CN101420413B - Session cipher negotiating method, authentication server and network appliance - Google Patents


Publication number
CN101420413B
Authority
CN
China
Prior art keywords
entity
authentication
session
request
conversation request
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Expired - Fee Related
Application number
CN2007100310648A
Other languages
Chinese (zh)
Other versions
CN101420413A (en)
Inventor
金洪波
刘经及
朱贤
李朋
吕晓雨
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Huawei Technologies Co Ltd
Original Assignee
Huawei Technologies Co Ltd
Application filed by Huawei Technologies Co Ltd
Priority to CN2007100310648A
Publication of CN101420413A
Application granted
Publication of CN101420413B

Landscapes

  • Computer And Data Communications (AREA)

Abstract

The present invention discloses a session key negotiation method applied in a P2P network, comprising the following steps: receiving an authentication request from a session request entity; authenticating the session request entity and the session target entity, and, if the authentication succeeds, generating a session key for the session request entity and the session target entity; and returning an authentication response carrying the session key to the authentication request entity. The invention also discloses an authentication server, a session request entity, a session target entity and a P2P network. It provides a session key negotiation mechanism that is centralized, secure and easy to manage.

Description

Session key negotiation method, authentication server and network equipment
Technical field
The present invention relates to the field of network communication technology, and in particular to a session request entity, an authentication server, a session target entity, a P2P network and a session key negotiation method.
Background technology
Peer-to-peer (P2P) network technology is a current focus of research in international computer networking and is gaining increasing acceptance. A P2P network provides a method of resource sharing. In a P2P network environment, thousands upon thousands of interconnected computers all have equal status: each host may be a resource requester (Client) and may also be a resource provider (Server), able to respond to requests from other computers and to provide resources and services on its own. Each node in a peer-to-peer network can therefore be called a peer node (Peer).
P2P is a set of protocols related to SIP. It uses P2P technology to resolve the target (Resource) of a SIP request and provides SIP message transport and other SIP-related services. The Internet Engineering Task Force (IETF) set up a P2P working group on February 8, 2007. P2P technology can support many kinds of applications and may become the core protocol of many network systems. Some telecommunication equipment vendors have begun to pay attention to P2P technology and to study it. Typical applications of P2P include P2P VoIP and core networks, and it may become a key protocol in future telecommunication core networks.
Refer to Fig. 1, a schematic diagram of a typical structure of a prior-art P2P network based on the Session Initiation Protocol (SIP). It comprises interconnected peer nodes such as a user agent node (Proxy peer E), a redirect node (Redirect peer R), a relay node (Relay peer Q), a voice service node (VM peer S), a proxy node (Proxy peer P), a gateway node (Gateway peer G) and a firewall traversal node (STUN peer F).
To keep such a SIP-based P2P network secure, a corresponding security mechanism is needed. To this end, the draft [I-D.lowekamp-P2PSIP-dsip-security] proposes an end-to-end authentication mechanism for P2P networks based on shared keys. Each entity in the P2P network (node, user, resource) obtains a shared key (shared secret) in advance through an out-of-band mechanism (a delivery method outside the P2P network, such as telephone notification, word of mouth or mail). When an entity sends a message, it computes a value over the message fields (from/to/contact/date/call-id/cseq/message-body) with the shared key and the HMAC-SHA1 algorithm, places that value in the Identity authentication header field, and carries the algorithm parameters in the Identity-info header field. The message receiver recomputes the value over the message fields using the shared key it already knows and the algorithm parameters from the Identity-info header field; if the computed value equals the value carried in the Identity header field, verification passes. The receiver then replies with a response message whose Identity and Identity-info header fields are generated in the same way, the original sender verifies the response in the same way, and one session interaction between the two parties is complete.
The security mechanism specified in the draft [I-D.lowekamp-P2PSIP-dsip-security] is feasible to some degree in a small-scale network environment, but in a large-scale network environment, transferring and distributing shared keys through an out-of-band mechanism is insecure and hard to implement.
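The shared-key Identity check described in the background above, as an added example that is not taken from the patent or from the draft. The `alg=` syntax for Identity-info, the length-prefixed field encoding, the base64 encoding of the header value and the sample key and message are assumptions made for illustration.

```python
import base64
import hashlib
import hmac

# Fields the background section lists as covered by the Identity value.
SIGNED_FIELDS = ("from", "to", "contact", "date", "call-id", "cseq", "message-body")
# The verifier accepts only algorithms it knows; Identity-info cannot select anything else.
ALLOWED_ALGS = {"hmac-sha1": hashlib.sha1}


def canonical(msg):
    """Length-prefix every field so bytes cannot be moved between fields unnoticed."""
    parts = []
    for name in SIGNED_FIELDS:
        value = msg.get(name, "").encode()
        parts.append(len(value).to_bytes(4, "big") + value)
    return b"".join(parts)


def sign(msg, shared_key, alg="hmac-sha1"):
    """Sender side: add the Identity and Identity-info header fields."""
    digest = hmac.new(shared_key, canonical(msg), ALLOWED_ALGS[alg]).digest()
    out = dict(msg)
    out["identity"] = base64.b64encode(digest).decode()
    out["identity-info"] = "alg=" + alg  # assumed syntax
    return out


def verify(msg, shared_key):
    """Receiver side: recompute the value and compare in constant time."""
    info = msg.get("identity-info", "")
    alg = info[4:] if info.startswith("alg=") else ""
    if alg not in ALLOWED_ALGS or "identity" not in msg:
        return False
    try:
        received = base64.b64decode(msg["identity"], validate=True)
    except ValueError:
        return False
    expected = hmac.new(shared_key, canonical(msg), ALLOWED_ALGS[alg]).digest()
    return hmac.compare_digest(expected, received)


# Constructed sample message and key.
SAMPLE_KEY = b"constructed-out-of-band-secret"
SAMPLE_MSG = {
    "from": "sip:alice@example.org",
    "to": "sip:bob@example.org",
    "contact": "sip:alice@192.0.2.10",
    "date": "Thu, 08 Feb 2007 10:00:00 GMT",
    "call-id": "constructed-call-id-1",
    "cseq": "1 INVITE",
    "message-body": "v=0",
}

if __name__ == "__main__":
    signed = sign(SAMPLE_MSG, SAMPLE_KEY)
    print("valid message accepted:", verify(signed, SAMPLE_KEY))
    print("modified 'to' accepted:", verify(dict(signed, to="sip:eve@example.org"), SAMPLE_KEY))
```

Both parties need the same key before the first message, which is the distribution problem the background section raises for large networks.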
Summary of the invention
In view of this, the technical problem to be solved by the embodiments of the invention is to provide a session key negotiation method applied in a P2P network, so as to provide a centralized, secure and manageable session key negotiation mechanism in the P2P network.
To solve the above technical problem, an embodiment of the invention proposes a session key negotiation method, applied in a P2P network, comprising:
receiving an authentication request from a session request entity;
authenticating the session request entity and a session target entity, and, if the authentication succeeds, generating a session key for the session request entity and the session target entity;
returning an authentication response carrying the session key to the authentication request entity.
Correspondingly, an embodiment of the invention also proposes an authentication server, comprising:
an authentication request receiving unit, used to receive an authentication request from a session request entity;
an authentication unit, used to authenticate the session request entity and the session target entity after the authentication request receiving unit receives the authentication request and, after the authentication passes, to generate the session key for the session request entity and the session target entity;
an authentication response sending unit, used to send an authentication response carrying the session key to the session request entity.
Correspondingly, the invention also proposes a session request entity, comprising:
an authentication request unit, used to send an authentication request to the authentication server;
an authentication response receiving unit, used to receive the authentication response from the authentication server;
a session key acquiring unit, used to obtain the session key from the authentication response;
a session request unit, used to send a session request carrying authentication information to the session target entity.
Correspondingly, the invention proposes a session target entity, comprising:
a detecting unit, used to detect whether a session request from the session request entity carries authentication information;
a session key negotiation and acquisition unit, used to exchange information with the session request entity to obtain the session key when the detecting unit detects that the session request from the session request entity carries authentication information.
Correspondingly, the invention proposes a signature agent entity, comprising:
a detecting unit, used to detect whether a signature service request from the session request entity carries authentication information;
a session key acquiring unit, used to exchange information with the session request entity to obtain the session key when the detecting unit detects that the signature service request from the session request entity carries authentication information;
a ticket generation unit, used to generate, based on the session key, the signature ticket corresponding to the signature service request;
a sending unit, used to send the signature ticket to the session request entity.
Further, the invention also proposes a P2P network, characterized in that the P2P network comprises a session request entity, a session target entity and an authentication server, wherein:
the session request entity is used to send an authentication request to the authentication server, to obtain the session key from the authentication response after receiving the authentication response from the authentication server, and to send a session request carrying authentication information to the session target entity;
the authentication server is used to authenticate the session request entity and the session target entity after receiving the authentication request from the session request entity, to generate the session key for the session request entity and the session target entity after the authentication passes, and to send an authentication response carrying the session key to the session request entity;
the session target entity is used to exchange information with the session request entity to obtain the session key when it detects that the session request from the session request entity carries authentication information.
By implementing the embodiments of the invention, an authentication server is added to the P2P network and authenticates the session request entity and the session target entity. After the authentication passes, it generates the session key for the two entities, which then conduct their session based on this session key. This guarantees the security of the session key negotiation process in the P2P network and provides a centralized, secure and manageable session key negotiation mechanism in the P2P network.
Description of drawings
Fig. 1 is a schematic diagram of a typical structure of a prior-art P2P network;
Fig. 2 is a schematic diagram of the composition of a P2P network according to an embodiment of the invention;
Fig. 3 is a schematic diagram of the composition of an authentication server according to an embodiment of the invention;
Fig. 4 is a schematic diagram of the composition of a session request entity according to an embodiment of the invention;
Fig. 5 is a schematic diagram of the composition of a session target entity according to an embodiment of the invention;
Fig. 6 is a schematic diagram of the composition of a signature agent entity according to an embodiment of the invention;
Fig. 7 is a schematic flowchart of session key negotiation according to an embodiment of the invention;
Fig. 8 is a schematic flowchart of a P2P node joining according to an embodiment of the invention;
Fig. 9 is a schematic flowchart of a first embodiment of user registration according to the invention;
Fig. 10 is a schematic flowchart of a second embodiment of user registration according to the invention;
Fig. 11 is a schematic diagram of the call flow according to an embodiment of the invention;
Fig. 12 is a schematic flowchart of service registration according to an embodiment of the invention;
Fig. 13 is a schematic flowchart of a user applying for a value-added service according to an embodiment of the invention;
Fig. 14 is a schematic flowchart of the calling party leaving a message in the VM voice service according to an embodiment of the invention;
Fig. 15 is a schematic flowchart of the called party listening to messages in the VM voice service according to an embodiment of the invention.
Embodiment
The P2P network described in the following embodiments of the invention is a P2P network based on the Session Initiation Protocol (SIP). Those skilled in the art should understand that this is only one specific implementation, and that a P2P network as described in the embodiments of the invention that is implemented on other existing protocols, or on new protocols that may appear in the future, also falls within the scope of protection claimed by the invention. To make the technical solutions and advantages of the invention clearer, the embodiments are described in further detail below with reference to the accompanying drawings.
Refer to Fig. 2, a schematic diagram of the composition of a P2P network according to an embodiment of the invention. As shown in the figure, the P2P network mainly comprises a session request entity 32, a session target entity 33 and an authentication server 31, wherein:
The session request entity 32 is used to send an authentication request to the authentication server 31, to obtain the session key from the authentication response after receiving the authentication response from the authentication server 31, and to send a session request carrying authentication information to the session target entity 33.
The authentication server 31 is used to authenticate the session request entity 32 and the session target entity 33 after receiving the authentication request from the session request entity 32, to generate the session key for the session request entity 32 and the session target entity 33 after the authentication passes, and to send an authentication response carrying the session key to the session request entity 32.
The session target entity 33 is used to exchange information with the session request entity to obtain the session key when it detects that the session request from the session request entity 32 carries authentication information.
Refer to Fig. 3, a schematic diagram of the composition of an authentication server according to an embodiment of the invention. The authentication server mainly comprises:
An authentication request receiving unit 311, used to receive the authentication request from the session request entity 32.
Here, the authentication request carries the session request entity identification information and the session target entity identification information, where the identification information uniquely identifies a P2P node in the P2P network. In a specific implementation, the authentication request message comprises the following information:
IDa||IDb||N
-IDa: session request entity identification information
-IDb: session target entity identification information
-N: random number or sequence number, used to identify this authentication request; the returned authentication response message must contain this number, to prevent messages from being replayed (this number has the same meaning in subsequent messages).
An authentication unit 312, used to authenticate the session request entity and the session target entity after the authentication request receiving unit receives the authentication request and, after the authentication passes, to generate the session key for the session request entity and the session target entity.
In a specific implementation, the authentication request carries the session request entity identification information and the session target entity identification information, and the authentication unit 312 mainly comprises:
An identification information obtaining unit 3121, used to obtain the session request entity identification information and the session target entity identification information from the authentication request received by the authentication request receiving unit 311.
An authentication execution unit 3122, used to judge, from the session request entity identification information and the session target entity identification information, whether the session request entity 32 and the session target entity 33 are registered P2P entities and, if so, to generate the session key for the session request entity 32 and the session target entity 33.
Here, in a specific implementation, the authentication server stores the identification information of each P2P entity that belongs to it, together with the corresponding key shared between the authentication server and that P2P entity. To judge whether the session request entity 32 is a registered P2P entity, the authentication server looks up whether it holds the session request entity identification information (IDa). In the same way, it determines whether the session target entity is a registered P2P entity by looking up whether it holds the session target entity identification information (IDb). Only when the authentication execution unit 3122 determines that both the session request entity 32 and the session target entity 33 are registered P2P entities does it assign the session key for the session request entity 32 and the session target entity 33.
An authentication ticket generation unit 3123, used to generate the first authentication ticket with the key shared with the session request entity 32 and to generate the second authentication ticket with the key shared with the session target entity 33.
Here, in a specific implementation, the first authentication ticket is as follows:
E_Ka[Ks||IDb||N||T||L]
-Ks: the session key of the session request entity and the session target entity
-IDb: session target entity identification information
-N: random number or sequence number, used to identify the authentication server's response to the session request entity
-T: timestamp
-L: validity period of the session key
-E_Ka denotes encrypting [Ks||IDb||N||T||L] with the key Ka shared between the session request entity and the authentication server
The second authentication ticket is as follows:
E_Kb[Ks||IDa||T||L]
-Ks: the session key of the session request entity and the session target entity
-IDa: session request entity identification information
-T: timestamp
-L: validity period of the session key
-E_Kb denotes encrypting [Ks||IDa||T||L] with the key Kb shared between the session target entity and the authentication server
An authentication response sending unit 313, used to send the authentication response carrying the session key to the session request entity 32.
Here, the authentication response carries the first authentication ticket and the second authentication ticket. In a specific implementation, the authentication response comprises the following information:
E_Ka[Ks||IDb||N||T||L]||E_Kb[Ks||IDa||T||L]
-E_Ka[Ks||IDb||N||T||L] is the first authentication ticket described above
-E_Kb[Ks||IDa||T||L] is the second authentication ticket described above
Refer to Fig. 4, a schematic diagram of the composition of a session request entity according to an embodiment of the invention. The session request entity mainly comprises:
An authentication request unit 321, used to send an authentication request to the authentication server 31.
Here, the authentication request is the same as described above and is not repeated.
An authentication response receiving unit 322, used to receive the authentication response from the authentication server 31.
Here, the authentication response is the same as described above and is not repeated.
A session key acquiring unit 323, used to obtain the session key from the authentication response.
Here, in a specific implementation, the session key acquiring unit 323 decrypts the first authentication ticket E_Ka[Ks||IDb||N||T||L] with the key Ka shared with the authentication server to obtain the session key Ks; at the same time it obtains the session target entity identification IDb, the random number N, the timestamp T and the session key validity period L.
A session request unit 324, used to send a session request carrying authentication information to the session target entity.
Here, the authentication information is as follows:
IdentityA||Identity-info
where IdentityA is the authentication header field generated by encrypting the fields of the session request message with the session key Ks, and Identity-info carries the encryption-algorithm information used when IdentityA was generated with Ks; that is, the Identity-info header field tells the session target entity which algorithm was used when IdentityA was generated with Ks.
Refer to Fig. 5, a schematic diagram of the composition of a session target entity according to an embodiment of the invention. The session target entity mainly comprises:
A detecting unit 331, used to detect whether the session request from the session request entity carries authentication information.
Here, when the detecting unit 331 detects that the session request from the session request entity does not carry authentication information, that is, does not carry the IdentityA authentication header field, it rejects the session request directly and states in the rejection response that the session request was rejected because it did not carry the IdentityA authentication header field.
A session key negotiation and acquisition unit 332, used to exchange information with the session request entity to obtain the session key when the detecting unit 331 detects a session request made with the session key.
Here, when the detecting unit 331 detects that the session request from the session request entity carries the IdentityA authentication header field, it obtains the encryption-algorithm information carried in the Identity-info header field of the session request. Because the session target entity does not at this point know the decryption key Ks corresponding to the IdentityA authentication header field, the session key negotiation and acquisition unit 332 exchanges information with the session request entity to obtain the second authentication ticket, and then decrypts it with the key Kb shared between the session target entity 33 and the authentication server 31 to obtain the session key Ks. The detailed process is described further below.
Referring to Fig. 2, to further provide integrity protection for resources in the P2P network, the embodiment of the invention also provides a trusted signature agent entity that acts as the trusted node for signing resources. The signature agent entity 34 is used, after receiving a signature service request made with the session key from the session request entity 32, to exchange information with the session request entity 32, obtain the session key, generate the signature ticket corresponding to the signature service request, and return this signature ticket to the session request entity 32.
Here, the session key between the session request entity 32 and the signature agent entity 34 is the same as the session key between the session request entity 32 and the session target entity 33. Like the session request that the session request entity 32 sends to the session target entity 33, the signature service request that the session request entity 32 sends to the signature agent entity 34 carries the following authentication information:
IdentityA||Identity-info
where IdentityA is the authentication header field generated by encrypting the contents of the fields of the signature request message with the session key Ks, and Identity-info carries the encryption-algorithm information used when IdentityA was generated with Ks; that is, the Identity-info header field tells the signature agent entity which algorithm was used when IdentityA was generated with Ks.
This is similar to the way the session target entity 33 obtains the session key Ks by obtaining the second authentication ticket from the session request entity 32 and decrypting it. When the signature agent entity 34 needs to be brought into the session, the request that the session request entity 32 sends to the authentication server 31 further carries the signature agent entity identification information (IDc) of the signature agent entity 34. The authentication server 31 then determines whether the signature agent entity 34 is a registered P2P entity by looking up whether it holds the signature agent entity identification information (IDc), generates a third authentication ticket, and further carries this third authentication ticket in the authentication response. The signature agent entity 34 obtains the third authentication ticket from the session request entity and decrypts it to obtain the session key Ks. In general, the key negotiation mechanism between the signature agent entity 34 and the authentication server 31 is based on the Rivest-Shamir-Adleman (RSA) algorithm. In a specific implementation, the third authentication ticket is as follows:
Ticket_ac = E_KRas[H(E_KUc[Ks||IDa||T||L])]
-Ks: the session key of the session request entity and the signature agent entity
-IDa: session request entity identification information
-T: timestamp
-L: validity period of the session key
-E_KUc denotes encrypting [Ks||IDa||T||L] with the public key of the signature agent entity c
-E_KRas[H(E_KUc[Ks||IDa||T||L])] denotes the signature, made with the private key of the authentication server AS, over E_KUc[Ks||IDa||T||L]
After receiving a signature service request carrying IdentityA||Identity-info, the signature agent entity 34 obtains the third authentication ticket Ticket_ac from the session request entity 32 and decrypts it to obtain the session key Ks. It then decrypts IdentityA with the algorithm identified in the Identity-info header field and the session key Ks, which completes the verification of the identity legitimacy of the session request entity 32. It signs the registration information of the session request entity 32 with its own private key to generate an Identity header field and adds an Identity-info header field that identifies the location of the certificate. The user registration message, the Identity header field and the Identity-info header field together constitute the Resource Ticket (resource signature ticket).
Refer to Fig. 6, a schematic diagram of the composition of a signature agent entity according to an embodiment of the invention. In a specific implementation, the signature agent entity 34 of the invention comprises:
A detecting unit 341, used to detect whether the signature service request from the session request entity carries authentication information.
A session key acquiring unit 342, used to exchange information with the session request entity to obtain the session key when the detecting unit detects that the signature service request from the session request entity carries authentication information.
A ticket generation unit 343, used to generate, based on the session key, the signature ticket corresponding to the signature service request.
A sending unit 344, used to return this signature ticket to the session request entity.
Refer to Fig. 7, a schematic flowchart of session key negotiation according to an embodiment of the invention. The flow is mainly the communication between the session request entity, the authentication server and the session target entity. The authentication server stores and manages the keys of the P2P nodes; in this embodiment these keys are the keys shared between each P2P node and the authentication server. The flow is as follows:
Step s50101: the session request entity sends an authentication request to the authentication server.
Here, the authentication request carries the session request entity identification information and the session target entity identification information, where the identification information uniquely identifies a P2P node in the P2P network. In a specific implementation, the authentication request message comprises the following information:
IDa||IDb||N
-IDa: session request entity identification information
-IDb: session target entity identification information
-N: random number or sequence number, used to identify this authentication request; the returned authentication response message must contain this number, to prevent messages from being replayed (this number has the same meaning in subsequent messages).
Step s50102: the authentication server authenticates the session request entity and the session target entity. After the authentication passes, it generates the session key for the session request entity and the session target entity, encrypts the session key with the shared key Ka to generate the first authentication ticket, and encrypts the session key with the shared key Kb to generate the second authentication ticket.
Here, the shared key Ka is the key shared between the session request entity and the authentication server, and the shared key Kb is the key shared between the session target entity and the authentication server. In a specific implementation, the authentication server stores the identification information of each P2P entity that belongs to it, together with the corresponding key shared between the authentication server and that P2P entity. The authentication server authenticates the session request entity by looking up whether it holds the session request entity identification information (IDa), which determines whether the session request entity is a registered P2P entity. In the same way, it determines whether the session target entity is a registered P2P entity by looking up whether it holds the session target entity identification information (IDb). Only when both the session request entity and the session target entity are determined to be registered P2P entities does the authentication server assign the session key Ks for the session request entity and the session target entity.
In a specific implementation, the first authentication ticket is as follows:
E_Ka[Ks||IDb||N||T||L]
-Ks: the session key of the session request entity and the session target entity
-IDb: identification information of the session target entity
-N: random number or sequence number, used to identify the authentication server's response to the session request entity
-T: timestamp
-L: validity period of the session key
-E_Ka denotes encryption of [Ks||IDb||N||T||L] with the shared key Ka of the session request entity and the authentication server
The second authentication ticket is as follows:
E_Kb[Ks||IDa||T||L]
-Ks: the session key of the session request entity and the session target entity
-IDa: identification information of the session request entity
-T: timestamp
-L: validity period of the session key
-E_Kb denotes encryption of [Ks||IDb||N||T||L] with the shared key Kb of the session target entity and the authentication server
Step s50103, the authentication server sends an authentication response to the session request entity. The authentication response carries the following information:
E_Ka[Ks||IDb||N||T||L]||E_Kb[Ks||IDa||T||L]
Where:
-E_Ka[Ks||IDb||N||T||L] is the first authentication ticket described above
-E_Kb[Ks||IDa||T||L] is the second authentication ticket described above
Step s50104, after receiving the authentication response, the session request entity decrypts the first authentication ticket E_Ka[Ks||IDb||N||T||L] with shared key Ka and obtains the session key Ks.
Here, decrypting the first authentication ticket yields, in addition to the session key Ks, the session target entity identifier IDb, the random number N, the timestamp T and the session lifetime value L. Obtaining the session target entity identifier IDb confirms the identity of the session target entity.
Step s50105, the session request entity sends a session request carrying authentication information to the session target entity. The authentication information is as follows:
IdentityA||Identity-info
Here, IdentityA is the authentication header field generated by encrypting the session request content with the session key Ks. Identity-info carries information about the encryption algorithm used when IdentityA was generated with Ks; that is, the Identity-info header field tells the session target entity which algorithm was used when encrypting with Ks to generate IdentityA.
Step s50106, when the session target entity detects that the session request from the session request entity carries the authentication information, it sends a ticket acquisition request to said session target entity.
Here, in a specific implementation, the ticket acquisition request is carried in a Subscribe message.
Step s50107, after receiving the ticket acquisition request from the session target entity, the session request entity sends the second authentication ticket to said session request entity.
Here, in a specific implementation, the second authentication ticket is carried in a Notify message.
The Subscribe message and the Notify message come from the event notification mechanism specification, based on the Session Initiation Protocol, that the SIP working group of the Internet Engineering Task Force (IETF) proposed by extending the basic Session Initiation Protocol. The embodiments of the invention implement the subscription and notification of authentication tickets on top of this event notification mechanism; wherever Subscribe and Notify messages appear in the descriptions below, they serve the same or a similar purpose. Those skilled in the art will recognize that steps s50105, s50106 and s50107 together deliver to the session target entity the session request encrypted with the session key Ks and the authentication ticket carrying the session key Ks. Other implementations that achieve this basic purpose therefore also fall within the scope of protection claimed by the invention.
Step s50108, the session target entity decrypts the second authentication ticket with shared key Kb and obtains the session key.
Here, decrypting the second authentication ticket yields, in addition to the session key Ks, the session request entity identifier IDa, the timestamp T and the session lifetime value L. Obtaining the session request entity identifier IDa lets the session target entity trust that the second authentication ticket was sent to the session request entity after the authentication server verified the session request entity's identity; that is, it confirms that the session request entity is a P2P entity authenticated by the authentication server.
Step s50109, the session target entity sends a confirmation response (Identity) to the session request entity.
Here, the confirmation response is likewise a message that carries the Identity header field and is encrypted with Ks, which ensures the security of the session.
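The ticket exchange of steps s50102 to s50108, as an added Python example that is not part of the patent text: the authentication server checks both identifiers against its registry and issues the two tickets, and each recipient validates what it decrypts. The patent names no cipher or encoding, so the HMAC-SHA256 encrypt-then-MAC stand-in for E_K, the JSON field encoding, the T/L freshness check, the clock-skew allowance and all function names are assumptions.

```python
import hashlib
import hmac
import json
import os
import time


def _subkey(key: bytes, label: bytes) -> bytes:
    # Separate encryption and MAC keys derived from one shared key.
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(key: bytes, iv: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, iv + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, fields: dict) -> bytes:
    """Stand-in for E_K[...] (assumption): HMAC-SHA256 keystream plus a MAC tag."""
    plain = json.dumps(fields, sort_keys=True).encode()
    iv = os.urandom(16)
    stream = _keystream(_subkey(key, b"enc"), iv, len(plain))
    ct = bytes(p ^ s for p, s in zip(plain, stream))
    tag = hmac.new(_subkey(key, b"mac"), iv + ct, hashlib.sha256).digest()
    return iv + ct + tag


def unseal(key: bytes, blob: bytes) -> dict:
    """Verify the tag before decrypting; reject wrong keys and modified tickets."""
    if len(blob) < 48:
        raise ValueError("ticket too short")
    iv, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    good = hmac.new(_subkey(key, b"mac"), iv + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, good):
        raise ValueError("ticket rejected: wrong key or modified in transit")
    stream = _keystream(_subkey(key, b"enc"), iv, len(ct))
    return json.loads(bytes(c ^ s for c, s in zip(ct, stream)))


class AuthServer:
    def __init__(self, registry: dict):
        self.registry = registry  # entity ID -> key shared with the server

    def issue(self, id_a, id_b, n, now=None, lifetime=300):
        # s50102: both identifiers must belong to registered P2P entities.
        for ident in (id_a, id_b):
            if ident not in self.registry:
                raise PermissionError(f"{ident} is not a registered P2P entity")
        t = int(time.time() if now is None else now)
        ks = os.urandom(32).hex()
        # First ticket E_Ka[Ks||IDb||N||T||L], second ticket E_Kb[Ks||IDa||T||L].
        first = seal(self.registry[id_a],
                     {"Ks": ks, "ID": id_b, "N": n, "T": t, "L": lifetime})
        second = seal(self.registry[id_b],
                      {"Ks": ks, "ID": id_a, "T": t, "L": lifetime})
        return first, second


def _check_fresh(fields: dict, now: float, skew: int = 30) -> None:
    # Assumed receiver-side use of T and L: accept only inside [T - skew, T + L].
    if not fields["T"] - skew <= now <= fields["T"] + fields["L"]:
        raise ValueError("ticket outside its validity period")


def requester_open(ka, ticket1, id_b, n, now):
    # s50104: the echoed N ties the response to this request; IDb names the peer.
    fields = unseal(ka, ticket1)
    if fields["ID"] != id_b or fields["N"] != n:
        raise ValueError("response does not match the outstanding request")
    _check_fresh(fields, now)
    return bytes.fromhex(fields["Ks"])


def target_open(kb, ticket2, claimed_id_a, now):
    # s50108: IDa inside the ticket must match the entity presenting it.
    fields = unseal(kb, ticket2)
    if fields["ID"] != claimed_id_a:
        raise ValueError("ticket was issued for a different requester")
    _check_fresh(fields, now)
    return bytes.fromhex(fields["Ks"])


if __name__ == "__main__":
    KA, KB = os.urandom(32), os.urandom(32)  # constructed shared keys
    server = AuthServer({"IDa": KA, "IDb": KB})
    nonce = os.urandom(8).hex()
    t1, t2 = server.issue("IDa", "IDb", nonce)
    ks_a = requester_open(KA, t1, "IDb", nonce, time.time())
    ks_b = target_open(KB, t2, "IDa", time.time())
    print("both sides hold the same Ks:", ks_a == ks_b)
```

Because the second ticket is sealed under Kb, the session request entity can only relay it; the session target entity's trust in IDa rests on the authentication server being the only other holder of Kb.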
Referring to Figure 8, a schematic flow chart of a P2P node joining, according to an embodiment of the invention. In this embodiment, node E is the session request entity, which requests to join the P2P network; node D is the session target entity, responsible for registering node E's joining; and AS is the authentication server. This embodiment describes the process by which a P2P entity joins and registers with the P2P network, detailed below.
Step s50201, node E sends a Register request to node G.
Step s50202, node G finds that node E is not a P2P entity whose registration it is responsible for, and returns a 302 redirect message to node E.
Here, the 302 redirect message tells node E which P2P entity it should send its registration request to.
Step s50203, node E sends a Register request to node D.
Step s50204, node D sends a 401 Unauthorized response to node E, informing node E that it must carry authentication ticket information the next time it registers.
Step s50205, node E sends an authentication request to node D. The authentication request carries the following information:
IDe||IDd||N
-IDe: the identification information of node E
-IDd: the identification information of node D
-N: a random number or sequence number that identifies this authentication request. The returned authentication response message must contain the same number, which prevents message replay.
Step s50206, the authentication server authenticates node E and node D. After authentication succeeds, it generates the session key Ks of node E and node D, encrypts the session key Ks with shared key Ke to generate the first authentication ticket, and encrypts the session key with shared key Kd to generate the second authentication ticket.
In a specific implementation, the first authentication ticket is as follows:
E_Ke[Ks||IDd||N||T||L]
-Ks: the session key of node E and node D
-IDd: the identification information of node D
-N: random number or sequence number, used to identify the authentication server's response to the session request entity
-T: timestamp
-L: validity period of the session key
-E_Ke denotes encryption of [Ks||IDd||N||T||L] with the shared key Ke of node E and the authentication server
The second authentication ticket is as follows:
E_Kd[Ks||IDe||T||L]
-Ks: the session key of node E and node D
-IDe: the identification information of node D
-T: timestamp
-L: validity period of the session key
-E_Kd denotes encryption of [Ks||IDe||N||T||L] with the shared key Kd of node D and the authentication server
Step s50207, the authentication server sends an authentication response to node E. The authentication response carries the following information:
E_Ke[Ks||IDd||N||T||L]||E_Kd[Ks||IDe||T||L]
Where:
-E_Ke[Ks||IDd||N||T||L] is the first authentication ticket described above
-E_Kd[Ks||IDe||T||L] is the second authentication ticket described above
Step s50208, node E decrypts the first authentication ticket with shared key Ke and obtains the session key Ks.
Step s50209, node E sends a Register request carrying IdentityE to node D.
Step s50210, node D sends a Subscribe message to node E, requesting the second authentication ticket (E_Kd[Ks||IDe||T||L]).
Step s50211, node E sends a Notify message carrying the second authentication ticket (E_Kd[Ks||IDe||T||L]) to node D.
Step s50212, node D decrypts the second authentication ticket with shared key Kd, obtains the session key Ks, decrypts IdentityE with the session key Ks to obtain the content of the register request, and accepts node E's request to join and register.
Step s50213, node D sends node E a join confirmation response 200 OK carrying IdentityD, indicating that node D allows node E to join. On receiving the confirmation response 200 OK, node E can verify node D's identity from IdentityD.
Step s50214, node D sends a Register IdentityD message to node E to inform node E of the routing information. On receiving the Register IdentityD message, node E can verify node D's identity from IdentityD.
Step s50215, node E sends a confirmation response 200 OK IdentityD to node D.
Referring to Figure 9, a schematic flow chart of the first embodiment of user registration according to the invention. In this embodiment, user A is the session request entity, which requests to register with and join the P2P network; node P is the session target entity, responsible for registering user A's joining; and AS is the authentication server. This embodiment describes the process by which a user joins and registers with the P2P network. To prevent malicious nodes from modifying registered resources, the flow introduces a trusted third-party signing service agent entity that provides integrity protection by signing resources; node C is the signing service agent entity in this embodiment. The flow is described in detail below.
Step s50301, user A sends a Register request to node E, requesting to look up the node that stores the resource.
Step s50302, node E finds that it is not the resource-storing node for user A, and sends a 302 redirect message to user A indicating to whom the user should send the next Register request.
Step s50303, following the 302 redirect message from node E, user A sends a Register request to node G, requesting to look up the node that stores the resource.
Step s50304, node G finds that it is still not the resource-storing node for user A, and sends a 302 redirect message to user A indicating to whom the user should send the next Register request.
Step s50305, following the 302 redirect message from node G, user A sends a Register request to node P, requesting to look up the node that stores the resource.
Step s50306, node P finds that it stores user A's resource, that is, node P is the node responsible for user A's registration, so it sends a confirmation response 200 OK to user A.
Step s50307, user A sends a Register request to node C, requesting to look up the node that stores the resource.
Step s50308, node C finds that it stores user A's resource, that is, node A is a user for which node C itself is responsible for the signing service, and node C sends a confirmation response 200 OK to user A.
Step s50309, user A sends an authentication request to the authentication server. The authentication request carries the following information:
IDa||IDp||IDc||N
-IDa: the identification information of user A
-IDp: the identification information of node P
-IDc: the identification information of node C
-N: a random number or sequence number that identifies this authentication request. The returned authentication response message must contain the same number, which prevents message replay.
Step s50310, the authentication server authenticates user A, node P and node C. After authentication succeeds, it generates the session key Ks of user A and node P, node C, encrypts the session key Ks with shared key Ka to generate the first authentication ticket, encrypts the session key with shared key Kp to generate the second authentication ticket, and generates the third authentication ticket based on an asymmetric key mechanism.
In a specific implementation, the first authentication ticket is as follows:
E_Ka[Ks||IDp||N||T||L]
-Ks: the session key of user A and node P, node C
-IDp: the identification information of node P
-N: random number or sequence number, used to identify the authentication server's response to the session request entity
-T: timestamp
-L: validity period of the session key
-E_Ka denotes encryption of [Ks||IDp||N||T||L] with the shared key Ka of the user and the authentication server
The second authentication ticket is as follows:
E_Kp[Ks||IDa||T||L]
-Ks: the session key of user A and node P, node C
-IDa: the identification information of user A
-T: timestamp
-L: validity period of the session key
-E_Kp denotes encryption of [Ks||IDa||T||L] with the shared key Kp of node P and the authentication server
The third authentication ticket is as follows:
Ticket_ac=E_KRas[H(E_KUc[Ks||IDa||T||L])]
-Ks: the session key of the session request entity and the session target entity
-IDa: identification information of the session request entity
-T: timestamp
-L: validity period of the session key
-E_KUc denotes encryption of [Ks||IDa||T||L] with the public key of the signing agent entity, node C
-E_KRas[H(E_KUc[Ks||IDa||T||L])] denotes signing (E_KUc[Ks||IDa||T||L]) with the private key of the authentication server AS
Step s50311, user A decrypts the first authentication ticket with shared key Ka and obtains the session key Ks.
Step s50312, user A sends a signing service request carrying IdentityA to node C. The signing service request carries the user registration information (the object that needs signature protection) that user A addresses to node P.
Step s50313, node C sends a Subscribe message to user A, requesting the third authentication ticket (Ticket_ac=E_KRas[H(E_KUc[Ks||IDa||T||L])]).
Step s50314, user A sends a Notify message carrying the third authentication ticket (E_Kd[Ks||IDe||T||L]) to node C.
Step s50315, node C decrypts the third authentication ticket, obtains the session key Ks, decrypts IdentityA with the session key Ks, and completes the verification of the legitimacy of user A's identity. It then signs the user registration information with its own private key to generate the Identity header field, and adds an Identity-info header field giving the location of its identity certificate. The user registration message, the Identity header field and the Identity-info header field together constitute the Resource Ticket (resource signature ticket).
Step s50316, node C sends user A a confirmation response 200 OK carrying the Resource Ticket, where the Resource Ticket is included in the confirmation response 200 OK message in tunnel mode.
Step s50317, user A sends a register request carrying IdentityA and the Resource Ticket to node P.
Step s50318, node P sends a Subscribe message to user A, requesting the second authentication ticket (E_Kp[Ks||IDa||T||L]).
Step s50319, user A sends node P a Notify message carrying the second authentication ticket (E_Kp[Ks||IDa||T||L]).
Step s50320, node P decrypts the second authentication ticket with shared key Kp, obtains the session key Ks, decrypts IdentityA with the session key Ks to obtain the content of the register request, and accepts user A's request to join and register.
Step s50321, node P sends a confirmation response 200 OK IdentityP to user A.
Referring to Figure 10, a schematic flow chart of the second embodiment of user registration according to the invention. This embodiment differs from the first embodiment of user registration in that user A's query for the resource-storing node is carried out through its agent node E. The flow is described in detail below.
Step s50401, user A sends a Register request to node E, requesting to look up the node that stores the resource.
Step s50402, node E finds that it is not the resource-storing node for user A, so on behalf of user A it sends a Register request to node G, requesting to look up the node that stores the resource.
Step s50403, node G finds that it is still not the resource-storing node for user A, and sends a 302 redirect message to node E indicating to whom node E should send the next Register request.
Step s50404, following the 302 redirect message from node G, node E sends a Register request to node P, requesting to look up the node that stores the resource.
Step s50405, node P finds that it stores user A's resource, that is, node P is the node responsible for user A's registration, so it sends a confirmation response 200 OK to node E.
Step s50406, node E sends a confirmation response 200 OK to user A.
Step s50407, user A sends a Register request to node E, requesting to look up the node that stores the resource.
Step s50408, user A sends a Register request to node C, requesting to look up the node that stores the resource.
Step s50409, node C finds that it stores user A's resource, that is, node A is a user for which node C itself is responsible for the signing service, and node C sends a confirmation response 200 OK to user A.
Step s50410, node E forwards the confirmation response 200 OK from node C to user A.
Step s50411, user A sends an authentication request to the authentication server. The authentication request carries the following information:
IDa||IDp||IDc||N
-IDa: the identification information of user A
-IDp: the identification information of node P
-IDc: the identification information of node C
-N: a random number or sequence number that identifies this authentication request. The returned authentication response message must contain the same number, which prevents message replay.
Step s50412, the authentication server authenticates user A, node P and node C. After authentication succeeds, it generates the session key Ks of user A and node P, node C, encrypts the session key Ks with shared key Ka to generate the first authentication ticket, encrypts the session key with shared key Kp to generate the second authentication ticket, and generates the third authentication ticket based on an asymmetric key mechanism.
In a specific implementation, the first authentication ticket is as follows:
E_Ka[Ks||IDp||N||T||L]
-Ks: the session key of user A and node P, node C
-IDp: the identification information of node P
-N: random number or sequence number, used to identify the authentication server's response to the session request entity
-T: timestamp
-L: validity period of the session key
-E_Ka denotes encryption of [Ks||IDp||N||T||L] with the shared key Ka of the user and the authentication server
The second authentication ticket is as follows:
E_Kp[Ks||IDa||T||L]
-Ks: the session key of user A and node P, node C
-IDa: the identification information of user A
-T: timestamp
-L: validity period of the session key
-E_Kp denotes encryption of [Ks||IDa||T||L] with the shared key Kp of node P and the authentication server
The third authentication ticket is as follows:
Ticket_ac=E_KRas[H(E_KUc[Ks||IDa||T||L])]
-Ks: the session key of the session request entity and the session target entity
-IDa: identification information of the session request entity
-T: timestamp
-L: validity period of the session key
-E_KUc denotes encryption of [Ks||IDa||T||L] with the public key of the signing agent entity, node C
-E_KRas[H(E_KUc[Ks||IDa||T||L])] denotes signing (E_KUc[Ks||IDa||T||L]) with the private key of the authentication server AS
Step s50413, user A decrypts the first authentication ticket with shared key Ka and obtains the session key Ks.
Step s50414, user A sends a signing service request carrying IdentityA to node C. The signing service request carries the user registration information (the object that needs signature protection) that user A addresses to node P.
Step s50415, node C sends a Subscribe message to user A, requesting the third authentication ticket (Ticket_ac=E_KRas[H(E_KUc[Ks||IDa||T||L])]).
Step s50416, user A sends a Notify message carrying the third authentication ticket (E_Kd[Ks||IDe||T||L]) to node C.
Step s50417, node C decrypts the third authentication ticket, obtains the session key Ks, decrypts IdentityA with the session key Ks, and completes the verification of the legitimacy of user A's identity. It then signs the user registration information with its own private key to generate the Identity header field, and adds an Identity-info header field giving the location of its identity certificate. The user registration message, the Identity header field and the Identity-info header field together constitute the Resource Ticket (resource signature ticket).
Step s50418, node C sends user A a confirmation response 200 OK carrying the Resource Ticket, where the Resource Ticket is included in the confirmation response 200 OK message in tunnel mode.
Step s50419, user A sends a register request carrying IdentityA and the Resource Ticket to node P.
Step s50420, node P sends a Subscribe message to user A, requesting the second authentication ticket (E_Kp[Ks||IDa||T||L]).
Step s50421, user A sends node P a Notify message carrying the second authentication ticket (E_Kp[Ks||IDa||T||L]).
Step s50422, node P decrypts the second authentication ticket with shared key Kp, obtains the session key Ks, decrypts IdentityA with the session key Ks to obtain the content of the register request, and accepts user A's request to join and register.
Step s50423, node P sends a confirmation response 200 OK IdentityP to user A.
Referring to Figure 11, a schematic diagram of the call flow of an embodiment of the invention. The call flow is similar to the user registration flow of the invention and likewise has two variants: one in which the user itself is responsible for querying the session target node (similar to the first embodiment of user registration, corresponding to Figure 9), and one in which an agent node is responsible for querying the session node (similar to the second embodiment of user registration, corresponding to Figure 10). The call flow is the process, in a P2P network, by which a user initiates a query for a session object and, after finding the session object, establishes the session. This embodiment takes the agent-node variant as an example; the call flow is described as follows:
Step s50501, user A sends a Register request to agent node E, requesting a query for the session object.
Step s50502, agent node E queries the session object on behalf of user A, sending a Register request to node P to request the query.
Step s50503, node P finds that it is not the session object that user A wants to query, and sends a 302 redirect message to node E indicating to whom the user should send the next Register request.
Step s50504, following the 302 redirect message from node P, agent node E sends a Register request to node R, requesting a query for the session object.
Step s50505, node R finds that it is the agent node storing the session object being queried, user C, so it sends a confirmation response 200 OK to agent node E. Besides the Contact header field, this confirmation response 200 OK must also carry the Resource Ticket (resource signature ticket), which represents the validity and integrity of user C's registered resource.
Step s50506, node E forwards to user A the confirmation response 200 OK carrying the Contact header field and the Resource Ticket.
Step s50507, user A verifies the validity and integrity of user C's registered resource according to the Resource Ticket.
Step s50508, user A sends an authentication request to the authentication server. The authentication request carries the following information:
IDa||IDc||N
-IDa: the identification information of user A
-IDc: the identification information of user C
-N: a random number or sequence number that identifies this authentication request. The returned authentication response message must contain the same number, which prevents message replay.
Step s50509, the authentication server authenticates user A and user C. After authentication succeeds, it generates the session key Ks of user A and user C, encrypts the session key Ks with shared key Ka to generate the first authentication ticket, and encrypts the session key with shared key Kc to generate the second authentication ticket.
In a specific implementation, the first authentication ticket is as follows:
E_Ka[Ks||IDc||N||T||L]
-Ks: the session key of user A and user C
-IDc: the identification information of user C
-N: a random number or sequence number that identifies this authentication request. The returned authentication response message must contain the same number, which prevents message replay.
-T: timestamp
-L: validity period of the session key
-E_Ka denotes encryption of [Ks||IDc||N||T||L] with the shared key Ka of user A and the authentication server
The second authentication ticket is as follows:
E_Kc[Ks||IDa||T||L]
-Ks: the session key of user A and user C
-IDa: the identification information of user A
-T: timestamp
-L: validity period of the session key
-E_Kc denotes encryption of [Ks||IDa||T||L] with the shared key Kd of node D and the authentication server
Step s50510, user A decrypts the first authentication ticket with shared key Ka and obtains the session key Ks.
Step s50511, user A sends an Invite call request carrying IdentityA to user C.
Step s50512, user C sends a Subscribe message to user A, requesting the second authentication ticket (E_Kc[Ks||IDa||T||L]).
Step s50513, user A sends user C a Notify message carrying the second authentication ticket (E_Kc[Ks||IDa||T||L]).
Step s50514, user C decrypts the second authentication ticket (E_Kc[Ks||IDa||T||L]) with shared key Kc, obtains the session key Ks, decrypts IdentityA with the session key Ks, and completes the verification of the legitimacy of user A's identity.
Step s50515, user C sends a 180 ALERTING message to user A.
Step s50516, user C sends a 200 OK response carrying IdentityC to user A.
Step s50517, user A sends an ACK confirmation response carrying IdentityA to user C.
Step s50518, user A and user C conduct the session.
Step s50519, at the end of the session, user C actively ends the session and sends user A a Bye session-end message carrying IdentityC.
Step s50520, user A sends a 200 OK confirmation response carrying IdentityA to user C.
Referring to Figure 11, a schematic flow chart of service registration according to an embodiment of the invention. In this embodiment, VM service node S is the node that provides the tone information service, and node R is the node responsible for storing service information. The details are as follows:
Step s50601, the VM service node sends a Register request to node F.
Step s50602, node F finds that it does not store the service information corresponding to VM service node S, and sends a 302 redirect message to VM service node S indicating to whom the VM service node should send the next Register request.
Step s50603, following the 302 redirect message from node F, VM service node S sends a Register request to node R.
Step s50604, node R sends a 401 registration rejection message to VM service node S, telling VM service node S that the registration was rejected because the Register request does not carry the Identity authentication header.
Step s50605, VM service node S sends an authentication request to the authentication server. The authentication request carries the following information:
IDs||IDr||N
-IDs: the identification information of VM service node S
-IDr: the identification information of node R
-N: a random number or sequence number that identifies this authentication request. The returned authentication response message must contain the same number, which prevents message replay.
Step s50606, the authentication server authenticates VM service node S and node R. After authentication succeeds, it generates the session key Ks of VM service node S and node R, generates the first authentication ticket by encrypting Ks based on a shared key, and generates the second authentication ticket by encrypting Ks with shared key Kr.
In a specific implementation, the first authentication ticket is as follows:
E_KUs[Ks||IDr||N||T||L]
-Ks: the session key of VM service node S and node R
-IDr: the identification information of node R
-N: a random number or sequence number that identifies this authentication request. The returned authentication response message must contain the same number, which prevents message replay.
-E_KUs denotes encryption of [Ks||IDr||N||T||L] with the public key of VM service node S
The second authentication ticket is constructed as follows:
E_Kr[Ks||IDs||T||L]
-Ks: the session key of VM service node S and node R
-IDr: the identification information of node R
-T: timestamp
-L: validity period of the session key
Step s50607, VM service node S decrypts the first authentication ticket (E_KUs[Ks||IDr||N||T||L]) and obtains the session key Ks.
Step s50608, VM service node S sends a Register request carrying IdentityS to node R.
Step s50609, node R sends a Subscribe message to VM service node S, requesting the second authentication ticket (E_Kc[Ks||IDa||T||L]).
Step s50610, VM service node S sends node R a Notify message carrying the second authentication ticket (E_Kr[Ks||IDs||T||L]).
Step s50611, node R decrypts the second authentication ticket (E_Kr[Ks||IDs||T||L]) with shared key Kr, obtains the session key Ks, decrypts IdentityS with the session key Ks, completes the verification of the legitimacy of VM service node S's identity and, according to the decrypted content, completes the service registration of VM service node S.
Step s50612, node R sends a 200 OK confirmation response carrying IdentityR to VM service node S.
Referring to Figure 13, a schematic flow chart of a user applying for a value-added service, according to an embodiment of the invention. In this embodiment, user A is a client that needs to apply for a value-added service, node P is the node responsible for storing the information about which value-added services a registered user can use, and node C is the signing service agent entity. The details are as follows:
Step s50701, user A sends a Register request to node E, requesting to look up the node responsible for storing the information about which value-added services a registered user can use.
Step s50702, node E finds that it is not the node responsible for storing the information about which value-added services a registered user can use, and sends a 302 redirect message to user A indicating to whom the user should send the next Register request.
Step s50703, following the 302 redirect message from node E, user A sends a Register request to node G, requesting to look up the node responsible for storing the information about which value-added services a registered user can use.
Step s50704, node G finds that it is still not the node responsible for storing the information about which value-added services a registered user can use, and sends a 302 redirect message to user A indicating to whom the user should send the next Register request.
Step s50705, following the 302 redirect message from node G, user A sends a Register request to node P, requesting to look up the node responsible for storing the information about which value-added services a registered user can use.
Step s50706, node P finds that it is itself the node responsible for storing the information about which value-added services a registered user can use, so it sends a confirmation response 200 OK to user A.
Step s50707, user A sends a Register request to node C, requesting to look up the node that stores the resource.
Step s50708, node C finds that it stores user A's resource, that is, node A is a user for which node C itself is responsible for the signing service, and node C sends a confirmation response 200 OK to user A.
Step s50709, user A sends an authentication request to the authentication server. The authentication request carries the following information:
IDa||IDp||IDc||N
-IDa: identification information of user A
-IDp: identification information of node P
-IDc: identification information of node C
-N: a random number or sequence number that identifies this authentication request; the returned authentication response message must contain the same number, which is used to prevent message replay
Step s50710, the authentication server authenticates user A, node P and node C. After authentication succeeds, it generates the session key Ks of user A with node P and node C, encrypts the session key Ks with the shared key Ka to generate the first authentication ticket, encrypts the session key with the shared key Kp to generate the second authentication ticket, and generates the third authentication ticket based on an asymmetric key mechanism.
In a specific implementation, the first authentication ticket is as follows:
E_Ka[Ks||IDp||N||T||L||P]
-Ks: session key of user A with node P and node C
-IDp: identification information of node P
-N: random number or sequence number, used to identify the authentication server's response to the session request entity
-T: timestamp
-L: validity period of the session key
-P: indicates which value-added services the user may use
-E_Ka denotes encrypting [Ks||IDp||N||T||L] with the shared key Ka of the user and the authentication server
The second authentication ticket is as follows:
E_Kp[Ks||IDa||T||L]
-Ks: session key of user A with node P and node C
-IDa: identification information of user A
-T: timestamp
-L: validity period of the session key
-E_Kp denotes encrypting [Ks||IDa||T||L] with the shared key Kp of node P and the authentication server
The third authentication ticket is as follows:
Ticket_Ac = E_KRas[H(E_KUc[Ks||IDa||T||L])]
-Ks: session key of the session request entity and the session target entity
-IDa: identification information of the session request entity
-T: timestamp
-L: validity period of the session key
-E_KUc denotes encrypting [Ks||IDa||T||L] with the public key of the signature agent entity, node C
-E_KRas[H(E_KUc[Ks||IDa||T||L])] denotes signing (E_KUc[Ks||IDa||T||L]) with the private key of the authentication server AS
Step s50711, user A decrypts the first authentication ticket with the shared key Ka to obtain the session key Ks.
Step s50712, user A sends node C a signature service request carrying IdentityA; the signature service request carries user A's registration information for node P (the object that needs signature protection).
Step s50713, node C sends a Subscribe message to user A, requesting the third authentication ticket (Ticket_Ac = E_KRas[H(E_KUc[Ks||IDa||T||L])]).
Step s50714, user A sends node C a Notify message carrying the third authentication ticket (EKd[Ks||IDe||T||L]).
Step s50715, node C decrypts the third authentication ticket to obtain the session key Ks, decrypts IdentityA with the session key Ks, and completes the verification of the legitimacy of user A's identity. It signs the user registration information with its own private key to generate the Identity header field, and attaches the Identity-info header field giving the location of the identity certificate. The user registration message, the Identity header field and the Identity-info header field together constitute the Resource Ticket (resource signature ticket).
Step s50716, node C sends user A a 200 OK acknowledgement response carrying the Resource Ticket; the Resource Ticket is included in the 200 OK acknowledgement response message in a tunnelled manner.
Step s50717, user A sends node P a Register request carrying IdentityA and the Resource Ticket to apply for the value-added service.
Step s50718, node P sends a Subscribe message to user A, requesting the second authentication ticket (E_Kp[Ks||IDa||T||L]).
Step s50719, user A sends node P a Notify message carrying the second authentication ticket (E_Kp[Ks||IDa||T||L]).
Step s50720, node P decrypts the second authentication ticket with the shared key Kp to obtain the session key Ks, decrypts IdentityA with the session key Ks to obtain the content of the Register request, accepts user A's value-added service application request, and provides user A with the corresponding value-added service.
Step s50721, node P sends user A a 200 OK acknowledgement response carrying IdentityP.
Figure 14 is a schematic flow diagram of leaving a message through the VM voice service in an embodiment of the invention. This embodiment describes the process in which calling user A calls called user C and, user C being offline, calling user A leaves a voice message for user C through the VM voice message service.
Step s50801, user A sends a Register request to node E, asking it to look up the session object.
Step s50802, node E, acting as proxy for user A in querying the session object, sends a Register request to node P to query the session object.
Step s50803, node P finds that it is not the session object that user A wants to query, and sends a 302 redirect message to node E indicating where the user should send the next Register request.
Step s50804, node E, following the indication in node P's 302 redirect message, sends a Register request to node R to query the session object.
Step s50805, node R finds that it is itself the proxy node of the queried session object, user C, but user C is not online at this time. It therefore sends a 404 response to node E, informing user A through node E that it may choose to use the voice message service to leave a message for user C.
Step s50806, node E forwards the 404 response to user A.
Step s50807, user A chooses to leave a voice message for user C and sends a Register request to node E.
Step s50808, the VM service node is looked up through the voice service search algorithm.
Step s50809, after VM service node S has been found, node E sends a 200 OK response to user A.
Step s50810, user A sends an authentication request to the authentication server. The authentication request carries the following information:
IDa||IDc||IDs||N
-IDa: identification information of user A
-IDc: identification information of user C
-IDs: identification information of VM service node S
-N: a random number or sequence number that identifies this authentication request; the returned authentication response message must contain the same number, which is used to prevent message replay
Step s50811, the authentication server authenticates user A, user C and the VM service node. After authentication succeeds, it generates the first authentication ticket, the second authentication ticket and the third authentication ticket.
In a specific implementation, the first authentication ticket is as follows:
E_Ka[Ks1||Ks2||IDs||IDc||N||T||L]
-Ks1: session key of user A and VM service node S
-Ks2: session key of user A and user C, used to encrypt the message that user A leaves for user C
-IDs: identification information of VM service node S
-IDc: identification information of user C
-N: a random number or sequence number that identifies this authentication request; the returned authentication response message must contain the same number, which is used to prevent message replay
-T: timestamp
-L: validity period of the session key
-E_Ka denotes encrypting [Ks1||Ks2||IDs||IDc||N||T||L] with the shared key Ka of user A and the authentication server
The second authentication ticket is as follows:
E_Ks[Ks1||IDa||T||L]
-Ks1: session key of user A and VM service node S
-IDa: identification information of user A
-T: timestamp
-L: validity period of the session key
-E_Ks denotes encrypting [Ks1||IDa||T||L] with the shared key Ks of VM service node S and the authentication server
The third authentication ticket is as follows:
E_Kc[Ks2||IDa||T||L]
-Ks2: session key of user A and user C
-IDa: identification information of user A
-T: timestamp
-L: validity period of the session key
-E_Kc denotes encrypting [Ks1||IDa||T||L] with the shared key Ks of user C and the authentication server
Step s50812, user A decrypts the first authentication ticket with the shared key Ka to obtain the session key Ks1 of user A and VM service node S, and the session key Ks2 that user A uses to encrypt the message left for user C.
Step s50813, user A sends VM service node S an Invite session request carrying IdentityA.
Step s50814, VM service node S sends a Subscribe message to user A, requesting the second authentication ticket (Ticket_As = E_Ks[Ks1||IDa||T||L]).
Step s50815, user A sends VM service node S a Notify message carrying the second authentication ticket (Ticket_As = E_Ks[Ks1||IDa||T||L]).
Step s50816, VM service node S decrypts the second authentication ticket to obtain the shared key Ks1 of user A and VM service node S, and decrypts IdentityA with Ks1 to obtain the content of the session request.
Step s50817, VM service node S sends user A a 200 OK response carrying IdentityS.
Step s50818, user A sends VM service node S an ACK carrying IdentityA and the third authentication ticket E_Kc[Ks2||IDa||T||L].
Step s50819, user A and VM service node S conduct the session, in which user A leaves a voice message for user C; the voice message is encrypted with the session key Ks2.
Step s50820, user A hangs up on its own initiative, the message ends, and user A sends VM service node S a Bye acknowledgement response carrying IdentityA.
Step s50821, VM service node S sends user A a 200 OK response carrying IdentityS.
Figure 15 is a schematic flow diagram of the called party listening to a message through the VM voice service in an embodiment of the invention. This embodiment describes the process in which called user C listens, through the VM voice message service, to the voice message from user A.
Step s50901, user C sends a Register registration update request to node E.
Step s50902, node E, acting as proxy for user C in querying user C's service proxy node, sends a Register request to node R.
Step s50903, node R is the service proxy node of user C and sends node E a 200 OK response carrying the Resource Ticket.
Step s50904, node E forwards the 200 OK response carrying the Resource Ticket to user C. The Resource Ticket carries the information on which value-added services user C may use; in this embodiment its role is to inform user C that it may use the voice message service.
Step s50905, user C sends a Register request to node E.
Step s50906, the VM service node is looked up through the voice service search algorithm.
Step s50907, after VM service node S has been found, node E sends a 200 OK response to user C.
Step s50908, user C sends an authentication request to the authentication server. The authentication request carries the following information:
IDc||IDs||N
-IDc: identification information of user C
-IDs: identification information of VM service node S
-N: a random number or sequence number that identifies this authentication request; the returned authentication response message must contain the same number, which is used to prevent message replay
Step s50909, the authentication server authenticates user C and VM service node S. After authentication succeeds, it generates the first authentication ticket and the second authentication ticket.
In a specific implementation, the first authentication ticket is as follows:
E_Kc[Ks||IDs||N||T||L]
-Ks: session key of user C and VM service node S
-IDs: identification information of VM service node S
-N: a random number or sequence number that identifies this authentication request; the returned authentication response message must contain the same number, which is used to prevent message replay
-T: timestamp
-L: validity period of the session key
-E_Kc denotes encrypting [Ks||IDs||N||T||L] with the shared key Ka of user A and the authentication server
The second authentication ticket is as follows:
E_Ks[Ks||IDc||T||L]
-Ks: session key of user C and VM service node S
-IDc: identification information of user C
-T: timestamp
-L: validity period of the session key
-E_Ks denotes encrypting [Ks||IDc||T||L] with the shared key Ks of VM service node S and the authentication server
Step s50910, user C decrypts the first authentication ticket with the shared key Kc to obtain the session key Kc of user C and VM service node S.
Step s50911, user C sends VM service node S an Invite session request carrying IdentityC and the Resource Ticket.
Step s50912, VM service node S sends a Subscribe message to user A, requesting the second authentication ticket (Ticket_Cs = E_Ks[Ks||IDc||T||L]).
Step s50913, user A sends VM service node S a Notify message carrying the second authentication ticket (Ticket_Cs = E_Ks[Ks||IDc||T||L]).
Step s50914, VM service node S decrypts the second authentication ticket to obtain the session key Ks of user C and VM service node S, and decrypts IdentityA with Ks to obtain the content of the session request.
Step s50915, VM service node S sends user C a 200 OK response carrying IdentityS and Ticket_Ac (E_Kc[Ks2||IDa||T||L]); Ticket_Ac (E_Kc[Ks2||IDa||T||L]) carries the session key Ks2 that user A used to encrypt the message left for user C.
Step s50916, user C sends VM service node S an ACK carrying IdentityC.
Step s50917, user C decrypts Ticket_Ac (E_Kc[Ks2||IDa||T||L]) with the key it shares with the authentication server to obtain the session key Ks2; user C and VM service node S conduct the session, and user C decrypts and listens to user A's voice message with the session key Ks2.
Step s50918, user C hangs up on its own initiative, the message ends, and user C sends VM service node S a Bye acknowledgement response carrying IdentityC.
Step s50919, VM service node S sends user C a 200 OK response carrying IdentityS.
The above is only a preferred embodiment of the invention. It should be pointed out that those of ordinary skill in the art may make improvements and refinements without departing from the principle of the invention, and these improvements and refinements shall also be regarded as falling within the scope of protection of the invention.
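The two-ticket exchange between user C, the authentication server and VM service node S described above (request IDc||IDs||N, a first ticket for the requester containing Ks, IDs, N, T and L, and a second ticket for the target containing Ks, IDc, T and L), written out as an added Python example that is not code from the patent. The patent does not name the cipher E, so `seal`/`unseal` are a stand-in built from HMAC-SHA256 (keystream plus encrypt-then-MAC); the length-prefixed field encoding, the reading of T and L as a validity window, the skew constant and all function names are assumptions.

```python
import hashlib
import hmac
import os
import struct

MAX_SKEW = 30  # seconds of clock skew tolerated (assumption, not from the patent)

def keystream(key, iv, length):
    """HMAC-SHA256 in counter mode, used here as a keystream generator."""
    out, counter = b"", 0
    while len(out) < length:
        block_input = b"enc" + iv + struct.pack(">I", counter)
        out += hmac.new(key, block_input, hashlib.sha256).digest()
        counter += 1
    return out[:length]

def seal(key, plaintext):
    """Stand-in for E_K[...]: encrypt, then append an HMAC tag over iv + ciphertext."""
    iv = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, keystream(key, iv, len(plaintext))))
    return iv + ct + hmac.new(key, b"mac" + iv + ct, hashlib.sha256).digest()

def unseal(key, blob):
    """Verify the tag before decrypting; a wrong key or altered ticket is rejected."""
    iv, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, b"mac" + iv + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("ticket rejected: wrong key or modified ciphertext")
    return bytes(a ^ b for a, b in zip(ct, keystream(key, iv, len(ct))))

def pack(*fields):
    """Encode f1||f2||... with 2-byte length prefixes so field boundaries are unambiguous."""
    return b"".join(struct.pack(">H", len(f)) + f for f in fields)

def unpack(data, count):
    """Decode exactly `count` length-prefixed fields and reject anything else."""
    fields, pos = [], 0
    for _ in range(count):
        size = int.from_bytes(data[pos:pos + 2], "big")
        field = data[pos + 2:pos + 2 + size]
        if len(data) < pos + 2 or len(field) != size:
            raise ValueError("truncated ticket")
        fields.append(field)
        pos += 2 + size
    if pos != len(data):
        raise ValueError("unexpected trailing bytes")
    return fields

def check_fresh(t_raw, l_raw, now):
    """Accept only while T - skew <= now <= T + L (this reading of T and L is an assumption)."""
    (t,) = struct.unpack(">Q", t_raw)
    (lifetime,) = struct.unpack(">I", l_raw)
    if now < t - MAX_SKEW or now > t + lifetime:
        raise ValueError("ticket outside its validity period")

class AuthServer:
    def __init__(self, shared_keys):
        self.shared_keys = shared_keys  # entity ID -> key shared with the authentication server

    def issue(self, id_req, id_tgt, nonce, now, lifetime=300):
        """Handle the request IDreq||IDtgt||N and return (first ticket, second ticket)."""
        if id_req not in self.shared_keys or id_tgt not in self.shared_keys:
            raise PermissionError("unregistered entity")
        ks = os.urandom(32)  # fresh session key Ks
        t_raw, l_raw = struct.pack(">Q", now), struct.pack(">I", lifetime)
        first = seal(self.shared_keys[id_req], pack(ks, id_tgt, nonce, t_raw, l_raw))
        second = seal(self.shared_keys[id_tgt], pack(ks, id_req, t_raw, l_raw))
        return first, second

def open_first_ticket(key, ticket, id_tgt, nonce, now):
    """Session request entity: recover Ks and bind the response to its own request via N."""
    ks, got_tgt, got_nonce, t_raw, l_raw = unpack(unseal(key, ticket), 5)
    if not hmac.compare_digest(got_nonce, nonce):
        raise ValueError("nonce mismatch: response does not answer this request")
    if got_tgt != id_tgt:
        raise ValueError("ticket names a different session target")
    check_fresh(t_raw, l_raw, now)
    return ks

def open_second_ticket(key, ticket, claimed_req, now):
    """Session target entity: recover Ks and check who the ticket was issued for."""
    ks, got_req, t_raw, l_raw = unpack(unseal(key, ticket), 4)
    if got_req != claimed_req:
        raise ValueError("ticket was issued for a different requester")
    check_fresh(t_raw, l_raw, now)
    return ks

def run_exchange(now=1_700_000_000):
    """User C and VM service node S, with constructed keys, IDs and clock value."""
    k_c, k_s = os.urandom(32), os.urandom(32)
    server = AuthServer({b"userC": k_c, b"vmS": k_s})
    nonce = os.urandom(16)
    first, second = server.issue(b"userC", b"vmS", nonce, now)
    ks_at_c = open_first_ticket(k_c, first, b"vmS", nonce, now)
    identity_c = seal(ks_at_c, b"Invite from userC")  # IdentityC protected under Ks
    ks_at_s = open_second_ticket(k_s, second, b"userC", now + 5)
    return unseal(ks_at_s, identity_c)
```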

Claims (10)

1. A session key negotiation method, characterized in that it is applied in a P2P network and comprises:
The authentication server receives an authentication request from a session request entity, the authentication request containing identification information of the session request entity and identification information of a session target entity;
The authentication server authenticates the session request entity and the session target entity respectively according to the identification information of the session request entity and the identification information of the session target entity;
If authentication succeeds, a session key of the session request entity and the session target entity is generated; the session key is encrypted with the key shared by the authentication server and the session request entity to generate a first authentication ticket corresponding to the session request entity, and the session key is encrypted with the key shared by the authentication server and the session target entity to generate a second authentication ticket corresponding to the session target entity;
The authentication server returns an authentication response carrying the session key to the session request entity.
2. The method of claim 1, characterized in that it further comprises:
The session target entity and the session request entity exchange information to obtain the session key.
3. The method of claim 2, characterized in that the step in which the session target entity and the session request entity exchange information to obtain the session key comprises:
The session request entity decrypts the first authentication ticket with the key it shares with the authentication server to obtain the session key.
4. The method of claim 2, characterized in that the authentication response contains the second authentication ticket, and the step in which the session target entity and the session request entity exchange information to obtain the session key comprises:
The session request entity sends a session request carrying authentication information to the session target entity;
After receiving the session request, the session target entity exchanges information with the session request entity to obtain the second authentication ticket;
The session target entity decrypts the second authentication ticket with the key it shares with the authentication server to obtain the session key.
5. A session key negotiation method, characterized in that it is applied in a P2P network and comprises:
The authentication server receives an authentication request from a session request entity, the authentication request containing identification information of the session request entity, identification information of a session target entity and identification information of a signature agent entity;
The authentication server authenticates the session request entity, the session target entity and the signature agent entity respectively according to the identification information of the session request entity, the identification information of the session target entity and the identification information of the signature agent entity;
If authentication succeeds, a session key corresponding to the session request entity and the session target entity is generated, and a session key corresponding to the session request entity and the signature agent entity is generated; the session key corresponding to the session request entity and the session target entity is encrypted with the key shared by the authentication server and the session request entity to generate a third authentication ticket corresponding to the session request entity;
The session key corresponding to the session request entity and the session target entity is encrypted with the key shared by the authentication server and the session target entity to generate a fourth authentication ticket corresponding to the session target entity;
The session key corresponding to the session request entity and the signature agent entity is encrypted to generate a fifth authentication ticket corresponding to the signature agent entity;
The authentication server returns an authentication response carrying the session key to the session request entity.
6. The method of claim 5, characterized in that it further comprises:
The session target entity and the session request entity exchange information to obtain the session key of the session request entity and the session target entity.
7. The method of claim 6, characterized in that, after receiving the authentication response, the session request entity decrypts the third authentication ticket with the key shared with the authentication server to obtain the session key of the session request entity and the session target entity.
8. The method of claim 7, characterized in that the authentication response contains the fifth authentication ticket, and, before the step in which the session target entity and the session request entity exchange information to obtain the session key of the session request entity and the session target entity, the method further comprises:
The session request entity sends a signature request message carrying authentication information to the signature agent entity;
After receiving the signature request message, the signature agent entity exchanges information with the session request entity to obtain the fifth authentication ticket;
The signature agent entity decrypts the fifth authentication ticket to obtain the session key corresponding to the session request entity and the signature agent entity, decrypts the authentication information with this session key, and generates a signature ticket for the signature request message;
The signature agent entity returns the signature ticket to the session request entity.
9. The method of claim 8, characterized in that the authentication response carries the fourth authentication ticket, and the step in which the session target entity and the session request entity exchange information to obtain the session key of the session request entity and the session target entity comprises:
The session request entity sends a session request message carrying the signature ticket and authentication information to the session target entity;
After receiving the session request message, the session target entity exchanges information with the session request entity to obtain the authentication ticket corresponding to the session target entity;
The session target entity decrypts the fourth authentication ticket with the key it shares with the authentication server to obtain the session key corresponding to the session request entity and the session target entity.
10. An authentication server, characterized in that it comprises:
An authentication request receiving unit, configured to receive an authentication request from a session request entity, the authentication request containing identification information of the session request entity and identification information of a session target entity;
An authentication unit, configured to authenticate the session request entity and the session target entity after the authentication request receiving unit receives the authentication request, and, after authentication succeeds, to generate the session key of the session request entity and the session target entity, the authentication unit comprising:
An identification information obtaining unit, configured to obtain the identification information of the session request entity and the identification information of the session target entity from the authentication request received by the authentication request receiving unit;
An authentication execution unit, configured to judge, according to the identification information of the session request entity and the identification information of the session target entity, whether the session request entity and the session target entity are registered entities, and, if the judgement result is yes, to generate the session key of the session request entity and the session target entity;
An authentication ticket generation unit, configured to encrypt the session key with the key shared with the session request entity to generate the authentication ticket corresponding to the session request entity, and to encrypt the session key with the key shared with the session target entity to generate the authentication ticket corresponding to the session target entity;
An authentication response sending unit, configured to send the authentication response carrying the session key to the session request entity.
CN2007100310648A 2007-10-25 2007-10-25 Session cipher negotiating method, authentication server and network appliance Expired - Fee Related CN101420413B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN2007100310648A CN101420413B (en) 2007-10-25 2007-10-25 Session cipher negotiating method, authentication server and network appliance

Publications (2)

Publication Number Publication Date
CN101420413A CN101420413A (en) 2009-04-29
CN101420413B true CN101420413B (en) 2012-11-07

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20121107
