CN100589384C - Safety interacting method for user terminal access softswitch system - Google Patents


Info

Publication number: CN100589384C
Authority: CN (China)
Prior art keywords: user terminal, control point, access control, authentication, parameter group
Legal status: Expired - Fee Related
Application number: CN200610011370A
Other languages: Chinese (zh)
Other versions: CN101026454A (en)
Inventors: 权海斌, 吴晨, 曹刚, 胡宪利
Current assignee: ZTE Corp
Original assignee: ZTE Corp
Priority date: 2006-02-24
Filing date: 2006-02-24
Publication date: 2010-02-10
Abstract

The method applies to a softswitch system running over an IP network and comprises the following steps: (1) a user terminal authentication security parameter group (ASPG) is set up on the user terminal and an access control point ASPG is set up on the access control point; a user terminal authentication authorization parameter group corresponding to the user terminal ASPG and an access control point authentication authorization parameter group corresponding to the access control point ASPG are set up on the security authentication server (SAS); (2) the user terminal is connected to the softswitch core control device (SSCCD) through the access control point; (3) the user terminal authenticates the system, the access control point protects the messages exchanged between the user terminal and the SSCCD, and the SAS performs secure access authentication of the user terminal. The invention strengthens the security of the access domain and reduces attacks on the SSCCD.

Description

A secure interaction method for user terminal access to a softswitch system
Technical field
The present invention relates to the field of communication security, and in particular to a secure two-way authentication and key distribution method by which user terminals safely access the system in the access domain of IP-based communication systems such as softswitch.
Background technology
With the maturing of IP communication technologies such as softswitch, voice over IP networks has found increasing use in enterprise networks and public networks. Because IP networks follow an open design, VoIP communication has a number of security problems. These are especially acute in the access domain of systems such as softswitch: the network is not under the operator's control, and account theft, device spoofing, system hijacking and illegal interception of communications are prominent problems. To address them, a system such as softswitch that terminals access must authenticate the user terminals to keep illegal users out, must let the terminals authenticate the system so that a terminal cannot be hijacked by an illegal system, and must also provide integrity and confidentiality protection for communication messages to guarantee the security of the communication content.
At present, some security authentication flows already exist in the security architecture of communication systems, but because of design problems in these flows, some of them are vulnerable to replay attacks, or the security of the password/key is weakened by problems in the password negotiation.
Summary of the invention
The technical problem solved by the present invention is to provide a secure interaction method for user terminal access to a softswitch system, used to achieve mutual secure authentication and communication security between a user terminal and an IP-based softswitch system.
To achieve this, the invention provides a secure interaction method for user terminal access to a softswitch system, applied to an IP-based softswitch system that comprises at least one softswitch core control device, an access control point, a plurality of user terminals and a security authentication server, characterised in that the method comprises the following steps:
Step 1: a user terminal authentication security parameter group is set on the user terminal, an access control point authentication security parameter group is set on the access control point, and a user terminal authentication authorization parameter group corresponding to the user terminal authentication security parameter group and an access control point authentication authorization parameter group corresponding to the access control point authentication security parameter group are set on the security authentication server;
Step 2: the user terminal is connected to the softswitch core control device through the access control point;
Step 3: the user terminal authenticates the system through the access control point and the softswitch core control device and, according to its user terminal authentication security parameter group and the authentication information returned by the system, exchanges an integrity key and a confidentiality key with the access control point; the access control point protects the messages between the user terminal and the softswitch core control device according to its access control point authentication security parameter group and the integrity key and confidentiality key shared with the user terminal; and the security authentication server, through the softswitch core control device and the access control point, performs secure access authentication of the user terminal according to the user terminal authentication authorization parameter group and the access control point authentication authorization parameter group.
In the secure interaction method described, the number of user terminal authentication security parameter groups is one or more, and the number of access control point authentication security parameter groups is one or more.
In the method described, each user terminal authentication security parameter group and each access control point authentication security parameter group comprises parameter information for one or more of the security modes authentication, encryption and integrity protection.
In the method described, step 3 further comprises the step of protecting the integrity and confidentiality of the messages between the access control point and the user terminal with the integrity key and the confidentiality key respectively.
In the method described, step 3 further comprises the step of the user terminal performing integrity verification of the registration response message returned by the access control point; if the registration response message passes integrity verification, the user terminal initiates a registration request to the access control point again.
In the method described, step 3 further comprises the step of the access control point performing an integrity protection check on the registration message sent by the user terminal and, after the check passes, forwarding a message containing a first authenticator to the softswitch core control device.
In the method described, step 3 further comprises the step of the softswitch core control device verifying the user terminal by comparing the first authenticator with a second authenticator sent by the security authentication server: if the first authenticator and the second authenticator are consistent, the user terminal is verified successfully; if they are inconsistent, verification of the user terminal fails.
In the method described, when the user terminal is verified successfully, step 3 further comprises the step of the access control point sending to the user terminal the registration response success message received from the softswitch core control device, and integrity-protecting that registration response success message.
In the method described, step 3 further comprises the step of the user terminal authenticating and integrity-verifying the registration response success message.
In the method described, step 3 further comprises the step of the softswitch core control device sending a user authentication success message to the security authentication server and updating the user terminal information on the security authentication server.
Within an IP network architecture based on softswitch technology, the present invention proposes a two-way authentication and key distribution flow between the user terminal and the system in the access domain. With the invention, a user terminal can access the softswitch system safely through the access control point SP, which strengthens the security of the access domain and meets the communication security requirements. The specific benefits are:
1) more than one group of authentication modes is available between the softswitch core control device and the user terminal;
2) signalling between the access control point SP and the user terminal can be protected with one or both of the two modes confidentiality protection and integrity protection;
3) two-way authentication between the user terminal and the system is achieved;
4) confidentiality and integrity mechanisms are applied between the boundary point of the trusted core network (the access control point SP) and the terminal, so that invalid data streams are controlled in the access domain; this distributed mechanism keeps invalid data from attacking the core equipment;
5) the encryption key and the integrity key are both generated on the equipment itself, avoiding the risk of transmitting a password over the network. Multiple negotiation mechanisms and a combination of two algorithms are used for confidentiality protection, avoiding the security risk caused by the instability of a single algorithm.
The present invention is described below with reference to the drawings and specific embodiments, which do not limit the invention.
Description of drawings
Fig. 1 is a schematic diagram of the networking of the softswitch network access domain according to the present invention;
Fig. 2 is a schematic flow chart of two-way authentication and key distribution in the access domain according to the present invention.
Embodiment
The implementation of the technical scheme is described in further detail below with reference to the drawings.
Refer to Fig. 1, which shows the schematic diagram of the softswitch network access domain. SS (Soft Switch) denotes the softswitch core control device 101, SP (Signing Point) denotes the access control point 102, Client denotes the user terminal 103, and AUC (Authentication Center) denotes the security authentication server / authentication center 104. The dotted line 105 in Fig. 1 indicates that the security authentication parameters of each functional entity are stored on the security authentication server AUC 104, and the solid lines 106 denote the communication connections between the functional entities.
In the IP network architecture based on softswitch technology in Fig. 1, there is at least one softswitch core control device 101, one or more access control points 102, a plurality of user terminals 103 and one security authentication server 104.
A user terminal 103 has at least one user terminal authentication security parameter group, and each such group provides the parameter information needed for one or more of the security modes verification/authentication, encryption and integrity protection. For each user terminal authentication security parameter group of each user terminal 103, a corresponding user terminal authentication authorization parameter group is stored on the security authentication server 104; it provides the computation information needed for one or more of the security modes verification/authentication, confidentiality and integrity protection for that user terminal 103.
An access control point 102 has at least one access control point authentication security parameter group, and each such group provides the parameter information needed for one or more of the security modes verification/authentication, encryption and integrity protection. For each access control point authentication security parameter group of each access control point 102, a corresponding access control point authentication authorization parameter group is stored on the security authentication server 104; it provides the computation information needed for one or more of the security modes verification/authentication, confidentiality and integrity protection for that access control point 102.
In Fig. 1, according to each authentication authorization parameter group, the security authentication server 104 is responsible for generating the keys and the key-generation information, and the verification/authentication code is verified by the softswitch core control device 101.
In Fig. 1, the access control point SP 102 generates the system authentication word, the user terminal Client 103 authenticates the system, integrity protection and confidentiality protection between the access control point SP 102 and the user terminal Client 103 use the integrity key and the confidentiality key respectively, and the keys needed are exchanged according to the information returned by the security authentication server AUC 104.
Refer to Fig. 2, which shows the schematic flow of two-way authentication and key distribution in the access domain. This flow mainly describes the mechanism by which the user terminal verifies/authenticates the system, the key generation mechanism between the user terminal and the access control point, the message protection mechanism, and the mechanism by which the system verifies/authenticates the user terminal.
Before the user terminal registration verification/authentication and key generation process begins, the following precondition must hold: the access control point is regarded as a device in the system's trust domain. With reference to Fig. 1, the flow comprises the following steps:
Step 200: the user terminal Client 103 initiates a registration request to the access control point SP 102 through the protocol flow, using a normal protocol registration message that carries a random number R1 generated by the user terminal Client 103 and the Client ID (client identification);
Step 201: the access control point SP 102 forwards the user's registration message to the softswitch core control device SS 101; the registration message carries the device identification SP ID (access control point identification) of the access control point SP 102 and the Client ID;
Step 202: the softswitch core control device SS 101, having no user authentication information for the user terminal Client 103, sends a verification/authentication request for the user terminal Client 103 to the security authentication server AUC 104; the request contains the Client ID and the SP ID;
Step 203: according to the Client ID and SP ID, the security authentication server AUC 104 obtains the key Kc shared with the user terminal Client 103 and the key Ksp shared with the access control point SP 102, generates a random number R2, generates the Authenticator for the user terminal Client 103 from R2, the Client ID and the shared key Kc, and at the same time generates the session key Kc,sp between the user terminal Client 103 and the access control point SP 102. Kc,sp is encrypted separately under the shared keys Kc and Ksp, and finally R2, the Authenticator and the encrypted session keys (EKc[Kc,sp], EKsp[Kc,sp]) are returned to the softswitch core control device SS 101 as the response to its verification/authentication request;
Step 204: the softswitch core control device SS 101 returns a registration response message or a registration failure message to the access control point SP 102. A registration failure message indicates that the user terminal Client 103 cannot be verified/authenticated. The parameters of the response message contain the challenge word R2 and the two session keys EKc[Kc,sp] and EKsp[Kc,sp] encrypted under Kc and Ksp by the security authentication server AUC 104, which are passed to the access control point SP 102; the softswitch core control device SS 101 retains the Authenticator;
Step 205: the access control point SP 102 returns a registration response message or a registration failure message to the user terminal Client 103. A registration failure message indicates that the user terminal Client 103 cannot be verified/authenticated. The parameters of the response message contain the challenge word R2 and the session key EKc[Kc,sp] encrypted under Kc. At the same time the access control point SP 102 decrypts the encrypted session key EKsp[Kc,sp] with the shared key Ksp to obtain Kc,sp, and uses this session key Kc,sp and the random number R1 to integrity-protect the authentication parameters in the response message sent to the user terminal Client 103; that is, it computes the authentication parameter authenticator in the message and returns it to the user terminal Client 103 with the message;
Step 206: the user terminal Client 103 decrypts the encrypted session key EKc[Kc,sp] with the shared key Kc to obtain Kc,sp, and uses this session key Kc,sp and the random number R1 to integrity-verify the authentication parameters in the message returned by the access control point SP 102. If verification passes, the access control point SP 102 and the network equipment are legitimate; the user terminal then recomputes the authenticator Authenticator' from the shared key Kc, the client identification Client ID and the random number R2 returned by the access control point SP 102, initiates a registration request to the access control point SP 102 again, and integrity-protects the message with Kc,sp; the message contains the newly computed Authenticator'. If the user terminal Client 103 fails to verify/authenticate the system/network, it abandons the process or starts again from step 1, i.e. the registration request of step 200;
Step 207: the access control point SP 102 performs an integrity check on the message with the session key Kc,sp. If the check passes, it forwards the user's registration message, containing the Authenticator' computed by the user, to the softswitch core control device SS 101; otherwise the user terminal Client 103 is illegitimate and the registration process is exited;
Step 208: the softswitch core control device SS 101 compares the Authenticator' in the registration message sent by the access control point SP 102 with the Authenticator sent by the security authentication server AUC 104, thereby verifying/authenticating the user terminal Client 103. If Authenticator' and Authenticator are inconsistent, verification/authentication of the user terminal Client 103 has failed, and the message is retransmitted or the registration process is exited; if they are consistent, the user terminal Client 103 is verified successfully, and a registration success response message is returned to the access control point SP 102;
Step 209: the access control point SP 102 receives the registration response success message from the softswitch core control device SS 101 and forwards it to the user terminal Client 103, protecting the response message with the session key Kc,sp to guarantee its integrity; at the same time the access control point SP 102 records the relevant information of this user terminal Client 103 (subscriber number, address, port, etc.) and marks this user as a legitimate user;
Step 210: the user terminal Client 103 authenticates the registration response success message with the session key Kc,sp and verifies its integrity. At this point registration verification/authentication and session key agreement have succeeded. The softswitch core control device SS 101 may also send a user verification/authentication success message to the security authentication server AUC 104 to update the user terminal information on the security authentication server AUC 104.
In this embodiment, both the encryption algorithm and the integrity algorithm are symmetric algorithms, and integrity protection uses two algorithms simultaneously. The session key can be obtained directly from the shared key pre-configured on the communication entity and on the security authentication server, or can be computed from that shared key and a random number.
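The flow of steps 200 to 210 above, as an added example that is not part of the patent or of ZTE's implementation: all four entities (Client, SP, SS, AUC) run in one process, the Authenticator and the integrity tags are HMAC-SHA256, and the symmetric cipher that wraps Kc,sp is a stand-in keystream XOR. The message field layout, the domain labels passed to the MAC and the identifiers are assumptions, since the patent fixes neither an algorithm nor a message format.

```python
import hashlib
import hmac
import os

def mac(key: bytes, *parts: bytes) -> bytes:
    """Keyed integrity tag (HMAC-SHA256) over length-prefixed parts."""
    h = hmac.new(key, digestmod=hashlib.sha256)
    for p in parts:
        h.update(len(p).to_bytes(2, "big") + p)
    return h.digest()

def sym_encrypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in symmetric cipher (assumption): XOR with an HMAC-derived keystream.
    The page only says the cipher is symmetric; a real block cipher would replace this."""
    keystream = mac(key, b"enc", nonce)
    if len(data) > len(keystream):
        raise ValueError("data longer than keystream")
    return bytes(a ^ b for a, b in zip(data, keystream))

sym_decrypt = sym_encrypt  # XOR with the same keystream undoes the encryption

class AUC:
    """Security authentication server: holds the shared keys Kc and Ksp (step 203)."""

    def __init__(self, client_keys: dict, sp_keys: dict):
        self.client_keys, self.sp_keys = client_keys, sp_keys

    def verify_request(self, client_id: bytes, sp_id: bytes):
        kc, ksp = self.client_keys[client_id], self.sp_keys[sp_id]
        r2 = os.urandom(16)                              # challenge word R2
        authenticator = mac(kc, b"auth", r2, client_id)  # Authenticator from R2, Client ID, Kc
        kc_sp = os.urandom(32)                           # session key Kc,sp
        return r2, authenticator, sym_encrypt(kc, r2, kc_sp), sym_encrypt(ksp, r2, kc_sp)

class SS:
    """Softswitch core control device: relays to the AUC, keeps the Authenticator (steps 202-204, 208)."""

    def __init__(self, auc: AUC):
        self.auc, self.pending = auc, {}

    def register(self, client_id: bytes, sp_id: bytes):
        r2, authenticator, e_kc, e_ksp = self.auc.verify_request(client_id, sp_id)
        self.pending[client_id] = authenticator          # the Authenticator never leaves the SS
        return r2, e_kc, e_ksp

    def verify_client(self, client_id: bytes, authenticator2: bytes) -> bool:
        expected = self.pending.pop(client_id, None)     # step 208: Authenticator' vs Authenticator
        return expected is not None and hmac.compare_digest(expected, authenticator2)

class SP:
    """Access control point: recovers Kc,sp and integrity-protects the terminal leg (205, 207, 209)."""

    def __init__(self, sp_id: bytes, ksp: bytes, ss: SS):
        self.sp_id, self.ksp, self.ss, self.sessions = sp_id, ksp, ss, {}

    def register_request(self, client_id: bytes, r1: bytes):
        r2, e_kc, e_ksp = self.ss.register(client_id, self.sp_id)
        kc_sp = sym_decrypt(self.ksp, r2, e_ksp)         # decrypt EKsp[Kc,sp] with Ksp
        self.sessions[client_id] = kc_sp
        tag = mac(kc_sp, b"resp", r1, r2, e_kc)          # integrity over R1, R2, EKc[Kc,sp]
        return r2, e_kc, tag

    def second_request(self, client_id: bytes, authenticator2: bytes, tag: bytes):
        kc_sp = self.sessions.get(client_id)
        if kc_sp is None or not hmac.compare_digest(tag, mac(kc_sp, b"req", client_id, authenticator2)):
            return None                                  # step 207: integrity check failed, exit registration
        if not self.ss.verify_client(client_id, authenticator2):
            return None                                  # step 208: terminal failed verification
        return mac(kc_sp, b"ok", client_id)              # step 209: integrity-protected success message

class Client:
    """User terminal: authenticates the system first, then proves itself (steps 200, 206, 210)."""

    def __init__(self, client_id: bytes, kc: bytes, sp: SP):
        self.client_id, self.kc, self.sp, self.session_key = client_id, kc, sp, None

    def register(self) -> bool:
        r1 = os.urandom(16)
        r2, e_kc, tag = self.sp.register_request(self.client_id, r1)
        kc_sp = sym_decrypt(self.kc, r2, e_kc)           # step 206: recover Kc,sp with shared key Kc
        if not hmac.compare_digest(tag, mac(kc_sp, b"resp", r1, r2, e_kc)):
            return False                                 # system failed authentication: abandon
        authenticator2 = mac(self.kc, b"auth", r2, self.client_id)  # Authenticator'
        tag2 = mac(kc_sp, b"req", self.client_id, authenticator2)
        success = self.sp.second_request(self.client_id, authenticator2, tag2)
        if success is None or not hmac.compare_digest(success, mac(kc_sp, b"ok", self.client_id)):
            return False
        self.session_key = kc_sp                         # step 210: mutual authentication and key agreement done
        return True

def run_demo() -> dict:
    """Constructed keys and identifiers; outcome of an honest run and of a terminal without the real Kc."""
    kc, ksp = os.urandom(32), os.urandom(32)
    auc = AUC({b"client-1": kc}, {b"sp-1": ksp})
    sp = SP(b"sp-1", ksp, SS(auc))
    honest = Client(b"client-1", kc, sp).register()
    wrong_key = Client(b"client-1", os.urandom(32), sp).register()
    return {"honest": honest, "wrong_key": wrong_key}
```

A terminal holding the wrong Kc recovers a wrong Kc,sp in step 206 and therefore rejects the SP's response before ever sending Authenticator', which is the point of the terminal authenticating the system first.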
The detailed description of the access domain two-way verification/authentication and key distribution flow in this embodiment, including the signalling aspects it touches on, is schematic only and provided for reference.
In the present invention, the signalling security hop securely generates the encryption key and the integrity key between the user terminal Client and the access control point SP, which strengthens the security requirement and reduces attacks on the softswitch core control device.
Of course, the present invention may also have various other embodiments. Without departing from the spirit and essence of the present invention, those of ordinary skill in the art can make various corresponding changes and variations according to the present invention, and all such changes and variations should fall within the protection scope of the appended claims.

Claims (10)

1. A secure interaction method for user terminal access to a softswitch system, applied to an IP-based softswitch system that comprises at least one softswitch core control device, an access control point, a plurality of user terminals and a security authentication server, characterised in that the method comprises the following steps:
Step 1: a user terminal authentication security parameter group is set on the user terminal, an access control point authentication security parameter group is set on the access control point, and a user terminal authentication authorization parameter group corresponding to the user terminal authentication security parameter group and an access control point authentication authorization parameter group corresponding to the access control point authentication security parameter group are set on the security authentication server;
Step 2: the user terminal is connected to the softswitch core control device through the access control point;
Step 3: the user terminal authenticates the system through the access control point and the softswitch core control device and, according to its user terminal authentication security parameter group and the authentication information returned by the system, exchanges an integrity key and a confidentiality key with the access control point; the access control point protects the messages between the user terminal and the softswitch core control device according to its access control point authentication security parameter group and the integrity key and confidentiality key shared with the user terminal; and the security authentication server, through the softswitch core control device and the access control point, performs secure access authentication of the user terminal according to the user terminal authentication authorization parameter group and the access control point authentication authorization parameter group.
2. The secure interaction method for user terminal access to a softswitch system according to claim 1, characterised in that the number of user terminal authentication security parameter groups is one or more, and the number of access control point authentication security parameter groups is one or more.
3. The secure interaction method for user terminal access to a softswitch system according to claim 2, characterised in that each user terminal authentication security parameter group and each access control point authentication security parameter group comprises parameter information for one or more of the security modes authentication, encryption and integrity protection.
4. The secure interaction method for user terminal access to a softswitch system according to claim 2 or 3, characterised in that step 3 further comprises the step of protecting the integrity and confidentiality of the messages between the access control point and the user terminal with the integrity key and the confidentiality key respectively.
5. The secure interaction method for user terminal access to a softswitch system according to claim 4, characterised in that step 3 further comprises the step of the user terminal performing integrity verification of the registration response message returned by the access control point; if the registration response message passes integrity verification, the user terminal initiates a registration request to the access control point again.
6. The secure interaction method for user terminal access to a softswitch system according to claim 4, characterised in that step 3 further comprises the step of the access control point performing an integrity protection check on the registration message sent by the user terminal and, after the check passes, forwarding a message containing a first authenticator to the softswitch core control device.
7. The secure interaction method for user terminal access to a softswitch system according to claim 6, characterised in that step 3 further comprises the step of the softswitch core control device verifying the user terminal by comparing the first authenticator with a second authenticator sent by the security authentication server: if the first authenticator and the second authenticator are consistent, the user terminal is verified successfully; if they are inconsistent, verification of the user terminal fails.
8. The secure interaction method for user terminal access to a softswitch system according to claim 7, characterised in that, when the user terminal is verified successfully, step 3 further comprises the step of the access control point sending to the user terminal the registration response success message received from the softswitch core control device, and integrity-protecting that registration response success message.
9. The secure interaction method for user terminal access to a softswitch system according to claim 8, characterised in that step 3 further comprises the step of the user terminal authenticating and integrity-verifying the registration response success message.
10. The secure interaction method for user terminal access to a softswitch system according to claim 8, characterised in that step 3 further comprises the step of the softswitch core control device sending a user authentication success message to the security authentication server and updating the user terminal information on the security authentication server.
Priority Application

Application number: CN200610011370A
Priority date: 2006-02-24
Filing date: 2006-02-24
Title: Safety interacting method for user terminal access softswitch system
Status: Expired - Fee Related

Publications (2)

CN101026454A (application), published 2007-08-29
CN100589384C (granted patent), published 2010-02-10

Family ID: 38744403
Country status: CN (1), CN100589384C (en)




Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20100210

Termination date: 20180224