CN101697542B - Authentication method, soft switch and terminal - Google Patents

Publication number
CN101697542B
Authority
CN
China
Prior art keywords
terminal
softswitch
information
protocol
message
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Expired - Fee Related
Application number
CN200910179882.1A
Other languages
Chinese (zh)
Other versions
CN101697542A (en)
Inventor
李国节
Original Assignee
ZTE Corp
Application filed by ZTE Corp
Priority to CN200910179882.1A
Publication of CN101697542A
Application granted
Publication of CN101697542B
Status: Expired - Fee Related

Abstract

The invention discloses an authentication method. A softswitch receives a message from a terminal, where the message comprises first authentication information, which the terminal generates with a predetermined algorithm from its MAC address and information in the H.248 media gateway control protocol, together with that information in the H.248 protocol. The softswitch generates second authentication information with the same predetermined algorithm from the H.248 protocol information obtained from the terminal's message and the locally stored MAC address of the terminal. The softswitch passes the authentication of the terminal when the first authentication information is the same as the second authentication information. The invention ensures the reliability of the authentication information and enhances the security of the network.

Description

Authentication method, softswitch and terminal
Technical field
The present invention relates to the communications field, and in particular to an authentication method, a softswitch and a terminal.
Background
At present, Voice over Internet Protocol (VoIP) is widely used in the "fiber in, copper out" projects of fixed-network operators. It carries voice over the Internet; compared with the traditional Public Switched Telephone Network (PSTN) it has a large price advantage in networking cost, and it makes full use of the data communication network (the Internet).
The H.248 protocol (the Media Gateway Control Protocol, MEGACO for short), the main master-slave communication protocol among the VoIP protocols, has developed rapidly in recent years, and a large number of related products are deployed at scale, for example the Integrated Access Device (IAD), the Access Gateway (AG) and the softswitch (SS). Terminal equipment such as IADs is mostly located in residential corridors, residential communities and similar places where the network is dispersed. Because the H.248 protocol mostly exchanges signaling as plaintext text messages, leaving the registration flow unauthenticated creates a serious network security risk, makes it impossible to prevent unauthorized devices from connecting, and complicates management on the SS.
The H.248 protocol does not standardize an authentication method; it only requires that the terminal and the SS can identify each other. Current H.248 deployments mostly use either no authentication or authentication based on Message-Digest Algorithm 5 (MD5). The advantage of MD5 authentication is that it is a standard algorithm, so security is guaranteed to a certain extent, but it can still be cracked and it is complex to configure.
For the problem in the related art that the H.248 protocol's mostly plaintext signaling causes network security risks, no effective solution has yet been proposed.
Summary of the invention
The present invention is proposed to address the problem in the related art that the H.248 protocol's mostly plaintext signaling causes network security risks. Its main purpose is therefore to provide an authentication scheme that solves this problem.
To achieve this purpose, according to one aspect of the present invention, an authentication method is provided.
The authentication method according to the present invention comprises: a softswitch receives a message from a terminal, where the message comprises first authentication information, which the terminal generates with a predetermined algorithm from its MAC address and information in the H.248/MEGACO protocol, and the information in the H.248 protocol; the softswitch generates second authentication information, using the same algorithm as the predetermined algorithm, from the H.248 protocol information obtained from the terminal's message and the locally stored MAC address of the terminal; the softswitch passes the authentication of the terminal when the first authentication information is identical to the second authentication information.
Preferably, when the message the softswitch receives from the terminal is a registration message, the softswitch registers the terminal successfully after passing its authentication.
Preferably, after the softswitch successfully registers the terminal, the method further comprises: the softswitch replies to the terminal with a response message.
Preferably, when the softswitch does not pass the authentication of the terminal, the softswitch ignores the terminal's registration message.
Preferably, after the softswitch successfully registers the terminal, the method further comprises: the softswitch periodically requests the terminal to generate and send authentication information obtained with the predetermined algorithm from its MAC address and the information in the H.248 protocol, so as to periodically authenticate the legitimacy of the terminal.
Preferably, when the softswitch periodically authenticates the legitimacy of the terminal, the method further comprises: if the softswitch passes the authentication of the terminal, the terminal is kept online; if the softswitch does not pass the authentication of the terminal, the terminal's state is set to not online.
Preferably, the information in the H.248 protocol is at least one of the following: a transaction identifier, a timestamp.
To achieve the above purpose, according to another aspect of the present invention, a softswitch is also provided.
The softswitch according to the present invention comprises: a receiver module, for receiving a message from a terminal, where the message comprises first authentication information, which the terminal generates with a predetermined algorithm from its MAC address and information in the H.248 protocol, and the information in the H.248 protocol; an acquisition module, for obtaining the information in the H.248 protocol from the terminal's message; a first generation module, for generating second authentication information, using the same algorithm as the predetermined algorithm, from the information in the H.248 protocol and the locally stored MAC address of the terminal; and an authentication module, for passing the authentication of the terminal when the first authentication information is identical to the second authentication information.
Preferably, when the message the receiver module receives from the terminal is a registration message, the terminal is registered successfully after the authentication module passes its authentication.
Preferably, the softswitch further comprises a request module which, after the softswitch successfully registers the terminal, periodically requests the terminal to generate and send authentication information obtained with the predetermined algorithm from its MAC address and the information in the H.248 protocol, so as to periodically authenticate the legitimacy of the terminal.
To achieve the above purpose, according to a further aspect of the present invention, a terminal is also provided.
The terminal according to the present invention comprises: a second generation module, for generating authentication information with a predetermined algorithm from the MAC address of the terminal and information in the H.248 protocol; and a sending module, for sending the authentication information and the information in the H.248 protocol so that the legitimacy of the terminal can be authenticated.
The present invention uses the uniqueness of the Media Access Control (MAC) address in the network and the randomness of the information in the H.248 protocol to propose an authentication scheme. It solves the security risk existing in the H.248 protocol, ensures the reliability of the authentication information, and improves the security of the network.
Brief description of the drawings
The drawings described here provide a further understanding of the present invention and form part of this application. The illustrative embodiments of the present invention and their description serve to explain the present invention and do not unduly limit it. In the drawings:
Fig. 1 is a flowchart of the authentication method according to an embodiment of the present invention;
Fig. 2 is a flowchart of the authentication method in the registration process according to an embodiment of the present invention;
Fig. 3 is a structural block diagram of the softswitch according to an embodiment of the present invention;
Fig. 4 is a preferred structural block diagram of the softswitch according to an embodiment of the present invention;
Fig. 5 is a structural block diagram of the terminal according to an embodiment of the present invention.
Embodiments
Functional overview
Considering the problem in the related art that the H.248 protocol's mostly plaintext signaling causes network security risks, the embodiments of the present invention provide an authentication scheme. The scheme takes the MAC address and other content related to the H.248 protocol and, through a certain algorithm, obtains authentication information used to check the legitimacy of a registration. In implementing the scheme, the MAC address of the terminal can be pre-configured on the SS side; this authentication method is configured on both the terminal and the SS, and a uniformly agreed algorithm is used. By specifying a unified standard algorithm, this authentication method can be extended into a general authentication method.
It should be noted that, where they do not conflict, the embodiments in this application and the features in the embodiments can be combined with one another. The present invention is described in detail below with reference to the drawings and in conjunction with the embodiments.
In the following embodiments, the steps shown in the flowcharts of the drawings can be executed in a computer system, for example as a set of computer-executable instructions. Although a logical order is shown in the flowcharts, in some cases the steps shown or described can be executed in a different order.
Method embodiment
According to an embodiment of the present invention, an authentication method is provided. Fig. 1 is a flowchart of the authentication method according to an embodiment of the present invention. As shown in Fig. 1, the method comprises the following steps S102 to S106:
Step S102: the softswitch receives a message from the terminal, where the message comprises first authentication information, which the terminal generates with a predetermined algorithm from its MAC address and information in the H.248/MEGACO protocol, and the information in the H.248 protocol.
Step S104: the softswitch generates second authentication information, using the same algorithm as the predetermined algorithm, from the H.248 protocol information obtained from the terminal's message and the locally stored MAC address of the terminal.
Step S106: the softswitch passes the authentication of the terminal when the first authentication information is identical to the second authentication information.
In step S102, when the message the softswitch receives from the terminal is a registration message, the softswitch registers the terminal successfully after passing its authentication.
Preferably, after the softswitch successfully registers the terminal, the softswitch replies to the terminal with a response message.
Preferably, in step S106, when the softswitch does not pass the authentication of the terminal, the softswitch ignores the terminal's registration message.
In addition, after the softswitch successfully registers the terminal, the softswitch preferably requests the terminal periodically to generate and send authentication information obtained with the predetermined algorithm from its MAC address and the information in the H.248 protocol, so as to periodically authenticate the legitimacy of the terminal. Specifically, if the softswitch passes the authentication of the terminal, the terminal is kept online; if the softswitch does not pass the authentication of the terminal, the terminal's state is set to not online.
Preferably, the information in the H.248 protocol is at least one of the following: a transaction identifier, a timestamp.
The implementation of the embodiment of the present invention is described in detail below with an example.
The embodiment is described below using authentication during terminal registration as the example. Fig. 2 is a flowchart of the authentication method in the registration process according to an embodiment of the present invention. As shown in Fig. 2, the flow comprises the following steps:
Step S200: on the SS, the MAC address of the H.248 terminal equipment is configured on the relevant node; a predetermined authentication algorithm is selected, for example the DES algorithm or a private algorithm; and this authentication method is configured on both the SS and the H.248 terminal that supports the algorithm.
Step S202: when the H.248 terminal equipment powers on and registers, and finds that the configured item is this authentication method, it calls the relevant algorithm function. The input parameters are the device's own MAC address and other content related to the H.248 protocol, for example a randomly generated transaction identifier (Transaction ID) or a timestamp; the Transaction ID is used as the example below. The output parameter is the authentication information generated from the input parameters.
Step S204: when the terminal sends the registration message through H.248 signaling, it appends this authentication information to the signaling as an extension parameter and sends it to the SS.
Step S206: after receiving the registration message sent by the H.248 terminal equipment, the SS extracts the Transaction ID from the signaling and then, using the MAC address configured on the node, calls the same algorithm function to obtain its own authentication information.
Step S208: the SS extracts the authentication information from the extension parameter of the registration command and compares it with the authentication information it generated itself. If the two are consistent, registration has succeeded and the SS replies to the H.248 terminal with a registration-success message; if they are inconsistent, the SS simply ignores this registration message.
Preferably, to keep the authentication effective over time, the embodiment of the present invention can add the following steps:
Step S302: after registration succeeds, the SS should also periodically send H.248 signaling to the H.248 terminal, requiring it to send authentication information.
Step S304: after the H.248 terminal receives this request, it must process it. The handling is similar to that at registration: the terminal generates authentication information and sends it to the SS.
Step S306: the SS performs similar processing and checks the authentication information. If it is consistent, the terminal stays online; if it is inconsistent, the SS sets the node's state to not online.
It should be noted that a terminal device can be registered on only one node of the SS, and only one MAC address can be configured on a node.
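The registration and periodic re-authentication exchange of steps S200 to S306, modelled in Python as an added example that is not part of the patent. The patent leaves the predetermined algorithm open (DES and a private algorithm are named only as options); HMAC-SHA256 keyed with the MAC address is an assumption made here, as are the message dictionaries, the node name `iad-1` and the constructed MAC addresses.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


def auth_info(mac: str, transaction_id: int) -> str:
    """Authentication information from a MAC address and an H.248 Transaction ID.

    ASSUMPTION: HMAC-SHA256 stands in for the patent's unspecified
    "predetermined algorithm"; both sides must be configured with the same one.
    """
    key = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(key) != 6:
        raise ValueError("MAC address must be 6 bytes")
    return hmac.new(key, str(int(transaction_id)).encode("ascii"),
                    hashlib.sha256).hexdigest()


@dataclass
class Terminal:
    node: str  # hypothetical name of the node this terminal registers on
    mac: str

    def build_message(self, kind: str = "register") -> dict:
        # S202: a randomly generated Transaction ID and the device's own MAC
        # address are the inputs of the algorithm function.
        tid = secrets.randbelow(2**32)
        # S204: the authentication information travels as an extension parameter.
        return {"kind": kind, "node": self.node,
                "transaction_id": tid, "auth": auth_info(self.mac, tid)}


@dataclass
class SoftSwitch:
    node_macs: dict                             # S200: one MAC per node
    online: dict = field(default_factory=dict)  # node -> online state

    def _verify(self, msg: dict) -> bool:
        mac = self.node_macs.get(msg.get("node"))
        if mac is None:
            return False
        try:
            # S206: recompute from the received Transaction ID and the MAC
            # address configured locally, never from anything else in the message.
            expected = auth_info(mac, msg["transaction_id"])
        except (KeyError, TypeError, ValueError):
            return False
        received = str(msg.get("auth", ""))
        return hmac.compare_digest(expected.encode(), received.encode())

    def handle_register(self, msg: dict):
        # S208: reply on a match, silently ignore the message otherwise.
        if not self._verify(msg):
            return None
        self.online[msg["node"]] = True
        return {"kind": "register-reply", "node": msg["node"],
                "transaction_id": msg["transaction_id"]}

    def handle_reauth(self, msg: dict) -> bool:
        # S306: keep the node online on a match, mark it not online otherwise.
        ok = self._verify(msg)
        if msg.get("node") in self.node_macs:
            self.online[msg["node"]] = ok
        return ok


def demo() -> dict:
    # Constructed sample values; the MAC addresses are locally administered.
    ss = SoftSwitch(node_macs={"iad-1": "02:00:00:00:00:01"})
    genuine = Terminal("iad-1", "02:00:00:00:00:01")
    other = Terminal("iad-1", "02:00:00:00:00:02")  # MAC differs from the configured one
    results = {"mismatch_register": ss.handle_register(other.build_message())}
    results["register"] = ss.handle_register(genuine.build_message())
    results["reauth_ok"] = ss.handle_reauth(genuine.build_message("reauth"))
    results["reauth_mismatch"] = ss.handle_reauth(other.build_message("reauth"))
    results["online_after"] = ss.online["iad-1"]
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

In this model the Transaction ID is carried in the message, so the MAC address configured on the SS node is the only algorithm input that is not carried in the H.248 message itself.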
Device embodiment
According to an embodiment of the present invention, a softswitch is provided. The softswitch corresponds to the method embodiment above; explanations already given there are not repeated here, and the specific modules of the softswitch are described below. Fig. 3 is a structural block diagram of the softswitch according to an embodiment of the present invention. As shown in Fig. 3, the softswitch comprises a receiver module 30, an acquisition module 32, a first generation module 34 and an authentication module 36. This structure is described in detail below.
The receiver module 30 receives a message from the terminal, where the message comprises first authentication information, which the terminal generates with a predetermined algorithm from its MAC address and information in the H.248 protocol, and the information in the H.248 protocol. The acquisition module 32 is connected to the receiver module 30 and obtains the information in the H.248 protocol from the terminal's message. The first generation module 34 is connected to the acquisition module 32 and generates second authentication information, using the same algorithm as the predetermined algorithm, from the information in the H.248 protocol and the locally stored MAC address of the terminal. The authentication module 36 is connected to the first generation module 34 and the receiver module 30 and passes the authentication of the terminal when the first authentication information is identical to the second authentication information.
Preferably, when the message the receiver module 30 receives from the terminal is a registration message, the terminal is registered successfully after the authentication module 36 passes its authentication.
Fig. 4 is a preferred structural block diagram of the softswitch according to an embodiment of the present invention. As shown in Fig. 4, the softswitch further comprises a request module 42 which, after the softswitch successfully registers the terminal, periodically requests the terminal to generate and send authentication information obtained with the predetermined algorithm from its MAC address and the information in the H.248 protocol, so as to periodically authenticate the legitimacy of the terminal.
According to an embodiment of the present invention, a terminal is also provided. The terminal likewise corresponds to the method embodiment above; explanations already given there are not repeated here, and the specific modules of the terminal are described below. Fig. 5 is a structural block diagram of the terminal according to an embodiment of the present invention. As shown in Fig. 5, the terminal comprises a second generation module 52 and a sending module 54. This structure is described in detail below.
The second generation module 52 generates authentication information with a predetermined algorithm from the MAC address of the terminal and information in the H.248 protocol. The sending module 54 sends the authentication information and the information in the H.248 protocol so that the legitimacy of the terminal can be authenticated.
In summary, the embodiments of the present invention require no complex configuration: when the network is built, it is only necessary to know the MAC address of the H.248 terminal and make the related configuration, which solves the security problem existing in the H.248 protocol.
Obviously, those skilled in the art should understand that each module or step of the present invention described above can be implemented with a general-purpose computing device. The modules or steps can be concentrated on a single computing device or distributed over a network formed by multiple computing devices. Optionally, they can be implemented as program code executable by a computing device, so that they can be stored in a storage device and executed by the computing device; or they can each be made into a separate integrated circuit module; or several of the modules or steps can be made into a single integrated circuit module. The present invention is therefore not restricted to any specific combination of hardware and software.
The foregoing is only the preferred embodiments of the present invention and is not intended to limit the present invention. For a person skilled in the art, the present invention can have various modifications and variations. Any modification, equivalent replacement or improvement made within the spirit and principles of the present invention shall be included within the protection scope of the present invention.

Claims (10)

1. An authentication method, characterized by comprising:
a softswitch receives a message from a terminal, where the message from the terminal comprises: first authentication information that the terminal generates with a predetermined algorithm from its MAC address and information in the H.248/MEGACO protocol, and the information in the H.248 protocol;
the softswitch generates second authentication information, using the same algorithm as the predetermined algorithm, from the information in the H.248 protocol obtained from the message from the terminal and the locally stored MAC address of the terminal;
the softswitch passes the authentication of the terminal when the first authentication information is identical to the second authentication information;
wherein the information in the H.248 protocol is at least one of the following: a transaction identifier, a timestamp.
2. The method according to claim 1, characterized in that, when the message the softswitch receives from the terminal is a registration message, the softswitch registers the terminal successfully after passing the authentication of the terminal.
3. The method according to claim 2, characterized in that, after the softswitch successfully registers the terminal, the method further comprises:
the softswitch replies to the terminal with a response message.
4. The method according to claim 2, characterized in that, when the softswitch does not pass the authentication of the terminal, the softswitch ignores the registration message of the terminal.
5. The method according to any one of claims 2 to 4, characterized in that, after the softswitch successfully registers the terminal, the method further comprises:
the softswitch periodically requests the terminal to generate and send authentication information obtained with the predetermined algorithm from its MAC address and the information in the H.248 protocol, so as to periodically authenticate the legitimacy of the terminal.
6. The method according to claim 5, characterized in that, when the softswitch periodically authenticates the legitimacy of the terminal, the method further comprises:
if the softswitch passes the authentication of the terminal, keeping the terminal online;
if the softswitch does not pass the authentication of the terminal, setting the state of the terminal to not online.
7. A softswitch, characterized by comprising:
a receiver module, for receiving a message from a terminal, where the message from the terminal comprises: first authentication information that the terminal generates with a predetermined algorithm from its MAC address and information in the H.248 protocol, and the information in the H.248 protocol, wherein the information in the H.248 protocol is at least one of the following: a transaction identifier, a timestamp;
an acquisition module, for obtaining the information in the H.248 protocol from the message from the terminal;
a first generation module, for generating second authentication information, using the same algorithm as the predetermined algorithm, from the information in the H.248 protocol and the locally stored MAC address of the terminal;
an authentication module, for passing the authentication of the terminal when the first authentication information is identical to the second authentication information.
8. The softswitch according to claim 7, characterized in that, when the message the receiver module receives from the terminal is a registration message, the terminal is registered successfully after the authentication module passes the authentication of the terminal.
9. The softswitch according to claim 8, characterized in that, after the softswitch successfully registers the terminal, the softswitch further comprises:
a request module, for periodically requesting the terminal to generate and send authentication information obtained with the predetermined algorithm from its MAC address and the information in the H.248 protocol, so as to periodically authenticate the legitimacy of the terminal.
10. A terminal, characterized by comprising:
a second generation module, for generating authentication information with a predetermined algorithm from the MAC address of the terminal and information in the H.248 protocol, wherein the information in the H.248 protocol is at least one of the following: a transaction identifier, a timestamp;
a sending module, for sending the authentication information and the information in the H.248 protocol so that the legitimacy of the terminal can be authenticated.
CN200910179882.1A 2009-10-19 2009-10-19 Authentication method, soft switch and terminal Expired - Fee Related CN101697542B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN200910179882.1A CN101697542B (en) 2009-10-19 2009-10-19 Authentication method, soft switch and terminal

Publications (2)

Publication Number Publication Date
CN101697542A CN101697542A (en) 2010-04-21
CN101697542B true CN101697542B (en) 2015-01-28

Family

ID=42142616

Family Applications (1)

Application Number Title Priority Date Filing Date
CN200910179882.1A Expired - Fee Related CN101697542B (en) 2009-10-19 2009-10-19 Authentication method, soft switch and terminal

Country Status (1)

Country Link
CN (1) CN101697542B (en)

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
TR01 Transfer of patent right

Effective date of registration: 20171229

Address after: A group of wulanba banner of Bahrain 024000 the Inner Mongolia Autonomous Region Sanshan village Su Chifeng City

Patentee after: Xu Caihua

Address before: 518057 Nanshan District science and technology, Guangdong Province, South Road, No. 55, No.

Patentee before: ZTE Corporation

CB03 Change of inventor or designer information

Inventor after: Xu Caihua

Inventor before: Li Guojie

CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20150128

Termination date: 20181019