CN101499904A - Method, apparatus and system for safe interface call - Google Patents

Method, apparatus and system for safe interface call Download PDF

Info

Publication number
CN101499904A
CN101499904A CN 200810007068 CN200810007068A CN101499904A CN 101499904 A CN101499904 A CN 101499904A CN 200810007068 CN200810007068 CN 200810007068 CN 200810007068 A CN200810007068 A CN 200810007068A CN 101499904 A CN101499904 A CN 101499904A
Authority
CN
China
Prior art keywords
service identification
user service
application
user
identity information
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN 200810007068
Other languages
Chinese (zh)
Inventor
彭程晖
李波杰
梁文亮
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Huawei Technologies Co Ltd
Original Assignee
Huawei Technologies Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Huawei Technologies Co Ltd filed Critical Huawei Technologies Co Ltd
Priority to CN 200810007068 priority Critical patent/CN101499904A/en
Publication of CN101499904A publication Critical patent/CN101499904A/en
Pending legal-status Critical Current

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00Network-specific arrangements or communication protocols supporting networked applications
    • H04L67/16Service discovery or service management, e.g. service location protocol [SLP] or Web services
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for supporting authentication of entities communicating through a packet data network
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communication
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communication including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials

Abstract

The invention relates to a safe interface calling method in the technical field of communication, which comprises the following steps: an interface receives an interface calling request message which carries user business identifier and user identity information and is sent by an application; according to the received user identity information, the user business identifier which is carried in the interface calling request message is validated, if the validation is passed, authentication of the user business identifier is determined as successful; and if failed, the authentication of the user business identifier is determined as failed. The invention further provides a safe interface calling device and a safe interface calling system. The embodiment of the invention realizes the authentication of the user business identifier in an interface calling process, thus effectively guaranteeing the security of interface calling.

Description

A kind of safe interface call method, Apparatus and system
Technical field
The present invention relates to communication technical field, relate in particular to a kind of safe interface call method, Apparatus and system.
Background technology
General service interface (USI, Universal Services Interface) system is that micro-wave access to global intercommunication forum (WiMAX, Worldwide Interoperability Microwave AccessForum) network is with the open interface of giving in the net or netting outer application server of professional ability.By calling the professional ability interface that USI provides, application and development inserts simpler that user's business will become at WiMAX, and can be convenient insert the service that the user provides personalization for WiMAX.The WiMAX network comprises service quality (QoS, Quality of Service), charging, location-based service etc. by the ability of USI open system.
When application access USI system, need carry user's identify label parameter, the WiMAX network can be according to the user of this identify label parameter query to operation; General this sign is that the WiMAX network allocation is given the user, be used to offer the third party system, the object (user) of sign operation when making the USI interface that third party's system call WiMAX network provides, the present invention claims this to be designated the service identification that the WiMAX network offers the user, is called for short user service identification.The WiMAX network can inquire the user of application need operation according to this user service identification, thereby can carry out the operation of application request to this user.
Generally speaking, the user and use between be that to carry out application layer mutual, so user service identification also is to offer application server by the user, the service identification that application server provides by the user calls the USI interface, finish specific service logic, such as place information inquiry, charging etc.
In the process that realizes prior art, the inventor finds the aforesaid operations flow process, and there are the following problems:
When application call USI interface, network does not authenticate the service identification that the user offers application, the also process that operation (i.e. interface interchange to using) of using the user is not authenticated, might provide other users' service identification to application such as the user, or the user service identification that application server (from non-network trust territory) provides is not passed through subscriber authorisation, and called the interface (as the interface of deducting fees) that does not pass through subscriber authorisation to the user, therefore there is safety problem in existing USI access mechanism.
Application as herein described comprises service provider or application provider.
Summary of the invention
The embodiment of the invention provides a kind of safe interface call method, Apparatus and system, by in the interface interchange process user service identification being authenticated, has effectively guaranteed the safety of interface interchange.
The embodiment of the invention is achieved through the following technical solutions:
The embodiment of the invention provides a kind of safe interface call method, comprising:
Interface receives uses the interface interchange request message that carries user service identification and subscriber identity information that sends;
Subscriber identity information according to described reception authenticates described user service identification.
The embodiment of the invention provides a kind of user terminal, comprising:
The subscriber identity information generation unit is used for generating subscriber identity information according to the shared key of user terminal and network or the cipher key calculation of utilizing shared key derivation to go out;
The information interaction unit is used for and the application apparatus interactive information;
Authentication information reports the unit, is used for reporting the authentication-related information that comprises user service identification and subscriber identity information in information described and that application apparatus is mutual.
The embodiment of the invention provides a kind of application server, comprising:
The authentication information receiving element is used to receive the authentication-related information that comprises user service identification and subscriber identity information of user terminal to send up;
The interface interchange unit is used for calling relevant interface according to described user service identification, and carries the user service identification and the subscriber identity information of described reception in the interface interchange request message.
The embodiment of the invention provides a kind of interface interchange Verification System, comprising:
Receiving element is used to receive the interface interchange request message that carries user service identification and subscriber identity information;
The user service identification authentication ' unit is used for according to the subscriber identity information of described reception described user service identification being authenticated.
The application authorization unit is used for the identity of application and the interface interchange of application are authenticated.
The embodiment of the invention provides a kind of safe interface calling system, comprising:
Application server is used for carrying user service identification and subscriber identity information at the interface interchange request message, and described interface interchange request message is sent to described interface interchange Verification System;
The interface interchange Verification System is used for according to the subscriber identity information of described interface interchange request message described user service identification being authenticated.
The technical scheme that is provided by the invention described above embodiment as can be seen, the embodiment of the invention is by carrying user service identification and subscriber identity information in the interface interchange process, according to this subscriber identity information user service identification is authenticated, effectively guaranteed the safety of interface interchange.
Description of drawings
Fig. 1 is embodiment of the present invention one a described safe interface call method flow chart;
Fig. 2 carries out identifying procedure figure for a pair of user service identification of embodiment of the present invention;
Fig. 3 is embodiment of the present invention two described safe interface call method flow charts;
Fig. 4 is the embodiment of the invention one a safe interface call operation flow chart;
Fig. 5 is the embodiment of the invention two safe interface call operation flow charts;
Fig. 6 is embodiment of the present invention four described user terminal module diagrams;
Fig. 7 is embodiment of the present invention five described application server module schematic diagrames;
Fig. 8 is embodiment of the present invention six described interface interchange Verification System module diagrams.
Embodiment
Below in conjunction with the accompanying drawing in the embodiment of the invention, the technical scheme in the embodiment of the invention is clearly and completely described, obviously, described embodiment only is the present invention's part embodiment, rather than whole embodiment.Based on the embodiment among the present invention, those of ordinary skills belong to the scope of protection of the invention not making the every other embodiment that is obtained under the creative work prerequisite.
The embodiment of the invention makes network to authenticate user service identification according to this subscriber identity information by carrying user service identification and subscriber identity information when the application call interface in the interface interchange request message.In addition, in order to realize that application is authenticated, can carry application identity information simultaneously when the application call interface, network can authenticate application according to identity information and user's collocation strategy information of this application.
Below being that example is described in detail embodiment of the present invention to calling of USI interface, those skilled in the art as can be known, the scheme of the embodiment of the invention is not limited to the USI interface interchange.
Embodiment of the present invention one provides a kind of safe interface call method, as shown in Figure 1, comprises the steps:
Step 1: user terminal is in logining the verification process of network, and user terminal and network produce shares key;
To produce the USI association key is example, produce the USI association key based on verification process user terminal and network, concrete USI association key can derive from such a way: under the authentication success situation, user terminal and network (being generally aaa server) produce master session key (MSK, Master SessionKey)/extended master session key (EMSK, Extended Master Session Key), user terminal and network can be according to the rules mode, utilize MSK/EMSK to derive shared key, be USI association key (USI-RK), the derivation of concrete USI-RK can be exemplified below:
USI-RK=hash (EMSK); Perhaps USI-RK=hash (MSK); Perhaps USI-RK=hash (EMSK+MSK);
Wherein hash is any hash function, also can be other function, perhaps directly equates with MSK/EMSK.
Network is preserved the network identity of user terminal such as the information such as shared key of NAI, user service identification and IP address, network and user terminal.
Step 2: it is mutual that application layer is carried out in user terminal and application, uses and obtain subscriber identity information and user service identification.
According to applied business logic (as application need visit USI interface system), application need is to user terminal requests user service identification and subscriber identity information, or user terminal is initiatively to using report of user service identification and subscriber identity information.
Described user service identification can be URI (Uniform Resource Identifiers; universal resource identifier; as defining among the IETF rfc2396) form; form by user name (username) and domain name (realm) two parts; user name part is divided in order to protect privacy of user can be a string character string; domain name part has identified user's home network, and Internet Service Provider and its USI system address that provides of user attaching can be provided according to the domain name part in the user service identification in application.User service identification is distributed by user's home network provider, and in home network (as the user attaching aaa server), preserve user service identification and user service identification and network access Identifier (Network AccessIdentifier, NAI) corresponding relation between.
Described subscriber identity information is used for network user's service identification is authenticated, and can comprise number signature and/or IP address information.
Described number signature is: utilize the shared cipher key calculation of user terminal and network to generate, user terminal uses consistent algorithm (as the MD5 digest algorithm) when signing with the described number of network calculations.Can also import user service identification or application layer parameter during calculating.
Also can go out the key of this application specific according to the shared key derivation of the sign of using and user terminal and network, utilize the key of this derivative application specific to calculate the subscriber identity information of this application specific.
When subscriber identity information is the number signature, this number signature packets can be contained in the user service identification, as be included in the user name of user service identification, parameter that like this can be independent is transmitted subscriber identity information.
Step 3: application call USI interface, in the interface interchange request message, carry user service identification and subscriber identity information, request authenticates user service identification;
Can also carry the sign (using the situation of the cipher key calculation subscriber identity information of application specific) of application and the application layer parameter (situation that comprises the application layer parameter when calculating subscriber identity information) that needs in the described interface interchange request message.
Described USI interface can be the USI system provide be specifically designed to the interface that user service identification is authenticated, also can be general calling service interface.
The difference of carrying out the service identification authentication by two kinds of interfaces is: described special interface allows the USI system that user service identification is authenticated by the type of message sign, and by special return messages notice application authorization result; And described general calling service interface is to allow the USI system that user service identification is authenticated by a flag bit (in the call request related news increase a sign) when calling service, and with the access message return authentication result of calling service.Two kinds of service identification and subscriber identity informations that all require to carry in the message user.
Step 4: the subscriber identity information that network based application provides authenticates user service identification;
Network can be finished by the user service identification authentication ' unit the authentication of user service identification, this authentication ' unit can be positioned at the USI internal system, perhaps be arranged in USI system outside (as being positioned at AAA), this embodiment of the invention is not done qualification, the deployed position of authentication ' unit does not influence enforcement of the present invention, and being positioned at the USI internal system with Verification System in the present embodiment is that example describes.
The USI system comprises to its idiographic flow that authenticates as shown in Figure 2:
Step 21:USI system obtains user service identification and subscriber identity information;
If USI do not get access to described user service identification and subscriber identity information, then the USI system can the return authentication failed message gives and uses, and can carry the information authentication information of user service identification (as lack) of failure cause in this authentification failure message.
If the USI system gets access to described user service identification and subscriber identity information, then execution in step 22;
Comprise sign and the application layer parameter of obtaining application alternatively.
Step 22: after the USI system has obtained above-mentioned user service identification and subscriber identity information, check that according to user service identification or IP address information (if comprising) whether user terminal is in the USI system registry;
To the USI system registry, user terminal USI system when the USI system registry preserves user's the network identity such as the shared key of NAI, user service identification, IP address and network and user terminal to USI system requirements user terminal when access network.
If the USI system determines not registration of user terminal, then can give application, the information that can in this authentification failure message, carry failure cause by the return authentication failed message.
If the USI system determines user terminal and registers that then execution in step 23;
Step 23:USI system authenticates user service identification according to subscriber identity information;
Described USI system optionally also comprises the sign and the application layer parameter of application with subscriber identity information and user service identification, sends to the user service identification authentication ' unit and requires to carry out the user service identification authentication, and verification process comprises:
If subscriber identity information is the number signature, then authentication ' unit inquires shared key in the log-on message according to user service identification or IP address (if comprising), by sharing key or utilizing the private key (authentication ' unit obtains according to the algorithm computation identical with user terminal) of sharing the application that key derivation goes out to use algorithm predefined and the user terminal unanimity, comprise the parameter identical with user terminal, calculate the number signature, with the number signature that carries in the number that calculates signature and the interface interchange request message relatively, if it is consistent, represent that then user service identification authentication passes through, otherwise authentification failure;
If subscriber identity information is the IP address, then directly utilize IP address in the interface interchange as index, in log-on message, find the user service identification of this IP address correspondence, compare with the user service identification of carrying in the interface interchange, or with the user service identification of carrying in the interface interchange as index, in log-on message, find corresponding IP address, compare with the IP address of carrying in the interface interchange, if unanimity then authenticate is passed through, otherwise authentification failure;
If subscriber identity information comprises number signature and IP address information simultaneously, then carry out two above-mentioned verification process.Any one authentication is not passed through, and then shows authentification failure, and two authentications are all passed through, and then show authentication success.
If above-mentioned authentication is passed through, then can give application by the return authentication success message.
Step 5: after authentication was passed through, application can be preserved the corresponding relation of user application layer sign and user service identification, need not all to ask the USI system to carry out user's service identification authentication so at every turn.
Optionally; if the user service identification authentication is passed through; and what use is that the private key of using calculates the number signature; then USI sends to application with the private key of using; this private key of applications exploiting as with the shared key of user terminal communication, to use and user terminal between message or data protect.
When having realized application call USI interface, said process, in practical operation, can when user service identification is authenticated, authenticate fail safe, as described in enforcement mode two to application in order further to guarantee to the authentication of user service identification.
Execution mode two, be with the difference of execution mode one, when when application call USI interface, carrying user service identification and subscriber identity information, also carry application identity information, the USI system is described with execution mode one to the verification process of user service identification, repeat no more, the USI system can authenticate application according to application identity information and subscriber policy data configuration information herein.Described the authentication of using is comprised that network is to the authentication of using identity with to using authentication to user's the operation authentication of the interface interchange used (promptly to).As shown in Figure 3, specifically comprise the steps:
Step 31: carry user service identification and subscriber identity information during application call USI interface, and application identity information;
Step 32: network based application identity information authenticates using identity;
Described network authenticates the application identity and is meant, the interface whether the network provider checking allows this application call network to provide, and concrete verification process is:
Need carry the identity information of application when being applied in calling interface, be used for the identity that the USI system validation is used, have only application provider just can visit the USI interface through operation visit USI system after contracting with Virtual network operator.The authentication techniques of using identity are belonged to prior art, and the embodiment of the invention is not done qualification, for example can adopt the known authentication techniques of certificate or shared key to carry out authentication.
The application identity authentication is by back execution in step 33, otherwise the return authentication failed message is given and used the information that can carry failure cause in this authentification failure message;
Step 33: the subscriber identity information that network based application provides authenticates user service identification;
The concrete verification process of user service identification with described in the execution mode one, is repeated no more herein.
Execution in step 34 after to the user service identification authentication success, otherwise the return authentication failed message is given and is used the information that can carry failure cause in this authentification failure message.
Step 34:USI system authenticates the interface interchange of using;
Behind above-mentioned application identity authentication and user service identification authentication success, also need whether allowing this specific interface of application call certain specific user terminal to be operated the authentication of carrying out user level.Being the application call interface also needs permission through user terminal to the operation of user terminal, need carry out the authentication of client layer.Can realize by the collocation strategy of inquiring user terminal, described user terminal collocation strategy can be kept in the USI system or on the aaa server or independent deploying servers (subscriber policy server), if user's collocation strategy information is not in the USI system, then the USI system will carry out interacting message with aaa server or user terminal collocation strategy server, utilize user service identification or user NAI to carry out index, obtain the collocation strategy data of user terminal by message (XCAP or HTTP get message), be used to determine whether to allow to use operation user terminal.If authentication is passed through, then the return authentication success message is given and is used; If authentification failure, then the return authentication failed message is given and is used.
When said process had been realized application call USI interface, network had guaranteed the fail safe of interface interchange to the authentication and the authentication to using of user service identification.
With specific embodiment embodiment of the present invention is elaborated below.
Embodiment one, and the application scenarios of this embodiment is: user A is the WiMAX network user, also is paying Video Applications party B-subscriber simultaneously, uses the USI interface of the WiMAX network that B can invoke user A ownership; User A watches the paying video on application B, and deduct fees by the account of WiMAX network, using B deducts fees by the USI withholding fee interface that the WiMAX network provides, when calling USI withholding fee interface, application B need the service identification of user A be authenticated, as shown in Figure 4, idiographic flow comprises:
41, after user A logins the WiMAX network, initiate registration to the USI system;
Log-on message comprises: the user network identity information, as N AI, user's IP address, user service identification and network and user's shared key information; The log-on message of USI recording user A returns the user A message that succeeds in registration;
42, it is mutual that user A and application B carry out application layer, and one section paying video on the B is used in user A request, and subscriber identity information and user service identification are provided, and the mode that requires the use network to withhold expense is deducted fees;
43, use that B carries this user service identification and subscriber identity information is initiated the request of user's withholding fee to user A home network USI system, request USI system authenticates (if this interface that calls is general calling service interface, then carrying the flag bit information that requires the USI system that user service identification is authenticated in the lump in this request message) to user service identification;
44, the USI system authenticates using identity, and the application identity authentication authenticates user service identification by the back;
If the application identity authentification failure at direct return authentication failed message, is not carried out the verification process to user service identification.If the application identity authentication success then authenticates user service identification, authentification failure, then the return authentication failure response is given and is used B;
45, as if the user service identification authentication success, then the USI system transmits the withholding fee request message to account system;
46, billing and accounting system is returned response message to the USI system;
Billing and accounting system can be returned response message according to the user balance situation, if user balance is deducted fees inadequately, then returns failure response, and carries reason, as the expense deficiency; If deduct fees successfully, then return success response.
47, the USI system will be transmitted to from the response message that billing and accounting system is received and use B;
48, if what use that B receives is success response message, then uses B and begin displaying video to user A.
The foregoing description has been realized in the application call USI interface procedure user service identification being authenticated, and has improved the fail safe of interface interchange.
Embodiment two, and the application scenarios of this embodiment is: user A is the WiMAX network user, simultaneously also is that instant message is used the party B-subscriber, and instant message is used the USI interface of the WiMAX network that B can invoke user A ownership; User A is its user service identification of registration on instant messages application B, and allow user A when it does not login instant message application B, the instant message that the good friend is sent to he sends to user A by the message server interface that the WiMAX network provides, in using B message call server interface process, need user service identification and use B to authenticate, as shown in Figure 5, idiographic flow is as follows:
51, after user A logins the WiMAX network, initiate registration to the USI system;
Log-on message comprises: user network identity information (as NAI), IP address, user service identification and network and user's information such as shared key; The log-on message of USI recording user A returns the user A message that succeeds in registration;
52, it is mutual that user A and instant message application B carries out application layer, and user A registered user's identity information and service identification are used B to instant message;
53, instant message is used B and is initiated the user service identification authentication request message to the USI address of user A ownership, carries the subscriber identity information of user A and the user service identification that user A provides;
Described subscriber identity information comprises number signature and/or IP address information.
54, after the request message of request authentication user service identification is received by the USI system, earlier the identity of using B is authenticated, authentication authenticates user service identification according to subscriber identity information (as digital signature) by the back, if authentication is passed through, then the return authentication success message is used B to instant message; If last authentification failure is not then carried out follow-up authentication, and any one authentication do not pass through, and then the return authentication failed message is used B to instant message, and no longer carries out follow-up operation.
After above-mentioned authentication was passed through, whether the USI system can also allow user A operated and carry out authentication (user level) using B according to user's collocation strategy, promptly the interface interchange of using B is authenticated.After authentication was finished, the return authentication response message was given and is used B, if authentication success, then the return authentication success message is given and used B, if authentification failure, then the return authentication failed message is given and used B.
55, after authentication was passed through, instant message was used the application layer sign binding of B with service identification with the user A of user A, finish behind the aforesaid operations user A and withdraw from instant message and use B, instant message use B upward user A be off-line state;
56, instant message is used B under user A off-line state, receive that user A good friend sends to the instant message of user A, instant message is used B and is arranged on instant message according to user A and uses message interface that strategy on the B calls USI and carry out forwards (described user's collocation strategy is pre-configured for the user, described strategy can not have when using the B login for user A, when being off-line, the message that the good friend sends sends to the WiMAX terminal of user A by the USI interface), in message, carry the service identification of user A;
57, after USI receives the message interface message call, instant message is used B carry out authentication and interface interchange authentication, promptly check the collocation strategy of user A, whether checking allows to use B and sends message to user A, checking by after described message call is transmitted to message server, transmit message by message server and give user A;
Before USI transmitted described message, USI can be according to user service identification and the corresponding relation of NAI of storage, and user service identification is replaced with user's NAI address, again with forwards to message server;
58, after the forwards success, the USI system returns response message and uses B to instant message.
Present embodiment has been realized in the interface interchange process authentication that user service identification and application interface are called effectively having guaranteed the fail safe of interface interchange.
Embodiment of the present invention three provides a kind of safe interface calling system, comprises application server and interface interchange Verification System.
Described application server is used for carrying user service identification and subscriber identity information at the interface interchange request message, and described interface interchange request message is sent to described interface interchange Verification System;
Further, in the embodiment of the invention, described application server also is used in user terminal and carries out obtaining subscriber identity information and user service identification when mutual, and when calling interface, carries described user service identification and subscriber identity information in the interface interchange request message.
In the embodiment of the invention, described subscriber identity information comprises number signature and/or IP address information.Further, carry application identity information alternatively in the described interface interchange request message.
Described interface interchange Verification System is used to obtain subscriber identity information and the user service identification that described application server provides, and utilizes described subscriber identity information that user service identification is authenticated;
The information that described alternatively interface interchange Verification System is obtained from application server also comprises the sign and the application layer parameter of application identity information, application.Alternatively the interface interchange of using identity and application is authenticated.
The described subscriber identity information that utilizes comprises the process that is used for service identification and authenticates:
If subscriber identity information comprises the number signature, then the user service identification of network based reception or IP address find the shared key of user terminal and network, the key that utilizes this shared key or utilize shared key derivation to go out uses the algorithm computation number signature consistent with user terminal, compare with the number signature of described reception, unanimity represents that then user service identification authentication passes through, otherwise expression user service identification authentification failure;
If subscriber identity information comprises IP address, then utilize described IP address as index, in log-on message, find the user service identification of this IP address correspondence, compare with the user service identification of carrying in the described interface interchange; Or with the user service identification of carrying in the interface interchange request message as index, in log-on message, find corresponding IP address, compare with the IP address of carrying in the interface interchange request message, if unanimity then represent that user service identification authentication passes through, otherwise expression user service identification authentification failure.
If not only comprise the number signature but also comprise IP address information, then need carry out above-mentioned two kinds of authentications.
The embodiment of the invention authenticates user service identification according to this subscriber identity information by carry user service identification and subscriber identity information in the interface interchange process, has effectively guaranteed the safety of interface interchange.
Embodiment of the present invention four provides a kind of user terminal, is illustrated in figure 6 as the module diagram of this user terminal, and described user terminal is used for carrying out report of user identity information and user service identification when mutual with application.
It is provided with:
The subscriber identity information generation unit is used for generating subscriber identity information according to the shared key of user terminal and network or the cipher key calculation of utilizing shared key derivation to go out.Can also import user's service identification or application layer parameter during calculating.
In the embodiment of the invention, the subscriber identity information that described calculating generates is the number signature.
The information interaction unit is used for and the application apparatus interactive information;
Authentication information reports the unit, is used for reporting the authentication-related information that comprises user service identification and subscriber identity information in information described and that application apparatus is mutual.
In the embodiment of the invention, the described subscriber identity information that reports can comprise number signature and/or IP address information.
In the embodiment of the invention, user terminal with application server reciprocal process in report the authentication-related information that comprises user service identification and subscriber identity information, help follow-up this subscriber identity information that in the interface interchange process, uses user service identification is authenticated, effectively guaranteed the safety of interface interchange.
Embodiment of the present invention five provides a kind of application server, be illustrated in figure 7 as the module diagram of this application server, described application server is used for carrying out obtaining when mutual subscriber identity information and user service identification with user terminal, and when calling interface, carry described user service identification and subscriber identity information in the interface interchange request message, request authenticates user service identification;
It is provided with:
The authentication information receiving element is used to receive the authentication-related information that comprises user service identification and subscriber identity information of user terminal to send up;
In the embodiment of the invention, can also carry sign and the application layer parameter and the application identity information of application in the described authentication-related information.
The interface interchange unit is used for calling relevant interface according to described user service identification, and carries the user service identification and the subscriber identity information of described reception in the interface interchange request message;
In the embodiment of the invention, carry the sign and/or the application layer parameter of application identity information, application in the described interface interchange request message alternatively.
It is provided with:
Flag bit is provided with the unit, is used at the interface interchange request message flag bit that request authenticates user service identification being set.
In the embodiment of the invention, application server is when calling interface, in the interface interchange request message, carry described user service identification and subscriber identity information, request authenticates user service identification, so that interface can authenticate user service identification according to this subscriber identity information, effectively guaranteed the safety of interface interchange.
Embodiment of the present invention six provides a kind of interface interchange Verification System, be illustrated in figure 8 as the module diagram of this interface interchange Verification System, it is used to obtain subscriber identity information and the user service identification that described application server provides, and utilizes described subscriber identity information that user service identification is authenticated;
The information that described alternatively interface interchange Verification System is obtained from application server also can comprise the sign and the application layer parameter of application identity information, application.This interface interchange Verification System authenticates the identity of application and the interface interchange of application alternatively.
It is provided with:
Receiving element is used to receive the interface interchange request message that carries user service identification and subscriber identity information;
In the embodiment of the invention, described subscriber identity information comprises number signature and/or IP address information;
In the embodiment of the invention, comprise the sign of application identity information, application and in the application layer parameter one or more in the described interface interchange request message alternatively.
The user service identification authentication ' unit is used for according to the subscriber identity information of described reception user service identification being authenticated.
If subscriber identity information comprises the number signature, then the user service identification of network based reception or IP address find the shared key of user terminal and network, the key that utilizes this shared key or utilize shared key derivation to go out uses the algorithm computation number signature consistent with user terminal, compare with the number signature of described reception, unanimity represents that then user service identification authentication passes through, otherwise expression user service identification authentification failure;
If subscriber identity information comprises IP address, then utilize described IP address as index, in log-on message, find the user service identification of this IP address correspondence, compare with the user service identification of carrying in the described interface interchange; Or with the user service identification of carrying in the interface interchange request message as index, in log-on message, find corresponding IP address, compare with the IP address of carrying in the interface interchange request message, if unanimity then represent that user service identification authentication passes through, otherwise expression user service identification authentification failure.
If not only comprise the number signature but also comprise IP address information, then need carry out above-mentioned two kinds of authentications.
Can also be provided with:
The application authorization unit is used for the identity of application and the interface interchange of application are authenticated.
In the embodiment of the invention, described application authorization unit obtains user's collocation strategy according to the user service identification that authentication is passed through, and judges whether to allow the interface interchange of described application according to described collocation strategy, if allow, then interface interchange authentication is passed through, if do not allow, and interface interchange authentification failure then.
In the embodiment of the invention, described application authorization unit authenticates the identity of using according to the application identity information of described reception.
This interface interchange Verification System can also be provided with special user service identification authentication interface, and application apparatus calls this interface can realize authentication to user service identification.Described interface interchange Verification System can be the USI system, also can realize the system of this function for other, and the embodiment of the invention is not done qualification.
In sum, the embodiment of the invention has effectively guaranteed the safety of interface interchange by in the interface interchange process user service identification being authenticated.
When the USI interface interchange, can improve WiMAX user and use the USI service security, further guarantee the fail safe of USI system deployment in the Operation Network.
One of ordinary skill in the art will appreciate that all or part of step that realizes in the foregoing description method is to instruct relevant hardware to finish by program, described program can be stored in a kind of computer-readable recording medium, this program comprises the steps: when carrying out
Interface receives uses the interface interchange request message that carries user service identification and subscriber identity information that sends;
Subscriber identity information according to described reception authenticates described user service identification.
The above-mentioned storage medium of mentioning can be a readable memory, disk or CD etc.
The above; only for the preferable embodiment of the present invention, but protection scope of the present invention is not limited thereto, and anyly is familiar with those skilled in the art in the technical scope that the present invention discloses; the variation that can expect easily or replacement all should be encompassed within protection scope of the present invention.Therefore, protection scope of the present invention should be as the criterion with the protection range of claim.

Claims (19)

1, a kind of safe interface call method is characterized in that, comprising:
Interface receives uses the interface interchange request message that carries user service identification and subscriber identity information that sends;
Subscriber identity information according to described reception authenticates described user service identification.
2, the method for claim 1 is characterized in that, described subscriber identity information comprise following any one or multiple: number signature, IP address information;
Described number signature is that the cipher key calculation of utilizing the shared key of user terminal and network or utilizing described shared key derivation to go out produces.
3, method as claimed in claim 2 is characterized in that, described number signature packets is contained in the user service identification.
4, method as claimed in claim 1 or 2 is characterized in that, described user service identification and subscriber identity information report application by user terminal when mutual carrying out application layer with application.
5, method as claimed in claim 2 is characterized in that, described subscriber identity information according to described reception comprises the step that described user service identification authenticates:
If subscriber identity information comprises the number signature, then the user service identification of network based reception or IP address find the shared key of user terminal and network, the key that utilizes this shared key or utilize shared key derivation to go out uses the algorithm computation number signature consistent with user terminal, compare with the number signature of described reception, unanimity represents that then user service identification authentication passes through, otherwise expression user service identification authentification failure;
If subscriber identity information comprises IP address information, then utilize described IP address as index, in log-on message, find the user service identification of this IP address correspondence, compare with the user service identification of carrying in the described interface interchange; Or with the user service identification of carrying in the interface interchange request message as index, in log-on message, find corresponding IP address, compare with the IP address of carrying in the interface interchange request message, if unanimity then represent that user service identification authentication passes through, otherwise expression user service identification authentification failure.
6, as claim 1 or 5 described methods, it is characterized in that, after the user service identification authentication is passed through, also comprise:
Application is with this user service identification and the binding of application layer sign.
7, method as claimed in claim 5 is characterized in that, if user service identification authentication is passed through, and what use is to share the key that key derivation goes out to calculate the number signature, after the user service identification authentication is passed through, also comprises:
The key of described shared key derivation is sent to application, share key, message or data between application and the user terminal are protected as the special use of using with user terminal communication.
8, method as claimed in claim 1 or 2 is characterized in that, also carries application identity information in the described interface interchange request message.
9, method as claimed in claim 8, it is characterized in that, interface receives after the interface interchange request message that carries user service identification and subscriber identity information that use to send, and before according to the subscriber identity information of described reception described user service identification being authenticated, also comprises:
Network provider determines to allow the described interface of described application call according to application identity Information Authentication application identity.
10, method as claimed in claim 1 or 2, it is characterized in that, subscriber identity information according to described reception authenticates described user service identification, and after authentication is passed through, also comprise the step that the interface interchange of using is authenticated, the described step that the interface interchange of using is authenticated specifically comprises:
Obtain user's collocation strategy according to the user service identification that authentication is passed through;
Judge whether to allow the interface interchange of described application according to described collocation strategy, if allow, interface interchange authentication success then, if do not allow, interface interchange authentification failure then.
11, the method for claim 1 is characterized in that, carries the flag bit that the expression request authenticates user service identification in the described interface interchange request message.
12, a kind of user terminal is characterized in that, comprising:
The subscriber identity information generation unit is used for generating subscriber identity information according to the shared key of user terminal and network or the cipher key calculation of utilizing shared key derivation to go out;
The information interaction unit is used for and the application apparatus interactive information;
Authentication information reports the unit, is used for reporting the authentication-related information that comprises user service identification and subscriber identity information in information described and that application apparatus is mutual.
13, a kind of application server is characterized in that, comprising:
The authentication information receiving element is used to receive the authentication-related information that comprises user service identification and subscriber identity information of user terminal to send up;
The interface interchange unit is used for calling relevant interface according to described user service identification, and carries the user service identification and the subscriber identity information of described reception in the interface interchange request message.
14, application server as claimed in claim 13 is characterized in that, also carries the application identity information that shows the application server identity, the sign and/or the application layer parameter of application in the described interface interchange request message.
15, as claim 13 or 14 described application servers, it is characterized in that, also comprise:
Flag bit is provided with the unit, is used at the interface interchange request message flag bit that request authenticates user service identification being set.
16, a kind of interface interchange Verification System is characterized in that, comprising:
Receiving element is used to receive the interface interchange request message that carries user service identification and subscriber identity information;
The user service identification authentication ' unit is used for according to the subscriber identity information of described reception described user service identification being authenticated.
17, interface interchange Verification System as claimed in claim 16 is characterized in that, also comprises:
The application authorization unit is used for the identity of application and the interface interchange of application are authenticated.
18, a kind of safe interface calling system is characterized in that, comprising:
Application server is used for carrying user service identification and subscriber identity information at the interface interchange request message, and described interface interchange request message is sent to described interface interchange Verification System;
The interface interchange Verification System is used for according to the subscriber identity information of described interface interchange request message described user service identification being authenticated.
19, system as claimed in claim 18 is characterized in that, described interface interchange Verification System also is used for the interface interchange of using identity and application is authenticated.
CN 200810007068 2008-02-01 2008-02-01 Method, apparatus and system for safe interface call Pending CN101499904A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN 200810007068 CN101499904A (en) 2008-02-01 2008-02-01 Method, apparatus and system for safe interface call

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN 200810007068 CN101499904A (en) 2008-02-01 2008-02-01 Method, apparatus and system for safe interface call
PCT/CN2009/070177 WO2009097778A1 (en) 2008-02-01 2009-01-16 A method, device and system for calling the security interface

Publications (1)

Publication Number Publication Date
CN101499904A true CN101499904A (en) 2009-08-05

Family

ID=40946797

Family Applications (1)

Application Number Title Priority Date Filing Date
CN 200810007068 Pending CN101499904A (en) 2008-02-01 2008-02-01 Method, apparatus and system for safe interface call

Country Status (2)

Country Link
CN (1) CN101499904A (en)
WO (1) WO2009097778A1 (en)

Cited By (12)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102779071A (en) * 2012-06-14 2012-11-14 华为技术有限公司 Method, device and system for calling software interface
CN105471931A (en) * 2014-08-06 2016-04-06 腾讯科技(北京)有限公司 Method, device and system for querying service data
CN105721163A (en) * 2009-08-11 2016-06-29 中兴通讯股份有限公司 System and method for accessing visited service provider
CN106209751A (en) * 2015-05-08 2016-12-07 中标软件有限公司 Service-oriented interface authentication method based on the operating system certificate of authority
WO2017129008A1 (en) * 2016-01-29 2017-08-03 广州广电运通金融电子股份有限公司 Application authentication method and apparatus for linux system based financial self-service device
CN107426266A (en) * 2017-03-14 2017-12-01 阿里巴巴集团控股有限公司 Data processing method and server
CN107580322A (en) * 2017-08-28 2018-01-12 驭势科技(北京)有限公司 Upgrade method, device and the automatic driving vehicle of automatic driving vehicle software systems
CN107888548A (en) * 2016-09-30 2018-04-06 北京金山云网络技术有限公司 A kind of Information Authentication method and device
CN108365961A (en) * 2018-01-02 2018-08-03 深圳壹账通智能科技有限公司 The response method and server that interface call method and terminal device, interface call
CN108600264A (en) * 2018-05-09 2018-09-28 聚龙股份有限公司 A kind of encrypting and decrypting method and credit Verification System applied to credit certification
CN109067818A (en) * 2018-06-04 2018-12-21 杭州数梦工场科技有限公司 A kind of business access method and device
CN109309667A (en) * 2018-08-28 2019-02-05 东软集团股份有限公司 The authentication method and device, storage medium and electronic equipment that interface calls

Family Cites Families (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
BRPI0615559A2 (en) * 2005-07-20 2017-09-12 Verimatrix Inc network user authentication system and method
CN1731723A (en) * 2005-08-19 2006-02-08 上海林果科技有限公司 Electron/handset token dynamic password identification system
US20070143830A1 (en) * 2005-12-20 2007-06-21 International Business Machines Corporation Method, apparatus and system for preventing unauthorized access to password-protected system
CN1889430A (en) * 2006-06-21 2007-01-03 南京联创网络科技有限公司 Safety identification control method based on 802.1 X terminal wideband switching-in
CN100574193C (en) * 2006-10-31 2009-12-23 华为技术有限公司 Method, system and third party website, service server that the switching third party lands
CN101102192A (en) * 2007-07-18 2008-01-09 北京飞天诚信科技有限公司 Authentication device, method and system

Cited By (17)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105721163A (en) * 2009-08-11 2016-06-29 中兴通讯股份有限公司 System and method for accessing visited service provider
CN102779071A (en) * 2012-06-14 2012-11-14 华为技术有限公司 Method, device and system for calling software interface
CN105471931A (en) * 2014-08-06 2016-04-06 腾讯科技(北京)有限公司 Method, device and system for querying service data
CN106209751B (en) * 2015-05-08 2019-05-03 中标软件有限公司 Service-oriented interface authentication method based on the operating system certificate of authority
CN106209751A (en) * 2015-05-08 2016-12-07 中标软件有限公司 Service-oriented interface authentication method based on the operating system certificate of authority
WO2017129008A1 (en) * 2016-01-29 2017-08-03 广州广电运通金融电子股份有限公司 Application authentication method and apparatus for linux system based financial self-service device
CN107888548A (en) * 2016-09-30 2018-04-06 北京金山云网络技术有限公司 A kind of Information Authentication method and device
CN107426266A (en) * 2017-03-14 2017-12-01 阿里巴巴集团控股有限公司 Data processing method and server
CN107426266B (en) * 2017-03-14 2020-08-04 阿里巴巴集团控股有限公司 Data processing method and server
CN107580322A (en) * 2017-08-28 2018-01-12 驭势科技(北京)有限公司 Upgrade method, device and the automatic driving vehicle of automatic driving vehicle software systems
CN108365961A (en) * 2018-01-02 2018-08-03 深圳壹账通智能科技有限公司 The response method and server that interface call method and terminal device, interface call
CN108600264A (en) * 2018-05-09 2018-09-28 聚龙股份有限公司 A kind of encrypting and decrypting method and credit Verification System applied to credit certification
CN108600264B (en) * 2018-05-09 2020-10-02 聚龙股份有限公司 Encryption and decryption method applied to credit authorization and credit authorization system
CN109067818A (en) * 2018-06-04 2018-12-21 杭州数梦工场科技有限公司 A kind of business access method and device
CN109067818B (en) * 2018-06-04 2019-08-20 杭州数梦工场科技有限公司 A kind of business access method and device
CN109309667A (en) * 2018-08-28 2019-02-05 东软集团股份有限公司 The authentication method and device, storage medium and electronic equipment that interface calls
CN109309667B (en) * 2018-08-28 2021-08-13 东软集团股份有限公司 Authentication method and device for interface call, storage medium and electronic equipment

Also Published As

Publication number Publication date
WO2009097778A1 (en) 2009-08-13

Similar Documents

Publication Publication Date Title
CN101499904A (en) Method, apparatus and system for safe interface call
EP2719202B1 (en) Methods, apparatuses and computer program products for identity management in a multi-network system
CN101521569B (en) Method, equipment and system for realizing service access
KR101158956B1 (en) Method for distributing certificates in a communication system
EP2770662A1 (en) Centralized security management method and system for third party application and corresponding communication system
Dey et al. PseudoID: Enhancing privacy in federated login
KR20110126124A (en) Transforming static password systems to become 2-factor authentication
US20040073786A1 (en) Method and apparatus for providing authentication, authorization and accounting to roaming nodes
EP2767029B1 (en) Secure communication
FR2877521A1 (en) Position information distributing device, has distribution unit distributing return message to user terminal, where message is produced based on authentication request by adding position data based on cooperating procedure
CN102082665B (en) Identity authentication method, system and equipment in EAP (Extensible Authentication Protocol) authentication
EP2553894B1 (en) Certificate authority
Davidson et al. Privacy Pass: Bypassing Internet Challenges Anonymously.
US20080256605A1 (en) Localized authorization system in IP networks
CN103067337A (en) Identity federation method, identity federation intrusion detection & prevention system (IdP), identity federation service provider (SP) and identity federation system
US8234497B2 (en) Method and apparatus for providing secure linking to a user identity in a digital rights management system
Fett et al. An extensive formal security analysis of the openid financial-grade api
CN103024735B (en) Method and equipment for service access of card-free terminal
Wang et al. Achieving secure and flexible m-services through tickets
EP2561659B1 (en) Ticket authorisation
CN102045166A (en) Method and system of single sign-on
US20130183934A1 (en) Methods for initializing and/or activating at least one user account for carrying out a transaction, as well as terminal device
CN101039181B (en) Method for preventing service function entity of general authentication framework from attack
KR20090054774A (en) Method of integrated security management in distribution network
Shaikh et al. Identity management in cloud computing

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C12 Rejection of a patent application after its publication
RJ01 Rejection of invention patent application after publication

Application publication date: 20090805