CN104253806B - Method for authenticating, client and server - Google Patents

Publication number: CN104253806B
Authority: CN (China)
Prior art keywords: client, server, sip, certification key, key
Legal status: Active
Application number: CN201310270136.XA
Other languages: Chinese (zh)
Other versions: CN104253806A (en)
Inventor: 刘德
Current Assignee: Huawei Device Co Ltd, Huawei Device Shenzhen Co Ltd
Original Assignee: Huawei Device Co Ltd
Application filed by: Huawei Device Co Ltd
Priority to: CN201310270136.XA
Landscapes: Telephonic Communication Services (AREA)

Abstract

Embodiments of the present invention provide an authentication method, a client and a server. An authentication method includes: a client negotiates with a server to determine the certification key used in the Session Initiation Protocol (SIP) authentication process; the client performs two-way SIP authentication with the server using the negotiated certification key. By dynamically negotiating the certification key used in the SIP authentication process, the technical solution of the present invention can improve the security of SIP communication.

Description

Method for authenticating, client and server
Technical field
The present invention relates to communication technology, and in particular to an authentication method, a client and a server.
Background
The Session Initiation Protocol (SIP) is an application-layer multimedia session control protocol published by the Internet Engineering Task Force (IETF), and it has increasingly become the primary communication protocol for multimedia communication. At present, SIP uses a client/server message mechanism, and its syntax and semantics borrow from the Hypertext Transfer Protocol (HTTP). It has the advantages of being simple, flexible and easy to implement, but it is easily imitated by attackers, who can then tamper with it and attack it.
To solve the above problem, SIP ensures security through an authentication mechanism. One commonly used authentication method is mutual authentication, in which, on top of the server verifying the identity of the client, the client also verifies the identity of the server. In this method, the username and password are verified at the client and at the server respectively. If both ends use the same key, then once the key at one end is illegally obtained, an attacker can likewise masquerade as the server, fraudulently gain the client's trust, and mount an attack.
Summary of the invention
An authentication method, a client and a server are provided, to improve the security of SIP communication.
A first aspect provides an authentication method, including:
A client negotiates with a server to determine the certification key used in the Session Initiation Protocol (SIP) authentication process;
The client performs two-way SIP authentication with the server using the negotiated certification key.
With reference to the first aspect, in a first possible implementation of the first aspect, the client negotiating with the server to determine the certification key used in the SIP authentication process includes:
The client randomly generates the certification key and encrypts the certification key using a public key;
The client carries the encrypted certification key in a first SIP request message sent to the server, so that the server decrypts the encrypted certification key using the private key corresponding to the public key, obtains the certification key and stores it locally.
With reference to the first possible implementation of the first aspect, in a second possible implementation of the first aspect, the client randomly generating the certification key and encrypting the certification key using a public key includes:
The client randomly generates the certification key and determines the life cycle of the certification key;
The client encrypts both the certification key and the life cycle using the public key;
The client carrying the encrypted certification key in the first SIP request message sent to the server, so that the server decrypts the encrypted certification key using the private key corresponding to the public key, obtains the certification key and stores it locally, includes:
The client carries both the encrypted certification key and the encrypted life cycle in the first SIP request message sent to the server, so that the server decrypts the encrypted certification key and the encrypted life cycle using the private key corresponding to the public key, obtains the certification key and the life cycle respectively and stores them locally, wherein the life cycle is used by the server to determine the remaining effective time of the certification key and, when the remaining effective time of the certification key is less than a preset threshold, to initiate a certification key update process with the client.
With reference to the second possible implementation of the first aspect, in a third possible implementation of the first aspect, the authentication method further includes:
The client receives a second SIP request message sent by the server, the second SIP request message being used by the server to request that the client update the certification key;
According to the second SIP request message, after the life cycle of the certification key ends, the client randomly generates a new certification key, encrypts the new certification key and sends it to the server, so as to update the certification key.
With reference to the first aspect, or the first, second or third possible implementation of the first aspect, in a fourth possible implementation of the first aspect, the client performing two-way SIP authentication with the server using the negotiated certification key includes:
The client sends a first SIP invitation message to the server, to actively initiate the SIP authentication process in which the server authenticates the client;
The client receives a second SIP invitation message sent by the server, to initiate the SIP authentication process in which the client authenticates the server, wherein the second SIP invitation message is sent by the server after the client authentication passes.
With reference to the first aspect, or the first, second or third possible implementation of the first aspect, in a fifth possible implementation of the first aspect, the client performing two-way SIP authentication with the server using the negotiated certification key includes:
The client receives a third SIP invitation message sent by the server, to initiate the SIP authentication process in which the server authenticates the client;
After authentication passes, the client sends a fourth SIP invitation message to the server, to initiate the SIP authentication process in which the client authenticates the server.
A second aspect provides an authentication method, including:
A server negotiates with a client to determine the certification key used in the Session Initiation Protocol (SIP) authentication process;
The server performs two-way SIP authentication with the client using the negotiated certification key.
With reference to the second aspect, in a first possible implementation of the second aspect, the server negotiating with the client to determine the certification key used in the SIP authentication process includes:
The server receives a first SIP request message sent by the client, the first SIP request message carrying the certification key encrypted by the client using a public key;
The server decrypts the encrypted certification key using the private key corresponding to the public key, obtains the certification key and stores it locally.
With reference to the first possible implementation of the second aspect, in a second possible implementation of the second aspect, the first SIP request message further includes the life cycle encrypted by the client using the public key, the life cycle being determined by the client for the certification key after generating the certification key;
The authentication method further includes:
The server decrypts the encrypted life cycle using the private key, obtains the life cycle and stores it locally.
With reference to the second possible implementation of the second aspect, in a third possible implementation of the second aspect, the authentication method further includes:
The server determines the remaining effective time of the certification key according to the life cycle and, when the remaining effective time of the certification key is less than a preset threshold, sends a second SIP request message to the client, the second SIP request message being used by the server to request that the client update the certification key;
The server receives the encrypted new certification key sent by the client, so as to update the certification key, the new certification key being randomly generated by the client, according to the second SIP request message, after the life cycle of the certification key ends.
With reference to the second aspect, or the first, second or third possible implementation of the second aspect, in a fourth possible implementation of the second aspect, the server performing two-way SIP authentication with the client using the negotiated certification key includes:
The server receives a first SIP invitation message sent by the client, to initiate the SIP authentication process in which the server authenticates the client;
After the client authentication passes, the server sends a second SIP invitation message to the client, to initiate the SIP authentication process in which the client authenticates the server.
With reference to the second aspect, or the first, second or third possible implementation of the second aspect, in a fifth possible implementation of the second aspect, the server performing two-way SIP authentication with the client using the negotiated certification key includes:
The server sends a third SIP invitation message to the client, to initiate the SIP authentication process in which the server authenticates the client;
The server receives a fourth SIP invitation message sent by the client, to initiate the SIP authentication process in which the client authenticates the server, wherein the fourth SIP invitation message is sent by the client after the server authentication passes.
A third aspect provides a client, including:
A negotiation module, configured to negotiate with a server to determine the certification key used in the Session Initiation Protocol (SIP) authentication process;
An authentication module, configured to perform two-way SIP authentication with the server using the certification key negotiated by the negotiation module.
With reference to the third aspect, in a first possible implementation of the third aspect, the negotiation module includes:
A generation and encryption unit, configured to randomly generate the certification key and encrypt the certification key using a public key;
A sending unit, configured to carry the certification key encrypted by the generation and encryption unit in a first SIP request message sent to the server, so that the server decrypts the encrypted certification key using the private key corresponding to the public key, obtains the certification key and stores it locally.
With reference to the first possible implementation of the third aspect, in a second possible implementation of the third aspect, the generation and encryption unit is specifically configured to randomly generate the certification key, determine the life cycle of the certification key, and encrypt both the certification key and the life cycle using the public key;
The sending unit is specifically configured to carry both the certification key encrypted by the generation and encryption unit and the encrypted life cycle in the first SIP request message sent to the server, so that the server decrypts the encrypted certification key and the encrypted life cycle using the private key corresponding to the public key, obtains the certification key and the life cycle respectively and stores them locally, wherein the life cycle is used by the server to determine the remaining effective time of the certification key and, when the remaining effective time of the certification key is less than a preset threshold, to initiate a certification key update process with the client.
With reference to the second possible implementation of the third aspect, in a third possible implementation of the third aspect, the client further includes:
A receiving module, configured to receive a second SIP request message sent by the server, the second SIP request message being used by the server to request that the client update the certification key;
An update module, configured to, according to the second SIP request message, after the life cycle of the certification key ends, randomly generate a new certification key, encrypt the new certification key and send it to the server, so as to update the certification key.
With reference to the third aspect, or the first, second or third possible implementation of the third aspect, in a fourth possible implementation of the third aspect, the authentication module includes:
A first authentication unit, configured to send a first SIP invitation message to the server, to actively initiate the SIP authentication process in which the server authenticates the client;
A second authentication unit, configured to receive a second SIP invitation message sent by the server, to initiate the SIP authentication process in which the client authenticates the server, wherein the second SIP invitation message is sent by the server after the client authentication passes.
With reference to the third aspect, or the first, second or third possible implementation of the third aspect, in a fifth possible implementation of the third aspect, the authentication module includes:
A third authentication unit, configured to receive a third SIP invitation message sent by the server, to initiate the SIP authentication process in which the server authenticates the client;
A fourth authentication unit, configured to send a fourth SIP invitation message to the server when the authentication result of the third authentication unit is that authentication passed, to initiate the SIP authentication process in which the client authenticates the server.
A fourth aspect provides a server, including:
A negotiation module, configured to negotiate with a client to determine the certification key used in the Session Initiation Protocol (SIP) authentication process;
An authentication module, configured to perform two-way SIP authentication with the client using the negotiated certification key.
With reference to the fourth aspect, in a first possible implementation of the fourth aspect, the negotiation module includes:
A receiving unit, configured to receive a first SIP request message sent by the client, the first SIP request message carrying the certification key encrypted by the client using a public key;
An obtaining unit, configured to decrypt the encrypted certification key using the private key corresponding to the public key, obtain the certification key and store it locally.
With reference to the first possible implementation of the fourth aspect, in a second possible implementation of the fourth aspect, the first SIP request message further includes the life cycle encrypted by the client using the public key, the life cycle being determined by the client for the certification key after generating the certification key;
The obtaining unit is further configured to decrypt the encrypted life cycle using the private key, obtain the life cycle and store it locally.
With reference to the second possible implementation of the fourth aspect, in a third possible implementation of the fourth aspect, the server further includes:
A determining module, configured to determine the remaining effective time of the certification key according to the life cycle;
A sending module, configured to send a second SIP request message to the client when the determining module determines that the remaining effective time of the certification key is less than a preset threshold, the second SIP request message being used by the server to request that the client update the certification key;
A receiving module, configured to receive the encrypted new certification key sent by the client, so as to update the certification key, the new certification key being randomly generated by the client, according to the second SIP request message, after the life cycle of the certification key ends.
With reference to the fourth aspect, or the first, second or third possible implementation of the fourth aspect, in a fourth possible implementation of the fourth aspect, the authentication module includes:
A first authentication unit, configured to receive a first SIP invitation message sent by the client, to initiate the SIP authentication process in which the server authenticates the client;
A second authentication unit, configured to send a second SIP invitation message to the client when the authentication result of the first authentication unit is that the client authentication passed, to initiate the SIP authentication process in which the client authenticates the server.
With reference to the fourth aspect, or the first, second or third possible implementation of the fourth aspect, in a fifth possible implementation of the fourth aspect, the authentication module includes:
A third authentication unit, configured to send a third SIP invitation message to the client, to initiate the SIP authentication process in which the server authenticates the client;
A fourth authentication unit, configured to receive a fourth SIP invitation message sent by the client when the authentication result of the third authentication unit is that the client authentication passed, to initiate the SIP authentication process in which the client authenticates the server, wherein the fourth SIP invitation message is sent by the client after the server authentication passes.
With the authentication method, client and server provided, the client and the server determine through negotiation the certification key used in the SIP authentication process and then perform two-way SIP authentication based on the negotiated certification key, instead of authenticating with a preset key as in the prior art. This overcomes the problem in the prior art that the key is easily obtained illegally, which in turn reduces the security of SIP communication, and helps improve the security of SIP communication.
Brief description of the drawings
To describe the technical solutions in the embodiments of the present invention or in the prior art more clearly, the accompanying drawings required for describing the embodiments or the prior art are briefly introduced below. Evidently, the drawings in the following description show some embodiments of the present invention, and a person of ordinary skill in the art may derive other drawings from these drawings without creative effort.
Fig. 1 is a flowchart of an authentication method provided in an embodiment of the present invention;
Fig. 2 is a flowchart of another authentication method provided in an embodiment of the present invention;
Fig. 3 is a flowchart of a method by which the client and the server negotiate to determine the certification key in an authentication method provided in an embodiment of the present invention;
Fig. 4 is a flowchart of a method, provided in an embodiment of the present invention, for updating the life cycle of the certification key and dynamically negotiating the certification key between the SIP client and the SIP server;
Fig. 5 is a flowchart of a method, provided in an embodiment of the present invention, in which the client actively initiates SIP authentication;
Fig. 6 is a schematic structural diagram of a client provided in an embodiment of the present invention;
Fig. 7 is a schematic structural diagram of another client provided in an embodiment of the present invention;
Fig. 8 is a schematic structural diagram of another client provided in an embodiment of the present invention;
Fig. 9 is a schematic structural diagram of another client provided in an embodiment of the present invention;
Fig. 10 is a schematic structural diagram of a server provided in an embodiment of the present invention;
Fig. 11 is a schematic structural diagram of another server provided in an embodiment of the present invention;
Fig. 12 is a schematic structural diagram of another server provided in an embodiment of the present invention;
Fig. 13 is a schematic structural diagram of another server provided in an embodiment of the present invention.
Detailed description of the embodiments
To make the objectives, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments are described clearly and completely below with reference to the accompanying drawings. Evidently, the described embodiments are some rather than all of the embodiments of the present invention. All other embodiments obtained by a person of ordinary skill in the art based on the embodiments of the present invention without creative effort fall within the protection scope of the present invention.
Fig. 1 is a flowchart of an authentication method provided in an embodiment of the present invention. As shown in Fig. 1, the method includes:
101. The client and the server negotiate to determine the certification key used in the SIP authentication process.
102. The client performs two-way SIP authentication with the server using the negotiated certification key.
In this embodiment, the client and the server both support SIP and use SIP for authentication. By extending SIP, this embodiment allows the client and the server to negotiate dynamically and so determine dynamically the certification key used in the SIP authentication process, instead of using a preconfigured certification key as in the prior art. This overcomes the problem in the prior art that the key is easily obtained illegally, which in turn reduces the security of SIP communication, and helps improve the security of SIP communication. In addition, in this embodiment the client and the server use the same certification key, which adds no configuration items at either the client or the server end and therefore does not increase the complexity of service provisioning.
In an optional embodiment, one implementation of step 101, in which the client negotiates with the server to determine the certification key used in the SIP authentication process, includes: the client randomly generates the certification key and encrypts the certification key using a public key; the client carries the encrypted certification key in a first SIP request message sent to the server, so that the server decrypts the encrypted certification key using the private key corresponding to the public key, obtains the certification key and stores it locally.
After receiving the first SIP request message, the server obtains the encrypted certification key from it, decrypts the encrypted certification key using the public key, obtains the certification key, and stores the obtained certification key locally for use in the SIP authentication process.
Further, the client randomly generating the certification key and encrypting the certification key using a public key includes: the client randomly generates the certification key and determines the life cycle (Time To Live, TTL) of the certification key; the client encrypts both the certification key and the life cycle using the public key.
Correspondingly, the client carrying the encrypted certification key in the first SIP request message sent to the server, so that the server decrypts the encrypted certification key using the private key corresponding to the public key, obtains the certification key and stores it locally, includes:
The client carries both the encrypted certification key and the encrypted life cycle in the first SIP request message sent to the server, so that the server decrypts the encrypted certification key and the encrypted life cycle using the private key corresponding to the public key, obtains the certification key and the life cycle respectively and stores them locally, wherein the life cycle is used by the server to determine the remaining effective time of the certification key and, when the remaining effective time of the certification key is less than a preset threshold, to initiate a certification key update process with the client.
The client determines the life cycle of the certification key when generating it, so the certification key is time-limited. After the life cycle of the certification key ends, the certification key becomes invalid, and the client can then renegotiate a new certification key with the server, which further improves the security of SIP communication.
Based on the above life cycle, the authentication method further includes: the client receives a second SIP request message sent by the server, the second SIP request message being used by the server to request that the client update the certification key; according to the second SIP request message, after the life cycle of the certification key ends, the client randomly generates a new certification key, encrypts the new certification key and sends it to the server, so as to update the certification key.
In an optional embodiment, the implementation of step 102 includes: the client sends a first SIP invitation message to the server, to actively initiate the SIP authentication process in which the server authenticates the client; the client receives a second SIP invitation message sent by the server, to initiate the SIP authentication process in which the client authenticates the server, wherein the second SIP invitation message is sent by the server after the client authentication passes. In this embodiment, the client actively initiates the two-way SIP authentication process, and the key used in the authentication process is no longer a fixed preconfigured key but the certification key negotiated in step 101.
In another optional embodiment, the implementation of step 102 includes: the client receives a third SIP invitation message sent by the server, to initiate the SIP authentication process in which the server authenticates the client; after authentication passes, the client sends a fourth SIP invitation message to the server, to initiate the SIP authentication process in which the client authenticates the server. In this embodiment, the server actively initiates the two-way SIP authentication process, and the key used in the authentication process is no longer a fixed preconfigured key but the certification key negotiated in step 101.
Fig. 2 is a flowchart of another authentication method provided in an embodiment of the present invention. As shown in Fig. 2, the method includes:
201. The server and the client negotiate to determine the certification key used in the Session Initiation Protocol (SIP) authentication process.
202. The server performs two-way SIP authentication with the client using the negotiated certification key.
In this embodiment, the client and the server both support SIP and use SIP for authentication. By extending SIP, this embodiment allows the client and the server to negotiate dynamically and so determine dynamically the certification key used in the SIP authentication process, instead of using a preconfigured certification key as in the prior art. This overcomes the problem in the prior art that the key is easily obtained illegally, which in turn reduces the security of SIP communication, and helps improve the security of SIP communication. In addition, in this embodiment the client and the server use the same certification key, which adds no configuration items at either the client or the server end and therefore does not increase the complexity of service provisioning.
In an optional embodiment, the implementation of step 201 includes: the server receives a first SIP request message sent by the client, the first SIP request message carrying the certification key encrypted by the client using a public key; the server decrypts the encrypted certification key using the private key corresponding to the public key, obtains the certification key and stores it locally.
Further, the first SIP request message also includes the life cycle encrypted by the client using the public key, the life cycle being determined by the client for the certification key after generating the certification key. On this basis, the authentication method further includes: the server decrypts the encrypted life cycle using the private key, obtains the life cycle and stores it locally.
Further, the authentication method also includes: the server determines the remaining effective time of the certification key according to the life cycle and, when the remaining effective time of the certification key is less than a preset threshold, sends a second SIP request message to the client, the second SIP request message being used by the server to request that the client update the certification key; the server receives the encrypted new certification key sent by the client, so as to update the certification key, the new certification key being randomly generated by the client, according to the second SIP request message, after the life cycle of the certification key ends.
In an optional embodiment, the implementation of step 202 includes: the server receives a first SIP invitation message sent by the client, to initiate the SIP authentication process in which the server authenticates the client; after the client authentication passes, the server sends a second SIP invitation message to the client, to initiate the SIP authentication process in which the client authenticates the server.
In another optional embodiment, the implementation of step 202 includes: the server sends a third SIP invitation message to the client, to initiate the SIP authentication process in which the server authenticates the client; the server receives a fourth SIP invitation message sent by the client, to initiate the SIP authentication process in which the client authenticates the server, wherein the fourth SIP invitation message is sent by the client after the server authentication passes.
Fig. 3 is a flow chart of a method by which the client and the server negotiate to determine the certification key in an authentication method provided by an embodiment of the present invention. As shown in Fig. 3, the method includes:
31. The SIP client randomly generates a certification key and defines the TTL of the certification key.
32. The SIP client encrypts the certification key, the SIP account (username) and the above TTL with the public key (Publickey), obtaining the encrypted client request key (Clientrequestkey).
In the present embodiment, an asymmetric algorithm is used to produce two keys: a public key (Publickey) and a private key (Privatekey). The public key is distributed to the corresponding SIP client, and the private key is distributed to the SIP server for its use.
33. The SIP client fills the encrypted client request key into an extended protocol field of a SIP request message and sends the message to the SIP server.
34. After receiving the SIP request message, the SIP server decrypts it with the private key corresponding to the public key.
35. The SIP server verifies the SIP account and obtains the certification key and the TTL of the certification key.
36. The SIP server returns a confirmation (ok) message to the SIP client.
The negotiated certification key is used in the SIP request flow; that is, it is used as the verification password when inviting (invite).
Fig. 4 is a flow chart of a method, provided by an embodiment of the present invention, for dynamically negotiating the certification key between the SIP client and the SIP server in order to renew the life cycle of the certification key. As shown in Fig. 4, the method includes:
41. When the SIP server detects that the TTL is close to timing out, it signs the current certification key, the SIP account and the mark TTL=0 with the private key corresponding to the public key, obtaining the signed server request key (Serverrequestkey).
The SIP server can determine the remaining valid time of the certification key according to the TTL. When the remaining valid time of the certification key is less than the preset threshold, the SIP server determines that the TTL of the certification key is close to timing out or about to end, and marks the TTL as 0.
42. The SIP server fills the signed server request key into an extended protocol field of a SIP request message and sends the message to the SIP client.
43. After receiving the SIP request message, the SIP client decrypts the server request key with the public key and determines that the TTL of the current certification key is about to time out.
44. After detecting TTL=0, the SIP client randomly generates a new certification key and determines the TTL of that certification key.
45. The SIP client encrypts the new certification key, the SIP account and the TTL of the new certification key with the public key, obtaining the encrypted client request key.
46. The SIP client fills the encrypted client request key into an extended protocol field of a SIP request message and sends the message to the SIP server.
47. After receiving the SIP request message, the SIP server decrypts it with the private key.
48. The SIP server verifies the SIP account and obtains the new certification key and the TTL of the new certification key.
49. The SIP server returns a confirmation (ok) message to the SIP client.
From then on, the negotiated certification key is used in the SIP request flow; that is, it is used as the verification password when inviting (invite).
For example, the flow of a method in which the client actively initiates SIP authentication is shown in Fig. 5 and includes:
51. The SIP client sends a SIP request message to the SIP server to request SIP authentication.
52. The SIP server randomly generates a field (random nonce) and carries the field and the nonce to the SIP client in a challenge message.
53. The SIP client encrypts the field, the challenge and the SIP account with the previously negotiated certification key, obtaining the encrypted response.
54. The SIP client fills the encrypted response, the field, the challenge and the SIP account into an extended protocol field of a SIP request message and sends the message to the SIP server.
55. The SIP server uses the previously negotiated certification key to verify the SIP request message and the encrypted response in it.
56. When the verification result is success, the SIP server sends a confirmation (ok) message to the SIP client.
Correspondingly, as shown in Fig. 5, the process in which the client performs SIP authentication on the server includes:
57. The SIP server sends a SIP request message to the SIP client to request SIP authentication.
58. The SIP client randomly generates a field (random nonce) and carries the field and the nonce to the SIP server in a challenge message.
59. The SIP server encrypts the field, the challenge and the SIP account with the previously negotiated certification key, obtaining the encrypted response.
60. The SIP server fills the encrypted response, the field, the challenge and the SIP account into an extended protocol field of a SIP request message and sends the message to the SIP client.
61. The SIP client uses the previously negotiated certification key to verify the SIP request message and the encrypted response in it.
62. When the verification result is success, the SIP client sends a confirmation (ok) message to the SIP server.
It should be noted here that if the server actively initiates the SIP authentication flow, that is, the client passively receives the authentication request, the process is similar to the above and is not repeated here.
As can be seen from the embodiments shown in Fig. 3 to Fig. 5 above, by extending SIP, the embodiments of the present invention allow the client and the server to negotiate dynamically and so determine dynamically the certification key used in the SIP authentication process, instead of using a pre-configured certification key as in the prior art. This overcomes the prior-art problem that the key is easily obtained illegally, which reduces the security of SIP communication, and helps improve the security of SIP communication. In addition, in the embodiments of the present invention the client and the server use the same certification key, which adds no configuration items at either the client or the server and therefore does not increase the complexity of service provisioning.
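The TTL check that triggers renewal in Fig. 4 and the two directions of challenge and response in Fig. 5 can be followed in this added Python example, which is not code from the patent. It assumes the public-key transport of steps 32 to 34 has already delivered the key, uses HMAC-SHA256 in place of the unspecified "encryption" of the response, and adds single-use nonces and an expiry check; all names and the account and field values are constructed for illustration.

```python
import hashlib
import hmac
import secrets


class NegotiatedKey:
    """Certification key plus the TTL the client chose for it (steps 31 and 35)."""

    def __init__(self, key: bytes, ttl: float, issued_at: float):
        self.key = key
        self.expires_at = issued_at + ttl

    def remaining(self, now: float) -> float:
        return max(0.0, self.expires_at - now)


def compute_response(key: bytes, field: str, nonce: str, account: str) -> str:
    """Response over (field, nonce, account), as in steps 53 and 59.

    Assumption: HMAC-SHA256 stands in for the unspecified "encryption"; each
    value is length-prefixed so that value boundaries cannot be shifted.
    """
    parts = (field.encode(), nonce.encode(), account.encode())
    msg = b"".join(len(p).to_bytes(2, "big") + p for p in parts)
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


class Peer:
    """Verifier for one direction; the server and the client each run one."""

    def __init__(self, field: str, renew_threshold: float = 60.0):
        self.field = field
        self.renew_threshold = renew_threshold  # the "preset threshold"
        self.keys = {}      # account -> NegotiatedKey
        self.pending = {}   # nonce -> account, consumed on first use

    def store_key(self, account: str, key: bytes, ttl: float, now: float):
        self.keys[account] = NegotiatedKey(key, ttl, now)

    def needs_renewal(self, account: str, now: float) -> bool:
        """Step 41 trigger: remaining valid time is below the threshold."""
        return self.keys[account].remaining(now) < self.renew_threshold

    def challenge(self, account: str):
        """Steps 52 and 58: issue a fresh random nonce bound to the account."""
        nonce = secrets.token_hex(16)
        self.pending[nonce] = account
        return self.field, nonce

    def verify(self, account: str, nonce: str, response: str, now: float) -> bool:
        """Steps 55 and 61, plus the added nonce-reuse and key-expiry checks."""
        if self.pending.pop(nonce, None) != account:
            return False                      # unknown or replayed nonce
        entry = self.keys.get(account)
        if entry is None or entry.remaining(now) <= 0:
            return False                      # no key, or its TTL has run out
        expected = compute_response(entry.key, self.field, nonce, account)
        return hmac.compare_digest(expected, response)


def demo() -> dict:
    t0 = 1_000_000.0                          # constructed clock value
    account = "alice@example.invalid"         # constructed SIP account
    key = secrets.token_bytes(32)             # step 31: random certification key
    server = Peer("sip.example.invalid")
    client = Peer("sip.example.invalid")
    server.store_key(account, key, 300, t0)   # outcome of steps 34 and 35
    client.store_key(account, key, 300, t0)
    out = {}
    # Steps 51 to 56: the server authenticates the client.
    field, nonce = server.challenge(account)
    resp = compute_response(key, field, nonce, account)
    out["server_accepts_client"] = server.verify(account, nonce, resp, t0 + 10)
    out["replay_rejected"] = not server.verify(account, nonce, resp, t0 + 11)
    # Steps 57 to 62: the client authenticates the server.
    field, nonce = client.challenge(account)
    resp = compute_response(key, field, nonce, account)
    out["client_accepts_server"] = client.verify(account, nonce, resp, t0 + 12)
    # Step 41: renewal is requested only near the end of the TTL.
    out["renewal_not_due_early"] = not server.needs_renewal(account, t0 + 100)
    out["renewal_due"] = server.needs_renewal(account, t0 + 250)
    # A response made with the old key after its TTL has ended is refused.
    field, nonce = server.challenge(account)
    resp = compute_response(key, field, nonce, account)
    out["expired_rejected"] = not server.verify(account, nonce, resp, t0 + 301)
    # Steps 44 to 48: a new random key replaces the old one.
    new_key = secrets.token_bytes(32)
    server.store_key(account, new_key, 300, t0 + 301)
    field, nonce = server.challenge(account)
    resp = compute_response(new_key, field, nonce, account)
    out["new_key_accepted"] = server.verify(account, nonce, resp, t0 + 302)
    field, nonce = server.challenge(account)
    resp = compute_response(key, field, nonce, account)
    out["old_key_rejected"] = not server.verify(account, nonce, resp, t0 + 303)
    return out


if __name__ == "__main__":
    print(demo())
```

The replay and expiry checks matter because the certification key serves as the verification password for every invite until it is replaced, so a captured response or a stale key would otherwise stay usable.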
Fig. 6 is a schematic structural diagram of a client provided by an embodiment of the present invention. As shown in Fig. 6, the client includes a negotiation module 601 and an authentication module 602.
The negotiation module 601 is configured to negotiate with the server to determine the certification key used in the SIP authentication process.
The authentication module 602 is connected to the negotiation module 601 and is configured to perform two-way SIP authentication with the server using the certification key negotiated by the negotiation module 601.
In an optional embodiment, as shown in Fig. 7, one implementation structure of the negotiation module 601 includes a generation and encryption unit 611 and a sending unit 612.
The generation and encryption unit 611 is configured to randomly generate the certification key and encrypt the certification key with the public key.
The sending unit 612 is connected to the generation and encryption unit 611 and is configured to carry the certification key encrypted by the generation and encryption unit 611 in the first SIP request message and send it to the server, so that the server decrypts the encrypted certification key with the private key corresponding to the public key, obtains the certification key and stores it locally.
The generation and encryption unit 611 is also connected to the authentication module 602 and is configured to provide the certification key to the authentication module 602.
Further optionally, the generation and encryption unit 611 may specifically be configured to randomly generate the certification key, determine the TTL of the certification key, and encrypt the certification key and the TTL together with the public key. Correspondingly, the sending unit 612 may specifically be configured to carry both the certification key encrypted by the generation and encryption unit 611 and the encrypted TTL in the first SIP request message and send it to the server, so that the server decrypts the encrypted certification key and the encrypted TTL with the private key corresponding to the public key, obtains the certification key and the TTL respectively and stores them locally. The TTL is used by the server to determine the remaining valid time of the certification key and, when the remaining valid time of the certification key is less than the preset threshold, to initiate the certification key update process with the client.
Based on the above, as shown in Fig. 7, the client further includes a receiving module 603 and an update module 604.
The receiving module 603 is configured to receive the second SIP request message sent by the server, the second SIP request being used by the server to request the client to update the certification key.
The update module 604 is connected to the receiving module 603 and is configured to randomly generate, according to the second SIP request message received by the receiving module 603, a new certification key after the TTL of the certification key ends, and to encrypt the new certification key and send it to the server, thereby updating the certification key.
The update module 604 is also connected to the authentication module 602 and is configured to provide the updated certification key to the authentication module 602.
In an optional embodiment, as shown in Fig. 7, one implementation structure of the authentication module 602 includes a first authentication unit 621 and a second authentication unit 622.
The first authentication unit 621 is configured to send the first SIP invitation message to the server, to actively initiate the server's SIP authentication of the client.
The second authentication unit 622 is connected to the first authentication unit 621 and is configured to receive, after the authentication result of the first authentication unit 621 is that the client authentication passed, the second SIP invitation message sent by the server, to initiate the client's SIP authentication of the server, where the second SIP invitation message is sent by the server after the client authentication passes.
In an optional embodiment, as shown in Fig. 8, one implementation structure of the authentication module 602 includes a third authentication unit 623 and a fourth authentication unit 624.
The third authentication unit 623 is configured to receive the third SIP invitation message sent by the server, to initiate the server's SIP authentication of the client.
The fourth authentication unit 624 is connected to the third authentication unit 623 and is configured to send, after the authentication result of the third authentication unit 623 is that authentication passed, the fourth SIP invitation message to the server, to initiate the client's SIP authentication of the server.
Each functional module or unit of the client provided by the present embodiment can be used to perform the operation flow performed by the client in the embodiments shown in Fig. 1 to Fig. 5. Its specific working principle is not repeated here; refer to the description of the method embodiments.
The client provided by the present embodiment negotiates with the server to determine the certification key used in the SIP authentication process and then performs two-way SIP authentication based on the negotiated certification key, instead of authenticating based on a preset key as in the prior art. This overcomes the prior-art problem that the key is easily obtained illegally, which reduces the security of SIP communication, and helps improve the security of SIP communication.
Fig. 9 is a schematic structural diagram of another client provided by an embodiment of the present invention. As shown in Fig. 9, the client includes a memory 91 and a processor 92.
The memory 91 is configured to store a program. Specifically, the program may include program code, and the program code includes computer operation instructions.
The memory 91 may include high-speed RAM and may also include non-volatile memory, for example at least one magnetic disk memory.
The processor 92 is configured to execute the program stored in the memory 91, so as to: negotiate with the server to determine the certification key used in the SIP authentication process, and perform two-way SIP authentication with the server using the negotiated certification key.
The processor 92 may be a central processing unit (Central Processing Unit, CPU for short), or an application-specific integrated circuit (Application Specific Integrated Circuit, ASIC for short), or one or more integrated circuits configured to implement the embodiments of the present invention.
Further, as shown in Fig. 9, the client also includes a transmitter 93 and a receiver 94.
That the processor 92 is configured to negotiate with the server to determine the certification key used in the SIP authentication process includes: the processor 92 is configured to randomly generate the certification key, encrypt the certification key with the public key, and send the encrypted certification key to the server through the transmitter 93, carried in the first SIP request message, so that the server decrypts the encrypted certification key with the private key corresponding to the public key, obtains the certification key and stores it locally.
The transmitter 93 is configured to carry the certification key encrypted by the processor 92 in the first SIP request message and send it to the server.
Further, the processor 92 is specifically configured to randomly generate the certification key, determine the TTL of the certification key, encrypt the certification key and the TTL together with the public key, and send both the encrypted certification key and the encrypted TTL to the server through the transmitter 93, carried in the first SIP request message, so that the server decrypts the encrypted certification key and the encrypted TTL with the private key corresponding to the public key, obtains the certification key and the TTL respectively and stores them locally. The TTL is used by the server to determine the remaining valid time of the certification key and, when the remaining valid time of the certification key is less than the preset threshold, to initiate the certification key update process with the client.
On this basis, the transmitter 93 may specifically be configured to carry both the encrypted certification key and the encrypted TTL in the first SIP request message and send it to the server.
Based on the above, the receiver 94 is configured to receive the second SIP request message sent by the server, the second SIP request being used by the server to request the client to update the certification key.
The processor 92 is further configured to randomly generate, according to the second SIP request message received by the receiver 94, a new certification key after the TTL of the certification key ends, and to encrypt the new certification key and send it to the server, thereby updating the certification key.
In an optional embodiment, that the processor 92 is configured to perform two-way SIP authentication with the server using the negotiated certification key includes: the processor 92 specifically sends the first SIP invitation message to the server through the transmitter 93, to actively initiate the server's SIP authentication of the client, and, after the client authentication passes, receives through the receiver 94 the second SIP invitation message sent by the server, to initiate the client's SIP authentication of the server, where the second SIP invitation message is sent by the server after the client authentication passes.
Correspondingly, the transmitter 93 is further configured to send the first SIP invitation message to the server, and the receiver 94 is further configured to receive the second SIP invitation message sent by the server.
In another optional embodiment, that the processor 92 is configured to perform two-way SIP authentication with the server using the negotiated certification key includes: the processor 92 is specifically configured to receive through the receiver 94 the third SIP invitation message sent by the server, to initiate the server's SIP authentication of the client, and, after the client authentication passes, to send the fourth SIP invitation message to the server through the transmitter 93, to initiate the client's SIP authentication of the server.
Correspondingly, the receiver 94 is further configured to receive the third SIP invitation message sent by the server, and the transmitter 93 is further configured to send the fourth SIP invitation message to the server.
Optionally, in a specific implementation, if the memory 91, the processor 92, the transmitter 93 and the receiver 94 are implemented independently, they can be connected to one another by a bus and communicate with one another over it. The bus may be an industry standard architecture (Industry Standard Architecture, ISA for short) bus, a peripheral component interconnect (Peripheral Component, PCI for short) bus, an extended industry standard architecture (Extended Industry Standard Architecture, EISA for short) bus, or the like. The bus can be divided into an address bus, a data bus, a control bus and so on. For ease of representation, only one thick line is shown in Fig. 9, but this does not mean that there is only one bus or one type of bus.
Optionally, in a specific implementation, if the memory 91, the processor 92, the transmitter 93 and the receiver 94 are integrated on one chip, they can communicate with one another through internal interfaces.
The client provided by the present embodiment can be used to perform the operation flow performed by the client in the embodiments shown in Fig. 1 to Fig. 5. Its specific working principle is not repeated here; refer to the description of the method embodiments.
The client provided by the present embodiment negotiates with the server to determine the certification key used in the SIP authentication process and then performs two-way SIP authentication based on the negotiated certification key, instead of authenticating based on a preset key as in the prior art. This overcomes the prior-art problem that the key is easily obtained illegally, which reduces the security of SIP communication, and helps improve the security of SIP communication.
Fig. 10 is a schematic structural diagram of a server provided by an embodiment of the present invention. As shown in Fig. 10, the server includes a negotiation module 1001 and an authentication module 1002.
The negotiation module 1001 is configured to negotiate with the client to determine the certification key used in the SIP authentication process.
The authentication module 1002 is connected to the negotiation module 1001 and is configured to perform two-way SIP authentication with the client using the certification key negotiated by the negotiation module 1001.
In an optional embodiment, as shown in Fig. 11, one implementation structure of the negotiation module 1001 includes a receiving unit 10011 and an acquiring unit 10012.
The receiving unit 10011 is configured to receive the first SIP request message sent by the client, the first SIP request message carrying the certification key encrypted by the client with the public key.
The acquiring unit 10012 is connected to the receiving unit 10011 and is configured to decrypt, with the private key corresponding to the public key, the encrypted certification key received by the receiving unit 10011, obtain the certification key and store it locally.
The acquiring unit 10012 is also connected to the authentication module 1002 and is configured to provide the certification key to the authentication module 1002.
In an optional embodiment, the first SIP request message further includes the TTL encrypted by the client with the public key; the TTL is determined by the client for the certification key after the client generates the certification key.
Based on the above, the acquiring unit 10012 is also configured to decrypt the encrypted TTL with the private key, obtain the TTL and store it locally.
Based on the above, as shown in Fig. 11, the server further includes a determining module 1003, a sending module 1004 and a receiving module 1005.
The determining module 1003 is connected to the acquiring unit 10012 and is configured to determine the remaining valid time of the certification key according to the TTL obtained by the acquiring unit 10012.
The sending module 1004 is connected to the determining module 1003 and is configured to send the second SIP request message to the client when the determining module 1003 determines that the remaining valid time of the certification key is less than the preset threshold, the second SIP request being used by the server to request the client to update the certification key.
The receiving module 1005 is connected to the sending module 1004 and is configured to receive, after the sending module 1004 sends the second SIP request, the encrypted new certification key sent by the client, thereby updating the certification key. The new certification key is generated randomly by the client, according to the second SIP request message, after the TTL of the certification key ends.
The receiving module 1005 is also connected to the authentication module 1002 and is configured to provide the new certification key to the authentication module 1002.
In an optional embodiment, as shown in Fig. 11, the authentication module 1002 includes a first authentication unit 10021 and a second authentication unit 10022.
The first authentication unit 10021 is configured to receive the first SIP invitation message sent by the client, to initiate the server's SIP authentication of the client.
The second authentication unit 10022 is connected to the first authentication unit 10021 and is configured to send, after the authentication result of the first authentication unit 10021 is that the client authentication passed, the second SIP invitation message to the client, to initiate the client's SIP authentication of the server.
In another optional embodiment, as shown in Fig. 12, the authentication module 1002 includes a third authentication unit 10023 and a fourth authentication unit 10024.
The third authentication unit 10023 is configured to send the third SIP invitation message to the client, to initiate the server's SIP authentication of the client.
The fourth authentication unit 10024 is connected to the third authentication unit 10023 and is configured to receive, when the authentication result of the third authentication unit 10023 is that the client authentication passed, the fourth SIP invitation message sent by the client, to initiate the client's SIP authentication of the server, where the fourth SIP invitation message is sent by the client after the server authentication passes.
Each functional module or unit of the server provided by the present embodiment can be used to perform the operation flow performed by the server in the embodiments shown in Fig. 1 to Fig. 5. Its specific working principle is not repeated here; refer to the description of the method embodiments.
The server provided by the present embodiment negotiates with the client to determine the certification key used in the SIP authentication process and then performs two-way SIP authentication based on the negotiated certification key, instead of authenticating based on a preset key as in the prior art. This overcomes the prior-art problem that the key is easily obtained illegally, which reduces the security of SIP communication, and helps improve the security of SIP communication.
Figure 13 is the structural representation of another server provided in an embodiment of the present invention.As shown in figure 13, the service Device includes:Memory 1301 and processor 1302.
Memory 1301, for storage program.Specifically, program can include program code, and described program code includes Computer-managed instruction.
Memory 1301 can include high-speed RAM memory, can also include nonvolatile memory(non-volatile memory), a for example, at least magnetic disk storage.
Processor 1302, for consulting to determine the certification key that uses in SIP authentication processes with client, and with the visitor Family end carries out two-way SIP authentications using the certification key for consulting to determine.
Processor 1302 can be a CPU, or specific ASIC, or be arranged to implement the embodiment of the present invention One or more integrated circuits.
Further, as shown in figure 13, the server further comprises:Receiver 1303 and transmitter 1304.
Optionally, processor 1302 is used to include with the certification key that client consults to determine to use in SIP authentication processes: Processor 1302 receives the first sip request message of the client transmission by receiver 1303, and first SIP request disappears Breath carries the client using the certification key after public key encryption, then uses private key corresponding with the public key to receiving Certification key after the encryption that device 1303 receives is decrypted, and obtains the certification key and is stored in local.
In an optional embodiment, first sip request message further comprises that the client is added using public key TTL after close, the TTL are that the client is that the certification key determines after the certification key is generated.
Further, processor 1302 is also used for the private key TTL after the encryption is decrypted, described in acquisition TTL is simultaneously stored in local.
Based on above-mentioned, processor 1302 is additionally operable to the TTL according to acquisition, determines that the certification key is remaining effectively Duration.
Transmitter 1304, for determining that the remaining effective time of certification key is less than pre- gating in processor 1302 In limited time, the second sip request message is sent to the client, second SIP request is used for the server to the client End request is updated to the certification key.
Receiver 1303, it is additionally operable to after transmitter 1304 sends the second SIP request, receives adding for the client transmission New certification key after close, to realize the renewal to the certification key, the new certification key is the client root According to second sip request message, after the TTL of the certification key terminates, generate at random.
In an optional embodiment, processor 1302 is used to using the certification key for consulting to determine enter with the client The two-way SIP authentications of row include:
Processor 1302 receives the first SIP invitation messages of the client transmission by receiver 1303, to initiate SIP authentication process of the server to the client is stated, and after client authentication passes through, by transmitter 1304 to institute State client and send the 2nd SIP invitation messages, to initiate SIP authentication process of the client to the server.
Correspondingly, receiver 1303 is additionally operable to receive the first SIP invitation messages that the client is sent;Transmitter 1304 It is additionally operable to send the 2nd SIP invitation messages to the client.
In another optional embodiment, processor 1302 is used to use the certification key for consulting to determine with the client Carrying out two-way SIP authentications includes:
Processor 1302 sends the 3rd SIP invitation messages by transmitter 1304 to the client, to initiate the clothes Device be engaged in the SIP authentication processes of the client, and when client authentication passes through, passes through receiver 1303 and receives institute The 4th SIP invitation messages of client transmission are stated, to initiate SIP authentication process of the client to the server, wherein, The 4th SIP invitation messages are that the client is sent after server authentication passes through.
Correspondingly, transmitter 1304 is additionally operable to send the 3rd SIP invitation messages to the client;Receiver 1303 is also used In the 4th SIP invitation messages for receiving the client transmission.
Optionally, in specific implementation, if memory 1301, processor 1302, receiver 1303 and transmitter 1304 Independent to realize, then memory 1301, processor 1302, receiver 1303 and transmitter 1304 can be connected with each other simultaneously by bus Complete mutual communication.The bus can be isa bus, pci bus or eisa bus etc..The bus can be divided into ground Location bus, data/address bus, controlling bus etc..For ease of representing, only represented in Figure 13 with a thick line, it is not intended that only one Root bus or a type of bus.
Optionally, in specific implementation, if memory 1301, processor 1302, receiver 1303 and transmitter 1304 Integrated to realize on one chip, then memory 1301, processor 1302, receiver 1303 and transmitter 1304 can be by interior Portion's interface completes the communication of identical.
The server provided in this embodiment can be used to perform the operations performed by the server in the embodiments shown in Fig. 1 to Fig. 5. Its working principle is not repeated here; refer to the description of the method embodiments.
The server provided in this embodiment negotiates with the client to determine the certification key used in the SIP authentication process, and then performs two-way SIP authentication based on the negotiated certification key, instead of authenticating with a preset key as in the prior art. This overcomes the prior-art problem that the key is easily obtained illegally, which in turn reduces the security of SIP communication, and helps improve the security of SIP communication.
A person of ordinary skill in the art will understand that all or some of the steps of the above method embodiments may be completed by hardware under the control of program instructions. The program may be stored in a computer-readable storage medium. When executed, the program performs the steps of the above method embodiments. The storage medium includes any medium that can store program code, such as ROM, RAM, a magnetic disk or an optical disc.
Finally, it should be noted that the above embodiments are only intended to illustrate the technical solutions of the present invention, not to limit them. Although the present invention has been described in detail with reference to the foregoing embodiments, a person of ordinary skill in the art should understand that the technical solutions described in the foregoing embodiments may still be modified, or some or all of their technical features may be equivalently replaced, and that such modifications or replacements do not cause the essence of the corresponding technical solutions to depart from the scope of the technical solutions of the embodiments of the present invention.

Claims (20)

  1. A method for authenticating, characterized by comprising:
    a client negotiating with a server to determine the certification key used in the Session Initiation Protocol (SIP) authentication process;
    the client performing two-way SIP authentication with the server using the negotiated certification key;
    wherein the client negotiating with the server to determine the certification key used in the SIP authentication process comprises:
    the client randomly generating the certification key and encrypting the certification key using a public key;
    the client carrying the encrypted certification key in a first SIP request message and sending it to the server, so that the server decrypts the encrypted certification key using the private key corresponding to the public key, obtains the certification key and stores it locally.
  2. The method for authenticating according to claim 1, characterized in that the client randomly generating the certification key and encrypting the certification key using a public key comprises:
    the client randomly generating the certification key and determining the life cycle of the certification key;
    the client encrypting the certification key and the life cycle together using the public key;
    and the client carrying the encrypted certification key in a first SIP request message and sending it to the server, so that the server decrypts the encrypted certification key using the private key corresponding to the public key, obtains the certification key and stores it locally, comprises:
    the client carrying the encrypted certification key and the encrypted life cycle together in the first SIP request message and sending them to the server, so that the server decrypts the encrypted certification key and the encrypted life cycle using the private key corresponding to the public key, obtains the certification key and the life cycle respectively and stores them locally, wherein the life cycle is used by the server to determine the remaining effective time of the certification key and, when the remaining effective time of the certification key is less than a predetermined threshold, to initiate a certification key update process with the client.
  3. The method for authenticating according to claim 2, characterized by further comprising:
    the client receiving a second SIP request message sent by the server, the second SIP request message being used by the server to request the client to update the certification key;
    the client, according to the second SIP request message, randomly generating a new certification key after the life cycle of the certification key ends, encrypting the new certification key and sending it to the server, so as to update the certification key.
  4. The method for authenticating according to any one of claims 1-3, characterized in that the client performing two-way SIP authentication with the server using the negotiated certification key comprises:
    the client sending a first SIP invitation message to the server, to actively initiate the server's SIP authentication process for the client;
    the client receiving a second SIP invitation message sent by the server, to initiate the client's SIP authentication process for the server, wherein the second SIP invitation message is sent by the server after client authentication passes.
  5. The method for authenticating according to any one of claims 1-3, characterized in that the client performing two-way SIP authentication with the server using the negotiated certification key comprises:
    the client receiving a third SIP invitation message sent by the server, to initiate the server's SIP authentication process for the client;
    the client sending, after authentication passes, a fourth SIP invitation message to the server, to initiate the client's SIP authentication process for the server.
  6. A method for authenticating, characterized by comprising:
    a server negotiating with a client to determine the certification key used in the Session Initiation Protocol (SIP) authentication process;
    the server performing two-way SIP authentication with the client using the negotiated certification key;
    wherein the server negotiating with the client to determine the certification key used in the SIP authentication process comprises:
    the server receiving a first SIP request message sent by the client, the first SIP request message carrying the certification key encrypted by the client using a public key;
    the server decrypting the encrypted certification key using the private key corresponding to the public key, obtaining the certification key and storing it locally.
  7. The method for authenticating according to claim 6, characterized in that the first SIP request message further comprises a life cycle encrypted by the client using the public key, the life cycle being determined by the client for the certification key after generating the certification key;
    the method for authenticating further comprises:
    the server decrypting the encrypted life cycle using the private key, obtaining the life cycle and storing it locally.
  8. The method for authenticating according to claim 7, characterized by further comprising:
    the server determining the remaining effective time of the certification key according to the life cycle and, when the remaining effective time of the certification key is less than a predetermined threshold, sending a second SIP request message to the client, the second SIP request message being used by the server to request the client to update the certification key;
    the server receiving the encrypted new certification key sent by the client, so as to update the certification key, the new certification key being randomly generated by the client, according to the second SIP request message, after the life cycle of the certification key ends.
  9. The method for authenticating according to any one of claims 6-8, characterized in that the server performing two-way SIP authentication with the client using the negotiated certification key comprises:
    the server receiving a first SIP invitation message sent by the client, to initiate the server's SIP authentication process for the client;
    the server sending, after client authentication passes, a second SIP invitation message to the client, to initiate the client's SIP authentication process for the server.
  10. The method for authenticating according to any one of claims 6-8, characterized in that the server performing two-way SIP authentication with the client using the negotiated certification key comprises:
    the server sending a third SIP invitation message to the client, to initiate the server's SIP authentication process for the client;
    the server receiving a fourth SIP invitation message sent by the client, to initiate the client's SIP authentication process for the server, wherein the fourth SIP invitation message is sent by the client after server authentication passes.
  11. A client, characterized by comprising:
    a negotiation module, configured to negotiate with a server to determine the certification key used in the Session Initiation Protocol (SIP) authentication process;
    an authentication module, configured to perform two-way SIP authentication with the server using the certification key determined by the negotiation module;
    wherein the negotiation module comprises:
    a generation and encryption unit, configured to randomly generate the certification key and encrypt the certification key using a public key;
    a sending unit, configured to carry the certification key encrypted by the generation and encryption unit in a first SIP request message and send it to the server, so that the server decrypts the encrypted certification key using the private key corresponding to the public key, obtains the certification key and stores it locally.
  12. The client according to claim 11, characterized in that the generation and encryption unit is specifically configured to randomly generate the certification key, determine the life cycle of the certification key, and encrypt the certification key and the life cycle together using the public key;
    the sending unit is specifically configured to carry the certification key encrypted by the generation and encryption unit and the encrypted life cycle together in the first SIP request message and send them to the server, so that the server decrypts the encrypted certification key and the encrypted life cycle using the private key corresponding to the public key, obtains the certification key and the life cycle respectively and stores them locally, wherein the life cycle is used by the server to determine the remaining effective time of the certification key and, when the remaining effective time of the certification key is less than a predetermined threshold, to initiate a certification key update process with the client.
  13. The client according to claim 12, characterized by further comprising:
    a receiving module, configured to receive a second SIP request message sent by the server, the second SIP request message being used by the server to request the client to update the certification key;
    an update module, configured to, according to the second SIP request message, randomly generate a new certification key after the life cycle of the certification key ends, encrypt the new certification key and send it to the server, so as to update the certification key.
  14. The client according to any one of claims 11-13, characterized in that the authentication module comprises:
    a first authenticating unit, configured to send a first SIP invitation message to the server, to actively initiate the server's SIP authentication process for the client;
    a second authenticating unit, configured to receive a second SIP invitation message sent by the server, to initiate the client's SIP authentication process for the server, wherein the second SIP invitation message is sent by the server after client authentication passes.
  15. The client according to any one of claims 11-13, characterized in that the authentication module comprises:
    a third authenticating unit, configured to receive a third SIP invitation message sent by the server, to initiate the server's SIP authentication process for the client;
    a fourth authenticating unit, configured to send a fourth SIP invitation message to the server when the authentication result of the third authenticating unit is that authentication passes, to initiate the client's SIP authentication process for the server.
  16. A server, characterized by comprising:
    a negotiation module, configured to negotiate with a client to determine the certification key used in the Session Initiation Protocol (SIP) authentication process;
    an authentication module, configured to perform two-way SIP authentication with the client using the negotiated certification key;
    wherein the negotiation module comprises:
    a receiving unit, configured to receive a first SIP request message sent by the client, the first SIP request message carrying the certification key encrypted by the client using a public key;
    an acquiring unit, configured to decrypt the encrypted certification key using the private key corresponding to the public key, obtain the certification key and store it locally.
  17. The server according to claim 16, characterized in that the first SIP request message further comprises a life cycle encrypted by the client using the public key, the life cycle being determined by the client for the certification key after generating the certification key;
    the acquiring unit is further configured to decrypt the encrypted life cycle using the private key, obtain the life cycle and store it locally.
  18. The server according to claim 17, characterized by further comprising:
    a determining module, configured to determine the remaining effective time of the certification key according to the life cycle;
    a sending module, configured to send a second SIP request message to the client when the determining module determines that the remaining effective time of the certification key is less than a predetermined threshold, the second SIP request message being used by the server to request the client to update the certification key;
    a receiving module, configured to receive the encrypted new certification key sent by the client, so as to update the certification key, the new certification key being randomly generated by the client, according to the second SIP request message, after the life cycle of the certification key ends.
  19. The server according to any one of claims 16-18, characterized in that the authentication module comprises:
    a first authenticating unit, configured to receive a first SIP invitation message sent by the client, to initiate the server's SIP authentication process for the client;
    a second authenticating unit, configured to send a second SIP invitation message to the client when the authentication result of the first authenticating unit is that client authentication passes, to initiate the client's SIP authentication process for the server.
  20. The server according to any one of claims 16-18, characterized in that the authentication module comprises:
    a third authenticating unit, configured to send a third SIP invitation message to the client, to initiate the server's SIP authentication process for the client;
    a fourth authenticating unit, configured to receive, when the authentication result of the third authenticating unit is that client authentication passes, a fourth SIP invitation message sent by the client, to initiate the client's SIP authentication process for the server, wherein the fourth SIP invitation message is sent by the client after server authentication passes.
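
The server-side behaviour set out in claims 6 to 9, as an added example that is not code from the patent: the stored life cycle drives the update request, and two-way authentication runs server-checks-client first, then client-checks-server. The claims do not fix the authentication computation, so HMAC-SHA256 challenge-response is an assumption here, as are all names, the role tags and the sample values; the public-key transport of the key is omitted.

```python
import hashlib
import hmac
import secrets


class NegotiatedKey:
    """Server-side record of the certification key and life cycle that were
    decrypted from the first SIP request (the decryption itself is omitted)."""

    def __init__(self, key: bytes, life_cycle_s: float, stored_at: float):
        self.key = key
        self.life_cycle_s = life_cycle_s
        self.stored_at = stored_at

    def remaining(self, now: float) -> float:
        """Remaining effective time of the key, never negative."""
        return max(0.0, self.stored_at + self.life_cycle_s - now)

    def state(self, now: float, threshold_s: float) -> str:
        """'expired', 'update-requested' (send the second SIP request) or 'valid'."""
        left = self.remaining(now)
        if left == 0.0:
            return "expired"
        return "update-requested" if left < threshold_s else "valid"


def response(key: bytes, role: bytes, nonce: bytes) -> bytes:
    # Assumption: HMAC-SHA256 over a role tag and the verifier's nonce. The role
    # tag stops a response from one direction being replayed in the other.
    return hmac.new(key, role + b":" + nonce, hashlib.sha256).digest()


def authenticate(verifier_key: bytes, prover_key: bytes, role: bytes) -> bool:
    """One direction: the verifier issues a fresh nonce, the prover answers."""
    nonce = secrets.token_bytes(16)
    answer = response(prover_key, role, nonce)      # computed by the prover
    expected = response(verifier_key, role, nonce)  # computed by the verifier
    return hmac.compare_digest(expected, answer)


def two_way_auth(record: NegotiatedKey, client_key: bytes, now: float) -> str:
    """Order from claim 9: the server authenticates the client first, and only
    then does the client authenticate the server."""
    if record.state(now, 0.0) == "expired":
        return "key-expired"  # never authenticate with a stale key
    if not authenticate(record.key, client_key, b"client"):
        return "client-rejected"
    if not authenticate(client_key, record.key, b"server"):
        return "server-rejected"
    return "ok"


# Constructed sample values: one-hour life cycle, key stored at t = 1000 s.
SAMPLE_KEY = secrets.token_bytes(32)
SAMPLE = NegotiatedKey(SAMPLE_KEY, life_cycle_s=3600.0, stored_at=1000.0)

if __name__ == "__main__":
    for t in (1500.0, 4400.0, 5000.0):
        print(t, SAMPLE.state(t, threshold_s=300.0),
              two_way_auth(SAMPLE, SAMPLE_KEY, t))
```

In the update-requested state the old key still authenticates, because the new key is only generated once the life cycle has ended.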
CN201310270136.XA 2013-06-29 2013-06-29 Method for authenticating, client and server Active CN104253806B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201310270136.XA CN104253806B (en) 2013-06-29 2013-06-29 Method for authenticating, client and server

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201310270136.XA CN104253806B (en) 2013-06-29 2013-06-29 Method for authenticating, client and server

Publications (2)

Publication Number Publication Date
CN104253806A CN104253806A (en) 2014-12-31
CN104253806B CN104253806B (en) 2017-11-17

Family

ID=52188343

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201310270136.XA Active CN104253806B (en) 2013-06-29 2013-06-29 Method for authenticating, client and server

Country Status (1)

Country Link
CN (1) CN104253806B (en)

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106656992B (en) * 2016-11-03 2020-06-19 林锦吾 Information verification method
CN110636503B (en) * 2019-09-24 2023-03-24 中国联合网络通信集团有限公司 Data encryption method, device, equipment and computer readable storage medium
CN114726558A (en) * 2020-12-21 2022-07-08 航天信息股份有限公司 Authentication method, authentication device, electronic equipment and storage medium

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2004075584A1 (en) * 2003-02-20 2004-09-02 Siemens Aktiengesellschaft Method for creating and distributing cryptographic keys in a mobile radio system, and corresponding mobile radio system
CN1728635A (en) * 2004-07-30 2006-02-01 华为技术有限公司 Authentication method in use for digital clustering operation in CDMA system
CN101969446A (en) * 2010-11-02 2011-02-09 北京交通大学 Mobile commerce identity authentication method
CN103096317A (en) * 2011-11-08 2013-05-08 中国电信股份有限公司 Two-way authentication method and system based on sharing enciphered data

Also Published As

Publication number Publication date
CN104253806A (en) 2014-12-31

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant
CP01 Change in the name or title of a patent holder

Address after: 518129 Building 2, B District, Bantian HUAWEI base, Longgang District, Shenzhen, Guangdong.

Patentee after: Huawei terminal (Shenzhen) Co.,Ltd.

Address before: 518129 Building 2, B District, Bantian HUAWEI base, Longgang District, Shenzhen, Guangdong.

Patentee before: HUAWEI DEVICE Co.,Ltd.

CP01 Change in the name or title of a patent holder
TR01 Transfer of patent right

Effective date of registration: 20181218

Address after: 523808 Southern Factory Building (Phase I) Project B2 Production Plant-5, New Town Avenue, Songshan Lake High-tech Industrial Development Zone, Dongguan City, Guangdong Province

Patentee after: HUAWEI DEVICE Co.,Ltd.

Address before: 518129 Building 2, B District, Bantian HUAWEI base, Longgang District, Shenzhen, Guangdong.

Patentee before: Huawei terminal (Shenzhen) Co.,Ltd.

TR01 Transfer of patent right