Summary of the invention
The present invention is proposed in view of the problem in the related art that the H.248 protocol largely uses plaintext text messages for signaling interaction, which leads to network security vulnerabilities. The main purpose of the present invention is therefore to provide an authentication scheme that solves this problem.
To achieve this purpose, according to one aspect of the present invention, an authentication method is provided.
The authentication method according to the present invention comprises: a SoftSwitch receives a message from a terminal, wherein the message from the terminal comprises first authentication information, which the terminal generates using a predetermined algorithm from its MAC address and information in the H.248/MEGACO protocol, and the information in the H.248 protocol; the SoftSwitch generates second authentication information, using the same algorithm as the predetermined algorithm, from the information in the H.248 protocol obtained from the terminal's message and the locally stored MAC address of the terminal; and, when the first authentication information is identical to the second authentication information, the SoftSwitch passes the authentication of the terminal.
Preferably, when the message the SoftSwitch receives from the terminal is a registration message, the terminal is successfully registered after it passes the SoftSwitch's authentication.
Preferably, after the SoftSwitch successfully registers the terminal, the method further comprises: the SoftSwitch replies to the terminal with a response message.
Preferably, when the terminal does not pass the SoftSwitch's authentication, the SoftSwitch ignores the terminal's registration message.
Preferably, after the SoftSwitch successfully registers the terminal, the method further comprises: the SoftSwitch periodically requests the terminal to generate and send authentication information obtained with the predetermined algorithm from its MAC address and the information in the H.248 protocol, so as to periodically authenticate the legitimacy of the terminal.
Preferably, when the SoftSwitch periodically authenticates the legitimacy of the terminal, the method further comprises: if the terminal passes the SoftSwitch's authentication, the terminal is kept in the online state; if the terminal does not pass the SoftSwitch's authentication, the state of the terminal is set to not online.
Preferably, the information in the H.248 protocol is at least one of the following: a Transaction Identifier, a timestamp.
To achieve this purpose, according to a further aspect of the present invention, a SoftSwitch is also provided.
The SoftSwitch according to the present invention comprises: a receiver module, for receiving a message from a terminal, wherein the message from the terminal comprises first authentication information, which the terminal generates using a predetermined algorithm from its MAC address and the information in the H.248 protocol, and the information in the H.248 protocol; an acquisition module, for obtaining the information in the H.248 protocol from the terminal's message; a first generation module, for generating second authentication information, using the same algorithm as the predetermined algorithm, from the information in the H.248 protocol and the locally stored MAC address of the terminal; and an authentication module, for passing the authentication of the terminal when the first authentication information is identical to the second authentication information.
Preferably, when the message the receiver module receives from the terminal is a registration message, the terminal is successfully registered after it passes the authentication module's authentication.
Preferably, the SoftSwitch further comprises: a request module, for periodically requesting the terminal, after the SoftSwitch has successfully registered it, to generate and send authentication information obtained with the predetermined algorithm from its MAC address and the information in the H.248 protocol, so as to periodically authenticate the legitimacy of the terminal.
To achieve this purpose, according to yet another aspect of the present invention, a terminal is also provided.
The terminal according to the present invention comprises: a second generation module, for generating authentication information with a predetermined algorithm from the MAC address of the terminal and the information in the H.248 protocol; and a sending module, for sending the authentication information and the information in the H.248 protocol, so that the legitimacy of the terminal can be authenticated.
By using the uniqueness of the media access control (Media Access Control, MAC) address in the network and the randomness of the information in the H.248 protocol, the present invention proposes an authentication scheme that solves the security risk in the H.248 protocol, ensures the reliability of the authentication information, and improves the security of the network.
Embodiment
Functional overview
In view of the problem in the related art that the H.248 protocol largely uses plaintext text messages for signaling interaction, which leads to network security vulnerabilities, the embodiments of the present invention provide an authentication scheme. The scheme applies a certain algorithm to the MAC address and other content related to the H.248 protocol to obtain authentication information used to check the legitimacy of a registration. In implementing the scheme, the MAC address of the terminal can be pre-configured on the SS side; the terminal and the SS are both configured with this authentication mode and use a mutually agreed algorithm. By specifying a unified standard algorithm, this authentication mode can be extended into a general authentication mode.
It should be noted that, where they do not conflict, the embodiments in this application and the features in the embodiments can be combined with each other. The present invention is described in detail below with reference to the drawings and in conjunction with the embodiments.
In the following embodiments, the steps shown in the flowcharts of the drawings can be executed in a computer system, for example as a set of computer-executable instructions; and although a logical order is shown in the flowcharts, in some cases the steps shown or described can be executed in an order different from the one given here.
Embodiment of the method
According to an embodiment of the present invention, an authentication method is provided. Fig. 1 is a flowchart of the authentication method according to the embodiment of the present invention. As shown in Fig. 1, the method comprises the following steps S102 to S106:
Step S102: the SoftSwitch receives a message from a terminal, wherein the message from the terminal comprises first authentication information, which the terminal generates using a predetermined algorithm from its MAC address and information in the H.248/MEGACO protocol, and the information in the H.248 protocol.
Step S104: the SoftSwitch generates second authentication information, using the same algorithm as the predetermined algorithm, from the information in the H.248 protocol obtained from the terminal's message and the locally stored MAC address of the terminal.
Step S106: when the first authentication information is identical to the second authentication information, the SoftSwitch passes the authentication of the terminal.
In step S102, when the message the SoftSwitch receives from the terminal is a registration message, the terminal is successfully registered after it passes the SoftSwitch's authentication.
Preferably, after the SoftSwitch successfully registers the terminal, the SoftSwitch replies to the terminal with a response message.
Preferably, in step S106, when the terminal does not pass the SoftSwitch's authentication, the SoftSwitch ignores the terminal's registration message.
In addition, after the SoftSwitch successfully registers the terminal, the SoftSwitch preferably requests the terminal periodically to generate and send authentication information obtained with the predetermined algorithm from its MAC address and the information in the H.248 protocol, so as to periodically authenticate the legitimacy of the terminal. Specifically, if the terminal passes the SoftSwitch's authentication, the terminal is kept in the online state; if the terminal does not pass the SoftSwitch's authentication, the state of the terminal is set to not online.
Preferably, the information in the H.248 protocol is at least one of the following: a Transaction Identifier, a timestamp.
The implementation of the embodiment of the present invention is described in detail below with an example.
The present embodiment is described below using authentication during the registration process of a terminal as the example. Fig. 2 is a flowchart of the authentication method in the registration process according to the embodiment of the present invention. As shown in Fig. 2, the flow comprises the following steps:
Step S200: on the SS, the MAC address of the H.248 terminal device is configured on the relevant node and a predetermined authentication algorithm is selected, for example the DES algorithm or a private algorithm; this authentication mode is configured on both the SS and the H.248 terminal that supports the authentication algorithm.
Step S202: when the H.248 terminal device powers on and registers, and finds that the configuration item is this authentication mode, it calls the relevant algorithm function. The input parameters are the device's own MAC address and other content related to the H.248 protocol, for example a randomly generated Transaction Identifier (Transaction ID) or a timestamp; the Transaction ID is used as the example below. The output parameter is the authentication information generated from the input parameters.
Step S204: when the terminal sends the registration message through H.248 signaling, it attaches this authentication information to the signaling as an extension parameter and sends it to the SS.
Step S206: after receiving the registration message sent by the H.248 terminal device, the SS extracts the Transaction ID from the signaling and then, using the MAC address configured for the node, calls the same algorithm function to obtain its own authentication information.
Step S208: the SS extracts the authentication information from the extension parameter of the registration command and compares it with the authentication information it generated itself. If they are consistent, registration succeeds and the SS replies to the H.248 terminal with a registration-success message; if they are inconsistent, the SS simply ignores the registration message.
Preferably, to keep the authentication effective over time, the embodiment of the present invention can add the following steps:
Step S302: after registration succeeds, the SS should also periodically send H.248 signaling to the H.248 terminal, requiring it to send authentication information.
Step S304: after receiving this request, the H.248 terminal must process it; the handling is similar to that at registration: the terminal produces authentication information and sends it to the SS.
Step S306: the SS performs similar processing and checks the authentication information. If it is consistent, the node remains in the online state; if it is inconsistent, the SS sets the state of the terminal node to not online.
It should be noted that, on the SS, a terminal device can be registered on only one node, and a node can be configured with only one MAC address.
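The following added example, which is not part of the original document, walks through steps S200 to S306 with both sides of the exchange. It assumes HMAC-SHA256 keyed with the MAC address as a stand-in for the unspecified "predetermined algorithm" (the text names DES or a private algorithm); the class names, message fields and MAC addresses are hypothetical.

```python
import hashlib
import hmac
import secrets

def auth_info(mac: str, transaction_id: int) -> str:
    # Stand-in for the predetermined algorithm (assumption, not the patent's):
    # HMAC-SHA256 keyed with the normalised MAC address over the Transaction ID.
    key = bytes.fromhex(mac.replace(":", "").replace("-", "").lower())
    return hmac.new(key, str(transaction_id).encode(), hashlib.sha256).hexdigest()

class Terminal:
    def __init__(self, node: str, mac: str):
        self.node, self.mac = node, mac

    def build_message(self) -> dict:
        # S202/S204 (and S304): random Transaction ID, with the authentication
        # information attached as an extension parameter.
        tid = secrets.randbelow(2**32 - 1) + 1
        return {"node": self.node, "transaction_id": tid,
                "auth": auth_info(self.mac, tid)}

class SoftSwitch:
    def __init__(self, node_macs: dict):
        self.node_macs = dict(node_macs)   # S200: one MAC address per node
        self.online = set()

    def _verify(self, msg: dict) -> bool:
        mac = self.node_macs.get(msg.get("node"))
        tid = msg.get("transaction_id")
        if mac is None or tid is None:
            return False
        # S206/S208: recompute from the received Transaction ID and stored MAC,
        # then compare in constant time.
        expected = auth_info(mac, tid).encode()
        return hmac.compare_digest(expected, str(msg.get("auth", "")).encode())

    def handle_register(self, msg: dict):
        if not self._verify(msg):
            return None                    # mismatch: ignore the registration message
        self.online.add(msg["node"])
        return {"node": msg["node"], "reply": "registered"}

    def handle_periodic(self, msg: dict) -> bool:
        # S306: a registered node stays online on a match, else is set not online.
        ok = msg.get("node") in self.online and self._verify(msg)
        if not ok:
            self.online.discard(msg.get("node"))
        return ok
```
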
Device embodiment
According to an embodiment of the present invention, a SoftSwitch is provided. This SoftSwitch corresponds to the method embodiment above; explanations already given there are not repeated here, and the specific modules of the SoftSwitch are described below. Fig. 3 is a structural block diagram of the SoftSwitch according to the embodiment of the present invention. As shown in Fig. 3, the SoftSwitch comprises: a receiver module 30, an acquisition module 32, a first generation module 34 and an authentication module 36. This structure is described in detail below.
The receiver module 30 is for receiving a message from a terminal, wherein the message from the terminal comprises first authentication information, which the terminal generates using a predetermined algorithm from its MAC address and the information in the H.248 protocol, and the information in the H.248 protocol. The acquisition module 32 is connected to the receiver module 30 and is for obtaining the information in the H.248 protocol from the terminal's message. The first generation module 34 is connected to the acquisition module 32 and is for generating second authentication information, using the same algorithm as the predetermined algorithm, from the information in the H.248 protocol and the locally stored MAC address of the terminal. The authentication module 36 is connected to the first generation module 34 and the receiver module 30 and is for passing the authentication of the terminal when the first authentication information is identical to the second authentication information.
Preferably, when the message the receiver module 30 receives from the terminal is a registration message, the terminal is successfully registered after it passes the authentication of the authentication module 36.
Fig. 4 is a preferred structural block diagram of the SoftSwitch according to the embodiment of the present invention. As shown in Fig. 4, the SoftSwitch further comprises: a request module 42, for periodically requesting the terminal, after the SoftSwitch has successfully registered it, to generate and send authentication information obtained with the predetermined algorithm from its MAC address and the information in the H.248 protocol, so as to periodically authenticate the legitimacy of the terminal.
According to an embodiment of the present invention, a terminal is also provided. This terminal also corresponds to the method embodiment above; explanations already given there are not repeated here, and the specific modules of the terminal are described below. Fig. 5 is a structural block diagram of the terminal according to the embodiment of the present invention. As shown in Fig. 5, the terminal comprises: a second generation module 52 and a sending module 54. This structure is described in detail below.
The second generation module 52 is for generating authentication information with a predetermined algorithm from the MAC address of the terminal and the information in the H.248 protocol. The sending module 54 is for sending the authentication information and the information in the H.248 protocol, so that the legitimacy of the terminal can be authenticated.
In summary, the embodiment of the present invention requires no complicated configuration: when the network is built, it is only necessary to know the MAC address of the H.248 terminal and perform the related configuration, which solves the security problem that exists in the H.248 protocol.
Obviously, those skilled in the art should understand that each module or step of the present invention described above can be implemented with a general-purpose computing device. The modules or steps can be concentrated on a single computing device or distributed over a network formed by multiple computing devices. Optionally, they can be implemented as program code executable by a computing device, so that they can be stored in a storage device and executed by the computing device; or they can each be made into a separate integrated circuit module, or several of the modules or steps can be made into a single integrated circuit module. The present invention is thus not restricted to any specific combination of hardware and software.
The foregoing describes only the preferred embodiments of the present invention and is not intended to limit the present invention; for those skilled in the art, the present invention can have various modifications and variations. Any modification, equivalent replacement or improvement made within the spirit and principles of the present invention shall be included within the scope of protection of the present invention.