CN104253806A - Authentication method, client and server - Google Patents

Authentication method, client and server

Publication number: CN104253806A
Authority: CN (China)
Prior art keywords: authentication key, client, SIP, server, key
Legal status: Granted
Application number: CN201310270136.XA
Other languages: Chinese (zh)
Other versions: CN104253806B (en)
Inventor: 刘德
Current Assignee: Huawei Device Co Ltd; Huawei Device Shenzhen Co Ltd
Original Assignee: Huawei Device Co Ltd

Application filed by Huawei Device Co Ltd
Priority to CN201310270136.XA
Publication of CN104253806A
Application granted
Publication of CN104253806B
Legal status: Active

Landscapes: Telephonic Communication Services (AREA)

Abstract

An embodiment of the invention provides an authentication method, a client and a server. The authentication method includes the following steps: the client negotiates with the server to determine the authentication key used in a SIP (Session Initiation Protocol) authentication process; the client and the server then use the negotiated authentication key to perform two-way SIP authentication. Because the authentication key used in the SIP authentication process is negotiated dynamically, the technical scheme improves the security of SIP communication.

Description

Authentication method, client and server
Technical field
The present invention relates to communication technology, and in particular to an authentication method, a client and a server.
Background
The Session Initiation Protocol (SIP) is an application-layer multimedia session control protocol issued by the Internet Engineering Task Force (IETF), and it has gradually become the primary protocol for multimedia communication. At present, SIP uses a client/server message model whose syntax and semantics borrow from the Hypertext Transfer Protocol (HTTP). It has the advantages of being simple, flexible and easy to implement, but a party is also easy for an attacker to impersonate, which enables tampering and other attacks.
To address this problem, SIP relies on an authentication mechanism to ensure security. One commonly used authentication method is mutual authentication: in addition to the server authenticating the client, the client also authenticates the server. In this method the user name and password used for verification reside at the client and at the server respectively. If both ends use the same key, then once the key at either end is obtained illegally, an attacker can equally impersonate the server, gain the client's trust by deception, and carry out an attack.
Summary of the invention
An authentication method, a client and a server are provided in order to improve the security of SIP communication.
A first aspect provides an authentication method, comprising:
the client negotiating with a server to determine the authentication key used in a Session Initiation Protocol (SIP) authentication process;
the client and the server using the negotiated authentication key to perform two-way SIP authentication.
With reference to the first aspect, in a first possible implementation of the first aspect, the client negotiating with the server to determine the authentication key used in the SIP authentication process comprises:
the client randomly generating the authentication key and encrypting the authentication key with a public key;
the client carrying the encrypted authentication key in a first SIP request message and sending it to the server, so that the server decrypts the encrypted authentication key with the private key corresponding to the public key, obtains the authentication key and stores it locally.
With reference to the first possible implementation of the first aspect, in a second possible implementation of the first aspect, the client randomly generating the authentication key and encrypting it with the public key comprises:
the client randomly generating the authentication key and determining the life cycle of the authentication key;
the client encrypting both the authentication key and its life cycle with the public key;
and the client carrying the encrypted authentication key in the first SIP request message and sending it to the server, so that the server decrypts the encrypted authentication key with the private key corresponding to the public key, obtains the authentication key and stores it locally, comprises:
the client carrying both the encrypted authentication key and the encrypted life cycle in the first SIP request message and sending it to the server, so that the server decrypts the encrypted authentication key and the encrypted life cycle with the private key corresponding to the public key, obtains the authentication key and the life cycle respectively, and stores them locally, wherein the life cycle is used by the server to determine the remaining validity period of the authentication key and, when the remaining validity period of the authentication key is less than a predetermined threshold, to initiate an authentication key renewal process towards the client.
With reference to the second possible implementation of the first aspect, in a third possible implementation of the first aspect, the authentication method further comprises:
the client receiving a second SIP request message sent by the server, the second SIP request being used by the server to request the client to renew the authentication key;
the client, according to the second SIP request message and after the life cycle of the authentication key has ended, randomly generating a new authentication key, encrypting the new authentication key and sending it to the server, so as to renew the authentication key.
With reference to the first aspect or the first, second or third possible implementation of the first aspect, in a fourth possible implementation of the first aspect, the client and the server using the negotiated authentication key to perform two-way SIP authentication comprises:
the client sending a first SIP INVITE message to the server, so as to actively initiate the server's SIP authentication of the client;
the client receiving a second SIP INVITE message sent by the server, so as to initiate the client's SIP authentication of the server, wherein the second SIP INVITE message is sent by the server after the client has passed authentication.
With reference to the first aspect or the first, second or third possible implementation of the first aspect, in a fifth possible implementation of the first aspect, the client and the server using the negotiated authentication key to perform two-way SIP authentication comprises:
the client receiving a third SIP INVITE message sent by the server, so as to initiate the server's SIP authentication of the client;
the client, after passing authentication, sending a fourth SIP INVITE message to the server, so as to initiate the client's SIP authentication of the server.
A second aspect provides an authentication method, comprising:
the server negotiating with a client to determine the authentication key used in a Session Initiation Protocol (SIP) authentication process;
the server and the client using the negotiated authentication key to perform two-way SIP authentication.
With reference to the second aspect, in a first possible implementation of the second aspect, the server negotiating with the client to determine the authentication key used in the SIP authentication process comprises:
the server receiving a first SIP request message sent by the client, the first SIP request message carrying the authentication key encrypted by the client with a public key;
the server decrypting the encrypted authentication key with the private key corresponding to the public key, obtaining the authentication key and storing it locally.
With reference to the first possible implementation of the second aspect, in a second possible implementation of the second aspect, the first SIP request message further comprises a life cycle encrypted by the client with the public key, the life cycle being determined by the client for the authentication key after generating the authentication key;
and the authentication method further comprises:
the server decrypting the encrypted life cycle with the private key, obtaining the life cycle and storing it locally.
With reference to the second possible implementation of the second aspect, in a third possible implementation of the second aspect, the authentication method further comprises:
the server determining, according to the life cycle, the remaining validity period of the authentication key and, when the remaining validity period of the authentication key is less than a predetermined threshold, sending a second SIP request message to the client, the second SIP request being used by the server to request the client to renew the authentication key;
the server receiving an encrypted new authentication key sent by the client, so as to renew the authentication key, the new authentication key being randomly generated by the client according to the second SIP request message after the life cycle of the authentication key has ended.
With reference to the second aspect or the first, second or third possible implementation of the second aspect, in a fourth possible implementation of the second aspect, the server and the client using the negotiated authentication key to perform two-way SIP authentication comprises:
the server receiving a first SIP INVITE message sent by the client, so as to initiate the server's SIP authentication of the client;
the server, after the client has passed authentication, sending a second SIP INVITE message to the client, so as to initiate the client's SIP authentication of the server.
With reference to the second aspect or the first, second or third possible implementation of the second aspect, in a fifth possible implementation of the second aspect, the server and the client using the negotiated authentication key to perform two-way SIP authentication comprises:
the server sending a third SIP INVITE message to the client, so as to initiate the server's SIP authentication of the client;
the server receiving a fourth SIP INVITE message sent by the client, so as to initiate the client's SIP authentication of the server, wherein the fourth SIP INVITE message is sent by the client after the server has passed authentication.
A third aspect provides a client, comprising:
a negotiation module, configured to negotiate with a server to determine the authentication key used in a Session Initiation Protocol (SIP) authentication process;
an authentication module, configured to perform two-way SIP authentication with the server using the authentication key negotiated by the negotiation module.
With reference to the third aspect, in a first possible implementation of the third aspect, the negotiation module comprises:
a generating and encrypting unit, configured to randomly generate the authentication key and encrypt it with a public key;
a sending unit, configured to carry the authentication key encrypted by the generating and encrypting unit in a first SIP request message and send it to the server, so that the server decrypts the encrypted authentication key with the private key corresponding to the public key, obtains the authentication key and stores it locally.
With reference to the first possible implementation of the third aspect, in a second possible implementation of the third aspect, the generating and encrypting unit is specifically configured to randomly generate the authentication key, determine the life cycle of the authentication key, and encrypt both the authentication key and its life cycle with the public key;
and the sending unit is specifically configured to carry both the authentication key and the life cycle encrypted by the generating and encrypting unit in the first SIP request message and send it to the server, so that the server decrypts the encrypted authentication key and the encrypted life cycle with the private key corresponding to the public key, obtains the authentication key and the life cycle respectively and stores them locally, wherein the life cycle is used by the server to determine the remaining validity period of the authentication key and, when the remaining validity period of the authentication key is less than a predetermined threshold, to initiate an authentication key renewal process towards the client.
With reference to the second possible implementation of the third aspect, in a third possible implementation of the third aspect, the client further comprises:
a receiving module, configured to receive a second SIP request message sent by the server, the second SIP request being used by the server to request the client to renew the authentication key;
an update module, configured to, according to the second SIP request message and after the life cycle of the authentication key has ended, randomly generate a new authentication key, encrypt it and send it to the server, so as to renew the authentication key.
With reference to the third aspect or the first, second or third possible implementation of the third aspect, in a fourth possible implementation of the third aspect, the authentication module comprises:
a first authentication unit, configured to send a first SIP INVITE message to the server, so as to actively initiate the server's SIP authentication of the client;
a second authentication unit, configured to receive a second SIP INVITE message sent by the server, so as to initiate the client's SIP authentication of the server, wherein the second SIP INVITE message is sent by the server after the client has passed authentication.
With reference to the third aspect or the first, second or third possible implementation of the third aspect, in a fifth possible implementation of the third aspect, the authentication module comprises:
a third authentication unit, configured to receive a third SIP INVITE message sent by the server, so as to initiate the server's SIP authentication of the client;
a fourth authentication unit, configured to, when the authentication result of the third authentication unit is that authentication has passed, send a fourth SIP INVITE message to the server, so as to initiate the client's SIP authentication of the server.
A fourth aspect provides a server, comprising:
a negotiation module, configured to negotiate with a client to determine the authentication key used in a Session Initiation Protocol (SIP) authentication process;
an authentication module, configured to perform two-way SIP authentication with the client using the negotiated authentication key.
With reference to the fourth aspect, in a first possible implementation of the fourth aspect, the negotiation module comprises:
a receiving unit, configured to receive a first SIP request message sent by the client, the first SIP request message carrying the authentication key encrypted by the client with a public key;
an acquiring unit, configured to decrypt the encrypted authentication key with the private key corresponding to the public key, obtain the authentication key and store it locally.
With reference to the first possible implementation of the fourth aspect, in a second possible implementation of the fourth aspect, the first SIP request message further comprises a life cycle encrypted by the client with the public key, the life cycle being determined by the client for the authentication key after generating the authentication key;
and the acquiring unit is further configured to decrypt the encrypted life cycle with the private key, obtain the life cycle and store it locally.
With reference to the second possible implementation of the fourth aspect, in a third possible implementation of the fourth aspect, the server further comprises:
a determination module, configured to determine, according to the life cycle, the remaining validity period of the authentication key;
a sending module, configured to, when the determination module determines that the remaining validity period of the authentication key is less than a predetermined threshold, send a second SIP request message to the client, the second SIP request being used by the server to request the client to renew the authentication key;
a receiving module, configured to receive an encrypted new authentication key sent by the client, so as to renew the authentication key, the new authentication key being randomly generated by the client according to the second SIP request message after the life cycle of the authentication key has ended.
With reference to the fourth aspect or the first, second or third possible implementation of the fourth aspect, in a fourth possible implementation of the fourth aspect, the authentication module comprises:
a first authentication unit, configured to receive a first SIP INVITE message sent by the client, so as to initiate the server's SIP authentication of the client;
a second authentication unit, configured to, when the authentication result of the first authentication unit is that the client has passed authentication, send a second SIP INVITE message to the client, so as to initiate the client's SIP authentication of the server.
With reference to the fourth aspect or the first, second or third possible implementation of the fourth aspect, in a fifth possible implementation of the fourth aspect, the authentication module comprises:
a third authentication unit, configured to send a third SIP INVITE message to the client, so as to initiate the server's SIP authentication of the client;
a fourth authentication unit, configured to, when the authentication result of the third authentication unit is that the client has passed authentication, receive a fourth SIP INVITE message sent by the client, so as to initiate the client's SIP authentication of the server, wherein the fourth SIP INVITE message is sent by the client after the server has passed authentication.
With the authentication method, client and server provided, the client and the server determine the authentication key used in the SIP authentication process through negotiation and then perform two-way SIP authentication based on the negotiated authentication key, instead of performing authentication with a pre-set key as in the prior art. This overcomes the problem in the prior art that the key is easily obtained illegally, which lowers the security of SIP communication, and is conducive to improving the security of SIP communication.
Brief description of the drawings
To illustrate the technical schemes in the embodiments of the present invention more clearly, the drawings needed for describing the embodiments or the prior art are briefly introduced below. Obviously, the drawings described below show only some embodiments of the present invention, and a person of ordinary skill in the art can derive other drawings from them without creative effort.
Fig. 1 is a flow chart of an authentication method provided by an embodiment of the present invention;
Fig. 2 is a flow chart of another authentication method provided by an embodiment of the present invention;
Fig. 3 is a flow chart of the client and the server negotiating to determine the authentication key in an authentication method provided by an embodiment of the present invention;
Fig. 4 is a flow chart of authentication key life-cycle renewal, that is, dynamic negotiation of the authentication key between a SIP client and a SIP server, provided by an embodiment of the present invention;
Fig. 5 is a flow chart of a client actively initiating SIP authentication, provided by an embodiment of the present invention;
Fig. 6 is a structural diagram of a client provided by an embodiment of the present invention;
Fig. 7 is a structural diagram of another client provided by an embodiment of the present invention;
Fig. 8 is a structural diagram of yet another client provided by an embodiment of the present invention;
Fig. 9 is a structural diagram of yet another client provided by an embodiment of the present invention;
Fig. 10 is a structural diagram of a server provided by an embodiment of the present invention;
Fig. 11 is a structural diagram of another server provided by an embodiment of the present invention;
Fig. 12 is a structural diagram of yet another server provided by an embodiment of the present invention;
Fig. 13 is a structural diagram of yet another server provided by an embodiment of the present invention.
Embodiments
To make the objects, technical schemes and advantages of the embodiments of the present invention clearer, the technical schemes in the embodiments are described clearly and completely below with reference to the drawings. Obviously, the described embodiments are some, not all, of the embodiments of the present invention. All other embodiments obtained by a person of ordinary skill in the art based on the embodiments of the present invention without creative effort fall within the protection scope of the present invention.
Fig. 1 is a flow chart of an authentication method provided by an embodiment of the present invention. As shown in Fig. 1, the method comprises:
101. The client negotiates with the server to determine the authentication key used in the SIP authentication process.
102. The client and the server use the negotiated authentication key to perform two-way SIP authentication.
In this embodiment both the client and the server support SIP and use SIP authentication. By extending SIP, this embodiment lets the client and the server negotiate dynamically and determine the authentication key used in the SIP authentication process at run time, instead of using a pre-configured authentication key as in the prior art. This overcomes the problem in the prior art that the key is easily obtained illegally, which lowers the security of SIP communication, and thereby improves the security of SIP communication. In addition, in this embodiment the client and the server use the same authentication key, so no configuration items are added at either end and the complexity of service provisioning does not increase.
In an optional embodiment, one implementation of step 101, that is, the client negotiating with the server to determine the authentication key used in the SIP authentication process, comprises: the client randomly generates the authentication key and encrypts it with a public key; the client carries the encrypted authentication key in a first SIP request message and sends it to the server, so that the server decrypts the encrypted authentication key with the private key corresponding to the public key, obtains the authentication key and stores it locally.
After receiving the first SIP request message, the server extracts the encrypted authentication key from it, decrypts it with the private key corresponding to the public key to obtain the authentication key, and stores the obtained authentication key locally for use in the SIP authentication process.
Further, the client randomly generating the authentication key and encrypting it with the public key comprises: the client randomly generates the authentication key and determines the life cycle (Time To Live, TTL) of the authentication key; the client then encrypts both the authentication key and its life cycle with the public key.
Correspondingly, the client carrying the encrypted authentication key in the first SIP request message and sending it to the server, so that the server decrypts the encrypted authentication key with the private key corresponding to the public key, obtains the authentication key and stores it locally, comprises:
the client carrying both the encrypted authentication key and the encrypted life cycle in the first SIP request message and sending it to the server, so that the server decrypts the encrypted authentication key and the encrypted life cycle with the private key corresponding to the public key, obtains the authentication key and the life cycle respectively and stores them locally, wherein the life cycle is used by the server to determine the remaining validity period of the authentication key and, when the remaining validity period of the authentication key is less than a predetermined threshold, to initiate an authentication key renewal process towards the client.
Because the client determines the life cycle of the authentication key when it generates the key, the authentication key is time-limited: once its life cycle ends, the key expires, and the client and the server can then negotiate a new authentication key again. This further improves the security of SIP communication.
Based on the life cycle described above, the authentication method further comprises: the client receives a second SIP request message sent by the server, the second SIP request being used by the server to request the client to renew the authentication key; according to the second SIP request message, and after the life cycle of the authentication key has ended, the client randomly generates a new authentication key, encrypts it and sends it to the server, so as to renew the authentication key.
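The negotiation of step 101 and its life-cycle renewal, written out as an added example (not code from the patent or from Huawei): the client seals a random key and its TTL under the server's public key and carries them in a SIP request, the server opens them with its private key, tracks the remaining lifetime, asks for renewal once that drops below a threshold, and the client only generates a fresh key after the old life cycle has ended. The header names X-Auth-Key and X-Auth-Key-Renew, the REGISTER/OPTIONS carriers, the 16-byte key and 4-byte TTL are assumptions; the public-key step is textbook RSA over fixed primes as a stand-in for a real RSA-OAEP key transport, so that the block runs with the standard library alone. The clock is simulated so the decisions are deterministic.

```python
import base64
import secrets

# Public-key transport stand-in: textbook RSA over two fixed Mersenne primes so
# the example needs only the standard library. Unpadded RSA is NOT acceptable
# in practice; a real implementation uses RSA-OAEP (or another IND-CCA KEM)
# with a certificate-bound server key. The sealed payload is 20 bytes
# (16-byte key + 4-byte TTL), far below the ~234-bit modulus.
P = (1 << 127) - 1                  # 2^127 - 1, a known prime
Q = (1 << 107) - 1                  # 2^107 - 1, a known prime
N = P * Q                           # server public modulus
E = 65537                           # server public exponent
D = pow(E, -1, (P - 1) * (Q - 1))   # server private exponent
KEY_LEN, TTL_LEN = 16, 4
PAYLOAD_LEN = KEY_LEN + TTL_LEN
CT_LEN = (N.bit_length() + 7) // 8  # ciphertext length in bytes

NEGOTIATE_HDR = "X-Auth-Key"        # hypothetical extension header (constructed)
RENEW_HDR = "X-Auth-Key-Renew"      # hypothetical header of the server's second request


def pk_encrypt(payload: bytes) -> bytes:
    """Seal a fixed-length payload under the server public key (N, E)."""
    m = int.from_bytes(payload, "big")
    if len(payload) != PAYLOAD_LEN or m >= N:
        raise ValueError("payload does not fit the modulus")
    return pow(m, E, N).to_bytes(CT_LEN, "big")


def pk_decrypt(ciphertext: bytes) -> bytes:
    """Open a sealed payload with the server private key (N, D)."""
    return pow(int.from_bytes(ciphertext, "big"), D, N).to_bytes(PAYLOAD_LEN, "big")


def _header(msg: str, name: str):
    """Value of one header in a minimal CRLF-delimited SIP message, or None."""
    for line in msg.split("\r\n"):
        if line.startswith(name + ": "):
            return line[len(name) + 2:]
    return None


class SipClient:
    def __init__(self, ttl_seconds: int):
        self.ttl, self.key, self.expires_at = ttl_seconds, None, None

    def first_request(self, now: float) -> str:
        """Step 101, client side: fresh random key and TTL, sealed, in the first SIP request."""
        self.key = secrets.token_bytes(KEY_LEN)
        self.expires_at = now + self.ttl
        sealed = pk_encrypt(self.key + self.ttl.to_bytes(TTL_LEN, "big"))
        return ("REGISTER sip:sipsrv@example.invalid SIP/2.0\r\n"
                f"{NEGOTIATE_HDR}: {base64.b64encode(sealed).decode()}\r\n\r\n")

    def handle_renewal(self, msg, now: float):
        """Second SIP request: a new key is generated only after the old life cycle ends."""
        if msg is None or _header(msg, RENEW_HDR) is None or now < self.expires_at:
            return None
        return self.first_request(now)


class SipServer:
    def __init__(self, renewal_threshold: int):
        self.threshold, self.key, self.expires_at = renewal_threshold, None, None

    def handle_first_request(self, msg: str, now: float) -> bool:
        """Step 101, server side: open the payload with the private key, store key and expiry."""
        token = _header(msg, NEGOTIATE_HDR)
        if token is None:
            return False
        payload = pk_decrypt(base64.b64decode(token))
        self.key = payload[:KEY_LEN]
        self.expires_at = now + int.from_bytes(payload[KEY_LEN:], "big")
        return True

    def remaining_lifetime(self, now: float) -> float:
        return max(0.0, self.expires_at - now)

    def renewal_request(self, now: float):
        """Emit the second SIP request once the remaining lifetime is below the threshold."""
        if self.remaining_lifetime(now) >= self.threshold:
            return None
        return f"OPTIONS sip:alice@example.invalid SIP/2.0\r\n{RENEW_HDR}: 1\r\n\r\n"


def run_negotiation(ttl: int = 300, threshold: int = 60) -> dict:
    """Drive the exchange on a simulated clock (seconds) and report each decision."""
    client, server = SipClient(ttl), SipServer(threshold)
    server.handle_first_request(client.first_request(now=0), now=0)
    old_key, initial_match = server.key, server.key == client.key
    early = server.renewal_request(now=ttl - threshold - 10)          # still above threshold
    req = server.renewal_request(now=ttl - threshold + 10)            # below threshold: ask
    premature = client.handle_renewal(req, now=ttl - threshold + 10)  # old key still valid
    renewed = client.handle_renewal(req, now=ttl)                     # life cycle ended
    server.handle_first_request(renewed, now=ttl)
    return {"initial_match": initial_match, "early_request": early is None,
            "request_sent": req is not None, "premature_refused": premature is None,
            "renewed_match": server.key == client.key, "key_changed": server.key != old_key,
            "new_expiry": server.expires_at}
```

Calling `run_negotiation()` with the defaults (TTL 300 s, threshold 60 s) shows the server staying quiet at 230 s, asking at 250 s, the client refusing to rotate while its key is still valid, and both ends holding a new, matching key with expiry at 600 s once the old life cycle has ended.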
In an optional embodiment, the implementation of step 102 comprises: the client sends a first SIP INVITE message to the server, so as to actively initiate the server's SIP authentication of the client; the client receives a second SIP INVITE message sent by the server, so as to initiate the client's SIP authentication of the server, wherein the server sends the second SIP INVITE message after the client has passed authentication. In this embodiment the two-way SIP authentication process is initiated actively by the client, and the key used in the authentication process is no longer a pre-configured fixed key but the authentication key negotiated in step 101.
In another optional embodiment, the implementation of step 102 comprises: the client receives a third SIP INVITE message sent by the server, so as to initiate the server's SIP authentication of the client; after passing authentication, the client sends a fourth SIP INVITE message to the server, so as to initiate the client's SIP authentication of the server. In this embodiment the two-way SIP authentication process is initiated actively by the server, and the key used in the authentication process is no longer a pre-configured fixed key but the authentication key negotiated in step 101.
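The two-way authentication of step 102 in both orderings, as an added example that is not part of the patent: the patent leaves open how an INVITE proves possession of the negotiated key, so this block assumes the SIP Digest scheme of RFC 3261 (section 22) with the negotiated key in the role of the password, and it lets the second INVITE be sent only after the first one has been verified. `mutual_authenticate(client, server)` is the client-initiated flow (first and second INVITE), `mutual_authenticate(server, client)` the server-initiated one (third and fourth INVITE). The peer names, realm and the 16-byte key are constructed for the example; the nonce bookkeeping that rejects a replayed Authorization header is an addition of this example.

```python
import hashlib
import hmac
import secrets


def digest_response(secret_hex: str, user: str, realm: str,
                    method: str, uri: str, nonce: str) -> str:
    """RFC 3261/2617 Digest response (no qop); the negotiated key is the shared secret."""
    ha1 = hashlib.md5(f"{user}:{realm}:{secret_hex}".encode()).hexdigest()
    ha2 = hashlib.md5(f"{method}:{uri}".encode()).hexdigest()
    return hashlib.md5(f"{ha1}:{nonce}:{ha2}".encode()).hexdigest()


class SipPeer:
    """Either end of the session; both ends hold the same negotiated key."""

    def __init__(self, name: str, realm: str, negotiated_key: bytes):
        self.name, self.realm = name, realm
        self.secret_hex = negotiated_key.hex()
        self.outstanding = set()   # nonces this peer issued and has not yet consumed

    def challenge(self) -> dict:
        """401 Unauthorized carrying a fresh, single-use nonce."""
        nonce = secrets.token_hex(16)
        self.outstanding.add(nonce)
        return {"status": 401, "realm": self.realm, "nonce": nonce}

    def answer(self, chal: dict, method: str, uri: str) -> dict:
        """The re-sent INVITE with an Authorization header derived from the negotiated key."""
        return {"method": method, "uri": uri, "username": self.name,
                "realm": chal["realm"], "nonce": chal["nonce"],
                "response": digest_response(self.secret_hex, self.name, chal["realm"],
                                            method, uri, chal["nonce"])}

    def verify(self, auth: dict) -> bool:
        """Accept only an unconsumed nonce and a constant-time-equal response."""
        if auth["nonce"] not in self.outstanding:
            return False                      # unknown or replayed nonce
        self.outstanding.discard(auth["nonce"])
        expected = digest_response(self.secret_hex, auth["username"], auth["realm"],
                                   auth["method"], auth["uri"], auth["nonce"])
        return hmac.compare_digest(expected, auth["response"])


def authenticate(prover: SipPeer, verifier: SipPeer) -> bool:
    """One direction: prover's INVITE, verifier's 401 challenge, prover's answer."""
    uri = f"sip:{verifier.name}@{verifier.realm}"
    return verifier.verify(prover.answer(verifier.challenge(), "INVITE", uri))


def mutual_authenticate(initiator: SipPeer, responder: SipPeer) -> tuple:
    """First INVITE authenticates the initiator to the responder; the responder
    sends its own INVITE, authenticating itself, only if the first one passed."""
    if not authenticate(initiator, responder):
        return (False, False)
    return (True, authenticate(responder, initiator))


def run_demo() -> dict:
    key = secrets.token_bytes(16)   # stands in for the key negotiated in step 101
    client = SipPeer("alice", "example.invalid", key)
    server = SipPeer("sipsrv", "example.invalid", key)
    intruder = SipPeer("alice", "example.invalid", secrets.token_bytes(16))  # stale/wrong key
    chal = server.challenge()
    auth = client.answer(chal, "INVITE", "sip:sipsrv@example.invalid")
    first, replay = server.verify(auth), server.verify(auth)
    return {"client_initiated": mutual_authenticate(client, server),
            "server_initiated": mutual_authenticate(server, client),
            "wrong_key": mutual_authenticate(intruder, server),
            "first_use": first, "replay": replay}
```

With a matching key both orderings yield (True, True); a peer holding a different key fails the first INVITE and never receives the second, and a re-sent Authorization header is refused because its nonce has already been consumed. MD5 is used only because that is the Digest algorithm SIP specifies; the security gain the patent claims comes from the key being fresh and per-session, not from the hash.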
Fig. 2 is a flow chart of another authentication method provided by an embodiment of the present invention. As shown in Fig. 2, the method comprises:
201. The server negotiates with the client to determine the authentication key used in the session initiation protocol (SIP) authentication process.
202. The server and the client use the negotiated authentication key to perform two-way SIP authentication.
In the present embodiment, both the client and the server support SIP and use SIP authentication. By extending SIP, the present embodiment allows the client and server to negotiate dynamically and thereby determine dynamically the authentication key used in the SIP authentication process, instead of using a pre-configured authentication key as in the prior art. This overcomes the prior-art problem that the key is easily obtained illegally, which lowers the security of SIP communication, and so helps improve the security of SIP communication. In addition, in the present embodiment the client and server use the same authentication key, which adds no configuration items at either end and therefore does not increase the complexity of service provisioning.
In an alternative embodiment, step 201 is implemented as follows: the server receives a first SIP request message sent by the client, the first SIP request message carrying the authentication key encrypted by the client with a public key; the server uses the private key corresponding to that public key to decrypt the encrypted authentication key, obtains the authentication key and stores it locally.
Further, the first SIP request message further comprises a life cycle encrypted by the client with the public key, the life cycle being determined by the client for the authentication key after generating it. On this basis, the authentication method further comprises: the server uses the private key to decrypt the encrypted life cycle, obtains the life cycle and keeps it locally.
Further, the authentication method further comprises: the server determines, according to the life cycle, the remaining effective duration of the authentication key, and when the remaining effective duration of the authentication key is less than a pre-determined threshold, sends a second SIP request message to the client, the second SIP request being used by the server to request that the client update the authentication key; the server then receives the encrypted new authentication key sent by the client, thereby updating the authentication key, the new authentication key being randomly generated by the client, according to the second SIP request message, after the life cycle of the authentication key ends.
In an alternative embodiment, step 202 is implemented as follows: the server receives a first SIP INVITE message sent by the client, initiating the server's SIP authentication of the client; after its authentication of the client has passed, the server sends a second SIP INVITE message to the client, initiating the client's SIP authentication of the server.
In another alternative embodiment, step 202 is implemented as follows: the server sends a third SIP INVITE message to the client, initiating the server's SIP authentication of the client; the server then receives a fourth SIP INVITE message sent by the client, initiating the client's SIP authentication of the server, where the fourth SIP INVITE message is sent by the client after its authentication of the server has passed.
Fig. 3 is a flow chart of the client and server negotiating and determining the authentication key in an authentication method provided by an embodiment of the present invention. As shown in Fig. 3, the method comprises:
31. The SIP client (client) randomly generates an authentication key and defines the TTL of this authentication key.
32. The SIP client uses a public key (Publickey) to encrypt the authentication key, the SIP account number (username) and the above TTL, obtaining the encrypted client request key (Clientrequestkey).
In the present embodiment, an asymmetric algorithm is used to produce two keys: a public key (Publickey) and a private key (Privatekey). The public key is distributed to the corresponding SIP client, and the private key is distributed to the SIP server (server) for its use.
33. The SIP client fills the encrypted client request key into an extended protocol field of a SIP request (request) message and sends it to the SIP server.
34. After the SIP server receives the SIP request message, it decrypts the SIP request message using the private key corresponding to the public key.
35. The SIP server verifies the SIP account and obtains the authentication key and the TTL of the authentication key.
36. The SIP server returns a confirmation (ok) message to the SIP client.
The negotiated authentication key is then used in the SIP request flow, that is, this authentication key serves as the verification password when inviting (INVITE).
Fig. 4 is a flow chart of a method provided by an embodiment of the present invention in which the SIP client and SIP server dynamically negotiate an authentication key when the life cycle of the authentication key is renewed. As shown in Fig. 4, the method comprises:
41. When the SIP server detects that the TTL is close to expiry, it signs the current authentication key, the SIP account number and a TTL=0 marker with the private key corresponding to the public key, obtaining the signed server request key (Serverrequestkey).
The SIP server can determine the remaining effective duration of the authentication key according to the TTL; when the remaining effective duration of the authentication key is less than a pre-determined threshold, it determines that the TTL of the authentication key is close to expiry or about to end. When it makes that determination, the SIP server marks the TTL as 0.
42. The SIP server fills the signed server request key into an extended protocol field of a SIP request (request) message and sends it to the SIP client.
43. After the SIP client receives the SIP request message, it decrypts the server request key with the public key and determines that the TTL of the current authentication key is about to expire.
44. After the SIP client detects TTL=0, it randomly generates a new authentication key and again determines the TTL of this authentication key.
45. The SIP client uses the public key to encrypt the new authentication key, the SIP account number and the TTL of the new authentication key, obtaining the encrypted client request key.
46. The SIP client fills the encrypted client request key into an extended protocol field of the SIP request message and sends it to the SIP server.
47. After the SIP server receives the SIP request message, it decrypts the SIP request message using the private key.
48. The SIP server verifies the SIP account and obtains the new authentication key and the TTL of this new authentication key.
49. The SIP server returns a confirmation (ok) message to the SIP client.
Thereafter, the negotiated authentication key is used in the SIP request flow, that is, this authentication key serves as the verification password when inviting (INVITE).
For example, a method flow in which the client actively initiates SIP authentication is shown in Fig. 5 and comprises:
51. The SIP client sends a SIP request message to the SIP server to request SIP authentication.
52. The SIP server randomly generates a nonce (Random nonce) and carries the nonce and the realm to the SIP client in a challenge (challenge) message.
53. The SIP client uses the previously negotiated authentication key to encrypt the nonce, the challenge and the SIP account, obtaining the encrypted response.
54. The SIP client fills the encrypted response, the nonce, the challenge and the SIP account into an extended protocol field of a SIP request message and sends it to the SIP server.
55. The SIP server uses the previously negotiated authentication key to verify the SIP request message and the encrypted response it carries.
56. When the verification result is success, the SIP server sends a confirmation (ok) message to the SIP client.
Correspondingly, as shown in Fig. 5, the process in which the client performs SIP authentication of the server comprises:
57. The SIP server sends a SIP request message to the SIP client to request SIP authentication.
58. The SIP client randomly generates a nonce (Random nonce) and carries the nonce and the realm to the SIP server in a challenge (challenge) message.
59. The SIP server uses the previously negotiated authentication key to encrypt the nonce, the challenge and the SIP account, obtaining the encrypted response.
60. The SIP server fills the encrypted response, the nonce, the challenge and the SIP account into an extended protocol field of a SIP request message and sends it to the SIP client.
61. The SIP client uses the previously negotiated authentication key to verify the SIP request message and the encrypted response it carries.
62. When the verification result is success, the SIP client sends a confirmation (ok) message to the SIP server.
It should be noted that if the server actively initiates the SIP authentication flow, that is, the client passively receives the authentication request, the process is similar to the above and is not repeated here.
It can be seen from the embodiments of Fig. 3 to Fig. 5 above that, by extending SIP, the embodiments of the present invention allow the client and server to negotiate dynamically and thereby determine dynamically the authentication key used in the SIP authentication process, instead of using a pre-configured authentication key as in the prior art. This overcomes the prior-art problem that the key is easily obtained illegally, which lowers the security of SIP communication, and so helps improve the security of SIP communication. In addition, in the embodiments of the present invention the client and server use the same authentication key, which adds no configuration items at either end and therefore does not increase the complexity of service provisioning.
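The following is an added example, not code from the patent, that models two pieces of the flows above: the TTL-based renewal trigger of Fig. 4 (step 41, where the server marks TTL=0 once the remaining effective duration falls under the pre-determined threshold) and the nonce/realm challenge-response of Fig. 5 run in both directions with the negotiated key. The public-key envelope of Fig. 3 is left out, HMAC-SHA256 is substituted for the patent's unspecified "encrypt with the authentication key", and the threshold, realm and account values are constructed.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed values for this example (not from the patent).
RENEWAL_THRESHOLD_S = 60          # the "pre-determined threshold" of step 41
REALM = "sip.example.invalid"     # realm carried in the challenge of step 52


@dataclass
class NegotiatedKey:
    """Authentication key agreed in the Fig. 3 flow, together with its TTL."""
    key: bytes
    ttl_s: int
    created_at: float

    @classmethod
    def generate(cls, ttl_s: int, now: Optional[float] = None) -> "NegotiatedKey":
        # Steps 31 / 44: a fresh random key with a client-chosen TTL.
        return cls(secrets.token_bytes(32), ttl_s, time.time() if now is None else now)

    def remaining(self, now: float) -> float:
        """Remaining effective duration derived from the TTL."""
        return max(0.0, self.created_at + self.ttl_s - now)

    def renewal_request(self, account: str, now: float) -> Optional[dict]:
        """Step 41: once the remaining duration is below the threshold the server
        marks TTL=0 and asks the client for a new key; otherwise nothing is sent.
        (The patent signs this request with the private key; that step is omitted.)"""
        if self.remaining(now) < RENEWAL_THRESHOLD_S:
            return {"account": account, "ttl": 0}
        return None


def compute_response(key: bytes, nonce: str, realm: str, account: str) -> str:
    """Steps 53 / 59: bind nonce, realm and SIP account to the negotiated key.
    HMAC-SHA256 stands in here for 'encrypt with the authentication key'."""
    msg = "\x00".join((nonce, realm, account)).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


class Verifier:
    """The challenging side: the server in steps 52-56, the client in steps 58-62."""

    def __init__(self, key: NegotiatedKey, realm: str = REALM):
        self.key = key
        self.realm = realm
        self._outstanding: Dict[str, str] = {}   # nonce -> account, single use

    def challenge(self, account: str) -> dict:
        # Steps 52 / 58: random nonce plus realm, remembered so it can be used once.
        nonce = secrets.token_hex(16)
        self._outstanding[nonce] = account
        return {"nonce": nonce, "realm": self.realm}

    def verify(self, account: str, nonce: str, response: str, now: float) -> bool:
        # Steps 55 / 61: reject an expired key and unknown or replayed nonces,
        # then compare the recomputed response in constant time.
        if self.key.remaining(now) == 0:
            return False
        if self._outstanding.pop(nonce, None) != account:
            return False
        expected = compute_response(self.key.key, nonce, self.realm, account)
        return hmac.compare_digest(expected, response)


def mutual_authenticate(client_key: NegotiatedKey, server_key: NegotiatedKey,
                        account: str, now: float) -> bool:
    """Fig. 5 in both directions, each side using the key it holds after negotiation."""
    # Steps 51-56: the client answers the server's challenge.
    server = Verifier(server_key)
    ch = server.challenge(account)
    resp = compute_response(client_key.key, ch["nonce"], ch["realm"], account)
    if not server.verify(account, ch["nonce"], resp, now):
        return False
    # Steps 57-62: the server answers the client's challenge.
    client = Verifier(client_key)
    ch = client.challenge(account)
    resp = compute_response(server_key.key, ch["nonce"], ch["realm"], account)
    return client.verify(account, ch["nonce"], resp, now)


if __name__ == "__main__":
    t0 = 1000.0
    key = NegotiatedKey.generate(ttl_s=3600, now=t0)
    print("mutual authentication:", mutual_authenticate(key, key, "alice", t0))
    print("renewal request at t0+3550:", key.renewal_request("alice", t0 + 3550))
```

A nonce that has been answered once is dropped, so a captured response cannot be replayed, and once the TTL has run out the verifier refuses the key regardless of the response.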
Fig. 6 is a schematic structural diagram of a client provided by an embodiment of the present invention. As shown in Fig. 6, the client comprises: a negotiation module 601 and an authentication module 602.
The negotiation module 601 is configured to negotiate with the server to determine the authentication key used in the SIP authentication process.
The authentication module 602, connected to the negotiation module 601, is configured to perform two-way SIP authentication with the server using the authentication key negotiated and determined by the negotiation module 601.
In an alternative embodiment, as shown in Fig. 7, one implementation structure of the negotiation module 601 comprises: a generating and encrypting unit 611 and a transmitting unit 612.
The generating and encrypting unit 611 is configured to randomly generate the authentication key and encrypt the authentication key with a public key.
The transmitting unit 612, connected to the generating and encrypting unit 611, is configured to carry the authentication key encrypted by the generating and encrypting unit 611 in a first SIP request message and send it to the server, so that the server decrypts the encrypted authentication key with the private key corresponding to the public key, obtains the authentication key and stores it locally.
The generating and encrypting unit 611 is also connected to the authentication module 602 and provides the authentication key to the authentication module 602.
Further and optionally, the generating and encrypting unit 611 may specifically be configured to randomly generate the authentication key, determine the TTL of the authentication key, and encrypt the authentication key and the TTL together with the public key. Correspondingly, the transmitting unit 612 may specifically be configured to carry both the encrypted authentication key and the encrypted TTL produced by the generating and encrypting unit 611 in the first SIP request message and send them to the server, so that the server decrypts the encrypted authentication key and the encrypted TTL with the private key corresponding to the public key and obtains and stores the authentication key and the TTL locally, where the TTL is used by the server to determine the remaining effective duration of the authentication key and, when the remaining effective duration of the authentication key is less than a pre-determined threshold, to initiate an authentication key update process towards the client.
On this basis, as shown in Fig. 7, the client further comprises: a receiving module 603 and an update module 604.
The receiving module 603 is configured to receive a second SIP request message sent by the server, the second SIP request being used by the server to request that the client update the authentication key.
The update module 604, connected to the receiving module 603, is configured to, according to the second SIP request message received by the receiving module 603, randomly generate a new authentication key after the TTL of the authentication key ends, encrypt the new authentication key and send it to the server, thereby updating the authentication key.
The update module 604 is also connected to the authentication module 602 and provides the updated authentication key to the authentication module 602.
In an alternative embodiment, as shown in Fig. 7, one implementation structure of the authentication module 602 comprises: a first authenticating unit 621 and a second authenticating unit 622.
The first authenticating unit 621 is configured to send a first SIP INVITE message to the server, actively initiating the server's SIP authentication of the client.
The second authenticating unit 622, connected to the first authenticating unit 621, is configured to receive, once the authenticating result of the first authenticating unit 621 shows that the client's authentication has passed, a second SIP INVITE message sent by the server, initiating the client's SIP authentication of the server, where the second SIP INVITE message is sent by the server after its authentication of the client has passed.
In an alternative embodiment, as shown in Fig. 8, one implementation structure of the authentication module 602 comprises: a third authenticating unit 623 and a fourth authenticating unit 624.
The third authenticating unit 623 is configured to receive a third SIP INVITE message sent by the server, initiating the server's SIP authentication of the client.
The fourth authenticating unit 624, connected to the third authenticating unit 623, is configured to send, once the authenticating result of the third authenticating unit 623 shows that the authentication has passed, a fourth SIP INVITE message to the server, initiating the client's SIP authentication of the server.
Each functional module or unit of the client provided by the present embodiment can be used to perform the operations executed by the client in the embodiments of Fig. 1 to Fig. 5; its specific working principle is not repeated here, and reference is made to the description of the method embodiments.
With the client provided by the present embodiment, the authentication key used in the SIP authentication process is determined by negotiation with the server, and two-way SIP authentication is then performed based on the negotiated authentication key rather than, as in the prior art, on a pre-set key. This overcomes the prior-art problem that the key is easily obtained illegally, which lowers the security of SIP communication, and so helps improve the security of SIP communication.
Fig. 9 is a schematic structural diagram of another client provided by an embodiment of the present invention. As shown in Fig. 9, the client comprises: a memory 91 and a processor 92.
The memory 91 is configured to store a program. Specifically, the program may comprise program code, and the program code comprises computer operating instructions.
The memory 91 may comprise high-speed RAM and may also comprise non-volatile memory, such as at least one magnetic disk memory.
The processor 92 is configured to execute the program stored in the memory 91 in order to: negotiate with the server to determine the authentication key used in the SIP authentication process, and perform two-way SIP authentication with the server using the negotiated authentication key.
The processor 92 may be a central processing unit (CPU), an application-specific integrated circuit (ASIC), or one or more integrated circuits configured to implement the embodiment of the present invention.
Further, as shown in Fig. 9, the client further comprises: a transmitter 93 and a receiver 94.
The processor 92 negotiating with the server to determine the authentication key used in the SIP authentication process comprises: the processor 92 randomly generates the authentication key, encrypts the authentication key with a public key, and carries the encrypted authentication key, via the transmitter 93, in a first SIP request message sent to the server, so that the server decrypts the encrypted authentication key with the private key corresponding to the public key, obtains the authentication key and stores it locally.
The transmitter 93 is configured to carry the authentication key encrypted by the processor 92 in the first SIP request message and send it to the server.
Further, the processor 92 is specifically configured to randomly generate the authentication key, determine the TTL of the authentication key, encrypt the authentication key and the TTL together with the public key, and carry both the encrypted authentication key and the encrypted TTL, via the transmitter 93, in the first SIP request message sent to the server, so that the server decrypts the encrypted authentication key and the encrypted TTL with the private key corresponding to the public key and obtains and stores the authentication key and the TTL locally, where the TTL is used by the server to determine the remaining effective duration of the authentication key and, when the remaining effective duration of the authentication key is less than a pre-determined threshold, to initiate an authentication key update process towards the client.
On this basis, the transmitter 93 may specifically be configured to carry both the encrypted authentication key and the encrypted TTL in the first SIP request message and send them to the server.
On the basis of the above, the receiver 94 is configured to receive a second SIP request message sent by the server, the second SIP request being used by the server to request that the client update the authentication key.
The processor 92 is further configured to, according to the second SIP request message received by the receiver 94, randomly generate a new authentication key after the TTL of the authentication key ends, encrypt the new authentication key and send it to the server, thereby updating the authentication key.
In an alternative embodiment, the processor 92 performing two-way SIP authentication with the server using the negotiated authentication key comprises: the processor 92 specifically sends, via the transmitter 93, a first SIP INVITE message to the server, actively initiating the server's SIP authentication of the client, and, after the client's authentication has passed, receives via the receiver 94 a second SIP INVITE message sent by the server, initiating the client's SIP authentication of the server, where the second SIP INVITE message is sent by the server after its authentication of the client has passed.
Correspondingly, the transmitter 93 is also configured to send the first SIP INVITE message to the server, and the receiver 94 is also configured to receive the second SIP INVITE message sent by the server.
In another alternative embodiment, the processor 92 performing two-way SIP authentication with the server using the negotiated authentication key comprises: the processor 92 specifically receives, via the receiver 94, a third SIP INVITE message sent by the server, initiating the server's SIP authentication of the client, and, after the client's authentication has passed, sends via the transmitter 93 a fourth SIP INVITE message to the server, initiating the client's SIP authentication of the server.
Correspondingly, the receiver 94 is also configured to receive the third SIP INVITE message sent by the server, and the transmitter 93 is also configured to send the fourth SIP INVITE message to the server.
Optionally, in a specific implementation, if the memory 91, processor 92, transmitter 93 and receiver 94 are implemented independently, they may be interconnected by a bus and communicate with one another over it. The bus may be an Industry Standard Architecture (ISA) bus, a Peripheral Component Interconnect (PCI) bus, an Extended Industry Standard Architecture (EISA) bus, or the like. The bus may be divided into an address bus, a data bus, a control bus and so on. For ease of representation, only a single thick line is drawn in Fig. 9, but this does not mean that there is only one bus or only one type of bus.
Optionally, in a specific implementation, if the memory 91, processor 92, transmitter 93 and receiver 94 are integrated on one chip, they may complete the same communication through an internal interface.
The client provided by the present embodiment can be used to perform the operations executed by the client in the embodiments of Fig. 1 to Fig. 5; its specific working principle is not repeated here, and reference is made to the description of the method embodiments.
With the client provided by the present embodiment, the authentication key used in the SIP authentication process is determined by negotiation with the server, and two-way SIP authentication is then performed based on the negotiated authentication key rather than, as in the prior art, on a pre-set key. This overcomes the prior-art problem that the key is easily obtained illegally, which lowers the security of SIP communication, and so helps improve the security of SIP communication.
Fig. 10 is a schematic structural diagram of a server provided by an embodiment of the present invention. As shown in Fig. 10, the server comprises: a negotiation module 1001 and an authentication module 1002.
The negotiation module 1001 is configured to negotiate with the client to determine the authentication key used in the SIP authentication process.
The authentication module 1002, connected to the negotiation module 1001, is configured to perform two-way SIP authentication with the client using the authentication key negotiated and determined by the negotiation module 1001.
In an alternative embodiment, as shown in Fig. 11, one implementation structure of the negotiation module 1001 comprises: a receiving unit 10011 and an acquiring unit 10012.
The receiving unit 10011 is configured to receive a first SIP request message sent by the client, the first SIP request message carrying the authentication key encrypted by the client with a public key.
The acquiring unit 10012, connected to the receiving unit 10011, is configured to decrypt the encrypted authentication key received by the receiving unit 10011 using the private key corresponding to the public key, obtain the authentication key and store it locally.
The acquiring unit 10012 is also connected to the authentication module 1002 and provides the authentication key to the authentication module 1002.
In an alternative embodiment, the first SIP request message further comprises a TTL encrypted by the client with the public key, the TTL being determined by the client for the authentication key after generating it.
On this basis, the acquiring unit 10012 is further configured to decrypt the encrypted TTL using the private key, obtain the TTL and keep it locally.
On the basis of the above, as shown in Fig. 11, the server further comprises: a determination module 1003, a sending module 1004 and a receiving module 1005.
The determination module 1003, connected to the acquiring unit 10012, is configured to determine the remaining effective duration of the authentication key according to the TTL obtained by the acquiring unit 10012.
The sending module 1004, connected to the determination module 1003, is configured to send, when the determination module 1003 determines that the remaining effective duration of the authentication key is less than a pre-determined threshold, a second SIP request message to the client, the second SIP request being used by the server to request that the client update the authentication key.
The receiving module 1005, connected to the sending module 1004, is configured to receive, after the sending module 1004 has sent the second SIP request, the encrypted new authentication key sent by the client, thereby updating the authentication key, the new authentication key being randomly generated by the client, according to the second SIP request message, after the TTL of the authentication key ends.
The receiving module 1005 is also connected to the authentication module 1002 and provides the new authentication key to the authentication module 1002.
In an alternative embodiment, as shown in Fig. 11, the authentication module 1002 comprises: a first authenticating unit 10021 and a second authenticating unit 10022.
The first authenticating unit 10021 is configured to receive a first SIP INVITE message sent by the client, initiating the server's SIP authentication of the client.
The second authenticating unit 10022, connected to the first authenticating unit 10021, is configured to send, once the authenticating result of the first authenticating unit 10021 shows that the client's authentication has passed, a second SIP INVITE message to the client, initiating the client's SIP authentication of the server.
In another alternative embodiment, as shown in Fig. 12, the authentication module 1002 comprises: a third authenticating unit 10023 and a fourth authenticating unit 10024.
The third authenticating unit 10023 is configured to send a third SIP INVITE message to the client, initiating the server's SIP authentication of the client.
The fourth authenticating unit 10024, connected to the third authenticating unit 10023, is configured to receive, when the authenticating result of the third authenticating unit 10023 shows that the client's authentication has passed, a fourth SIP INVITE message sent by the client, initiating the client's SIP authentication of the server, where the fourth SIP INVITE message is sent by the client after its authentication of the server has passed.
Each functional module or unit of the server provided by the present embodiment can be used to perform the operations executed by the server in the embodiments of Fig. 1 to Fig. 5; its specific working principle is not repeated here, and reference is made to the description of the method embodiments.
With the server provided by the present embodiment, the authentication key used in the SIP authentication process is determined by negotiation with the client, and two-way SIP authentication is then performed based on the negotiated authentication key rather than, as in the prior art, on a pre-set key. This overcomes the prior-art problem that the key is easily obtained illegally, which lowers the security of SIP communication, and so helps improve the security of SIP communication.
The structural representation of another server that Figure 13 provides for the embodiment of the present invention.As shown in figure 13, described server comprises: memory 1301 and processor 1302.
Memory 1301, for storage program.Particularly, program can comprise program code, and described program code comprises computer-managed instruction.
Memory 1301 can comprise high-speed RAM memory, also can comprise nonvolatile memory (non-volatile memory), such as at least one magnetic disc store.
Processor 1302, for determining with client negotiate the authenticate key that uses in SIP authentication process, and uses the authenticate key consulting to determine to carry out two-way SIP authentication with described client.
Processor 1302 can be a CPU, or specific ASIC, or is configured to the one or more integrated circuits implementing the embodiment of the present invention.
Further, as shown in figure 13, described server comprises further: receiver 1303 and reflector 1304.
Optionally, with client negotiate, processor 1302 is for determining that the authenticate key used in SIP authentication process comprises: processor 1302 receives by receiver 1303 the first sip request message that described client sends, described first sip request message carry described client use public-key encryption after authenticate key, then the authenticate key after the described encryption using the private key corresponding with described PKI to receive receiver 1303 is decrypted, and obtains described authenticate key and is stored in this locality.
In an Alternate embodiments, described first sip request message comprises described client further and uses public-key that to be described client determine for described authenticate key after the described authenticate key of generation for the TTL after encryption, described TTL.
Further, processor 1302 also for using described private key to be decrypted the TTL after described encryption, obtaining described TTL and being kept at this locality.
Based on above-mentioned, processor 1302 also for according to the described TTL obtained, determines the remaining effective duration of described authenticate key.
Reflector 1304, during for determining that at processor 1302 the remaining effective duration of described authenticate key is less than pre-determined threshold, send the second sip request message to described client, described second SIP request is used for described server and upgrades described authenticate key to described client-requested.
Receiver 1303, also for after reflector 1304 sends the second SIP request, receive the new authenticate key after the encryption of described client transmission, to realize the renewal to described authenticate key, described new authenticate key is that described client is according to described second sip request message, after the TTL of described authenticate key terminates, stochastic generation.
In an alternative embodiment, the processor 1302, when using the negotiated authentication key to perform two-way SIP authentication with the client, is specifically configured to:
receive, through the receiver 1303, a first SIP INVITE message sent by the client, so as to initiate the SIP authentication of the client by the server, and, after the client has passed authentication, send a second SIP INVITE message to the client through the transmitter 1304, so as to initiate the SIP authentication of the server by the client.
Correspondingly, the receiver 1303 is further configured to receive the first SIP INVITE message sent by the client, and the transmitter 1304 is further configured to send the second SIP INVITE message to the client.
In another alternative embodiment, the processor 1302, when using the negotiated authentication key to perform two-way SIP authentication with the client, is specifically configured to:
send a third SIP INVITE message to the client through the transmitter 1304, so as to initiate the SIP authentication of the client by the server, and, when the client has passed authentication, receive through the receiver 1303 a fourth SIP INVITE message sent by the client, so as to initiate the SIP authentication of the server by the client, where the fourth SIP INVITE message is sent by the client after the server-side authentication has passed.
Correspondingly, the transmitter 1304 is further configured to send the third SIP INVITE message to the client, and the receiver 1303 is further configured to receive the fourth SIP INVITE message sent by the client.
Optionally, in a specific implementation, if the memory 1301, processor 1302, receiver 1303 and transmitter 1304 are implemented as independent components, they may be interconnected by a bus and communicate with each other over it. The bus may be an ISA bus, a PCI bus, an EISA bus or the like, and may be divided into an address bus, a data bus, a control bus and so on. For ease of representation, only one thick line is drawn in Figure 13, but this does not mean that there is only one bus or only one type of bus.
Optionally, in a specific implementation, if the memory 1301, processor 1302, receiver 1303 and transmitter 1304 are integrated on a single chip, they may communicate with each other through an internal interface.
The server provided in this embodiment may be used to perform the operations performed by the server in the embodiments shown in Figures 1 to 5; its specific working principle is not repeated here, and reference is made to the description of the method embodiments.
With the server provided in this embodiment, the authentication key used in the SIP authentication process is determined through negotiation with the client, and two-way SIP authentication is then performed on the basis of the negotiated key rather than, as in the prior art, on the basis of a preset key. This overcomes the problem in the prior art that a preset key is easily obtained illegally, which reduces the security of SIP communication, and so helps to improve SIP communication security.
A person of ordinary skill in the art will understand that all or part of the steps of the method embodiments above may be implemented by hardware driven by program instructions. The program may be stored in a computer-readable storage medium; when executed, it performs the steps of the method embodiments above. The storage medium includes any medium that can store program code, such as a ROM, a RAM, a magnetic disk or an optical disc.
Finally, it should be noted that the embodiments above are intended only to illustrate the technical solutions of the present invention, not to limit them. Although the invention has been described in detail with reference to the foregoing embodiments, a person of ordinary skill in the art should understand that the technical solutions described in the foregoing embodiments may still be modified, or some or all of their technical features replaced by equivalents, and that such modifications or replacements do not cause the essence of the corresponding technical solutions to depart from the scope of the technical solutions of the embodiments of the present invention.
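The key negotiation and renewal exchange described above for the server embodiment, and claimed below in claims 2 to 4 and 8 to 10, as an added Go example that is not part of the patent or of any Huawei code: the client wraps a random authentication key and its life cycle under the server's public key, the server decrypts and stores them locally and watches the remaining validity against the threshold, and the client refuses to issue a new key before the old life cycle has ended. RSA-OAEP, the 32-byte key size, the 10-second threshold and the "key || seconds" encoding are assumptions; the INVITE-based SIP authentication itself is not modelled.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"time"
)

// Constructed parameters; the page fixes none of them.
const (
	authKeyLen       = 32               // bytes of random authentication key
	renewalThreshold = 10 * time.Second // the "predetermined threshold" on remaining validity
)

// Server keeps its RSA private key plus the key and expiry it decrypted and stored locally.
type Server struct {
	priv      *rsa.PrivateKey
	AuthKey   []byte
	expiresAt time.Time
}

// Client keeps the server public key plus the key and life cycle it generated.
type Client struct {
	pub       *rsa.PublicKey
	AuthKey   []byte
	lifeCycle time.Duration
	issuedAt  time.Time
}

// NewPair creates a server key pair and a client that already holds the public key.
func NewPair() (*Client, *Server, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	return &Client{pub: &priv.PublicKey}, &Server{priv: priv}, nil
}

// NegotiateKey is the client half (claims 2-3): randomly generate the key, pick a life cycle,
// encrypt both under the server public key (RSA-OAEP assumed) and return the blob that the
// first SIP request carries.
func (c *Client) NegotiateKey(lifeCycle time.Duration, now time.Time) ([]byte, error) {
	key := make([]byte, authKeyLen)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	c.AuthKey, c.lifeCycle, c.issuedAt = key, lifeCycle, now
	plain := make([]byte, authKeyLen+8) // key || life cycle in seconds, uint64 big-endian
	copy(plain, key)
	binary.BigEndian.PutUint64(plain[authKeyLen:], uint64(lifeCycle/time.Second))
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, c.pub, plain, nil)
}

// AcceptKey is the server half (claims 8-9): decrypt with the matching private key and
// store key and life cycle locally; a tampered or malformed blob is rejected.
func (s *Server) AcceptKey(blob []byte, now time.Time) error {
	plain, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, s.priv, blob, nil)
	if err != nil {
		return err
	}
	if len(plain) != authKeyLen+8 {
		return errors.New("malformed key message")
	}
	s.AuthKey = plain[:authKeyLen]
	secs := binary.BigEndian.Uint64(plain[authKeyLen:])
	s.expiresAt = now.Add(time.Duration(secs) * time.Second)
	return nil
}

// NeedsRenewal is the server check of claim 10: a remaining effective duration below the
// threshold means it is time to send the second SIP request asking for a new key.
func (s *Server) NeedsRenewal(now time.Time) bool {
	return s.expiresAt.Sub(now) < renewalThreshold
}

// Renew is the client reaction to that request (claim 4): a fresh random key is generated
// and wrapped only once the life cycle of the current key has ended.
func (c *Client) Renew(now time.Time) ([]byte, error) {
	if now.Before(c.issuedAt.Add(c.lifeCycle)) {
		return nil, errors.New("life cycle of current key has not ended")
	}
	return c.NegotiateKey(c.lifeCycle, now)
}
```

Note that the server asks for renewal while the old key is still valid, but the client only answers once that key has actually expired, so the two clocks must be reconciled in a real deployment.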

Claims (24)

1. An authentication method, characterized in that it comprises:
negotiating, by a client with a server, an authentication key to be used in a session initiation protocol (SIP) authentication process; and
performing, by the client and the server, two-way SIP authentication using the negotiated authentication key.
2. The authentication method according to claim 1, characterized in that the negotiating, by the client with the server, the authentication key to be used in the SIP authentication process comprises:
randomly generating, by the client, the authentication key, and encrypting the authentication key with a public key; and
carrying, by the client, the encrypted authentication key in a first SIP request message sent to the server, so that the server decrypts the encrypted authentication key with the private key corresponding to the public key, obtains the authentication key and stores it locally.
3. The authentication method according to claim 2, characterized in that the randomly generating, by the client, the authentication key and encrypting the authentication key with the public key comprises:
randomly generating, by the client, the authentication key and determining a life cycle of the authentication key; and
encrypting, by the client, the authentication key and the life cycle together with the public key;
and the carrying, by the client, the encrypted authentication key in the first SIP request message sent to the server, so that the server decrypts the encrypted authentication key with the private key corresponding to the public key, obtains the authentication key and stores it locally, comprises:
carrying, by the client, the encrypted authentication key and the encrypted life cycle together in the first SIP request message sent to the server, so that the server decrypts the encrypted authentication key and the encrypted life cycle with the private key corresponding to the public key, obtains the authentication key and the life cycle respectively and stores them locally, where the life cycle is used by the server to determine the remaining effective duration of the authentication key and, when the remaining effective duration of the authentication key is less than a predetermined threshold, to initiate an authentication key update process towards the client.
4. The authentication method according to claim 3, characterized in that it further comprises:
receiving, by the client, a second SIP request message sent by the server, the second SIP request being used by the server to request the client to update the authentication key; and
randomly generating, by the client, a new authentication key according to the second SIP request message after the life cycle of the authentication key has ended, encrypting the new authentication key and sending it to the server, so as to update the authentication key.
5. The authentication method according to any one of claims 1 to 4, characterized in that the performing, by the client and the server, two-way SIP authentication using the negotiated authentication key comprises:
sending, by the client, a first SIP INVITE message to the server, so as to actively initiate the SIP authentication of the client by the server; and
receiving, by the client, a second SIP INVITE message sent by the server, so as to initiate the SIP authentication of the server by the client, where the second SIP INVITE message is sent by the server after the client has passed authentication.
6. The authentication method according to any one of claims 1 to 4, characterized in that the performing, by the client and the server, two-way SIP authentication using the negotiated authentication key comprises:
receiving, by the client, a third SIP INVITE message sent by the server, so as to initiate the SIP authentication of the client by the server; and
sending, by the client, after it has passed authentication, a fourth SIP INVITE message to the server, so as to initiate the SIP authentication of the server by the client.
7. An authentication method, characterized in that it comprises:
negotiating, by a server with a client, an authentication key to be used in a session initiation protocol (SIP) authentication process; and
performing, by the server and the client, two-way SIP authentication using the negotiated authentication key.
8. The authentication method according to claim 7, characterized in that the negotiating, by the server with the client, the authentication key to be used in the SIP authentication process comprises:
receiving, by the server, a first SIP request message sent by the client, the first SIP request message carrying the authentication key encrypted by the client with a public key; and
decrypting, by the server, the encrypted authentication key with the private key corresponding to the public key, obtaining the authentication key and storing it locally.
9. The authentication method according to claim 8, characterized in that the first SIP request message further comprises a life cycle encrypted by the client with the public key, the life cycle having been determined by the client for the authentication key after generating the authentication key;
and the authentication method further comprises:
decrypting, by the server, the encrypted life cycle with the private key, obtaining the life cycle and storing it locally.
10. The authentication method according to claim 9, characterized in that it further comprises:
determining, by the server, the remaining effective duration of the authentication key according to the life cycle, and, when the remaining effective duration of the authentication key is less than a predetermined threshold, sending a second SIP request message to the client, the second SIP request being used by the server to request the client to update the authentication key; and
receiving, by the server, an encrypted new authentication key sent by the client, so as to update the authentication key, the new authentication key having been randomly generated by the client according to the second SIP request message after the life cycle of the authentication key has ended.
11. The authentication method according to any one of claims 7 to 10, characterized in that the performing, by the server and the client, two-way SIP authentication using the negotiated authentication key comprises:
receiving, by the server, a first SIP INVITE message sent by the client, so as to initiate the SIP authentication of the client by the server; and
sending, by the server, after the client has passed authentication, a second SIP INVITE message to the client, so as to initiate the SIP authentication of the server by the client.
12. The authentication method according to any one of claims 7 to 10, characterized in that the performing, by the server and the client, two-way SIP authentication using the negotiated authentication key comprises:
sending, by the server, a third SIP INVITE message to the client, so as to initiate the SIP authentication of the client by the server; and
receiving, by the server, a fourth SIP INVITE message sent by the client, so as to initiate the SIP authentication of the server by the client, where the fourth SIP INVITE message is sent by the client after the server-side authentication has passed.
13. A client, characterized in that it comprises:
a negotiation module, configured to negotiate with a server an authentication key to be used in a session initiation protocol (SIP) authentication process; and
an authentication module, configured to perform two-way SIP authentication with the server using the authentication key negotiated by the negotiation module.
14. The client according to claim 13, characterized in that the negotiation module comprises:
a generation and encryption unit, configured to randomly generate the authentication key and encrypt the authentication key with a public key; and
a sending unit, configured to carry the authentication key encrypted by the generation and encryption unit in a first SIP request message sent to the server, so that the server decrypts the encrypted authentication key with the private key corresponding to the public key, obtains the authentication key and stores it locally.
15. The client according to claim 14, characterized in that the generation and encryption unit is specifically configured to randomly generate the authentication key, determine a life cycle of the authentication key, and encrypt the authentication key and the life cycle together with the public key;
and the sending unit is specifically configured to carry the authentication key and the life cycle encrypted by the generation and encryption unit together in the first SIP request message sent to the server, so that the server decrypts the encrypted authentication key and the encrypted life cycle with the private key corresponding to the public key, obtains the authentication key and the life cycle respectively and stores them locally, where the life cycle is used by the server to determine the remaining effective duration of the authentication key and, when the remaining effective duration of the authentication key is less than a predetermined threshold, to initiate an authentication key update process towards the client.
16. The client according to claim 15, characterized in that it further comprises:
a receiving module, configured to receive a second SIP request message sent by the server, the second SIP request being used by the server to request the client to update the authentication key; and
an update module, configured to randomly generate a new authentication key according to the second SIP request message after the life cycle of the authentication key has ended, encrypt the new authentication key and send it to the server, so as to update the authentication key.
17. The client according to any one of claims 13 to 16, characterized in that the authentication module comprises:
a first authentication unit, configured to send a first SIP INVITE message to the server, so as to actively initiate the SIP authentication of the client by the server; and
a second authentication unit, configured to receive a second SIP INVITE message sent by the server, so as to initiate the SIP authentication of the server by the client, where the second SIP INVITE message is sent by the server after the client has passed authentication.
18. The client according to any one of claims 13 to 16, characterized in that the authentication module comprises:
a third authentication unit, configured to receive a third SIP INVITE message sent by the server, so as to initiate the SIP authentication of the client by the server; and
a fourth authentication unit, configured to send a fourth SIP INVITE message to the server when the authentication result of the third authentication unit is that authentication has passed, so as to initiate the SIP authentication of the server by the client.
19. A server, characterized in that it comprises:
a negotiation module, configured to negotiate with a client an authentication key to be used in a session initiation protocol (SIP) authentication process; and
an authentication module, configured to perform two-way SIP authentication with the client using the negotiated authentication key.
20. The server according to claim 19, characterized in that the negotiation module comprises:
a receiving unit, configured to receive a first SIP request message sent by the client, the first SIP request message carrying the authentication key encrypted by the client with a public key; and
an acquiring unit, configured to decrypt the encrypted authentication key with the private key corresponding to the public key, obtain the authentication key and store it locally.
21. The server according to claim 20, characterized in that the first SIP request message further comprises a life cycle encrypted by the client with the public key, the life cycle having been determined by the client for the authentication key after generating the authentication key;
and the acquiring unit is further configured to decrypt the encrypted life cycle with the private key, obtain the life cycle and store it locally.
22. The server according to claim 21, characterized in that it further comprises:
a determination module, configured to determine the remaining effective duration of the authentication key according to the life cycle;
a sending module, configured to send a second SIP request message to the client when the determination module determines that the remaining effective duration of the authentication key is less than a predetermined threshold, the second SIP request being used by the server to request the client to update the authentication key; and
a receiving module, configured to receive an encrypted new authentication key sent by the client, so as to update the authentication key, the new authentication key having been randomly generated by the client according to the second SIP request message after the life cycle of the authentication key has ended.
23. The server according to any one of claims 19 to 22, characterized in that the authentication module comprises:
a first authentication unit, configured to receive a first SIP INVITE message sent by the client, so as to initiate the SIP authentication of the client by the server; and
a second authentication unit, configured to send a second SIP INVITE message to the client when the authentication result of the first authentication unit is that the client has passed authentication, so as to initiate the SIP authentication of the server by the client.
24. The server according to any one of claims 19 to 22, characterized in that the authentication module comprises:
a third authentication unit, configured to send a third SIP INVITE message to the client, so as to initiate the SIP authentication of the client by the server; and
a fourth authentication unit, configured to receive a fourth SIP INVITE message sent by the client when the authentication result of the third authentication unit is that the client has passed authentication, so as to initiate the SIP authentication of the server by the client, where the fourth SIP INVITE message is sent by the client after the server-side authentication has passed.
CN201310270136.XA 2013-06-29 2013-06-29 Method for authenticating, client and server Active CN104253806B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201310270136.XA CN104253806B (en) 2013-06-29 2013-06-29 Method for authenticating, client and server

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201310270136.XA CN104253806B (en) 2013-06-29 2013-06-29 Method for authenticating, client and server

Publications (2)

Publication Number Publication Date
CN104253806A true CN104253806A (en) 2014-12-31
CN104253806B CN104253806B (en) 2017-11-17

Family

ID=52188343

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201310270136.XA Active CN104253806B (en) 2013-06-29 2013-06-29 Method for authenticating, client and server

Country Status (1)

Country Link
CN (1) CN104253806B (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106656992A (en) * 2016-11-03 2017-05-10 林锦吾 Information verification method
CN110636503A (en) * 2019-09-24 2019-12-31 中国联合网络通信集团有限公司 Data encryption method, device, equipment and computer readable storage medium
CN114726558A (en) * 2020-12-21 2022-07-08 航天信息股份有限公司 Authentication method, authentication device, electronic equipment and storage medium

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2004075584A1 (en) * 2003-02-20 2004-09-02 Siemens Aktiengesellschaft Method for creating and distributing cryptographic keys in a mobile radio system, and corresponding mobile radio system
CN1728635A (en) * 2004-07-30 2006-02-01 华为技术有限公司 Authentication method in use for digital clustering operation in CDMA system
CN101969446A (en) * 2010-11-02 2011-02-09 北京交通大学 Mobile commerce identity authentication method
CN103096317A (en) * 2011-11-08 2013-05-08 中国电信股份有限公司 Two-way authentication method and system based on sharing enciphered data

Also Published As

Publication number Publication date
CN104253806B (en) 2017-11-17

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant
CP01 Change in the name or title of a patent holder
CP01 Change in the name or title of a patent holder

Address after: 518129 Building 2, B District, Bantian HUAWEI base, Longgang District, Shenzhen, Guangdong.

Patentee after: Huawei terminal (Shenzhen) Co.,Ltd.

Address before: 518129 Building 2, B District, Bantian HUAWEI base, Longgang District, Shenzhen, Guangdong.

Patentee before: HUAWEI DEVICE Co.,Ltd.

TR01 Transfer of patent right
TR01 Transfer of patent right

Effective date of registration: 20181218

Address after: 523808 Southern Factory Building (Phase I) Project B2 Production Plant-5, New Town Avenue, Songshan Lake High-tech Industrial Development Zone, Dongguan City, Guangdong Province

Patentee after: HUAWEI DEVICE Co.,Ltd.

Address before: 518129 Building 2, B District, Bantian HUAWEI base, Longgang District, Shenzhen, Guangdong.

Patentee before: Huawei terminal (Shenzhen) Co.,Ltd.