CN102006567B - Push-message processing method and system and equipment for implementing push-message processing method - Google Patents

Publication number: CN102006567B
Authority: CN (China)
Legal status: Active
Application number: CN201010545591.2A
Other languages: Chinese (zh)
Other versions: CN102006567A
Inventor: 加雄伟
Current Assignee: China United Network Communications Group Co Ltd
Original Assignee: China United Network Communications Group Co Ltd
Prior art keywords: message, application client, client, push message, application

Abstract

The invention discloses a push-message processing method and a system and equipment for implementing the push-message processing method. The push-message processing method comprises the following steps: message receiving equipment receives a push-message which is sent by a message sending system and comprises a push application identifier; the message receiving equipment matches a corresponding application client according to the push application identifier, and judges whether the matched application client is registered and whether a push message response capability file generated by the matched application client has obtained a signature; if the matched application client is registered and the push message response capability file has obtained the signature, the matched application client is started to process the received push-message; and if the matched application client is not registered, or the push message response capability file has not obtained the signature, processing of the received push-message is refused. The application client that processes the push-message is therefore safe and controllable, which improves the safety of push-message processing.

Description

Push message processing method, and system and device for implementing the push message processing method
Technical field
The present invention relates to communication technology, and in particular to a push message processing method and to a system and device for implementing the push message processing method.
Background
The push message (PUSH message) service is a basic service in mobile networks.
Through the PUSH message service, a mobile network operator (or value-added service provider) can send control-type messages to mobile network terminals. For example, when a mobile terminal user (the sending user) sends a multimedia message (MMS) to another mobile terminal user (the receiving user), the mobile network's service system can send the receiving user's terminal a PUSH message prompting it to retrieve the MMS message, and the receiving user's terminal retrieves the MMS message from the agreed network address as the PUSH message indicates. Similarly, a mobile network value-added service provider may send multimedia advertisement link information to a receiving user; after the receiving user's terminal receives the information, it starts the advertisement player application on the terminal as the information specifies, and the advertisement player application plays the advertisement according to the agreed information.
A PUSH message processing system comprises a message sending system (device), a message delivery system and a message receiving device. The mobile network operator (or value-added service provider) generates a PUSH message with the message sending system (device) and sends it to the message delivery system, which pushes the PUSH message to a message receiving device such as the receiving user's terminal.
However, the transmission of PUSH messages also raises communication security problems, such as whether a PUSH message comes from a malicious sender and whether the PUSH message itself is safe.
In the prior art, Chinese patent application No. 200610137955.7, "A method for checking a PUSH message and the identity of its sender", verifies the identity of the push initiator (PI) by the PI's IP address or by the digital certificate that the PI obtained by registering with a certificate authority (CA), and verifies the integrity of the PUSH message by the PUSH message's digital signature, so as to prevent attacks during communication and secure the PUSH message in transit.
In addition, to ensure security, mobile network operators usually do not open up the right to send PUSH messages; given that existing PUSH message processing technologies and standards have no unified control mechanism, this is how they ensure that PUSH messages are sent safely.
The prior art has at least the following defect: although the above methods can secure the PUSH message in transit, none of them can ensure that the processing of the PUSH message is safe and controllable. For example, when one entity (e.g. a mobile network operator or value-added service provider, called the sending entity) sends a PUSH message to another entity (e.g. a mobile service user, called the receiving entity) and the application client is a malicious application client, then, triggered by the PUSH message, it can carry out attacks such as sending out the private information held in the message receiving device.
Summary of the invention
The present invention provides a push message processing method, and a system and device for implementing it, to solve the prior-art problem that message receiving devices process push messages with low security, and thereby to improve the security of push message processing.
The present invention provides a push message processing method, comprising:
a message receiving device receives a push message, sent by a message sending system, that contains a push application identifier;
the message receiving device matches the corresponding application client according to the push application identifier, and judges whether the matched application client is registered and whether the push message response capability file generated by the matched application client has obtained a signature;
if the matched application client is registered and its push message response capability file has obtained a signature, the matched application client is started to process the received push message; if the matched application client is not registered, or its push message response capability file has not obtained a signature, processing of the received push message is refused.
The present invention also provides a message security management system for implementing the above push message processing method, comprising:
an application management and service module, configured to sign the push message response capability file of an application client, register the application client, and verify the signature of the application client's push message response capability file;
a trusted application list management and service module, configured to establish and maintain a trusted application list, the trusted application list being a list of information on application clients that have passed registration and signing.
The present invention also provides a message receiving device for implementing the above push message processing method, comprising:
a message receiving client, configured to receive the push message containing a push application identifier sent by the message sending system;
a message security management client, connected to the message receiving client, configured to match the corresponding application client according to the push application identifier of the push message received by the message receiving client, judge whether the matched application client is registered and whether the push message response capability file generated by the matched application client has obtained a signature, and, if the matched application client is registered and the push message response capability file it generated has obtained a signature, call and start the matched application client to process the push message;
an application client, connected to the message security management client, configured to start and process the push message received by the message receiving client when called by the message security management client.
The present invention also provides a push message processing system comprising a message sending system and a message delivery system, and further comprising the above message security management system and the above message receiving device;
the message security management system is communicatively connected to the message sending system, the message delivery system and the message receiving device;
the message sending system sends the generated push message containing a push application identifier to the message receiving device through the message delivery system; the message receiving device is configured to match the corresponding application client according to the push application identifier, and to judge whether the matched application client is registered and whether the push message response capability file generated by the matched application client has obtained a signature; if the matched application client is registered and the push message response capability file it generated has obtained a signature, the matched application client is called and started to process the push message.
The present invention also provides a method for applying for an identity certificate in the above push message processing system, comprising:
the message sending system, message delivery system or message receiving device sends application information to the message security management system to apply for an identity certificate, the application information comprising at least: user name, user password, user information and service type;
the message security management system generates an identity certificate and the corresponding key from the application information and returns them to the message sending system, message delivery system or message receiving device.
The present invention also provides a method for signing an application client in the above push message processing system, comprising:
the application client generates a push message response capability file containing at least a push application identifier and an application client identifier; the application client sends a signing request for the push message response capability file;
where the message security management system supports the signing request, it computes the digest of the push message response capability file; the message security management system encrypts the digest with its own certificate private key;
the message security management system adds the encrypted digest to the push message response capability file; the message security management system returns the signing result and the push message response capability file with the encrypted digest added to the application client.
The present invention also provides a method for registering an application client in the above push message processing system, comprising: when an application client is installed on the message receiving device, it submits registration application information to the message security management client, the registration application information containing the push message response capability file;
the message security management client audits the push message response capability file in the registration application information; if the audit passes, the message security management client queries and updates the trusted application list, the trusted application list being the list of information on application clients registered and signed by the message security management system; if the audit fails, registration ends and a registration failure result is returned;
if the trusted application list contains the information of the application client that submitted the registration application information, the message security management client records that application client's registration information and returns a registration success result; if the trusted application list does not contain the information of the application client that submitted the registration application information, a registration failure result is returned.
With the push message processing method provided by the invention, and the system and device for implementing it, the application client matched by the push application identifier is started to process the received push message only when it is registered and its push message response capability file has obtained a signature; otherwise processing of the push message is refused. This ensures that the application client that processes the push message is secure and reliable, makes that application client safe and controllable, and improves the security of push message processing.
Description of drawings
Fig. 1 is a flow chart of the push message processing method provided by an embodiment of the invention;
Fig. 2 is a schematic structural diagram of the message security management system provided by an embodiment of the invention;
Fig. 3 is a schematic structural diagram of a message receiving device, provided by an embodiment of the invention, that can be used to implement the above push message processing method;
Fig. 4 is a schematic structural diagram of the push message processing system provided by an embodiment of the invention;
Fig. 5 is a schematic structural diagram of the message sending system in the push message processing system provided by an embodiment of the invention;
Fig. 6 is a schematic structural diagram of the message delivery system in the push message processing system provided by an embodiment of the invention;
Fig. 7 is a flow chart of an embodiment of the method for applying for an identity certificate in the push message processing system provided by an embodiment of the invention;
Fig. 8 is a signaling flow chart of the message sending system applying for an identity certificate in the push message processing system provided by an embodiment of the invention;
Fig. 9 is a flow chart of an embodiment of the method for signing an application client in the push message processing system provided by an embodiment of the invention;
Fig. 10 is the signaling flow chart corresponding to Fig. 9;
Fig. 11A is a flow chart of an embodiment of the method for registering an application client in the push message processing system provided by an embodiment of the invention;
Fig. 11B is the signaling flow chart corresponding to Fig. 11A;
Fig. 12 is a flow chart of the push message processing system provided by an embodiment of the invention delivering a push message;
Fig. 13 is a flow chart of the message receiving device processing a push message in the push message processing system provided by an embodiment of the invention.
Embodiments
To make the purpose, technical solutions and advantages of the embodiments of the invention clearer, the technical solutions in the embodiments are described clearly and completely below with reference to the accompanying drawings. Obviously, the described embodiments are some, not all, of the embodiments of the invention. All other embodiments obtained by those of ordinary skill in the art from the embodiments of the invention without creative effort fall within the scope of protection of the invention.
Fig. 1 is a flow chart of the push message processing method provided by an embodiment of the invention. As shown in Fig. 1, the push message processing method comprises:
Step 11: the message receiving device receives a push message, sent by the message sending system, that contains a push (PUSH) application identifier;
Step 12: the message receiving device matches the corresponding application client according to the push application identifier, and judges whether the matched application client is registered and whether the push message response capability file generated by the matched application client has obtained a signature;
Step 13: if the matched application client is registered and its push message response capability file has obtained a signature, the matched application client is started to process the received push message; if the matched application client is not registered, or its push message response capability file has not obtained a signature, processing of the received push message is refused.
In this embodiment, the message receiving device starts the application client matched by the push application identifier to process the received push message only when that client is registered and its push message response capability file has obtained a signature; otherwise it refuses to process the push message. This ensures that the application client that processes the push message is secure and reliable, makes that application client safe and controllable, and improves the security of push message processing.
In step 11 above, the push message may further contain an application client identifier. In that case, in step 12, the message receiving device matching the corresponding application client according to the push application identifier comprises: the message receiving device matches the corresponding application client according to the push application identifier and the application client identifier.
When several application clients match the push application identifier, the application client identifier makes it possible to match directly the application client that the message sending system expects to be used to process the push message.
The push application identifier is the application identifier string (text string) used in the PUSH message application standards to identify an application client program. Push application identifiers are maintained by the Open Mobile Alliance (OMA). One application client can respond to several push application identifiers at the same time.
The application client identifier is an identifier string used to identify an application client; a globally unique identifier (GUID) can be used as the application client identifier.
In step 11 above, the push message containing a push application identifier sent by the message sending system may also contain a message digest, and this message digest may be a digest signed by the message sending system.
When the message digest is a digest signed by the message sending system, the following may also precede step 12: the message receiving device verifies the identity of the message sending system according to the digest in the push message that was signed by the message sending system, i.e. the signed digest; if verification passes, the message receiving device matches the corresponding application client according to the push application identifier; if verification fails, processing of the push message is refused. This ensures that received push messages are not processed when the message sender is unreliable, which lightens the processing load on the message receiving device and improves the efficiency and security of push message processing.
Based on the idea of the push message processing method in the above embodiment, the embodiments of the invention provide a message security management system and a message security management client that can be used to implement that method. The message security management system performs security management of application clients and is responsible for ensuring that application clients are secure and reliable; the message security management client is installed in the message receiving device and assists the message security management system in ensuring that application clients are secure and reliable.
Fig. 2 is a schematic structural diagram of the message security management system provided by an embodiment of the invention. As shown in Fig. 2, the message security management system comprises an application management and service module 21 and a trusted application list management and service module 22.
The application management and service module 21 is configured to sign the push message response capability file of an application client, register the application client, and verify the signature of the application client's push message response capability file. An application client may apply for registration and signing directly to the message security management system, or may send the application for registration and signing to the message security management system via the message sending system.
The trusted application list management and service module 22 is configured to establish and maintain the list of information on application clients that have passed registration and signing; for ease of description, this list is called the trusted application list (the same below). When an application client registers and has its PUSH message response capability file signed, the message security management system modifies and maintains the trusted application list. Only the information of application clients that have passed the registration and signing service is written into the trusted application list. The message security management client can download the trusted application list from the message security management system periodically (or at irregular intervals), for use in registering application clients installed on the message receiving device and in calling and starting reliable application clients to process push messages; for details, see the descriptions below of the message receiving device embodiment, application client registration, and the push message processing embodiment.
In this embodiment, the message security management system is the security infrastructure of the PUSH message processing system. It can be deployed in the message delivery system as a new function of the message delivery system, or deployed separately.
The message security management system provided by the embodiment of the invention may further comprise a certificate management and service module 23, configured to provide, according to the application information sent by the message sending system, message delivery system or message receiving device, an identity certificate and the corresponding key in response to that application, and to verify the identity certificate of the message sending system, message delivery system or message receiving device, so as to further ensure that the functional entities in the sending, delivery and receiving stages of the push message processing system are secure and reliable. For the message sending system in particular, any party that obtains an identity certificate and the corresponding key by applying to the message security management system, and passes the message security management system's identity verification, can become a sender of push messages; this ensures both the security of the sender and the openness of push message sending.
The application information comprises at least: user name, user password, user information and service type. The identity certificate comprises at least: certificate format and version, certificate encoding method, signature algorithm, digest algorithm, certificate serial number, certificate subject, the identifier of the certificate's signing authority, and certificate digest. The certificate format and version can be X.509; the certificate encoding method can be BASE64; the signature algorithm can be RSA; the digest algorithm can be the secure hash algorithm (SHA-1); the certificate serial number is generated by the message security management system and can be a random number; the certificate subject can include a country identifier, applicant type and so on; the identifier of the certificate's signing authority is the identifier of the message security management system; the certificate digest is used to check the certificate. The public key corresponding to the identity certificate is stored in the identity certificate; the private key corresponding to the identity certificate is stored in secure storage of the corresponding functional entity, such as the message sending system, message delivery system or message receiving device, and can be stored in encrypted form.
Fig. 3 is a schematic structural diagram of a message receiving device, provided by an embodiment of the invention, that can be used to implement the above push message processing method. As shown in Fig. 3, the message receiving device comprises a message receiving client 31, a message security management client 32 and an application client 33.
The message receiving client 31 is configured to receive the push message containing a push application identifier sent by the message sending system; specifically, the push message sent by the message sending system can be forwarded to the message receiving client 31 by the message delivery system.
After the message receiving client 31 receives a PUSH message, it pushes the PUSH message to the message security management client 32, which carries out the subsequent processing of the PUSH message. The message receiving client 31 is also configured to receive the processing result from the message security management client 32.
The message security management client 32 is connected to the message receiving client 31 and is configured to match the corresponding application client according to the push application identifier of the push message received by the message receiving client 31, and to judge whether the matched application client is registered and whether the push message response capability file generated by the matched application client has obtained a signature; if the matched application client is registered and the push message response capability file it generated has obtained a signature, it calls and starts the matched application client to process the push message. If the push message contains an application client identifier, the handling is as explained in the method embodiment above and as described further below.
There may be several application clients 33, for processing different push messages; one push message may of course also be processed by different application clients. When called by the message security management client 32, the matched application client 33 starts and processes the PUSH message content passed to it by the message security management client 32, i.e. the push message received by the message receiving client 31.
Before being distributed to message receiving devices, the application client 33 needs to register with the message security management system and request the message security management system to sign the PUSH message response capability file that the application client 33 generated.
When the application client 33 is installed on a message receiving device, it needs to submit registration application information to the message security management client 32 to register its PUSH message response capability. The registration application information comprises at least: the signed push message response capability file, the application client's installation path, and the full path of the application client's main program. The message security management client 32 registers the application client that submitted this registration application information according to that information. This further ensures that the application clients in the message receiving device are all secure and reliable, and so improves the security of push message processing in the message receiving device.
When registering, the application client 33 needs to provide the message security management client 32 with the PUSH message response capability file signed by the message security management system.
If the application client 33 has not generated a PUSH message response capability file, or the capability file has not been signed by the message security management system, or the application client 33 has not been registered in the message receiving device, then the application client 33 does not have the ability to receive and process PUSH messages; that is, the message security management client 32 cannot call this application client 33 to process PUSH messages.
The message security management client 32 can be regarded as the extension of the message security management system into the message receiving device; it works with the message security management system to solve the security problem of PUSH messages.
When the push message received by the message receiving client 31 contains a signed digest, the message security management client 32 is also configured to authenticate, according to the signed digest of the push message received by the message receiving client 31, the message sending system that sent the push message; if authentication passes, it matches the corresponding application client and calls and starts the matched application client 33 to process the push message; if authentication fails, processing of the push message is refused.
When the push message received by the message receiving client 31 contains an application client identifier, the message sender has chosen the application client that is to process this push message; the message security management client 32 can then also match the corresponding application client directly by the application client identifier, to meet the message sending system's requirement.
When the message security management client 32 audits whether to accept an application client's registration request, it can work with the message security management system. Only application clients registered with the message security management system can be accepted for registration by the message security management client 32.
The message security management client 32 can obtain the trusted application list from the message security management system periodically (or at irregular intervals), as an important basis for deciding whether to accept an application client's registration request.
The message sink equipment that the embodiment of the invention provides also can comprise: identity application module 34, and be used for to the application of message safety management system and obtain letter of identity and corresponding key, also safe and reliable to guarantee the message sink equipment in the pushing news treatment system.
In this embodiment, the message receiving equipment receives, through the message security management client, the push message pushed from message receiving client 31. Message security management client 32 uses the push application identifier of the push message to look up the matching application client in the registered application client list of the message receiving equipment, finds and starts the matching application client, and passes the content of the push message to the started application client. The registered application client list is the list of application clients installed on the message receiving equipment. Clearly, any application client whose information is stored in this list also has its information stored in the trusted application list. An application client whose information is stored in the trusted application list, however, is not necessarily installed on the message receiving equipment. Therefore, when the message security management client calls an application client to process a push message, it must also check against the registered application client list whether the application client to be called is installed; otherwise the application client is unavailable even if its information is stored in the trusted application list. The message receiving equipment may also have no registered application client list. In that case, an installed flag can be added to the application client information that the message security management client stores in the local trusted application list, indicating whether the trusted application client is installed on the message receiving equipment; that is, the local trusted application list also records whether each application client is installed locally. When the push message also includes an application client identifier, message security management client 32 can use that identifier directly to find and start the matching application client in the registered application client list to process the received push message. This ensures the security of the application client and of message processing, and allows the message sending system to control which application client on the message receiving equipment processes the push message.
The push message processing system provided by the embodiment of the invention implements the above push message processing method by means of the message security management system, message security management client and message receiving equipment described in the above embodiments.
Fig. 4 is a schematic structural diagram of the push message processing system provided by the embodiment of the invention. As shown in Fig. 4, the push message processing system comprises message sending system 41, message delivery system 42, message security management system 43 and message receiving equipment 44.
Message security management system 43 is communicatively connected with message sending system 41, message delivery system 42 and message receiving equipment 44.
Message sending system 41 sends the generated push message, which comprises a push application identifier, to message receiving equipment 44 through message delivery system 42. Message receiving equipment 44 is configured to match the corresponding application client according to the push application identifier, and to judge whether the matched application client is registered and whether the push message response capability file generated by the matched application client has obtained a signature. If the matched application client is registered and the capability file it generated has obtained a signature, the equipment calls and starts the matched application client to process the push message.
Message security management system 43 may be any message security management system provided by the embodiment shown in Fig. 2. It is the core system of the push message processing system and has the management functions related to push message security, including the registration and signing service for application clients, trusted application list management and service, and so on. It may further provide identity certificate and key management and service for the other functional entities.
Message sending system 41 is used to send push messages to users; specifically, it can send push messages to message receiving equipment 44 through message delivery system 42, and can at the same time provide the service agreed in the push message. For example, if the push message that message sending system 41 sends to the user contains information inviting the user to visit an agreed web page, the message sending system can provide the user with the web service that supports that page. When message sending system 41 is used only to realize the above functions, the message sending system of an existing push message processing system can be used instead. When message sending system 41 has functions such as message sending and identity certificate acquisition, its structure is as shown in Fig. 5, which is a schematic structural diagram of the message sending system in the push message processing system provided by the embodiment of the invention. Message sending system 41 may comprise message sending module 51, application service module 52 and identity application module 53.
Message sending module 51 is used to send the generated push message to the message delivery system. The push message generated by the message sending system includes a push application identifier (see the description in the above embodiments), which the message receiving equipment uses to match one or more application clients that can process the push message.
The service contained in the push message generated by message sending system 41 can be provided by application service module 52 or by another application system. For example, if the push message contains a service for accessing a certain web page, that page can be provided by the web application service of the message sending system or by another web application service.
Identity application module 53 is used to apply to the message security management system for, and obtain, an identity certificate and the corresponding key; see the description in the above embodiments for the identity certificate.
Message sending system 41 may further comprise application client management and service module 54, which assists the application client in having message security management system 43 sign the application client's push message response capability file, and assists the application client in registering with message security management system 43.
Application client management and service module 54 also records the information of the application clients that have registered with and been signed by message security management system 43, so that when a push message is sent, the corresponding application client can be selected from the recorded information and its application client identifier set in the push message, instructing message receiving equipment 44 to start the selected application client to process the push message, thereby ensuring the security of message processing.
Message sending system 41 may further comprise digest signature module 55, which uses the identity certificate and corresponding key obtained by identity application module 53 to sign the message digest of the push message generated by message sending system 41, so that message security management system 43 and message receiving equipment 44 can confirm the identity of the message sending system 41 that sent the push message, ensuring that the sender of the push message is safe and reliable.
Message sending system 41 may also comprise client identifier adding module 56, which sets, in the push message generated by message sending system 41, an application client identifier instructing message receiving equipment 44 to start the corresponding application client to process the push message. This ensures that the application client that message receiving equipment 44 uses to process the push message is known to the message sending system that sent it, and that the processing of the push message is safe. That is, the push message sent by message sending module 51 may also include an application client identifier, so that message sending system 41 can explicitly indicate that the generated push message is to be processed by the specified application client.
Message sending system 41 is not limited to the above structure. It can also be a capability extension of an existing message sending system (equipment), provided the following functions are added to the existing system: the ability to apply to the message security management system for a certificate and corresponding key for the system (equipment), with support for the related certificate and key algorithms; the ability to assist in registering the application client and the application client's push response capability file, and to record the application client's information; the ability to attach an application client identifier to a push message when generating it; and the ability to attach a push message digest to a push message when generating it, the digest being signed with the certificate of the message sending system (equipment) and the corresponding private key.
Message delivery system 42 receives the push messages sent by message sending system 41 and pushes them to message receiving equipment 44 according to the delivery requirements. As shown in Fig. 6, the main functions of message delivery system 42 include service management, message processing, message receiving and message delivery.
Message delivery system 42 can be an improvement on the message delivery system of an existing push message processing system. For example, before delivering a push message, message delivery system 42 requests message security management system 43 to audit the push message and its sender; only push messages that pass the audit can be pushed to message receiving equipment 44.
Message delivery system 42 can also store the push messages it delivers. When a push message contains the message sender's (message sending system's) signed digest of the push message, and message security management system 43 is deployed inside message delivery system 42 as a part of it, message delivery system 42 can itself confirm the sender of the message from the signed digest, strengthening the message delivery system's ability to trace and monitor push messages.
Message delivery system 42 can be a capability extension of an existing message delivery system, that is, the following functions are added to the existing system: the ability to apply to message security management system 43 for a certificate and corresponding key for the system, with support for the related certificate and key algorithms; the function of having message security management system 43 audit a push message before it is delivered, and deciding according to the audit result whether to deliver it; and the function of recording delivered push messages and, from the signed digest of a push message, looking up and verifying the entity that actually sent it.
On the basis of an existing message delivery system, message delivery system 42 can also add identity application module 61, which sends application information to message security management system 43 and obtains an identity certificate and corresponding key from it, ensuring the reliability of the message delivery system and improving the security of push messages in the delivery link. The application information includes at least: user name, user password, user information and service type. The identity certificate includes at least: certificate format and version, certificate encoding method, signature algorithm, digest algorithm, certificate serial number, certificate subject, the identifier of the certificate's signing authority, and the certificate profile.
Before delivering a push message, message delivery system 42 requests message security management system 43 to audit the push message and its sender. Only push messages that pass the audit by message security management system 43 can be pushed to message receiving equipment 44, which ensures the reliability of the message source and strengthens the ability of message security management system 43 to trace and monitor push messages.
Message receiving equipment 44, also called the user terminal, receives and processes push messages. The message receiving client in message receiving equipment 44 receives the message and then notifies the message security management client, which calls the agreed application client to process the push message; that is, it calls the corresponding application client according to the application client identifier in the push message. Message receiving equipment 44 may be any message receiving equipment provided by the embodiment shown in Fig. 3.
In the push message processing system provided by the above embodiments, the message sending system generates a push message and pushes it to the message delivery system; the received push message is audited by the message security management system or the message delivery system, and a push message that passes the audit is pushed to the message receiving equipment. After receiving the push message, the message receiving equipment finds and starts the application client agreed in the push message, and pushes the push message content to the started application client. The started application client then accesses the agreed application service system according to the push message content.
Fig. 7 is a flow chart of an embodiment of the method for applying for an identity certificate in the push message processing system provided by the embodiment of the invention. As shown in Fig. 7, the method by which message sending system 41, message delivery system 42 or message receiving equipment 44 applies to message security management system 43 for an identity certificate comprises:
Step 71: message sending system 41, message delivery system 42 or message receiving equipment 44 sends application information to message security management system 43 to apply for an identity certificate. The application information (see the description of the above embodiments) includes at least: user name, user password, user information and service type;
Step 72: message security management system 43 generates an identity certificate and the corresponding key according to the application information and feeds them back to message sending system 41, message delivery system 42 or message receiving equipment 44. The identity certificate (see the description of the above embodiments) includes at least: certificate format and version, certificate encoding method, signature algorithm, digest algorithm, certificate serial number, certificate subject, the identifier of the certificate's signing authority, and the certificate profile.
Before message security management system 43 generates the identity certificate and corresponding key according to the application information, the method further comprises:
Message security management system 43 verifies the identity of message sending system 41, message delivery system 42 or message receiving equipment 44 according to the application information. If verification fails, it rejects the application. If verification passes, it judges whether the applicant is already registered, because the requesting party may apply more than once. If the applicant is registered, that is, the requesting party has already applied successfully (registered successfully) and its identity certificate and corresponding key have already been generated, message security management system 43 directly feeds back the identity certificate already generated and the corresponding key. If the applicant is not registered, message security management system 43 registers message sending system 41, message delivery system 42 or message receiving equipment 44, and generates and stores the corresponding identity certificate and key.
Taking as an example message sending system 41 applying to message security management system 43 for an identity certificate and corresponding key, the specific steps, as shown in Fig. 8, comprise:
Step 81: message sending system 41 sends application information to message security management system 43 to apply for an identity certificate and corresponding key.
The application information that message sending system 41 sends to message security management system 43 includes information such as the user name, user password, user information and service type of the message sending system.
Step 82: message security management system 43 checks the application and generates an identity certificate and corresponding key.
Message security management system 43 verifies the identity of message sending system 41 according to the application information. If verification fails, it rejects the application of message sending system 41 and goes to step 83 to feed back the application result of refusing to provide an identity certificate, together with the related reasons. If verification passes, the message security management system checks whether message sending system 41 has an active registration, that is, whether message sending system 41 has already successfully applied for an identity certificate and corresponding key. If an active registration exists, message security management system 43 performs step 83 and directly feeds back to message sending system 41 the identity certificate and corresponding key already generated for it.
If message sending system 41 has no active registration, message security management system 43 registers message sending system 41, generates and stores its identity certificate and corresponding key, and then goes to step 83 to feed back the application result of providing an identity certificate.
Step 83: message security management system 43 feeds back the application result to message sending system 41. If message security management system 43 provides an identity certificate and key for message sending system 41, it feeds back the generated identity certificate and corresponding key to message sending system 41; if it decides not to provide an identity certificate and key for message sending system 41, it feeds back to message sending system 41 the application result of refusing to provide an identity certificate, together with the related reasons.
The steps by which message delivery system 42 applies for an identity certificate and corresponding key are similar to steps 81 to 83 above, with the applicant changed to the message delivery system. Likewise, the steps by which message receiving equipment 44 applies for an identity certificate and corresponding key are similar to steps 81 to 83 above, with the applicant changed to the message receiving equipment.
Fig. 9 is a flow chart of an embodiment of the method for application client signing in the push message processing system provided by the embodiment of the invention. As shown in Fig. 9, the method for application client signing comprises:
Step 91: the application client generates a push message response capability file comprising at least a push application identifier and an application client identifier. See the description in the above embodiments for the push application identifier and the application client identifier.
Step 92: the application client sends a signature request for the push message response capability file.
The application client can initiate the signature request directly to message security management system 43. Alternatively, if the application client is bound to message sending system 41, or the application client and message sending system 41 are a single system, the signature request is initiated through message sending system 41: as shown in Fig. 10, in step 101 the application client sends the signature request to message sending system 41, and in step 102 message sending system 41 forwards the signature request to message security management system 43.
Besides the push message response capability file, the application client's signature request can also include information such as copyright, size and application description.
Message sending system 41 uses the identity certificate it has obtained to set up a secure communication channel (for example, HTTPS) with message security management system 43, exchanges information in this secure environment, and sends the application client's signature request to message security management system 43.
Step 93: if message security management system 43 supports the signature request, it calculates the file digest of the push message response capability file.
Message security management system 43 audits message sending system 41 and the application client's signature request to determine whether to support the request. If message security management system 43 does not support the request, it feeds back the processing result and the reason for refusal.
If message security management system 43 supports the request, it calculates the file digest of the push message response capability file from the content of the file, using the agreed digest algorithm (for example SHA-1).
Step 94: message security management system 43 encrypts the file digest with the private key of its own certificate, that is, it encrypts the capability file digest with the private key corresponding to its own certificate, generating a new capability file digest.
Step 95: message security management system 43 adds the encrypted file digest to the push message response capability file, that is, it inserts the newly generated capability file digest at the agreed position in the push message response capability file, such as the tail of the file.
Step 96: message security management system 43 feeds back the signing result and the push message response capability file with the encrypted file digest added to the application client.
Specifically, when the application client requests the signature directly from message security management system 43, message security management system 43 sends the signing result and the capability file with the encrypted file digest added directly to the application client. When the application client requests the signature through message sending system 41, message security management system 43 feeds back the signing result of the capability file to message sending system 41, which forwards it to the application client. In this case, if message security management system 43 returns the signed push message response capability file, the application client signing method provided by the embodiment of the invention may further comprise:
Step 97: message sending system 41 stores the push message response capability file with the encrypted file digest added, that is, it stores the signed capability file. In this way, when generating and sending a push message, message sending system 41 can use the stored capability file information to select the application client that is to process the push message, ensuring the security of push message processing.
Step 97 can be performed during the execution of step 96, or after step 96.
After step 96, the method may further comprise:
Step 98: the application client takes the push message response capability file with the encrypted file digest added as a part of itself and is distributed to message receiving equipment 44.
Steps 97 and 98 have no required order: they can be performed simultaneously, step 97 can be performed before step 98, or step 98 before step 97.
If message security management system 43 refuses to sign, message sending system 41 feeds back the denial of service information from message security management system 43 to the application client.
The application client is installed on message receiving equipment 44. At installation, the application client must register its capability information with the message security management client of message receiving equipment 44. Only after successful registration can the application client be called by the message security management client to process push messages. Fig. 11A is a flow chart of an embodiment of the method for application client registration in the push message processing system provided by the embodiment of the invention. Fig. 11B is the signaling flow chart corresponding to Fig. 11A. As shown in Fig. 11A and Fig. 11B, the method for application client registration comprises:
Step 111: when the application client is installed on message receiving equipment 44, it submits registration information to the message security management client; the registration information includes the push message response capability file.
The submitted registration information includes at least: the full path of the signed push message response capability file, the application client installation path, and the application client main program (full name, including path and main program name). It can also include the method for starting the main program, for example how the parameters are written when the main program is executed.
Step 112: the message security management client judges whether the application client is already registered.
Specifically, the message security management client can decide whether the application client is already registered by checking whether the full path of the application client main program and the signed capability file exist. If they exist and are identical to the registration information, it goes to step 116 and directly feeds back registration success to the application client, which avoids repeated registration of the application client and improves the efficiency of processing registration requests. Where the application clients are all unregistered, step 112 can be omitted.
Step 113: the message security management client audits the push message response capability file in the registration information.
Because the message security management client holds the certificate and public key of message security management system 43, it can use the digest calculation method of message security management system 43 to generate file digest A of the capability file from the push message response capability file submitted by the application client.
In addition, the message security management client extracts file digest B of the push message response capability file from the capability file submitted by the application client.
The message security management client uses the public key of message security management system 43 to decrypt file digest B, obtaining file digest C.
The message security management client compares file digest A with file digest C. If they are identical, the capability file submitted by the application client is considered legal and valid, and the audit passes. Otherwise it is considered illegal or invalid, the audit fails, and the flow turns to step 116 to feed back to the application client that the registration request failed and why; that is, if the audit fails, registration ends and the registration failure result is fed back.
If the audit in step 114 passes, the message security management client queries and updates the trusted application list. The trusted application list is described in detail in the embodiments above; it is the information list of application clients that have been registered and signed by the message security management system.
The trusted application list in the message receiving equipment 44 is a backup of the trusted application list in the message security management system 43. The trusted application list is generated and maintained by the message security management system 43. It stores the information of the application clients that the message security management system 43 trusts (that is, those audited by the message security management system 43). This information comprises the push application identifier, the application client identifier, the signed capability file, and other information about the application client.
When an application client requests the message security management system 43 to sign its push message response capability file and the message security management system 43 accepts the request, the system can add the information of that application client to its own trusted application list.
The message security management client regularly checks and downloads the trusted application list in the message security management system 43 in order to maintain the trusted application list in the message receiving equipment 44. The message security management client can also apply to the message security management system 43 when needed (for example, when the trusted application list does not exist or has expired) and download the latest trusted application list. The message security management client and the message security management system 43 can exchange data over a protocol such as HTTPS.
The message security management client queries whether the existing local trusted application list contains the information of the application client that submitted the registration information. If it does not, the client downloads the latest trusted application list from the message security management system, updates the local copy, and queries the updated list again for the information of the application client that submitted the registration information.
If the trusted application list of step 115 contains the information of the application client that submitted the registration information, the application client requesting registration is trusted. The message security management client then records the registration information of that application client and continues to step 116, feeding back a registration success result. If the trusted application list does not contain the information of that application client, the flow goes to step 116 and a registration failure result is fed back.
Step 116: the message security management client feeds back the result of the registration request to the application client.
If the message security management client accepts the registration request of the application client, it feeds back a registration success result to the application client. Otherwise, the message security management client feeds back a registration failure.
The application client registration method provided by the embodiment of the invention can further comprise:
Step 117: the message security management client records security management log information and regularly submits the log information to the message security management system 43.
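The audit and trusted-list lookup of steps 114 to 116, as an added example that is not part of the patent text. It assumes the capability file is a JSON object whose `signed_digest` field carries digest B, uses SHA-256 as the agreed digest algorithm, and models "encrypt the digest with the private key" as unpadded RSA over a constructed, insecure demo key; all field names, `fetch_latest` and `registered` are hypothetical.

```python
import hashlib
import json

# Constructed demo key for the management system: a product of two Mersenne
# primes, trivially factorable and NOT secure. A real deployment would use a
# vetted library and a padded signature scheme such as RSASSA-PSS.
_P, _Q = 2**521 - 1, 2**607 - 1
N, E = _P * _Q, 65537                    # public key, held by the device
_D = pow(E, -1, (_P - 1) * (_Q - 1))     # private key, management system only


def file_digest(cap: dict) -> int:
    """Digest of the capability file, excluding the embedded signed digest."""
    body = {k: v for k, v in cap.items() if k != "signed_digest"}
    data = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def sign_capability(cap: dict) -> dict:
    """Management-system side: encrypt the digest with the private key, embed it."""
    signed = dict(cap)
    signed["signed_digest"] = format(pow(file_digest(cap), _D, N), "x")
    return signed


def audit_capability(cap: dict) -> bool:
    """Step 114 on the device: compute A, decrypt B into C, compare A and C."""
    b = cap.get("signed_digest")
    if not isinstance(b, str):
        return False                     # unsigned file: audit fails
    try:
        b_int = int(b, 16)
    except ValueError:
        return False                     # malformed digest B
    if not 0 < b_int < N:
        return False
    digest_a = file_digest(cap)          # A: recomputed locally
    digest_c = pow(b_int, E, N)          # C: B decrypted with the public key
    return digest_a == digest_c


def register(cap, local_trusted, fetch_latest, registered):
    """Steps 114-116. Returns (ok, reason, trusted list now in use)."""
    if not audit_capability(cap):
        return False, "capability file signature invalid", local_trusted
    key = (cap.get("push_app_id"), cap.get("client_id"))
    if key not in local_trusted:
        # Local backup may be stale: download the latest list once, then re-query.
        local_trusted = fetch_latest()
        if key not in local_trusted:
            return False, "client not in trusted application list", local_trusted
    registered[key] = cap                # record the registration information
    return True, "registered", local_trusted
```

The audit binds every field of the capability file to the signature, so a client that edits its push application identifier after signing fails step 114 before the trusted list is consulted.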
Figure 12 is a flow chart of push message delivery in the push-message processing system provided by the embodiment of the invention. As shown in Figure 12, the message sending system 41 generates a PUSH message and hands it to the message delivery system 42. The message delivery system 42 has the message security management system 43 audit whether the message may be delivered; if it may, the message delivery system 42 pushes the message to the message receiving equipment 44. The main steps of message delivery comprise:
Step 121: the message sending system 41 generates a PUSH message.
The PUSH message comprises at least a push application identifier. If the message sending system 41 wishes to designate the application client that processes the PUSH message, it can add an application client identifier to the PUSH message.
The PUSH message also comprises a PUSH message digest generated from the PUSH message content. The PUSH message digest makes it possible to determine that the PUSH message was generated by the message sending system; it is an important means of identifying the origin of a PUSH message. The message sending system 41 generates the PUSH message digest with an agreed digest algorithm (for example, SHA-1), then encrypts the digest with the private key of the message sending system 41, and the encrypted digest becomes part of the PUSH message. The format of the PUSH message can follow the conventions of existing PUSH message specifications.
Step 122: the message sending system 41 sends the PUSH message to the message delivery system 42 and requests its onward delivery.
The message sending system 41 and the message delivery system 42 can exchange data over a protocol such as HTTPS.
Because the security of PUSH messages is closely tied to the security of the message receiving equipment 44 and to the operational security of the business operation system, the message delivery system 42 can, before delivering the PUSH message, request the message security management system 43 to audit whether the message sending system is entitled to send the PUSH message.
Step 123: the message delivery system 42 requests the message security management system 43 to check and process the PUSH message, for example by authenticating the sender of the PUSH message.
Step 124: the message security management system 43 checks and processes the PUSH message.
Step 125: the message security management system 43 feeds back the result for the PUSH message to the message delivery system 42.
When the message security management system 43 is located inside the message delivery system 42 as part of its functions, steps 123 to 125 can be omitted, and the message delivery system 42 checks and processes the PUSH message itself.
Step 126: when the result fed back in step 125 is a pass, the message delivery system 42 pushes the PUSH message to the message receiving equipment 44.
The message delivery system 42 can push the PUSH message to the message receiving equipment 44 using existing PUSH message push standards. Step 126 is asynchronous.
Step 127: the message delivery system 42 feeds back the PUSH message delivery result to the message sending system 41.
The message delivery system 42 can feed back the processing result to the message sending system 41 using existing PUSH message push standards. Step 127 is asynchronous.
Figure 13 is a flow chart of the message receiving equipment processing a push message in the push-message processing system provided by the embodiment of the invention. As shown in Figure 13, after the message receiving client of the message receiving equipment 44 receives a PUSH message, it pushes the PUSH message to the message security management client for processing. The message security management client uses the push application identifier and the application client identifier in the PUSH message to find and start the target application client, and the target application client processes the PUSH message. The main steps by which the message receiving equipment processes a PUSH message comprise:
Step 131: the message receiving client receives the PUSH message.
The message receiving client can receive the PUSH message using existing PUSH message delivery and reception techniques.
Step 132: the message receiving client pushes the received PUSH message to the message security management client.
The PUSH message must comprise at least the push application identifier. If it does not, the flow goes to step 136 and feedback is given that the PUSH message cannot be processed.
Step 133: the message security management client searches the local trusted application list for a matching application client.
When a registered application client list is stored in the message receiving equipment 44, this step can be omitted and the next step, step 134, is carried out directly. When the message receiving equipment 44 has no such registered application client list, and installed application clients are instead flagged in the local trusted application list, this step is carried out to first judge whether the target application client is trustworthy.
The message security management client searches the local trusted application list for application client information matching the push application identifier. The search may find no application client, one application client, or several at once. If none exists, the flow goes to step 136 and feedback is given that no application client can handle the PUSH message.
If the PUSH message also comprises the application client identifier, the message security management client further matches the application client identifier. If an application client is found that matches both the push application identifier and the application client identifier, the flow goes to step 134. If no application client matching the application client identifier is found, further handling depends on service needs: for example, the call is terminated, or one application client is selected and called.
Step 134: the message security management client checks the validity of the target application client.
Specifically, the message security management client further checks whether the target application client actually exists, that is, it checks through the registered application client list whether the target application client has been installed in the message receiving equipment 44. When a registered application client list is stored in the message receiving equipment and the target application client is installed, the registered application client list contains the information of the target application client, which means the target application client actually exists. If it does not exist, the flow goes to step 136 and feedback is given that no valid application client can process the PUSH message.
When installed application clients in the message receiving equipment are flagged in the local trusted application list, and step 133 above has found the information of the target application client in the local trusted application list, this step is then carried out to judge whether the target application client information in the local trusted application list contains an installed flag. If it contains an installed flag, the target application client actually exists. If it contains a not-installed flag, the target application client does not exist; the flow goes to step 136 and feedback is given that no valid application client can process the PUSH message.
Step 135: the message security management client starts the target application client according to the agreed rule.
Specifically, the message security management client starts the target application client by the method agreed when the target application client registered, and sends the PUSH message to the target application client for processing.
Step 136: the message security management client feeds back the message processing result to the message receiving client.
Step 137: the message security management client records a message processing log and regularly submits it to the message security management system 43. Step 137 is asynchronous and optional.
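The device-side dispatch decision of steps 132 to 136, as an added example that is not part of the patent text. It assumes the variant in which the local trusted application list carries an installed flag; the `TrustedEntry` fields, the `start` callback, the sample paths and the `on_ambiguous` policy switch are hypothetical, and applying that policy when several clients match and no client identifier is given is a choice of this example.

```python
from dataclasses import dataclass


@dataclass
class TrustedEntry:
    push_app_id: str
    client_id: str
    installed: bool     # installed flag carried in the local trusted list
    launch_rule: str    # start method agreed at registration (hypothetical field)


def dispatch(push, trusted, start, on_ambiguous="abort"):
    """Steps 132-136. Returns (status, client_id or None); fails closed."""
    app_id = push.get("push_app_id")
    if not app_id:                                   # step 132: identifier required
        return "rejected: no push application identifier", None

    # Step 133: look up candidates in the local trusted application list.
    matches = [e for e in trusted if e.push_app_id == app_id]
    if not matches:
        return "rejected: no application client for this identifier", None

    wanted = push.get("client_id")
    if wanted is not None:
        exact = [e for e in matches if e.client_id == wanted]
        if exact:
            matches = exact[:1]
        elif on_ambiguous == "abort":                # "terminate the call"
            return "rejected: named application client not trusted", None
        # otherwise fall through and select one of the remaining candidates

    if len(matches) > 1 and on_ambiguous == "abort":
        return "rejected: several candidate clients", None
    target = matches[0]

    if not target.installed:                         # step 134: validity check
        return "rejected: no valid application client", None

    start(target.launch_rule, push)                  # step 135: agreed start rule
    return "processed", target.client_id             # step 136: feedback
```

Every branch that cannot name exactly one trusted, installed client returns before `start` is called, so an untrusted or absent client is never launched by a push message.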
The above embodiments of the invention apply not only to mobile networks but also to other networks, for example broadband fixed networks and the Internet. While remaining compatible with existing PUSH message processing techniques, they strengthen the security and openness of push message processing.
One of ordinary skill in the art will appreciate that all or part of the steps of the above method embodiments can be carried out by hardware under the control of program instructions. The program can be stored in a computer-readable storage medium and, when executed, performs the steps of the above method embodiments. The storage medium includes any medium that can store program code, such as ROM, RAM, a magnetic disk or an optical disc.
Finally, it should be noted that the above embodiments only illustrate the technical solutions of the invention and do not limit them. Although the invention has been described in detail with reference to the foregoing embodiments, those of ordinary skill in the art should understand that the technical solutions recorded in those embodiments can still be modified, or some of their technical features replaced by equivalents, and that such modifications or replacements do not make the essence of the corresponding technical solutions depart from the spirit and scope of the technical solutions of the embodiments of the invention.

Claims (32)

1. A push-message processing method, characterized in that it comprises:
message receiving equipment receiving a push message that is sent by a message sending system and comprises a push application identifier;
the message receiving equipment matching a corresponding application client according to the push application identifier, and judging whether the matched application client is registered and whether the push message response capability file generated by the matched application client has obtained a signature;
if the matched application client is registered and its push message response capability file has obtained a signature, starting the matched application client to process the received push message; if the matched application client is not registered, or its push message response capability file has not obtained a signature, refusing to process the received push message.
2. The push-message processing method according to claim 1, characterized in that the message receiving equipment receiving a push message that is sent by a message sending system and comprises a push application identifier comprises: the message receiving equipment receiving a push message that is sent by the message sending system and comprises a push application identifier and an application client identifier;
the message receiving equipment matching a corresponding application client according to the push application identifier comprises: the message receiving equipment matching a corresponding application client according to the push application identifier and the application client identifier.
3. The push-message processing method according to claim 2, characterized in that the application client identifier is a global user ID.
4. The push-message processing method according to any one of claims 1-3, characterized in that the push message that is sent by the message sending system and comprises a push application identifier also comprises a message digest, the message digest being a digest signed by the message sending system;
before the message receiving equipment matches a corresponding application client according to the push application identifier, the method also comprises:
verifying the identity of the message sending system according to the digest in the push message that is signed by the message sending system; if the verification passes, the message receiving equipment matches a corresponding application client according to the push application identifier; if the verification fails, refusing to process the push message.
5. A message security management system for implementing the push-message processing method of any one of claims 1-4, characterized in that it comprises:
an application management and service module, configured to sign the push message response capability file of an application client, register the application client, and verify the signature of the push message response capability file of the application client;
a trusted application list management and service module, configured to establish and maintain a trusted application list, the trusted application list being an information list of application clients that have been registered and signed.
6. The message security management system according to claim 5, characterized in that it also comprises:
a certificate management and service module, configured to provide an identity certificate and a corresponding key to a message sending system, message delivery system or message receiving equipment according to the application information sent by that message sending system, message delivery system or message receiving equipment, and to verify the identity certificate of the message sending system, message delivery system or message receiving equipment.
7. The message security management system according to claim 6, characterized in that the application information comprises at least: user name, user password, user information and COS;
the identity certificate comprises at least: certificate format and version, certificate encoding method, signature algorithm, digest algorithm, certificate serial number, certificate subject, identifier of the certificate's signing authority, and certificate profile.
8. The message security management system according to any one of claims 5-7, characterized in that it also comprises:
a message processing log receiving module, configured to receive the message processing log sent by the message receiving equipment.
9. Message receiving equipment for implementing the push-message processing method of any one of claims 1-4, characterized in that it comprises:
a message receiving client, configured to receive a push message that is sent by a message sending system and comprises a push application identifier;
a message security management client, connected to the message receiving client and configured to match a corresponding application client according to the push application identifier in the push message received by the message receiving client, to judge whether the matched application client is registered and whether the push message response capability file generated by the matched application client has obtained a signature, and, if the matched application client is registered and the generated push message response capability file has obtained a signature, to call and start the matched application client to process the push message;
an application client, connected to the message security management client and configured to start when called by the message security management client and to process the push message received by the message receiving client.
10. The message receiving equipment according to claim 9, characterized in that the message security management client is also configured to receive the registration information submitted by an application client when it is installed, and to register, according to the registration information, the application client that submitted the registration information.
11. The message receiving equipment according to claim 10, characterized in that the registration information comprises at least: the signed push message response capability file, the installation path of the application client, and the full path of the main program of the application client.
12. The message receiving equipment according to claim 9, characterized in that the message security management client is also configured to verify the identity of the sender of the push message according to the digest of the push message; if the authentication passes, to match a corresponding application client; if the authentication fails, to refuse to process the push message.
13. The message receiving equipment according to claim 9, characterized in that the push message includes an application client identifier, and the message security management client is also configured to match the corresponding application client directly by the application client identifier.
14. The message receiving equipment according to any one of claims 9-13, characterized in that the message security management client is also configured to record a message processing log and regularly send the message processing log to the message security management system.
15. The message receiving equipment according to any one of claims 9-13, characterized in that it also comprises:
an identity application module, configured to apply to the message security management system for, and obtain, an identity certificate and a corresponding key.
16. The message receiving equipment according to any one of claims 9-13, characterized in that the message security management client is also configured to download a trusted application list from the message security management system, the trusted application list being an information list of application clients registered and signed by the message security management system.
17. A push-message processing system comprising a message sending system and a message delivery system, characterized in that it also comprises: the message security management system of any one of claims 5-7 and the message receiving equipment of any one of claims 9-12;
the message security management system is communicatively connected to the message sending system, the message delivery system and the message receiving equipment;
the message sending system sends a generated push message comprising a push application identifier to the message receiving equipment through the message delivery system; the message receiving equipment is configured to match a corresponding application client according to the push application identifier, and to judge whether the matched application client is registered and whether the push message response capability file generated by the matched application client has obtained a signature; if the matched application client is registered and the generated push message response capability file has obtained a signature, the message receiving equipment calls and starts the matched application client to process the push message.
18. The push-message processing system according to claim 17, characterized in that any one or a combination of the message sending system, the message delivery system and the message receiving equipment also comprises:
an identity application module, configured to send application information to the message security management system and to obtain an identity certificate and a corresponding key from the message security management system, the application information comprising at least: user name, user password, user information and COS, and the identity certificate comprising at least: certificate format and version, certificate encoding method, signature algorithm, digest algorithm, certificate serial number, certificate subject, identifier of the certificate's signing authority, and certificate profile.
19. The push-message processing system according to claim 17, characterized in that the message sending system also comprises:
an application client management and service module, configured to assist the application client in having the message security management system sign the push message response capability file of the application client, and to assist the application client in registering with the message security management system;
wherein assisting the application client in having the message security management system sign the push message response capability file of the application client comprises:
forwarding the signature request sent by the application client to the message security management system;
forwarding the signature result for the capability file fed back by the message security management system to the application client.
20. The push-message processing system according to claim 19, characterized in that the application client management and service module is also configured to record the information of application clients that have been signed and registered.
21. The push-message processing system according to claim 18, characterized in that the message sending system also comprises:
a digest module, configured to use the identity certificate and corresponding key obtained by the identity application module to sign the message digest of the push message generated by the message sending system.
22. The push-message processing system according to any one of claims 17-21, characterized in that the message sending system also comprises:
a client identifier add-on module, configured to set, in the push message generated by the message sending system, an application client identifier that instructs the message receiving equipment to start the corresponding application client to process the push message.
23. A method for applying for an identity certificate in the push-message processing system of any one of claims 17-22, characterized in that it comprises:
a message sending system, message delivery system or message receiving equipment sending application information to the message security management system to apply for an identity certificate, the application information comprising at least: user name, user password, user information and COS;
the message security management system generating an identity certificate and a corresponding key according to the application information, and feeding them back to the message sending system, message delivery system or message receiving equipment.
24. The method for applying for an identity certificate according to claim 23, characterized in that, before the message security management system generates an identity certificate and a corresponding key according to the application information, the method also comprises:
the message security management system verifying the identity of the message sending system, message delivery system or message receiving equipment according to the application information; if the verification fails, refusing the application of the message sending system, message delivery system or message receiving equipment; if the verification passes, judging whether the message sending system, message delivery system or message receiving equipment is registered; if the message sending system, message delivery system or message receiving equipment is registered, directly feeding back the identity certificate and corresponding key already generated; if the message sending system, message delivery system or message receiving equipment is not registered, registering the message sending system, message delivery system or message receiving equipment, and generating and storing the corresponding identity certificate and corresponding key.
25. The method for applying for an identity certificate according to claim 23 or 24, characterized in that the identity certificate comprises at least: certificate format and version, certificate encoding method, signature algorithm, digest algorithm, certificate serial number, certificate subject, identifier of the certificate's signing authority, and certificate profile.
26. A method for application client signing in the push-message processing system of any one of claims 17-22, characterized in that it comprises:
an application client generating a push message response capability file comprising at least a push application identifier and an application client identifier;
the application client sending a signature request for the push message response capability file;
the message security management system, where it supports the signature request, calculating the file digest of the push message response capability file;
the message security management system encrypting the file digest with the private key of its own certificate;
the message security management system adding the encrypted file digest to the push message response capability file;
the message security management system feeding back the signature result and the push message response capability file with the encrypted file digest added to the application client.
27. The method for application client signing according to claim 26, characterized in that the application client sending a signature request for the push message response capability file comprises:
the application client sending the signature request for the push message response capability file to the message security management system through the message sending system;
the message security management system feeding back the signature result and the push message response capability file with the encrypted file digest added to the application client comprises:
the message security management system feeding back the signature result and the push message response capability file with the encrypted file digest added to the application client through the message sending system.
28. The method for application client signing according to claim 27, characterized in that it also comprises:
the message sending system storing the push message response capability file with the encrypted file digest added.
29. The method for application client signing according to any one of claims 26-28, characterized in that, after the message security management system feeds back the signature result and the push message response capability file with the encrypted file digest added to the application client, the method also comprises:
the application client including the push message response capability file with the encrypted file digest added as a part of itself and being distributed to message receiving equipment.
30. a method that is used for the claims 17~22 each described pushing news treatment system applications client registrations is characterized in that, comprising:
When applications client is installed to message sink equipment, submit registration information to the message safety administrative client, comprise pushing news responding ability file in the described registration information;
Described message safety administrative client is examined the pushing news responding ability file in the described registration information;
If audit is passed through, then described message safety administrative client inquiry and renewal trusted application are tabulated, and described trusted application is tabulated and is the information list of the applications client of registering by the message safety management system and signing; If audit is not passed through, then finish registration, feedback registration failure result;
If include the information of the applications client of submitting registration information in the described trusted application tabulation, then described message safety administrative client records the log-on message of the applications client of described submission registration information, and feeds back the result that succeeds in registration; If described trusted application tabulation does not comprise the information of the applications client of described submission registration information, then feed back the registration failure result.
31. the method for applications client registration according to claim 30 is characterized in that, the pushing news responding ability file that described message safety administrative client is examined in the described registration information also comprises before:
Judge whether described applications client is registered, if registered, then directly feed back the result that succeeds in registration to described applications client; If unregistered, then examine described registration information.
32. The method for registering an application client according to claim 30 or 31, characterized by further comprising:
The message security management client records log information of security management and regularly submits the log information to the message security management system.
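The registration flow of claims 30 to 32 can be sketched as follows. This is an added example, not code from the patent: HMAC-SHA256 stands in for the management system's signature (the claims name no algorithm), and the class name, `fetch_trusted` hook, key and app identifiers are hypothetical.

```python
import hashlib
import hmac

# Assumption: HMAC-SHA256 stands in for the management system's signature;
# the claims do not name an algorithm. Key and app names are constructed.
DEMO_KEY = b"constructed-demo-key"

def sign_capability_file(capability: bytes, key: bytes = DEMO_KEY) -> bytes:
    """Signature the management system would attach to a capability file."""
    return hmac.new(key, capability, hashlib.sha256).digest()

class SecurityManagementClient:
    def __init__(self, trusted_apps, key=DEMO_KEY, fetch_trusted=None):
        self.trusted_apps = set(trusted_apps)  # trusted application list
        self.fetch_trusted = fetch_trusted     # hypothetical list-refresh hook
        self.registered = {}                   # app_id -> capability file
        self.log = []                          # claim 32: security log
        self.key = key

    def _audit(self, capability, signature) -> bool:
        if not isinstance(capability, bytes) or not isinstance(signature, bytes):
            return False
        expected = sign_capability_file(capability, self.key)
        return hmac.compare_digest(expected, signature)

    def _result(self, app_id, ok, reason) -> bool:
        self.log.append((app_id, ok, reason))
        return ok

    def register(self, app_id, capability, signature) -> bool:
        if app_id in self.registered:               # claim 31: short-circuit
            return self._result(app_id, True, "already registered")
        if not self._audit(capability, signature):  # claim 30: audit step
            return self._result(app_id, False, "audit failed")
        if self.fetch_trusted is not None:          # "query and update" the list
            self.trusted_apps = set(self.fetch_trusted())
        if app_id not in self.trusted_apps:
            return self._result(app_id, False, "not in trusted list")
        self.registered[app_id] = capability
        return self._result(app_id, True, "registered")

    def pending_log(self):
        """Claim 32: hand the accumulated log to the management system."""
        batch, self.log = self.log, []
        return batch

if __name__ == "__main__":
    cap = b'{"push_app_id": "mail-01"}'  # constructed capability file
    client = SecurityManagementClient({"com.example.mail"})
    print(client.register("com.example.mail", cap, sign_capability_file(cap)))
    print(client.register("com.example.game", cap, sign_capability_file(cap)))
    print(client.pending_log())
```

As written in claim 31, an already-registered client gets a success result without a fresh audit, so an implementation that wants updated capability files re-checked would also compare the stored file against the submitted one.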
CN201010545591.2A 2010-11-15 2010-11-15 Push-message processing method and system and equipment for implementing push-message processing method Active CN102006567B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201010545591.2A CN102006567B (en) 2010-11-15 2010-11-15 Push-message processing method and system and equipment for implementing push-message processing method

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201010545591.2A CN102006567B (en) 2010-11-15 2010-11-15 Push-message processing method and system and equipment for implementing push-message processing method

Publications (2)

Publication Number Publication Date
CN102006567A CN102006567A (en) 2011-04-06
CN102006567B CN102006567B (en) 2013-03-27

Family

ID=43813557

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201010545591.2A Active CN102006567B (en) 2010-11-15 2010-11-15 Push-message processing method and system and equipment for implementing push-message processing method

Country Status (1)

Country Link
CN (1) CN102006567B (en)

Families Citing this family (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106385491B (en) * 2016-09-05 2019-10-29 努比亚技术有限公司 A kind of system, method and mobile terminal controlling PUSH message
CN108900302A (en) * 2018-06-19 2018-11-27 广州佳都数据服务有限公司 Two dimensional code generation, generates terminal and authenticating device at authentication method
CN109922046B (en) * 2019-01-30 2021-06-29 广东腾一科技有限公司 Data receiving and transmitting system and method
CN114338788B (en) * 2020-09-24 2024-03-15 花瓣云科技有限公司 Message pushing method, electronic equipment and storage medium

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1783790A (en) * 2004-11-29 2006-06-07 华为技术有限公司 Advertisement information transfering method
CN1863038A (en) * 2005-05-12 2006-11-15 中国电信股份有限公司 Method of implementing control and management of applied program in terminal apparatus
WO2010128916A1 (en) * 2009-05-04 2010-11-11 Telefonaktiebolaget Lm Ericsson (Publ) Session push transfer

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7721104B2 (en) * 2003-10-20 2010-05-18 Nokia Corporation System, method and computer program product for downloading pushed content

Also Published As

Publication number Publication date
CN102006567A (en) 2011-04-06

Similar Documents

Publication Publication Date Title
Ylonen et al. The secure shell (SSH) authentication protocol
KR101133829B1 (en) Verifying authenticity of webpages
CN101719250B (en) Payment authentication method, platform and system
CN102546532B (en) Capacity calling method, request unit, platform and system
CN104954330B (en) A kind of methods, devices and systems to be conducted interviews to data resource
CN101110831B (en) Digital cryptographic key protection method
US9100171B1 (en) Computer-implemented forum for enabling secure exchange of information
CN105207774A (en) Key negotiation method and device of verification information
US9026793B2 (en) Method for installing rights object for content in memory card
US20130311783A1 (en) Mobile radio device-operated authentication system using asymmetric encryption
CN109714370B (en) HTTP (hyper text transport protocol) -based cloud security communication implementation method
CN105516135A (en) Method and device used for account login
CN112905979B (en) Electronic signature authorization method and device, storage medium and electronic device
CN112765626A (en) Authorization signature method, device and system based on escrow key and storage medium
US20130054965A1 (en) Usage Control of Digital Data Exchanged Between Terminals of a Telecommunications Network
CN105142139A (en) Method and device for obtaining verification information
CN102006567B (en) Push-message processing method and system and equipment for implementing push-message processing method
CA2793422C (en) Hypertext link verification in encrypted e-mail for mobile devices
CN110034922B (en) Request processing method, processing device, request verification method and verification device
CN102208980A (en) Communication method and system
CN114726606B (en) User authentication method, client, gateway and authentication server
WO2019234801A1 (en) Service provision system and service provision method
JP2011165193A (en) User authentication method and device of hybrid terminal
CN112084485A (en) Data acquisition method, device, equipment and computer storage medium
CN115189975B (en) Login method, login device, electronic equipment and storage medium

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant