applied for the service from sending spam to other users in authenticated form. Maintenance of this blacklist is described under the identifier blacklist update process.
D. Check the service validity period; if the service period has expired, do not verify the signature, and treat the message as unsigned, passing it to the normal filtering process for classification.
E. Determine the signed content.
F. Verify the signature. Users include individual users and short message service providers; after a short message is received, the individual user's client software or the service extension software of the short message server determines whether the message is signed. A short message service provider does not necessarily need to apply for a private key in order to use part of this service: it only needs to download and install the short message server signature verification extension software (which is openly downloadable) to verify identity-based signatures on short messages. Because identity-based cryptography is used, there is no certificate verification step, which speeds up signature verification and in turn supports a very large number of users.
G. If signature verification succeeds, the message is treated as a normal message and does not enter the filter. If signature verification fails, the event is logged.
4) Identifier blacklist update process. The identifier blacklist is maintained mainly to prevent individual users from sending spam by applying for the short message authentication and reliable classified delivery service.
A. If a user considers a signature-authenticated message to be spam, the user reports it to the address designated by the key centre providing the service (sending the whole message and reporting the sender).
B. After verifying the authenticity of the signature on the reported message, the key centre decides according to its rules whether to blacklist the user ID.
A specific embodiment of the invention follows:
The key centre of the invention is built on identity-based cryptography: (1) the identity-based signature algorithm to be used is determined, for example the IBS-2 algorithm of prior art 1; (2) the system parameters (including the master key) are generated. An example is given in the appendix of prior art 1.
User service application process. First, the user applies for registration with the key centre. An individual user generally uses their own short message address as the identifier; other users may use a legal identifier they own as the registration identifier, such as an IP address, a domain name, or also a short message address. The key centre may use any registration authentication method, for example that of CN1697379, "An authentication method for public network secure communication service user identity based on identity-based cryptography", to carry out registration authentication, provided it can validly prove that the identifier belongs to the user. For example, MSN user Li San, the company abc.com (a user without its own short message gateway), the SMS ISP user soohu.com (which may sign on behalf of others), the mobile phone user Zhang Wu, an SMS centre and an aggregation gateway each apply for registration with the key centre. An individual user generally uses their own mobile phone number, MSN identifier or QQ number as the identifier; other users may use a legal identifier they own as the registration identifier (such as an IP address or domain name, or also a mobile phone number or MSN identifier). Li San uses his own MSN identifier myibe@hotmail.com as his identifier and applies for registration with the identity-based key centre; the key centre confirms that this short message address belongs to user Li San, generates Li San's private key from Li San's identifier, and issues the relevant software to Li San, who installs the software and the private key. By the same process, the ISP user soohu.com applies to the key centre with its own domain name www.soohu.com as its identifier, obtains its own private key and the related software, and completes the installation of the software and private key. A mobile phone user can download the private key and install the software wirelessly, or through manual service application and installation; other users proceed analogously.
Sending a signed short message. User Li San, with his own MSN address myibe@hotmail.com, sends a short message to the individual mobile phone user Zhang Wu, number 1269898118. So that the short message gateway can confirm that this message really was sent by the legitimate user Li San, Li San digitally signs the message. Suppose the pre-agreed signed content is the first 12 bytes of the message content. With the software obtained from the key centre, Li San first extracts the basic message header and the first 12 bytes as the content to be signed (other signed content may also be agreed), then signs this content with his own private key, combines the digital signature, Li San's identifier (the electronic short message address) and any other required information (such as the service validity period) in some manner (for example as an extended message header), and sends it together with the message text to Zhang Wu.
Signature verification / classification of the short message. Li San's message first arrives at the SMS centre. Because the SMS centre has registered with the key centre, it has obtained its own private key and software with signature verification functionality. On receiving Li San's signed message, the SMS centre first extracts the identifier and signature combined in the message, then verifies the signature according to this identifier and the system public parameters. If verification succeeds, this proves that the message was sent by Li San; if not, it was not sent by Li San. If the signed content is the whole message, a valid signature also guarantees that the message text is complete and has not been tampered with. Having confirmed in the short message service centre that the message was sent by the legitimate user Li San, the service centre passes this information on to the aggregation centre as coming from a legitimate user; the aggregation centre delivers it directly to Zhang Wu and can tell Zhang Wu that it was sent by Li San. Because an identity-based cryptosystem is used, any two registered users can authenticate each other rapidly without first exchanging certificates as in a conventional PKI cryptosystem, and without maintaining a huge certificate management system. This outstanding feature allows identity-based short message authentication to support a very large number of users, and makes management and operation more convenient, so that every user who finds it useful can easily use it.
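To make the signing process of section 2), the verification / classification process of section 3) and the Li San / Zhang Wu example concrete, the following runnable Python model is added here; it is not code from the patent or from any key centre product. It assumes Shamir's 1984 RSA-based identity-based signature as a stand-in for the ISO 14888-3 IBS algorithms the page cites, toy-sized constructed system parameters, a `;`-separated encoding of the complete user ID, and constructed header field names and scenario values.

```python
import hashlib
import secrets

# Key centre system parameters: CONSTRUCTED, toy-sized, not secure. Primitive:
# Shamir's 1984 RSA-based IBS, a stand-in for the ISO 14888-3 IBS algorithms.
P, Q = 2**31 - 1, 2**61 - 1       # Mersenne primes, toy size only
N, E = P * Q, 65537               # published system parameters
_MASTER_KEY = pow(E, -1, (P - 1) * (Q - 1))   # held only by the key centre
ALG = "shamir-ibs-toy"            # value of the "signature algorithm" field
SIGNED_PREFIX_LEN = 12            # the page's "first 12 bytes" rule

def _hash_int(*parts: bytes) -> int:
    """Hash to an integer; callers reduce mod N where needed."""
    return int.from_bytes(hashlib.sha256(b"\x00".join(parts)).digest(), "big")

def complete_id(system_id: str, basic_id: str, valid_until: int) -> str:
    """The three mandatory parts of the complete user ID (';' encoding assumed)."""
    return f"{system_id};{basic_id};{valid_until}"

def keycentre_issue_private_key(user_id: str) -> int:
    """Key centre: g = H(ID)^d mod N. The ID string itself is the public key."""
    return pow(_hash_int(user_id.encode()) % N, _MASTER_KEY, N)

def ibs_sign(private_key: int, message: bytes) -> tuple:
    """Sender: t = r^e, s = g * r^H(t||m) (mod N); the signature is (s, t)."""
    r = secrets.randbelow(N - 2) + 2
    t = pow(r, E, N)
    return (private_key * pow(r, _hash_int(str(t).encode(), message), N) % N, t)

def ibs_verify(user_id: str, message: bytes, sig: tuple) -> bool:
    """Verifier holds only (N, E): s^e == H(ID) * t^H(t||m) (mod N)."""
    s, t = sig
    h = _hash_int(str(t).encode(), message)
    return pow(s, E, N) == (_hash_int(user_id.encode()) % N) * pow(t, h, N) % N

def signed_part(body: bytes, method: str) -> bytes:
    """The page's signed-content determination methods."""
    if method == "whole":
        return body
    if method == "first12":
        return body[:SIGNED_PREFIX_LEN]
    raise ValueError("unknown signed-content method")

def build_signed_sms(user_id: str, private_key: int, body: bytes,
                     method: str = "first12") -> dict:
    """Assemble the extended header: complete ID plus signing information."""
    s, t = ibs_sign(private_key, signed_part(body, method))
    return {"id": user_id, "method": method, "alg": ALG, "sig": f"{s}:{t}", "body": body}

def classify_sms(msg: dict, now: int, blacklist: set) -> str:
    """Gateway or recipient side, in the page's step order; 'inbox', 'junk' or 'filter'."""
    if "sig" not in msg:
        return "filter"                      # unsigned: ordinary filtering
    try:
        _system_id, basic_id, valid_until = msg["id"].split(";")
        valid_until = int(valid_until)
    except ValueError:
        return "filter"                      # malformed ID: treat as unsigned
    if basic_id in blacklist:
        return "junk"                        # identifier blacklist
    if now > valid_until:
        return "filter"                      # service expired: do not verify
    try:
        content = signed_part(msg["body"], msg["method"])
        s, t = (int(x) for x in msg["sig"].split(":"))
    except (KeyError, ValueError):
        return "filter"                      # malformed signing information
    if msg.get("alg") != ALG or not ibs_verify(msg["id"], content, (s, t)):
        return "filter"                      # verification failed: log and filter
    return "inbox"

def demo() -> dict:
    """Li San (myibe@hotmail.com) messages Zhang Wu; all values are constructed."""
    li_san = complete_id("keycentre-1", "myibe@hotmail.com", 1_300_000_000)
    key = keycentre_issue_private_key(li_san)           # issued once at registration
    body = b"Hello Zhang Wu, meeting at 9"               # bytes 0-11 = "Hello Zhang "
    good = build_signed_sms(li_san, key, body)           # signs the first 12 bytes
    whole = build_signed_sms(li_san, key, body, "whole")
    now = 1_299_000_000
    return {
        "valid": classify_sms(good, now, set()),
        "unsigned": classify_sms({"body": body}, now, set()),
        "blacklisted": classify_sms(good, now, {"myibe@hotmail.com"}),
        "expired": classify_sms(good, 1_300_000_001, set()),
        "tampered_in_prefix": classify_sms(dict(good, body=b"Hallo Zhang Wu, meeting at 9"), now, set()),
        "tampered_after_prefix": classify_sms(dict(good, body=b"Hello Zhang Wu, meeting at 5"), now, set()),
        "whole_signed_tampered": classify_sms(dict(whole, body=b"Hello Zhang Wu, meeting at 5"), now, set()),
    }
```

The `tampered_after_prefix` case shows the caveat the page itself states: signing only the first 12 bytes authenticates the sender but does not protect the remainder of the text, whereas the `whole` method does.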
Because this method effectively solves the difficult problem of authenticating short messages at a large user scale, combining it with certain rules effectively achieves the classification and classified delivery of short messages. For example, it is agreed in advance that messages sent by users who sign with identity-based cryptography are valid messages (unless the user is on a blacklist); because digital signature technology solves the identity authentication problem, combining it with the blacklist principle distinguishes non-spam messages efficiently, achieving the classified delivery of short messages and solving the classification and identification problem of anti-spam software.
On the basis of the identity-based short message authentication and reliable classified delivery method described above, the invention provides the following further embodiments:
When a signed short message is processed, it is checked whether the user's identifier is in the identifier blacklist; if it is, the message is treated as spam;
Unsigned messages, messages whose service validity period has expired and messages whose signature fails verification are subjected to short message filtering as ordinary messages;
The invention may also comprise an identifier blacklist update process: a user who considers a signature-authenticated message to be spam can send the whole message to the key centre to report it; after verifying the authenticity of the signature on the reported message, the key centre determines according to known rules whether the reported message is spam and whether to blacklist its user ID.
The identity-based cryptography and the methods and algorithms for generating public and private keys referred to in the invention may all be found in prior art 1: ISO. Information technology - Security techniques - Digital signatures with appendix - Part 3: Discrete logarithm based mechanisms. ISO-14888-3, 2006.