CN101217765A - A remote communication means for mobile Internet protocol analysis devices

Info

Publication number
CN101217765A
Authority
CN
China
Prior art keywords
analytical equipment
supervision center
controlled object
sends
supervision
Legal status
Pending
Application number
CNA2008100191643A
Other languages
Chinese (zh)
Inventor
秦中元
黄杰
胡爱群
赵晴
吴亚军
Current Assignee
Southeast University
Original Assignee
Southeast University
Application filed by Southeast University
Priority to CNA2008100191643A
Publication of CN101217765A
Legal status: Pending (current)

Abstract

The invention provides a communication method for mobile Internet protocol analysis equipment, used for effective and secure communication between a monitoring center and the analysis equipment. The remote communication method comprises the following steps: (1) the monitoring center connects to the analysis equipment, and the two sides authenticate each other's identity and negotiate the encryption key for the subsequent communication content; (2) the monitoring center sends various instruction requests to the analysis equipment; (3) the analysis equipment responds to the instruction requests of the monitoring center and sends the instruction request responses to the monitoring center; (4) the analysis equipment sends activity event reports of the controlled objects to the monitoring center in a timely manner; (5) the analysis equipment periodically sends data content reports of the controlled objects to the monitoring center; (6) the monitoring center sends a connection release notification to the analysis equipment and initiates the release of the monitoring interface connection, the analysis equipment releases the corresponding resources, and the monitoring process ends.

Description

A remote communication method for mobile Internet protocol analysis equipment
Technical field
The invention belongs to the field of mobile network security and relates to a communication method, specifically a communication method for mobile Internet protocol analysis equipment.
Background technology
With the spread of GPRS/CDMA technology, mobile Internet applications have developed rapidly and the number of users accessing the Internet by mobile phone has risen sharply. Alongside this, network crime that exploits the mobile Internet has emerged, harming national security and social stability, yet its content has always been a blind spot in network supervision. If the packet data exchanged between the mobile communication network and the Internet can be intercepted effectively, the original communication content recovered by analysis, and the source of the information traced accurately, the mobile Internet activity and content of mobile subscribers can be supervised effectively. The mobile network security monitoring system consists of a supervision center and protocol analysis equipment. The analysis equipment is deployed between the PCF and the PDSN; it taps the data traffic between them without affecting the communication performance of the mobile network and monitors the packet data services of the mobile subscribers in the PCF's management range, including MMS, e-mail, web browsing and VoIP. The protocol analysis equipment accepts instructions from the supervision center, parses application-layer protocols such as WAP, MMS and SMTP to recover the original content of the user's communication, and reports user activity events and communication content to the supervision center. The supervision center sends various instructions to the analysis equipment, obtains the activity state and data service content of the controlled objects, and displays them. How the supervision center communicates effectively and securely with the mobile Internet protocol analysis equipment has thus become an important part of the mobile network security monitoring system.
Summary of the invention
Technical problem: the object of the present invention is to provide a communication method for mobile Internet protocol analysis equipment, used for effective and secure communication between the supervision center and the analysis equipment.
Technical scheme: the communication method for mobile Internet protocol analysis equipment proposed by the present invention adopts ASN.1 encoding and a platform-independent supervision interface protocol, and uses a point-to-multipoint server/client model based on the TCP/IP protocol between the supervision center and the analysis equipment. The analysis equipment actively connects to the supervision center as a network client, accepts the instructions of the supervision center, and reports the activity events and data content of the controlled objects. The supervision center acts as the network server and controls each analysis equipment in real time. The communication interface uses mutual authentication and encryption to guarantee the reliability and confidentiality of data transmission.
The communication method for mobile Internet protocol analysis equipment of the present invention comprises the following:
Step 1: the supervision center and the analysis equipment establish a connection, authenticate each other's identity, and negotiate the encryption key for the subsequent communication content;
Step 2: the supervision center sends 4 types of instruction request to the analysis equipment: set controlled object, cancel controlled object, query controlled object parameters, and list controlled objects;
Step 3: the analysis equipment responds to the instruction requests of the supervision center and sends 4 types of instruction request reply to the supervision center: set controlled object reply, cancel controlled object reply, query controlled object parameters reply, and list controlled objects reply;
Step 4: the analysis equipment periodically sends 8 types of controlled object activity event report to the supervision center: going online, going offline, MMS send/receive event, web browsing event, e-mail send event, e-mail receive event, VoIP communication event, and mobile streaming media playback event;
Step 5: the analysis equipment periodically sends data content reports of the controlled objects to the supervision center;
Step 6: the supervision center sends a connection release notification to the analysis equipment and initiates the release of the supervision interface connection.
Timers are provided in the supervision center and in the analysis equipment: if the analysis equipment does not respond within the set time, the request is treated as failed; the supervision center scans the interface link for faults at a set period; the analysis equipment has a timer for periodically uploading activity events or intercepted data to the supervision center.
A point-to-multipoint server/client model based on the TCP/IP protocol is used between the supervision center and the analysis equipment, so one supervision center can manage communication with many analysis equipments.
Beneficial effect: the invention provides a communication method for mobile Internet protocol analysis equipment, used for communication between the supervision center and the analysis equipment. Mutual authentication and encryption are used for the communication between the supervision center and the analysis equipment, guaranteeing the reliability and security of the system. The analysis equipment transmits the activity events and communication data of the monitored mobile subscribers securely to the supervision center without affecting the communication performance of the 3G network, enabling remote supervision of the online and offline events of all mobile subscribers in the coverage area and of packet data services such as MMS, e-mail, web browsing and online video.
Description of drawings
Fig. 1 is the application scenario diagram of the communication method of the present invention;
Fig. 2 is the flow chart of the communication method of the present invention;
Fig. 3 is the flow chart of connection setup between the supervision center and the analysis equipment;
Fig. 4 shows the generation principle of the authentication field in the authentication process;
Fig. 5 shows the generation principle of the key Kc in the authentication process;
Fig. 6 shows the generation principle of the acknowledgement field in the authentication process;
Fig. 7 is the flow chart of information encryption from the supervision center to the analysis equipment in the authentication process.
Embodiment
The specific implementation of the communication method is described in detail below with reference to the accompanying drawings.
Fig. 1 is the application scenario diagram of the communication method of the present invention: real-time communication between the supervision center and the analysis equipment, with the supervision interface protocol as the interface protocol. The supervision center initiates the connection to the analysis equipment through the supervision interface and sends various instruction requests; the analysis equipment sends the activity events and communication data of the controlled objects securely to the supervision center, realizing the monitoring of mobile Internet packet data services.
Fig. 2 is the flow chart of the communication method of the present invention. The supervision center communicates with the analysis equipment through the supervision interface; the specific steps are as follows:
(1) The supervision center establishes a remote connection with the analysis equipment, the two sides authenticate each other's identity, and the encryption key for the subsequent communication content is negotiated. The steps are as follows:
1.1) The supervision center sends a connection request to the analysis equipment, requesting to establish a connection with it.
1.2) The analysis equipment receives the connection request from the supervision center, authenticates the supervision center, and sends a connection request reply to the supervision center.
1.3) The supervision center receives the connection request reply from the analysis equipment and authenticates the analysis equipment that sent the reply.
(2) The supervision center sends various instruction requests to the analysis equipment. There are 4 types of instruction request: set controlled object, cancel controlled object, query controlled object parameters, and list controlled objects.
2.1) Set controlled object request: sets a target mobile subscriber to be monitored and the protocols to be monitored for that controlled object;
2.2) Cancel controlled object request: cancels a monitored target mobile subscriber and the monitored protocols of that controlled object;
2.3) Query controlled object parameters: queries the monitoring protocol parameters of a target mobile subscriber to be monitored;
2.4) List controlled objects: queries all controlled objects currently online at the protocol analysis equipment.
(3) The analysis equipment responds to the instruction requests of the supervision center and sends instruction request replies to the supervision center. There are 4 types of instruction request reply: set controlled object reply, cancel controlled object reply, query controlled object parameters reply, and list controlled objects reply. The request reply frame contains the execution result of the instruction request; if execution failed, the reason for the failure must be indicated.
(4) The analysis equipment periodically sends activity event reports of the controlled objects to the supervision center. There are 8 types of activity event report: going online, going offline, MMS event, WAP event, SMTP event, POP3 event, VoIP event, and RTSP event.
(5) The analysis equipment periodically sends data content reports of the controlled objects to the supervision center.
(6) The supervision center sends a connection release notification to the analysis equipment and initiates the release of the supervision interface connection.
Fig. 3 is the flow chart of connection setup between the supervision center and the analysis equipment. To ensure communication security, the identities of both sides must be authenticated during connection setup and the communication encryption key must be negotiated. The specific steps are as follows:
(1) The supervision center sends a connection request to the analysis equipment; the connection request must carry the information required for authentication.
1.1) The supervision center determines the SQN group alias of the SQN sequence number, which is used to prevent replay attacks, and generates the random number RAND;
1.2) The supervision center generates the authentication field from the supervision center key Ki, the access password Password and the SQN sequence number using the SHA-1 (Secure Hash Algorithm) digest algorithm.
1.3) The supervision center encapsulates the above information, together with the supervision center identifier and the analysis equipment identifier, in a connection request frame and sends it to the analysis equipment.
(2) The analysis equipment authenticates the identity of the supervision center from the connection request message and responds to the connection request of the supervision center. The specific steps are as follows:
2.1) The analysis equipment determines the supervision center key Ki and the access password Password from the supervision center identifier in the connection request, determines the SQN sequence number from the SQN group number, computes the authentication field by the same method as the supervision center, and compares it with the authentication field in the connection request. If they are identical, authentication of the supervision center passes; otherwise it fails.
2.2) If authentication of the supervision center fails, the analysis equipment sends a connection request response to the supervision center indicating the reason for the authentication failure.
2.3) If authentication of the supervision center passes, the analysis equipment computes the encryption key Kc from the supervision center key Ki, the random number RAND and the SQN sequence number using the same SHA-1 method as the supervision center, and computes the acknowledgement field from Kc, the random number RAND and the SQN sequence number by the same method. The analysis equipment sends a connection request response containing the acknowledgement field to the supervision center.
(3) The supervision center receives the connection request response from the analysis equipment and authenticates the identity of the analysis equipment that sent it.
3.1) The supervision center computes the acknowledgement field by the same method as the analysis equipment and compares it with the acknowledgement field in the connection request response message; if identical, authentication of the analysis equipment passes; if different, it fails.
3.2) If the analysis equipment passes authentication, the supervision center computes the encryption key Kc by the same method as the analysis equipment, and the supervision interface connection succeeds.
3.3) If the analysis equipment fails authentication, the supervision center initiates connection release and cancels the connection with the analysis equipment.
The secret data Ki identifying the supervision center's identity is a unique registration number of fixed length 128 bits, stored only in the supervision center and the analysis equipment;
The access password Password is an access password of fixed length 128 bits, stored in the supervision center and the analysis equipment; a change of Password takes effect only when it is made simultaneously in the supervision center and the analysis equipment;
The sequence number SQN is a sequence number of fixed length 32 bits, used to prevent replay attacks and maintained jointly by the supervision center and the analysis equipment.
The random number RAND is generated by the supervision center and sent to the analysis equipment, and is used by the supervision center and the analysis equipment to generate the encryption key Kc at the same time; neither side stores RAND, but the supervision center needs a random number generation function. The length of RAND is fixed at 56 bits;
The encryption key Kc is the result of computing the secure hash algorithm (SHA) over Ki, RAND and SQN, and is used to encrypt the information transmitted between the supervision center and the analysis equipment.
The SHA-1 algorithm is a message digest algorithm designed by the US National Institute of Standards and Technology (NIST) and the US National Security Agency (NSA) and adopted as a US national standard (FIPS PUB 180-1); it is one of the most widely used hash algorithms today for guaranteeing the integrity of transmitted messages.
Figs. 4, 5 and 6 show the generation principles of the authentication field, the encryption key Kc and the acknowledgement field, respectively, in the authentication process.
In the authentication process, the secure hash algorithm SHA-1 is used to compute the authentication field, Kc and the acknowledgement field. The input to the SHA-1 algorithm is uniformly 512 bits long and the output is 160 bits. The parameters are concatenated head to tail in order, and the resulting message is first padded to a 448-bit byte stream, with the highest-order bit of the padding set to 1 and the remaining bits set to 0; the original message length is then expressed in 64 bits and appended to the message, forming a 512-bit byte stream as the input to the SHA-1 algorithm. For example, when computing the authentication field, Ki (128 bits), Password (128 bits) and SQN (32 bits) are concatenated head to tail with Ki in the most significant bytes; of the 160 bits of padding appended at the tail, the highest-order bit is '1' and the remaining bits are '0'; the 64-bit message length at the tail is '00000000 00000000 00000000 00000000 00000000 00000000 00000001 00100000', meaning the original message length is 288 bits. When computing Kc, Ki, RAND and SQN are concatenated head to tail; when computing the acknowledgement field, Kc, RAND and SQN are concatenated head to tail.
Fig. 7 is the flow chart of encryption of the data transmitted between the supervision center and the analysis equipment in the authentication process. The supervision center decrypts using the reverse process. To guarantee the reliability and security of the system, instruction requests, instruction request replies and connection release notifications are transmitted without encryption, while all other message frames are transmitted encrypted with AES, using the Kc negotiated during the supervision interface connection procedure as the encryption key. AES supports three key lengths, 128, 192 and 256 bits; a 192-bit key is used here. Since the Kc produced by SHA-1 is 160 bits, Bit0~Bit31 of Kc are appended after Kc to form the encryption key. The encryption and decryption process for information from the supervision center to the analysis equipment is identical to that for information from the analysis equipment to the supervision center.
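The connection setup of Fig. 3 and the SHA-1 and AES-192 key construction described above, as an added Python example that is not part of the patent: Ki, Password, RAND and the two identifiers are constructed sample values, and two simplifications are assumptions of this example, namely that the frame carries the SQN itself rather than the SQN group alias, and that the analysis equipment rejects any SQN not greater than the last one it accepted.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Optional

# Parameter sizes from the description: Ki 128, Password 128, SQN 32, RAND 56 bits.
KI_LEN, PASSWORD_LEN, SQN_LEN, RAND_LEN = 16, 16, 4, 7

def padded_block(msg: bytes) -> bytes:
    """Build the 512-bit SHA-1 input block exactly as the text describes: the
    message, a single 1 bit, zeros up to 448 bits, then the 64-bit big-endian
    original message length (0x120 = 288 for Ki||Password||SQN)."""
    assert len(msg) <= 55, "a single block, as in the description"
    return msg + b"\x80" + b"\x00" * (55 - len(msg)) + (8 * len(msg)).to_bytes(8, "big")

def sha1(*parts: bytes) -> bytes:
    """Concatenate the parameters head to tail and hash them. The padding above
    is SHA-1's standard padding, so hashlib applies it for us."""
    return hashlib.sha1(b"".join(parts)).digest()

def auth_field(ki: bytes, password: bytes, sqn: int) -> bytes:
    return sha1(ki, password, sqn.to_bytes(SQN_LEN, "big"))   # 288-bit input

def derive_kc(ki: bytes, rand: bytes, sqn: int) -> bytes:
    return sha1(ki, rand, sqn.to_bytes(SQN_LEN, "big"))       # 160-bit Kc

def ack_field(kc: bytes, rand: bytes, sqn: int) -> bytes:
    return sha1(kc, rand, sqn.to_bytes(SQN_LEN, "big"))

def aes192_key(kc: bytes) -> bytes:
    """Kc is 160 bits; AES-192 needs 192, so Bit0..Bit31 of Kc are appended."""
    return kc + kc[:4]

@dataclass
class Peer:
    ki: bytes                   # 128-bit secret identifying the supervision center
    password: bytes             # 128-bit access password held by both sides
    last_sqn: int = 0           # highest SQN used/accepted (assumed replay rule)
    kc: Optional[bytes] = None  # negotiated content-encryption key

def center_connect_request(center: Peer, center_id: str, device_id: str,
                           rand: Optional[bytes] = None) -> dict:
    """Step 1: fresh SQN and RAND, authentication field over Ki||Password||SQN.
    The SQN itself is carried here instead of the SQN group alias (assumption)."""
    center.last_sqn += 1
    rand = rand or os.urandom(RAND_LEN)
    return {"center_id": center_id, "device_id": device_id, "sqn": center.last_sqn,
            "rand": rand, "auth": auth_field(center.ki, center.password, center.last_sqn)}

def device_handle_request(device: Peer, req: dict) -> dict:
    """Step 2: authenticate the center, derive Kc and answer with the ack field."""
    if req["sqn"] <= device.last_sqn:
        return {"ok": False, "reason": "SQN not fresh (replay)"}
    expected = auth_field(device.ki, device.password, req["sqn"])
    if not hmac.compare_digest(expected, req["auth"]):   # constant-time compare
        return {"ok": False, "reason": "authentication of supervision center failed"}
    device.last_sqn = req["sqn"]
    device.kc = derive_kc(device.ki, req["rand"], req["sqn"])
    return {"ok": True, "ack": ack_field(device.kc, req["rand"], req["sqn"])}

def center_handle_reply(center: Peer, req: dict, reply: dict) -> bool:
    """Step 3: verify the ack field; keep Kc on success, otherwise release."""
    if not reply["ok"]:
        return False
    kc = derive_kc(center.ki, req["rand"], req["sqn"])
    if not hmac.compare_digest(ack_field(kc, req["rand"], req["sqn"]), reply["ack"]):
        return False
    center.kc = kc
    return True

def handshake(center: Peer, device: Peer, rand: Optional[bytes] = None) -> bool:
    """Run the three-message connection setup; True when both sides hold the same Kc."""
    req = center_connect_request(center, "SC-1", "PA-7", rand)   # constructed ids
    return center_handle_reply(center, req, device_handle_request(device, req))
```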
For those skilled in the art, various obvious changes made without departing from the spirit of the method of the invention and the scope of the claims all fall within the protection scope of the invention.

Claims (3)

1. A remote communication method for mobile Internet protocol analysis equipment, characterized in that the remote communication method comprises the following steps:
Step 1: the supervision center and the analysis equipment establish a connection, authenticate each other's identity, and negotiate the encryption key for the subsequent communication content;
Step 2: the supervision center sends 4 types of instruction request to the analysis equipment: set controlled object, cancel controlled object, query controlled object parameters, and list controlled objects;
Step 3: the analysis equipment responds to the instruction requests of the supervision center and sends 4 types of instruction request reply to the supervision center: set controlled object reply, cancel controlled object reply, query controlled object parameters reply, and list controlled objects reply;
Step 4: the analysis equipment periodically sends 8 types of controlled object activity event report to the supervision center: going online, going offline, MMS send/receive event, web browsing event, e-mail send event, e-mail receive event, VoIP communication event, and mobile streaming media playback event;
Step 5: the analysis equipment periodically sends data content reports of the controlled objects to the supervision center;
Step 6: the supervision center sends a connection release notification to the analysis equipment and initiates the release of the supervision interface connection.
2. The remote communication method for mobile Internet protocol analysis equipment according to claim 1, characterized in that timers are provided in the supervision center and in the analysis equipment: if the analysis equipment does not respond within the set time, the request is treated as failed; the supervision center scans the interface link for faults at a set period; the analysis equipment has a timer for periodically uploading activity events or intercepted data to the supervision center.
3. The remote communication method for mobile Internet protocol analysis equipment according to claim 1, characterized in that a point-to-multipoint server/client model based on the TCP/IP protocol is used between the supervision center and the analysis equipment, so that one supervision center can manage communication with many analysis equipments.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CNA2008100191643A CN101217765A (en) 2008-01-15 2008-01-15 A remote communication means for mobile Internet protocol analysis devices


Publications (1)

Publication Number Publication Date
CN101217765A true CN101217765A (en) 2008-07-09


Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103595722A (en) * 2013-11-18 2014-02-19 北京锐安科技有限公司 Data postback method and device in network safety
CN103595722B (en) * 2013-11-18 2017-02-22 北京锐安科技有限公司 Data postback method and device in network safety
CN108810859A (en) * 2018-05-20 2018-11-13 陈将 A kind of Bluetooth smart watch sound control method and system based on encryption function


Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C02 Deemed withdrawal of patent application after publication (patent law 2001)
WD01 Invention patent application deemed withdrawn after publication

Open date: 20080709