CN101499904A - Method, apparatus and system for safe interface call - Google Patents


Info

Publication number
CN101499904A
Authority
CN
Grant status
Application
Patent type
Prior art keywords
user
application
authentication
interface
information
Prior art date
Application number
CN 200810007068
Other languages
Chinese (zh)
Inventor
彭程晖
李波杰
梁文亮
Original Assignee
华为技术有限公司

Classifications

    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L 67/00 Network-specific arrangements or communication protocols supporting networked applications > H04L 67/16 Service discovery or service management, e.g. service location protocol [SLP] or Web services
    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L 63/00 Network architectures or network communication protocols for network security > H04L 63/08 Network architectures or network communication protocols for network security for supporting authentication of entities communicating through a packet data network
    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communication > H04L 9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communication including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials

Abstract

The invention relates to a safe interface calling method in the technical field of communication, which comprises the following steps: an interface receives an interface calling request message which carries user business identifier and user identity information and is sent by an application; according to the received user identity information, the user business identifier which is carried in the interface calling request message is validated, if the validation is passed, authentication of the user business identifier is determined as successful; and if failed, the authentication of the user business identifier is determined as failed. The invention further provides a safe interface calling device and a safe interface calling system. The embodiment of the invention realizes the authentication of the user business identifier in an interface calling process, thus effectively guaranteeing the security of interface calling.

Description

Secure interface calling method, apparatus and system

Technical field

The present invention relates to the field of communication technologies, and in particular to a secure interface calling method, apparatus and system.

Background

The Universal Services Interface (USI) system is the interface through which a WiMAX (Worldwide Interoperability for Microwave Access Forum) network opens its service capabilities to application servers inside or outside the network. By calling the service capability interfaces provided by USI, developing applications for WiMAX access users becomes simpler, and personalized services can be offered to WiMAX access users more conveniently. The capabilities that a WiMAX network opens through the USI system include Quality of Service (QoS), charging, location services, and so on.

When an application accesses the USI system, it must carry a parameter identifying the user, from which the WiMAX network can look up the user being operated on. This identifier is generally allocated to the user by the WiMAX network and is intended to be given to third-party systems, so that a third-party system can identify the object of the operation (the user) when it calls a USI interface provided by the WiMAX network. In the present invention this identifier is called the service identifier that the WiMAX network provides to the user, or the user service identifier for short. From the user service identifier the WiMAX network can look up the user on which the application needs to operate, and can then perform the operation requested by the application on that user.

Normally the interaction between the user and the application takes place at the application layer, so the user service identifier is also supplied by the user to the application server; the application server calls the USI interface with the service identifier supplied by the user and completes the specific business logic, such as location information queries or charging.

In implementing the prior art, the inventors found the following problem with the above flow: when an application calls a USI interface, the network neither authenticates the service identifier that the user supplied to the application nor authenticates the application's operation on the user (that is, the application's interface call). For example, a user may give another user's service identifier to the application, or an application server (from outside the network's trust domain) may supply a user service identifier without the user's authorization and call an interface that the user never authorized (such as an interface that charges the user). The existing USI access mechanism therefore has security problems.

The applications described herein include service providers and application providers.

Summary

Embodiments of the present invention provide a secure interface calling method, apparatus and system which authenticate the user service identifier during the interface call, effectively guaranteeing the security of the interface call.

Embodiments of the present invention are realized by the following technical solutions. An embodiment of the present invention provides a secure interface calling method, comprising:

an interface receiving an interface call request message sent by an application, the message carrying a user service identifier and user identity information;

authenticating the user service identifier according to the received user identity information.

An embodiment of the present invention provides a user terminal, comprising:

a user identity information generating unit, configured to compute user identity information from a key shared between the user terminal and the network, or from a key derived from that shared key; an information interaction unit, configured to exchange information with an application device;

an authentication information reporting unit, configured to report, within the information exchanged with the application device, authentication-related information including the user service identifier and the user identity information.

An embodiment of the present invention provides an application server, comprising:

an authentication information receiving unit, configured to receive authentication-related information reported by the user terminal, including the user service identifier and the user identity information;

an interface calling unit, configured to call the relevant interface according to the user service identifier and to carry the received user service identifier and user identity information in the interface call request message.

An embodiment of the present invention provides an interface call authentication system, comprising:

a receiving unit, configured to receive an interface call request message carrying a user service identifier and user identity information;

a user service identifier authentication unit, configured to authenticate the user service identifier according to the received user identity information;

an application authentication unit, configured to authenticate the identity of the application and the application's interface call.

An embodiment of the present invention provides a secure interface calling system, comprising:

an application server, configured to carry the user service identifier and user identity information in an interface call request message and to send the interface call request message to the interface call authentication system;

an interface call authentication system, configured to authenticate the user service identifier according to the user identity information in the interface call request message.

As can be seen from the technical solutions above, embodiments of the present invention carry the user service identifier and user identity information during the interface call and authenticate the user service identifier according to that user identity information, effectively guaranteeing the security of the interface call.

Brief description of the drawings

Figure 1 is a flowchart of the secure interface calling method according to Implementation One of the present invention;

Figure 2 is a flowchart of the authentication of the user service identifier according to Implementation One of the present invention;

Figure 3 is a flowchart of the secure interface calling method according to Implementation Two of the present invention;

Figure 4 is an operational flowchart of secure interface calling according to Embodiment One of the present invention;

Figure 5 is an operational flowchart of secure interface calling according to Embodiment Two of the present invention;

Figure 6 is a schematic diagram of the user terminal modules according to Implementation Four of the present invention;

Figure 7 is a schematic diagram of the application server modules according to Implementation Five of the present invention;

Figure 8 is a schematic diagram of the interface call authentication system modules according to Implementation Six of the present invention.

Detailed description

The technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the accompanying drawings. Obviously, the described embodiments are only some of the embodiments of the present invention, not all of them. All other embodiments obtained by a person of ordinary skill in the art on the basis of the embodiments of the present invention without creative effort fall within the protection scope of the present invention.

In embodiments of the present invention, when an application calls an interface it carries the user service identifier and user identity information in the interface call request message, so that the network can authenticate the user service identifier according to the user identity information. In addition, so that the application can also be authenticated, the application may carry application identity information at the same time when it calls the interface, and the network can authenticate the application according to the application's identity information and the user's configured policy information.

The implementations of the present invention are described in detail below using calls to the USI interface as an example; those skilled in the art will understand that the solutions of the embodiments of the present invention are not limited to USI interface calls.

Implementation One of the present invention provides a secure interface calling method which, as shown in Figure 1, comprises the following steps:

Step 1: during the authentication process in which the user terminal logs in to the network, the user terminal and the network generate a shared key;

Taking the generation of a USI-related key as an example, the user terminal and the network generate the USI-related key on the basis of the authentication process. Specifically, the USI-related key may be derived as follows. When authentication succeeds, the user terminal and the network (generally the AAA server) generate a Master Session Key (MSK) / Extended Master Session Key (EMSK); the user terminal and the network can then derive the shared key, i.e. the USI-related key (USI-RK), from the MSK/EMSK in a prescribed way. For example, USI-RK may be derived as:

USI-RK = hash(EMSK); or USI-RK = hash(MSK); or USI-RK = hash(EMSK+MSK);

where hash is any hash function; another function may be used instead, or USI-RK may simply be equal to the MSK/EMSK directly.

The network stores the user terminal's network identity such as the NAI, the user service identifier, the user's IP address, the key shared between the network and the user terminal, and similar information.

Step 2: the user terminal interacts with the application at the application layer, and the application obtains the user identity information and the user service identifier.

According to the application's business logic (for example, the application needs to access the USI interface system), the application requests the user service identifier and user identity information from the user terminal, or the user terminal actively reports the user service identifier and user identity information to the application.

The user service identifier may be in URI (Uniform Resource Identifier, as defined in IETF RFC 2396) format, consisting of two parts, a user name (username) and a domain name (realm). To protect the user's privacy the user name part may be an arbitrary string; the domain name part identifies the user's home network, and from the domain name part of the user service identifier the application can determine the user's home network service provider and the address of the USI system it provides. The user service identifier is allocated by the user's home network provider, and the home network (for example, the user's home AAA server) stores the user service identifier and the correspondence between the user service identifier and the Network Access Identifier (NAI).

The user identity information is used by the network to authenticate the user's service identifier and may include a user digital signature and/or IP address information.

The user digital signature is computed from the key shared between the user terminal and the network; the user terminal and the network use the same algorithm (for example, the MD5 digest algorithm) when computing the user digital signature. The user service identifier or application-layer parameters may also be included as input to the computation.

An application-specific key may also be derived from the application's identifier and the key shared between the user terminal and the network, and this derived application-specific key used to compute application-specific user identity information. When the user identity information is a user digital signature, the user digital signature may be embedded in the user service identifier, for example in the user name part of the user service identifier, so that no separate parameter is needed to carry the user identity information.

Step 3: the application calls the USI interface, carrying the user service identifier and user identity information in the interface call request message and requesting authentication of the user service identifier;

The interface call request message may also carry the application's identifier (when an application-specific key is used to compute the user identity information) and any required application-layer parameters (when application-layer parameters are included in the computation of the user identity information).

The USI interface may be an interface provided by the USI system specifically for authenticating the user service identifier, or it may be an ordinary service call interface.

Service identifier authentication through the two kinds of interface differs as follows: the dedicated interface causes the USI system to authenticate the user service identifier by means of the message type identifier and notifies the application of the authentication result in a dedicated return message; the ordinary service call interface causes the USI system to authenticate the user service identifier by means of a flag bit (that is, an identifier added to the call request message) when the service is called, and returns the authentication result with the access message of the service call. Both require the message to carry the user's service identifier and user identity information.

Step 4: the network authenticates the user service identifier according to the user identity information supplied by the application;

The network's authentication of the user service identifier can be performed by a user service identifier authentication unit, which may be located inside the USI system or outside it (for example in the AAA). The embodiments of the present invention do not limit this; the deployment location of the authentication unit does not affect the implementation of the present invention. This implementation is described with the authentication system located inside the USI system as an example.

The specific flow of the USI system's authentication is shown in Figure 2 and comprises:

Step 21: the USI system obtains the user service identifier and user identity information;

If the USI system did not obtain the user service identifier and user identity information, it may return an authentication failure message to the application, which may carry the reason for the failure (for example, that authentication information for the user service identifier is missing).

If the USI system obtained the user service identifier and user identity information, it proceeds to step 22; optionally it also obtains the application's identifier and application-layer parameters.

Step 22: having obtained the user service identifier and user identity information, the USI system checks, by the user service identifier or the IP address information (if included), whether the user terminal is registered with the USI system;

The USI system requires the user terminal to register with it when accessing the network; at registration the USI system stores the user's network identity such as the NAI, the user service identifier, the user's IP address, and the key shared between the network and the user terminal.

If the USI system determines that the user terminal is not registered, it may return an authentication failure message to the application, which may carry the reason for the failure.

If the USI system determines that the user terminal is registered, it proceeds to step 23;

Step 23: the USI system authenticates the user service identifier according to the user identity information;

The USI system sends the user identity information and user service identifier, optionally together with the application's identifier and application-layer parameters, to the user service identifier authentication unit and requests authentication of the user service identifier. The authentication process comprises:

If the user identity information is a user digital signature, the authentication unit looks up the shared key in the registration information by the user service identifier or the IP address (if included). Using the shared key, or an application-specific key derived from the shared key (which the authentication unit computes with the same algorithm as the user terminal), the preset algorithm agreed with the user terminal, and the same parameters as the user terminal, it computes the user digital signature and compares it with the user digital signature carried in the interface call request message. If they match, authentication of the user service identifier passes; otherwise it fails;

If the user identity information is an IP address, the user's IP address in the interface call is used directly as an index to look up the corresponding user service identifier in the registration information, which is compared with the user service identifier carried in the interface call; or the user service identifier carried in the interface call is used as the index to look up the corresponding IP address in the registration information, which is compared with the IP address carried in the interface call. If they match, authentication passes; otherwise it fails;

If the user identity information contains both a user digital signature and IP address information, both of the above authentication processes are performed. If either fails, authentication fails; if both pass, authentication succeeds.
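The USI-RK derivation from step 1 and the checks of steps 21 to 23 (missing information, unregistered terminal, signature recomputation, IP-to-identifier match, and the rule that both checks must pass when both are present), as an added Python example that is not part of the patent and not Huawei's code. It assumes SHA-256 for the unspecified hash function, a keyed HMAC-SHA256 in place of the MD5 digest the description gives as an example, and hypothetical names (derive_usi_rk, derive_app_key, user_signature, UsiSystem); the registrations, keys and requests are constructed sample data.

```python
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Tuple

# All names below are hypothetical; they illustrate the patent's flow, not Huawei's code.


def derive_usi_rk(msk: bytes, emsk: bytes, mode: str = "emsk") -> bytes:
    """USI-RK = hash(EMSK), hash(MSK) or hash(EMSK+MSK) as listed in the description.
    SHA-256 stands in for the unspecified hash function (assumption)."""
    material = {"emsk": emsk, "msk": msk, "both": emsk + msk}[mode]
    return hashlib.sha256(material).digest()


def derive_app_key(usi_rk: bytes, app_id: str) -> bytes:
    """Application-specific key from the application identifier and the shared key (assumption: HMAC-SHA256)."""
    return hmac.new(usi_rk, app_id.encode(), hashlib.sha256).digest()


def user_signature(key: bytes, service_id: str, app_params: str = "") -> str:
    """User digital signature over the user service identifier and optional application-layer
    parameters. The description names MD5 as an example digest; a keyed HMAC-SHA256 is used
    here instead (assumption) so that the value cannot be reproduced without the shared key."""
    return hmac.new(key, service_id.encode() + b"\x00" + app_params.encode(), hashlib.sha256).hexdigest()


@dataclass
class Registration:
    nai: str          # network identity stored at registration
    service_id: str   # user service identifier, username@realm
    ip: str
    usi_rk: bytes     # key shared between network and user terminal


@dataclass
class UsiSystem:
    by_service_id: dict = field(default_factory=dict)
    by_ip: dict = field(default_factory=dict)

    def register(self, reg: Registration) -> None:
        self.by_service_id[reg.service_id] = reg
        self.by_ip[reg.ip] = reg

    def authenticate(self, req: dict) -> Tuple[bool, str]:
        """Steps 21-23: returns (passed, reason); the reason is what a failure message would carry."""
        service_id, sig, ip = req.get("service_id"), req.get("signature"), req.get("ip")
        # Step 21: both the identifier and some identity information must be present.
        if service_id is None or (sig is None and ip is None):
            return False, "missing user service identifier or user identity information"
        # Step 22: registration lookup by service identifier, falling back to the IP address.
        reg = self.by_service_id.get(service_id) or (self.by_ip.get(ip) if ip else None)
        if reg is None:
            return False, "user terminal not registered"
        # Step 23, signature branch: recompute with the same key, algorithm and parameters.
        if sig is not None:
            key = derive_app_key(reg.usi_rk, req["app_id"]) if req.get("app_id") else reg.usi_rk
            expected = user_signature(key, service_id, req.get("app_params", ""))
            if not hmac.compare_digest(expected, sig):
                return False, "user digital signature mismatch"
        # Step 23, IP branch: the registered (identifier, IP) pair must match in both directions.
        if ip is not None and (reg.ip != ip or reg.service_id != service_id):
            return False, "IP address does not match user service identifier"
        # Every branch that applied has passed.
        return True, "ok"


def demo() -> dict:
    """Constructed scenario: users A and B register, then an application calls with A's credentials."""
    usi = UsiSystem()
    rk_a = derive_usi_rk(msk=b"\x01" * 64, emsk=b"\x02" * 64)   # constructed MSK/EMSK values
    rk_b = derive_usi_rk(msk=b"\x03" * 64, emsk=b"\x04" * 64)
    usi.register(Registration("userA@home.example", "a7f3@home.example", "10.0.0.5", rk_a))
    usi.register(Registration("userB@home.example", "c91e@home.example", "10.0.0.6", rk_b))
    app_key_a = derive_app_key(rk_a, "video-app-B")   # terminal A derives the same key the USI will
    good = {"service_id": "a7f3@home.example", "ip": "10.0.0.5", "app_id": "video-app-B",
            "app_params": "prepay=5",
            "signature": user_signature(app_key_a, "a7f3@home.example", "prepay=5")}
    # User A hands the application user B's identifier; A can only sign with A's own key.
    spoof = dict(good, service_id="c91e@home.example",
                 signature=user_signature(app_key_a, "c91e@home.example", "prepay=5"))
    return {
        "good": usi.authenticate(good),
        "ip_only": usi.authenticate({"service_id": "a7f3@home.example", "ip": "10.0.0.5"}),
        "spoof": usi.authenticate(spoof),
        "missing": usi.authenticate({"service_id": "a7f3@home.example"}),
        "unregistered": usi.authenticate({"service_id": "zz@home.example", "ip": "10.0.0.99", "signature": "00"}),
        "ip_mismatch": usi.authenticate({"service_id": "a7f3@home.example", "ip": "10.0.0.6"}),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:12s} -> {result}")
```

The "spoof" case is the threat the background section describes: a user who supplies another user's service identifier cannot produce that user's signature, because the USI system recomputes it with the key registered for the identifier actually carried in the request.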

If the above authentication passes, an authentication success message may be returned to the application.

Step 5: after authentication passes, the application may store the correspondence between the user's application-layer identifier and the user service identifier, so that it need not request the USI system to authenticate the user's service identifier every time.

Optionally, if the user service identifier authentication passes and the application-specific key was used to compute the user digital signature, the USI system sends the application-specific key to the application, and the application uses it as a key shared with the user terminal to protect messages or data exchanged between the application and the user terminal.

The above process authenticates the user service identifier when the application calls the USI interface. In practice, to further ensure security, the application may be authenticated at the same time as the user service identifier, as described in Implementation Two.

Implementation Two differs from Implementation One in that, when the application calls the USI interface, it carries application identity information in addition to the user service identifier and user identity information. The USI system's authentication of the user service identifier is the same as in Implementation One and is not repeated here; the USI system can authenticate the application according to the application identity information and the user's policy data configuration information. Authentication of the application comprises the network's authentication of the application's identity and authentication of the application's operation on the user (that is, authentication of the application's interface call). As shown in Figure 3, it comprises the following steps:

Step 31: when calling the USI interface, the application carries the user service identifier and user identity information, together with the application identity information;

Step 32: the network authenticates the application's identity according to the application identity information;

The network's authentication of the application's identity means that the network provider verifies whether this application is allowed to call the interfaces the network provides. The specific authentication process is:

When calling the interface, the application must carry its identity information so that the USI system can confirm the application's identity; only application providers that have signed an agreement with the network operator and run their access to the USI system under it may access the USI interface. The technology for authenticating the application's identity belongs to the prior art and is not limited by the embodiments of the present invention; for example, well-known authentication techniques based on certificates or shared keys may be used.

If the application identity authentication passes, proceed to step 33; otherwise return an authentication failure message to the application, which may carry the reason for the failure;

Step 33: the network authenticates the user service identifier according to the user identity information supplied by the application; the specific authentication process for the user service identifier is the same as in Implementation One and is not repeated here. If authentication of the user service identifier succeeds, proceed to step 34; otherwise return an authentication failure message to the application, which may carry the reason for the failure.

Step 34: the USI system authenticates the application's interface call;

After the application identity authentication and the user service identifier authentication succeed, user-level authentication is still needed to decide whether the application is allowed to call this particular interface to operate on this particular user terminal. That is, the application's operation on the user terminal through the interface call also requires the user terminal's permission, so user-level authorization is required. This can be done by querying the user terminal's configured policy, which may be stored in the USI system, on the AAA server, or on a separately deployed server (a user policy server). If the user's configured policy information is not in the USI system, the USI system exchanges messages with the AAA server or the user terminal policy server, using the user service identifier or the user's NAI as the index, and obtains the user terminal's policy configuration data by a message (XCAP or HTTP GET) in order to determine whether the application's operation on the user terminal is allowed. If authentication passes, an authentication success message is returned to the application; if it fails, an authentication failure message is returned to the application.
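The ordering of steps 32 to 34 in Implementation Two (application identity first, then the user service identifier, then the user's policy for this application and interface), as an added Python example that is not part of the patent and not Huawei's code. It assumes the shared-key variant of application identity authentication that the description mentions as one prior-art option, realized here as an HMAC-SHA256 proof over the application identifier and a nonce (an assumption), a policy store held locally instead of being fetched by XCAP or HTTP GET, and hypothetical names (UsiGateway, app_proof, handle_call); the secrets and policies are constructed sample data, and the user service identifier check of step 33 is passed in as a callable standing in for the Implementation One verification.

```python
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Callable, Dict, Set, Tuple

# Hypothetical names; the proof format and the local policy store are assumptions, not the patent's.


@dataclass
class UsiGateway:
    # Secret shared with each contracted application provider (assumption: the shared-key
    # option among the prior-art techniques the description mentions).
    app_secrets: Dict[str, bytes] = field(default_factory=dict)
    # User-configured policy: user service identifier -> application -> interfaces it may call.
    # Held locally here; the description also allows fetching it from an AAA or policy server.
    user_policies: Dict[str, Dict[str, Set[str]]] = field(default_factory=dict)

    @staticmethod
    def app_proof(secret: bytes, app_id: str, nonce: str) -> str:
        """Proof of application identity: keyed digest over the identifier and a fresh nonce."""
        return hmac.new(secret, f"{app_id}|{nonce}".encode(), hashlib.sha256).hexdigest()

    def authenticate_app(self, app_id: str, nonce: str, proof: str) -> bool:
        """Step 32: only applications that signed with the operator hold a secret here."""
        secret = self.app_secrets.get(app_id)
        if secret is None:
            return False
        return hmac.compare_digest(self.app_proof(secret, app_id, nonce), proof)

    def authorize_call(self, service_id: str, app_id: str, interface: str) -> bool:
        """Step 34: the user's configured policy must allow this application to call this interface."""
        return interface in self.user_policies.get(service_id, {}).get(app_id, set())

    def handle_call(self, call: dict, user_id_check: Callable[[dict], bool]) -> Tuple[bool, str]:
        """Steps 32-34 in order; each failure returns the reason a failure message would carry."""
        if not self.authenticate_app(call["app_id"], call["nonce"], call["proof"]):
            return False, "application identity authentication failed"          # step 32
        if not user_id_check(call):
            return False, "user service identifier authentication failed"       # step 33
        if not self.authorize_call(call["service_id"], call["app_id"], call["interface"]):
            return False, "interface call not permitted by user policy"         # step 34
        return True, "ok"


def demo() -> dict:
    """Constructed scenario in the spirit of Embodiment One: application B charges user A."""
    gw = UsiGateway(
        app_secrets={"video-app-B": b"constructed-secret-for-app-B"},
        user_policies={"a7f3@home.example": {"video-app-B": {"location_query", "prepay_charge"}},
                       "c91e@home.example": {"video-app-B": {"location_query"}}},
    )
    registered = {"a7f3@home.example", "c91e@home.example"}

    def user_ok(call: dict) -> bool:
        # Stand-in for the Implementation One signature/IP verification.
        return call["service_id"] in registered

    def make_call(app_id: str, secret: bytes, service_id: str, interface: str, nonce: str = "n-1") -> dict:
        return {"app_id": app_id, "nonce": nonce, "service_id": service_id, "interface": interface,
                "proof": UsiGateway.app_proof(secret, app_id, nonce)}

    b_secret = gw.app_secrets["video-app-B"]
    return {
        "charge_allowed": gw.handle_call(make_call("video-app-B", b_secret, "a7f3@home.example", "prepay_charge"), user_ok),
        "charge_not_allowed": gw.handle_call(make_call("video-app-B", b_secret, "c91e@home.example", "prepay_charge"), user_ok),
        "unknown_app": gw.handle_call(make_call("rogue-app", b"guess", "a7f3@home.example", "prepay_charge"), user_ok),
        "wrong_secret": gw.handle_call(make_call("video-app-B", b"guess", "a7f3@home.example", "prepay_charge"), user_ok),
        "unknown_user": gw.handle_call(make_call("video-app-B", b_secret, "nobody@home.example", "location_query"), user_ok),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:18s} -> {result}")
```

The "charge_not_allowed" case is the point of step 34: a contracted application with a valid identity and a valid user service identifier is still refused the charging interface when the user's own policy does not grant it, which is the unauthorized-charging scenario the background section raises.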

上述过程实现了应用调用USI接口时,网络对用户业务标识的认证以及对应用的认证,保证了接口调用的安全性。 During the implementation of the above-mentioned application calls USI interface, network authentication service user identification and authentication of applications to ensure the security interface calls.

下面以具体的实施例对本发明实施方式进行详细i兑明。 The following specific examples in detail next i against the embodiment of the present invention. 实施例一,该实施例的应用场景为:用户A是WiMAX网络用户,同时也是付费视频应用B用户,应用B可以调用用户A归属的WiMAX网络的USI接口;用户A在应用B上观看付费视频,并通过WiMAX网络的帐户进行扣费,应用B通过WiMAX网络提供的USI预扣费接口进行扣费,在应用B调用USI预扣费接口时需要对用户A的业务标识进行认证,如图4所示,具体流程包括: First embodiment, the application scenario of this embodiment is as follows: User A is a WiMAX network users, but also paid video application user B, the application B can call the USI interface user A belongs WiMAX network; a user A to watch premium videos on the application B , and the account deductions WiMAX network, the application B provided by the pre-deduction WiMAX network interface USI deductions, the need for service identifier authenticates the user a when the application B calls the interface USI pre deductions, 4 , the specific process comprises:

41. After user A logs in to the WiMAX network, user A initiates registration with the USI system. The registration information includes: the user's network identity information, such as the NAI, the user's IP address, the user service identifier, and the shared key information between the network and the user. The USI records user A's registration information and returns a registration success message to user A;

42. User A interacts with application B at the application layer: user A requests a piece of paid video on application B, provides user identity information and the user service identifier, and asks to be charged through the network (network withholding);

43. Application B, carrying the user service identifier and the user identity information, initiates a user pre-charging request to the USI system of user A's home network and requests the USI system to authenticate the user service identifier (if the interface called is an ordinary service call interface, the request message also carries flag-bit information requesting that the USI system authenticate the user service identifier);

44. The USI system authenticates the application identity and, after the application identity authentication passes, authenticates the user service identifier;

If the application identity authentication fails, an authentication failure message is returned directly and the authentication procedure for the user service identifier is not performed. If the application identity authentication succeeds, the user service identifier is authenticated; if that authentication fails, an authentication failure response is returned to application B;

45. If the user service identifier authentication succeeds, the USI system forwards the pre-charging request message to the accounting system;

46. The accounting system returns a response message to the USI system;

The accounting system returns the response message according to the user's balance: if the balance is insufficient for the charge, a failure response carrying the reason (such as insufficient funds) is returned; if the charge succeeds, a success response is returned.

47. The USI system forwards the response message received from the accounting system to application B;

48. If application B receives a success response message, application B starts playing the video to user A.

The above embodiment authenticates the user service identifier while the application calls the USI interface, improving the security of the interface call.

Embodiment 2. The application scenario of this embodiment is as follows: user A is a WiMAX network user and also a user of instant messaging application B; instant messaging application B can call the USI interface of the WiMAX network to which user A belongs. User A registers his user service identifier on instant messaging application B and allows that, when user A is not logged in to instant messaging application B, instant messages sent to him by friends are delivered to user A through the message server interface provided by the WiMAX network. When application B calls the message server interface, the user service identifier and application B must be authenticated. As shown in FIG. 5, the specific procedure is as follows:

51. After user A logs in to the WiMAX network, user A initiates registration with the USI system. The registration information includes: the user's network identity information (such as the NAI), the IP address, the user service identifier, and the shared key between the network and the user. The USI records user A's registration information and returns a registration success message to user A;

52. User A interacts with instant messaging application B at the application layer: user A registers his user identity information and service identifier with instant messaging application B;

53. Instant messaging application B sends a user service identifier authentication request message to the USI address of user A's home network, carrying user A's user identity information and the user service identifier provided by user A;

The user identity information includes the user digital signature and/or the user IP address information.

54. After receiving the request message asking for authentication of the user service identifier, the USI system first authenticates the identity of application B; after that passes, it authenticates the user service identifier according to the user identity information (such as the digital signature). If the authentication passes, an authentication success message is returned to instant messaging application B. If the earlier authentication fails, the subsequent authentication is not performed; if either authentication fails, an authentication failure message is returned to instant messaging application B and no further operations are performed.

After the above authentication passes, the USI system may further check, according to the user configuration policy, whether application B is allowed to operate on user A (user-level authorization), that is, authenticate application B's interface call. When this authentication completes, an authentication response message is returned to application B: if the authentication succeeds, an authentication success message is returned to application B; if it fails, an authentication failure message is returned to application B.

55. After the authentication passes, instant messaging application B binds user A's service identifier to user A's application-layer identifier. After the above operations are complete, user A logs out of instant messaging application B, so user A is offline on instant messaging application B;

56. While user A is offline, instant messaging application B receives an instant message sent by a friend of user A to user A. According to the policy that user A set on instant messaging application B, instant messaging application B calls the USI message interface to forward the message (the user configuration policy is configured in advance by the user; the policy may be that, when user A is not logged in to application B, that is, offline, messages sent by friends are delivered through the USI interface to user A's WiMAX terminal). The message carries user A's service identifier;

57. After receiving the message interface call message, the USI authenticates the identity of instant messaging application B and authenticates the interface call, that is, it checks user A's configuration policy to verify whether application B is allowed to send messages to user A. After the verification passes, the USI forwards the call message to the message server, and the message server forwards the message to user A;

Before forwarding the message, the USI may, according to the stored correspondence between the user service identifier and the NAI, replace the user service identifier with the user's NAI address and then forward the message to the message server;

58. After the message is forwarded successfully, the USI system returns a response message to instant messaging application B. This embodiment authenticates the user service identifier and the application interface call during the interface call procedure, effectively ensuring the security of the interface call.

Embodiment 3 of the present invention provides a secure interface calling system, which includes an application server and an interface call authentication system.

The application server is configured to carry the user service identifier and the user identity information in the interface call request message and to send the interface call request message to the interface call authentication system;

Further, in an embodiment of the present invention, the application server may also be configured to obtain the user identity information and the user service identifier when interacting with the user terminal, and to carry the user service identifier and the user identity information in the interface call request message when calling the interface.

In an embodiment of the present invention, the user identity information includes the user digital signature and/or the user IP address information. Further, the interface call request message optionally carries application identity information.

The interface call authentication system is configured to obtain the user identity information and the user service identifier provided by the application server, and to authenticate the user service identifier using the user identity information;

Optionally, the information that the interface call authentication system obtains from the application server further includes application identity information, the application's identifier and application-layer parameters. Optionally, the application identity and the application's interface call are also authenticated.

The process of authenticating the user service identifier using the user identity information includes: if the user identity information contains a user digital signature, the network looks up the shared key between the user terminal and the network according to the received user service identifier or user IP address, computes the user digital signature with the shared key or a key derived from it using the same algorithm as the user terminal, and compares the result with the received user digital signature; if they match, the user service identifier authentication passes, otherwise the user service identifier authentication fails;

If the user identity information contains the user IP address, the IP address is used as an index to find the user service identifier corresponding to that IP address in the registration information, and that identifier is compared with the user service identifier carried in the interface call; or the user service identifier carried in the interface call request message is used as an index to find the corresponding IP address in the registration information, which is compared with the IP address carried in the interface call request message. If they match, the user service identifier authentication passes; otherwise the user service identifier authentication fails.

If the user identity information contains both a user digital signature and user IP address information, both of the above authentications are performed.

By carrying the user service identifier and the user identity information in the interface call and authenticating the user service identifier according to that user identity information, the embodiment of the present invention effectively ensures the security of the interface call.

Embodiment 4 of the present invention provides a user terminal; FIG. 6 is a schematic block diagram of the user terminal. The user terminal is configured to report the user identity information and the user service identifier when interacting with an application.

It is provided with:

a user identity information generating unit, configured to compute and generate the user identity information from the shared key between the user terminal and the network or from a key derived from the shared key. The user's service identifier or application-layer parameters may also be input to the computation.

In an embodiment of the present invention, the user identity information generated by the computation is the user digital signature.

an information exchange unit, configured to exchange information with the application device;

an authentication information reporting unit, configured to report, in the information exchanged with the application device, authentication-related information that includes the user service identifier and the user identity information.

In an embodiment of the present invention, the reported user identity information may include the user digital signature and/or the user IP address information.

In the embodiment of the present invention, the user terminal reports authentication-related information including the user service identifier and the user identity information while interacting with the application server, which facilitates subsequent use of that user identity information to authenticate the user service identifier during the interface call and effectively ensures the security of the interface call.

Embodiment 5 of the present invention provides an application server; FIG. 7 is a schematic block diagram of the application server. The application server is configured to obtain the user identity information and the user service identifier when interacting with the user terminal and, when calling an interface, to carry the user service identifier and the user identity information in the interface call request message and request authentication of the user service identifier;

It is provided with:

an authentication information receiving unit, configured to receive authentication-related information reported by the user terminal that includes the user service identifier and the user identity information;

In an embodiment of the present invention, the authentication-related information may also carry the application's identifier, application-layer parameters and application identity information.

an interface calling unit, configured to call the relevant interface according to the user service identifier and to carry the received user service identifier and user identity information in the interface call request message;

In an embodiment of the present invention, the interface call request message optionally carries application identity information, the application's identifier and/or application-layer parameters. The application server is further provided with:

a flag setting unit, configured to set, in the interface call request message, a flag bit requesting authentication of the user service identifier.

In the embodiment of the present invention, when calling an interface the application server carries the user service identifier and the user identity information in the interface call request message and requests authentication of the user service identifier, so that the interface can authenticate the user service identifier according to that user identity information, effectively ensuring the security of the interface call.

Embodiment 6 of the present invention provides an interface call authentication system; FIG. 8 is a schematic block diagram of the interface call authentication system. It is configured to obtain the user identity information and the user service identifier provided by the application server and to authenticate the user service identifier using the user identity information;

Optionally, the information that the interface call authentication system obtains from the application server may further include application identity information, the application's identifier and application-layer parameters. Optionally, the interface call authentication system authenticates the application's identity and the application's interface call.

It is provided with:

a receiving unit, configured to receive an interface call request message carrying the user service identifier and the user identity information;

In an embodiment of the present invention, the user identity information includes the user digital signature and/or the user IP address information;

In an embodiment of the present invention, the interface call request message optionally includes one or more of application identity information, the application's identifier and application-layer parameters.

a user service identifier authentication unit, configured to authenticate the user service identifier according to the received user identity information.

If the user identity information contains a user digital signature, the network looks up the shared key between the user terminal and the network according to the received user service identifier or user IP address, computes the user digital signature with the shared key or a key derived from it using the same algorithm as the user terminal, and compares the result with the received user digital signature; if they match, the user service identifier authentication passes, otherwise the user service identifier authentication fails;

If the user identity information contains the user IP address, the IP address is used as an index to find the user service identifier corresponding to that IP address in the registration information, and that identifier is compared with the user service identifier carried in the interface call; or the user service identifier carried in the interface call request message is used as an index to find the corresponding IP address in the registration information, which is compared with the IP address carried in the interface call request message. If they match, the user service identifier authentication passes; otherwise the user service identifier authentication fails.

If the user identity information contains both a user digital signature and user IP address information, both of the above authentications are performed.
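As an added example that is not part of the patent, the following Python models the interface-call authentication system of Embodiments 3 and 6 (application identity first, then the user service identifier via the user digital signature and/or the IP address, then user-policy authorization of the interface call), together with the terminal-side signature generation of Embodiment 4. The HMAC-SHA256 signature, the key derivation, the in-memory registration, policy and application-credential stores, and every field and function name are assumptions of this example, not anything the patent specifies.

```python
"""Model of the USI-side checks described in the patent (constructed example)."""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass
class Registration:
    """What the USI records at registration (steps 41/51)."""
    nai: str
    ip: str
    service_id: str      # user service identifier
    shared_key: bytes    # key shared between terminal and network


@dataclass
class CallRequest:
    """Interface call request message; field names are invented for this example."""
    app_id: str
    app_secret: bytes                 # stand-in for "application identity information"
    interface: str                    # e.g. "precharge" or "message"
    service_id: str
    signature: Optional[bytes] = None  # user digital signature, if reported
    ip: Optional[str] = None           # user IP address, if reported
    auth_flag: bool = True             # flag bit requesting service-identifier auth


def derive_key(shared_key: bytes, app_layer_param: bytes) -> bytes:
    """Key derived from the shared key, with an application-layer parameter mixed in.
    A single HMAC round stands in for a real KDF (assumption of this example)."""
    return hmac.new(shared_key, b"usi-derive|" + app_layer_param, hashlib.sha256).digest()


def user_signature(key: bytes, service_id: str) -> bytes:
    """Terminal side (Embodiment 4): signature over the user service identifier."""
    return hmac.new(key, service_id.encode(), hashlib.sha256).digest()


def terminal_identity_info(reg: Registration, app_id: str):
    """What the terminal reports to the application: (signature, IP address)."""
    return user_signature(derive_key(reg.shared_key, app_id.encode()), reg.service_id), reg.ip


class USI:
    def __init__(self, apps: Dict[str, bytes], regs: List[Registration],
                 policies: Dict[str, Dict[str, Set[str]]]):
        self.apps = apps                                    # app_id -> secret
        self.by_service_id = {r.service_id: r for r in regs}
        self.policies = policies                            # service_id -> interface -> allowed apps

    def authenticate_application(self, req: CallRequest) -> bool:
        secret = self.apps.get(req.app_id)
        return secret is not None and hmac.compare_digest(secret, req.app_secret)

    def authenticate_service_id(self, req: CallRequest) -> bool:
        """Signature check and/or IP check; both must pass when both are present."""
        reg = self.by_service_id.get(req.service_id)
        if reg is None or (req.signature is None and req.ip is None):
            return False
        if req.signature is not None:
            # Same algorithm and same derived key as the terminal used.
            expected = user_signature(derive_key(reg.shared_key, req.app_id.encode()),
                                      req.service_id)
            if not hmac.compare_digest(expected, req.signature):
                return False
        if req.ip is not None:
            # Index by service identifier and compare the registered IP address
            # (the second variant described in the text).
            if reg.ip != req.ip:
                return False
        return True

    def authorize_call(self, req: CallRequest) -> bool:
        """User-level authorization from the user configuration policy."""
        return req.app_id in self.policies.get(req.service_id, {}).get(req.interface, set())

    def handle(self, req: CallRequest) -> str:
        if not self.authenticate_application(req):
            return "AUTH_FAIL:application"        # later checks are skipped
        if req.auth_flag and not self.authenticate_service_id(req):
            return "AUTH_FAIL:user_service_identifier"
        if not self.authorize_call(req):
            return "AUTH_FAIL:interface_call_not_permitted"
        return "AUTH_SUCCESS"


# Constructed sample data for user A and application B.
REG_A = Registration("userA@wimax.example", "192.0.2.10", "svc-A-001",
                     b"constructed-shared-key-for-user-A")
APPS = {"app-B": b"constructed-app-B-secret"}
POLICIES = {"svc-A-001": {"precharge": {"app-B"}, "message": set()}}


def demo() -> Dict[str, str]:
    usi = USI(APPS, [REG_A], POLICIES)
    sig, ip = terminal_identity_info(REG_A, "app-B")
    base = dict(app_id="app-B", app_secret=APPS["app-B"], service_id="svc-A-001")
    return {
        "good": usi.handle(CallRequest(interface="precharge", signature=sig, ip=ip, **base)),
        "forged_signature": usi.handle(CallRequest(interface="precharge",
                                                   signature=b"\x00" * 32, ip=ip, **base)),
        "spoofed_ip": usi.handle(CallRequest(interface="precharge", signature=sig,
                                             ip="198.51.100.7", **base)),
        "not_allowed": usi.handle(CallRequest(interface="message", signature=sig, ip=ip, **base)),
        "bad_app": usi.handle(CallRequest("app-B", b"wrong", "precharge", "svc-A-001", sig, ip)),
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome}")
```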

It may further be provided with:

an application authentication unit, configured to authenticate the application's identity and the application's interface call. In an embodiment of the present invention, the application authentication unit obtains the user configuration policy according to the authenticated user service identifier and determines from that configuration policy whether the application's interface call is allowed; if it is allowed, the interface call authentication passes, and if not, the interface call authentication fails.

In an embodiment of the present invention, the application authentication unit authenticates the application's identity according to the received application identity information. The interface call authentication system may also be provided with a dedicated user service identifier authentication interface, which the application device can call to authenticate the user service identifier. The interface call authentication system may be a USI system or any other system able to implement this function; the embodiments of the present invention do not limit this.

In summary, the embodiments of the present invention authenticate the user service identifier during the interface call, effectively ensuring the security of the interface call.

This improves the security of WiMAX users' use of USI services when USI interfaces are called, and further ensures the security of deploying the USI system in an operator network.

Those of ordinary skill in the art will understand that all or part of the steps of the methods in the above embodiments may be completed by a program instructing the relevant hardware. The program may be stored in a computer-readable storage medium and, when executed, includes the following steps:

an interface receives an interface call request message sent by an application that carries a user service identifier and user identity information;

the user service identifier is authenticated according to the received user identity information.

The storage medium mentioned above may be a readable memory, a magnetic disk, an optical disc, or the like. The above are merely preferred specific embodiments of the present invention, but the protection scope of the present invention is not limited thereto; any change or replacement that a person skilled in the art could readily conceive within the technical scope disclosed by the present invention shall fall within the protection scope of the present invention. Therefore, the protection scope of the present invention shall be defined by the protection scope of the claims.

Claims (19)

  1. 1、一种安全接口调用方法,其特征在于,包括:接口接收到应用发送的携带有用户业务标识和用户身份信息的接口调用请求消息;根据所述接收的用户身份信息对所述用户业务标识进行认证。 1, a secure method call interface, the method comprising: receiving an interface to the application sent by the calling user interfaces carries the service identification information and the user identity request message; The user identity information of the received service identification of the user authentication.
  2. 2、 如权利要求1所述的方法,其特征在于,所述用户身份信息包括下述任意一种或多种:用户数字签名、用户IP地址信息;所述用户数字签名是利用用户终端与网络的共享密钥或利用所述共享密钥派生出的密钥计算产生的。 2. The method as claimed in claim 1, wherein the user identity information comprises any one or more of the following: a user digital signature, user IP address information; digital signature of the user is using the user terminal and the network computing a shared key generated using the key or the shared key is derived.
  3. 3、 如权利要求2所述的方法,其特征在于,所述用户数字签名包含在用户业务标识中。 3. The method as claimed in claim 2, wherein said digital user signature contained in the user service ID.
  4. 4、 如权利要求1或2所述的方法,其特征在于,所述用户业务标识和用户身份信息由用户终端在与应用进行应用层交互时上报给应用。 4. The method of claim 1 or claim 2, wherein the user service identifier and the user identity information when the user equipment to the application interact with the application by the user application layer.
  5. 5、 如权利要求2所述的方法,其特征在于,所述根据所述接收的用户身份信息对所述用户业务标识进行认证的步骤包括:若用户身份信息包含用户数字签名,则网络根据接收的用户业务标识或是用户IP地址查找到用户终端与网络的共享密钥,利用该共享密钥或利用共享密钥派生出的密钥使用与用户终端一致的算法计算用户数字签名,与所述接收的用户数字签名进行比较, 一致则表示用户业务标识认证通过,否则表示用户业务标识H〖正失败;若用户身份信息包含用户IP地址信息,则利用所述IP地址作为索引,在注册信息中查找到该IP地址对应的用户业务标识,与所述接口调用中携带的用户业务标识进行比较;或以接口调用请求消息中携带的用户业务标识作为索引,在注册信息中查找到对应的IP地址,与接口调用请求消息中携带的IP地址进行比较,如果 5. The method of claim 2, wherein said step of user identity information according to the received authentication identifier of the user service comprising: a user if the user identity information comprises a digital signature, the network in accordance with the received the user service identifier or IP address of the user finds the user terminal and the network of the shared key, the shared key by using the user or calculated using a digital signature key shared derived key with the user terminal using the same algorithm, and the receiving a digital user signature is compared, the same identifier indicates a user authentication service, or that a user service identifier H n 〖failure; if the user information includes user identification information of the IP address, using the IP address as the index, in the registration information find the IP address corresponding to a user service identifier carried in the call with the interface comparing user service identifier; or interface call request message carries the user traffic identifier as an index to find the corresponding IP address in the registration information , IP address, and the message carries the interface call requesting to compare, if 致则表示用户业务标识认证通过,否则表示用户业务标识认证失败。 Cause it means that the user identity authentication service, or that a user service identity authentication fails.
  6. 6、 如权利要求1或5所述的方法,其特征在于,用户业务标识^人证通过后,还包括:应用将该用户业务标识与应用层标识绑定。 6. The method as claimed in claim 1 or 5, characterized in that, after the user service identifier ^ by witnesses, further comprising: application service identifier and the user application layer identifier binding.
  7. 7、 如权利要求5所述的方法,其特征在于,如果用户业务标识认证通过,并且使用的是共享密钥派生出的密钥来计算用户数字签名,在用户业务标识^人证通过后,还包括:将所述共享密钥派生的密钥发送给应用,作为应用与用户终端通信的专用共享密钥,对应用与用户终端之间的消息或数据进行保护。 7. The method as claimed in claim 5, wherein, if the service identifier of the user authentication and key derivation using a shared key to calculate a user's digital signature, after the user service identifier ^ by witnesses, further comprising: a key derived the shared key to the application, as the private key shared with the user terminal communication application, messages or data between the application and the user terminal protected.
  8. 8、 如权利要求1或2所述的方法,其特征在于,所述接口调用请求消息中还携带有应用身份信息。 8. A method as claimed in claim 1 or 2, wherein the interface call request message further carries the application identity information.
  9. 9、 如权利要求8所述的方法,其特征在于,接口接收到应用发送的携带有用户业务标识和用户身份信息的接口调用请求消息之后,根据所述接收的用户身份信息对所述用户业务标识进行^人证之前,还包括:网络提供商根据应用身份信息验证应用身份,确定允许所述应用调用所述接口。 9. A method as claimed in claim 8, characterized in that, after receiving the interface application sent by the calling user interfaces carries the service identification information and the user identity request message, according to the received user identity information of the user service ^ performed prior to identifying witnesses, further comprising: a network provider in accordance with the application identification information verifying the identity of the application, allowing the application to determine the call interface.
  10. 10、 如权利要求1或2所述的方法,其特征在于,根据所述接收的用户身份信息对所述用户业务标识进行认证,且认证通过后,还包括对应用的4妻口调用进行认证的步骤,所述对应用的接口调用进行认证的步骤具体包括:根据认证通过的用户业务标识获取用户配置策略;根据所述配置策略判断是否允许所述应用的接口调用,若允许,则接口调用认证成功,若不允许,则接口调用^人证失败。 10. A method as claimed in claim 1 or 2, characterized in that, to authenticate the user service identifier according to the received user identity information, and after the authentication, further comprising four ports wife calling application authenticating step, the step of authenticating said application interface call comprises: obtaining user configuration policy based on the user authentication service identifier; in accordance with the configuration policy determines whether to allow the application interface call, if allowed, the interface calls authentication is successful, if not possible, then the interface calls ^ witnesses failed.
  11. 11、 如权利要求1所述的方法,其特征在于,所述接口调用请求消息中携带有表示请求对用户业务标识进行认证的标志位。 11. The method as claimed in claim 1, wherein the interface call request message carries flag bit representing a request for authentication of the user service identifier.
12. A user terminal, characterized by comprising: a user identity information generating unit, configured to compute and generate user identity information from a key shared between the user terminal and the network, or from a key derived from that shared key; an information exchange unit, configured to exchange information with an application device; and an authentication information reporting unit, configured to report, within the information exchanged with the application device, authentication-related information that includes a user service identifier and the user identity information.
13. An application server, characterized by comprising: an authentication information receiving unit, configured to receive authentication-related information reported by a user terminal, the information including a user service identifier and user identity information; and an interface calling unit, configured to call the related interface according to the user service identifier, and to carry the received user service identifier and user identity information in the interface call request message.
14. The application server according to claim 13, characterized in that the interface call request message further carries application identity information indicating the identity of the application server, an identifier of the application, and/or application-layer parameters.
15. The application server according to claim 13 or 14, characterized by further comprising: a flag bit setting unit, configured to set, in the interface call request message, a flag bit requesting that the user service identifier be authenticated.
16. An interface call authentication system, characterized by comprising: a receiving unit, configured to receive an interface call request message carrying a user service identifier and user identity information; and a user service identifier authentication unit, configured to authenticate the user service identifier according to the received user identity information.
17. The interface call authentication system according to claim 16, characterized by further comprising: an application authentication unit, configured to authenticate the identity of the application and the interface call made by the application.
18. A secure interface calling system, characterized by comprising: an application server, configured to carry a user service identifier and user identity information in an interface call request message and to send the interface call request message to an interface call authentication system; and the interface call authentication system, configured to authenticate the user service identifier according to the user identity information carried in the interface call request message.
19. The system according to claim 18, characterized in that the interface call authentication system is further configured to authenticate the application identity and the interface call made by the application.
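The three-party flow of claims 12 to 19 (terminal derives identity information from the shared key and reports it with its service identifier; application server relays both in an interface call request together with its own identity, parameters and a flag; network-side authentication system checks the application and then the user) as an added, self-contained model in Python. This is editorial example code, not code from the patent or from Huawei. The claims leave the computation of the user identity information unspecified; the example assumes an HMAC-SHA256 tag under a key derived from the shared key, bound to the service identifier, a nonce and a timestamp, and it assumes an HMAC-based application credential, a per-application interface allow-list and a nonce replay cache, none of which the claims describe. All keys, identifiers and interface names are constructed for the demonstration.

```python
import hashlib
import hmac
import json
import secrets
import time
from typing import Dict, Optional, Set, Tuple

# Assumption: the terminal does not use the shared key directly but a key
# derived from it (the claims allow either). One-step HKDF-Expand-style
# derivation: HMAC-SHA256(shared_key, label || 0x01).
def derive_key(shared_key: bytes, label: bytes = b"interface-call-auth") -> bytes:
    return hmac.new(shared_key, label + b"\x01", hashlib.sha256).digest()

def canonical(msg: dict, fields) -> bytes:
    """Deterministic byte encoding of exactly the fields a tag covers."""
    return json.dumps({f: msg[f] for f in fields}, sort_keys=True).encode()

# Fields covered by the user identity information (claim 12) and by the
# application tag (claims 14/15). The flag is inside the app tag so the
# application cannot silently drop the user-authentication request.
USER_TAG_FIELDS = ("service_id", "nonce", "ts")
APP_TAG_FIELDS = ("app_id", "interface", "service_id", "user_identity_info",
                  "nonce", "ts", "app_params", "auth_user_flag")

class UserTerminal:
    def __init__(self, service_id: str, shared_key: bytes):
        self.service_id = service_id
        self.k_ia = derive_key(shared_key)      # shared key itself never leaves the terminal

    def auth_info(self, now: Optional[float] = None) -> dict:
        """Claim 12: authentication-related information reported to the application."""
        info = {"service_id": self.service_id, "nonce": secrets.token_hex(8),
                "ts": int(now if now is not None else time.time())}
        info["user_identity_info"] = hmac.new(
            self.k_ia, canonical(info, USER_TAG_FIELDS), hashlib.sha256).hexdigest()
        return info

class ApplicationServer:
    def __init__(self, app_id: str, app_key: bytes):
        self.app_id, self.app_key = app_id, app_key

    def interface_call_request(self, auth_info: dict, interface: str, app_params: dict) -> dict:
        """Claims 13-15: relay service id + identity info, add app identity, parameters, flag."""
        req = dict(auth_info, app_id=self.app_id, interface=interface,
                   app_params=app_params, auth_user_flag=True)
        req["app_tag"] = hmac.new(self.app_key, canonical(req, APP_TAG_FIELDS),
                                  hashlib.sha256).hexdigest()
        return req

class InterfaceCallAuthSystem:
    MAX_SKEW = 300  # seconds; assumption, not in the claims

    def __init__(self, user_keys: Dict[str, bytes], app_keys: Dict[str, bytes],
                 app_acl: Dict[str, Set[str]]):
        self.user_keys, self.app_keys, self.app_acl = user_keys, app_keys, app_acl
        self.seen: Set[Tuple[str, str]] = set()   # (service_id, nonce) replay cache

    def authenticate(self, req: dict, now: Optional[float] = None) -> Tuple[bool, str]:
        now = now if now is not None else time.time()
        # Claims 17/19: the application's identity and the call it is making.
        app_key = self.app_keys.get(req.get("app_id"))
        if app_key is None:
            return False, "unknown application"
        expected = hmac.new(app_key, canonical(req, APP_TAG_FIELDS), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, req.get("app_tag", "")):
            return False, "bad application tag"
        if req.get("interface") not in self.app_acl.get(req["app_id"], set()):
            return False, "interface not permitted for this application"
        if not req.get("auth_user_flag"):
            return True, "application authenticated; user authentication not requested"
        # Claims 16/18: the user service identifier, checked against the identity info.
        shared = self.user_keys.get(req.get("service_id"))
        if shared is None:
            return False, "unknown user service identifier"
        tag = hmac.new(derive_key(shared), canonical(req, USER_TAG_FIELDS),
                       hashlib.sha256).hexdigest()
        if not hmac.compare_digest(tag, req.get("user_identity_info", "")):
            return False, "user identity information does not match service identifier"
        if abs(now - req["ts"]) > self.MAX_SKEW:
            return False, "stale request"
        if (req["service_id"], req["nonce"]) in self.seen:
            return False, "replayed request"
        self.seen.add((req["service_id"], req["nonce"]))
        return True, "application and user authenticated"

def demo() -> Dict[str, bool]:
    """End-to-end run plus three failure cases; constructed keys and names."""
    k_alice, k_bob, k_app = (secrets.token_bytes(32) for _ in range(3))
    auth = InterfaceCallAuthSystem(
        user_keys={"alice@example.net": k_alice, "bob@example.net": k_bob},
        app_keys={"app-weather": k_app}, app_acl={"app-weather": {"getLocation"}})
    ue, app, now = UserTerminal("alice@example.net", k_alice), ApplicationServer("app-weather", k_app), time.time()
    req = app.interface_call_request(ue.auth_info(now), "getLocation", {"precision": "city"})
    out = {"ok": auth.authenticate(req, now)[0], "replay": auth.authenticate(req, now)[0]}
    # A compromised application swaps in another subscriber's identifier: the tag no longer verifies.
    forged = dict(req, service_id="bob@example.net")
    forged["app_tag"] = hmac.new(k_app, canonical(forged, APP_TAG_FIELDS), hashlib.sha256).hexdigest()
    out["substituted_user"] = auth.authenticate(forged, now)[0]
    out["unpermitted_interface"] = auth.authenticate(
        app.interface_call_request(ue.auth_info(now), "sendSms", {}), now)[0]
    return out
```

The point the example makes concrete is the one the claims rely on: the application server only relays the user identity information, it cannot mint it, because the shared key (and the key derived from it) exists only on the terminal and on the network side, so a forwarded request vouches for the user only if the network-side check recomputes the tag with the key it holds for that service identifier.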
Application CN 200810007068 (published as CN101499904A, en) | Priority date 2008-02-01 | Filing date 2008-02-01 | Method, apparatus and system for safe interface call

Priority Applications (1)

Application Number | Priority Date | Filing Date | Title
CN 200810007068 (CN101499904A, en) | 2008-02-01 | 2008-02-01 | Method, apparatus and system for safe interface call

Applications Claiming Priority (2)

Application Number | Priority Date | Filing Date | Title
CN 200810007068 (CN101499904A, en) | 2008-02-01 | 2008-02-01 | Method, apparatus and system for safe interface call
PCT/CN2009/070177 (WO2009097778A1, en) | 2008-02-01 | 2009-01-16 | A method, device and system for calling the security interface

Publications (1)

Publication Number | Publication Date
CN101499904A (en) | 2009-08-05

Family

Family ID: 40946797

Family Applications (1)

Application Number | Title | Priority Date | Filing Date
CN 200810007068 (CN101499904A, en) | Method, apparatus and system for safe interface call | 2008-02-01 | 2008-02-01

Country Status (2)

Country | Link
CN (1) | CN101499904A (en)
WO (1) | WO2009097778A1 (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication Number | Priority Date | Publication Date | Assignee | Title
CN102779071A (en) * | 2012-06-14 | 2012-11-14 | 华为技术有限公司 (Huawei Technologies Co., Ltd.) | Method, device and system for calling software interface
CN105721163A (en) * | 2009-08-11 | 2016-06-29 | 中兴通讯股份有限公司 (ZTE Corporation) | System and method for accessing visited service provider
WO2017129008A1 (en) * | 2016-01-29 | 2017-08-03 | 广州广电运通金融电子股份有限公司 (GRG Banking Equipment Co., Ltd.) | Application authentication method and apparatus for Linux system based financial self-service device

Family Cites Families (6)

* Cited by examiner, † Cited by third party
Publication Number | Priority Date | Publication Date | Assignee | Title
EP1905191B1 (en) * | 2005-07-20 | 2014-09-03 | Verimatrix, Inc. | Network user authentication system and method
CN1731723A (en) * | 2005-08-19 | 2006-02-08 | 上海林果科技有限公司 | Electron/handset token dynamic password identification system
US20070143830A1 (en) * | 2005-12-20 | 2007-06-21 | International Business Machines Corporation | Method, apparatus and system for preventing unauthorized access to password-protected system
CN1889430A (en) * | 2006-06-21 | 2007-01-03 | 南京联创网络科技有限公司 | Safety identification control method based on 802.1X terminal wideband switching-in
CN100574193C (en) * | 2006-10-31 | 2009-12-23 | 华为技术有限公司 (Huawei Technologies Co., Ltd.) | Method and system for switching third party landing and third party website and service server
CN101102192A (en) * | 2007-07-18 | 2008-01-09 | 北京飞天诚信科技有限公司 | Authentication device, method and system

Also Published As

Publication Number | Publication Date | Type
WO2009097778A1 (en) | 2009-08-13 | application

Similar Documents

Publication | Title
US7562221B2 (en) Authentication method and apparatus utilizing proof-of-authentication module
US20120297187A1 (en) Trusted Mobile Device Based Security
US20110004753A1 (en) Certificate generating/distributing system,certificate generating/distributing method and certificate generating/distributing program
US20110067095A1 (en) Method and apparatus for trusted authentication and logon
US20120150742A1 (en) System and Method for Authenticating Transactions Through a Mobile Device
US6996716B1 (en) Dual-tier security architecture for inter-domain environments
US20040117623A1 (en) Methods and apparatus for secure data communication links
US20120284786A1 (en) System and method for providing access credentials
US20100082977A1 (en) SIP Signaling Without Constant Re-Authentication
US7823192B1 (en) Application-to-application security in enterprise security services
US20070250904A1 (en) Privacy protection system
US6993652B2 (en) Method and system for providing client privacy when requesting content from a public server
US20080134311A1 (en) Authentication delegation based on re-verification of cryptographic evidence
US20100122333A1 (en) Method and system for providing a federated authentication service with gradual expiration of credentials
US20040199768A1 (en) System and method for enabling enterprise application security
US7350074B2 (en) Peer-to-peer authentication and authorization
US20120023568A1 (en) Method and Apparatus for Trusted Federated Identity Management and Data Access Authorization
US20080098457A1 (en) Identity controlled data center
US8776204B2 (en) Secure dynamic authority delegation
US20140156531A1 (en) System and Method for Authenticating Transactions Through a Mobile Device
US20040073801A1 (en) Methods and systems for flexible delegation
US8353016B1 (en) Secure portable store for security skins and authentication information
US20050144463A1 (en) Single sign-on secure service access
US20080301785A1 (en) Systems, methods and computer program products for providing additional authentication beyond user equipment authentication in an ims network
US20140075513A1 (en) Device token protocol for authorization and persistent authentication shared across applications

Legal Events

Code | Title
C06 | Publication
C10 | Request of examination as to substance
C12 | Rejection of an application for a patent