Summary of the invention
An authentication method, a client and a server are provided to improve the security of SIP communication.
A first aspect provides an authentication method, including:
A client negotiates with a server to determine the authentication key used in the Session Initiation Protocol (SIP) authentication process;
The client performs two-way SIP authentication with the server using the negotiated authentication key.
With reference to the first aspect, in a first possible implementation of the first aspect, the client negotiating with the server to determine the authentication key used in the SIP authentication process includes:
The client randomly generates the authentication key and encrypts it with a public key;
The client carries the encrypted authentication key in a first SIP request message and sends it to the server, so that the server decrypts the encrypted authentication key with the private key corresponding to the public key, obtains the authentication key and stores it locally.
With reference to the first possible implementation of the first aspect, in a second possible implementation of the first aspect, the client randomly generating the authentication key and encrypting it with the public key includes:
The client randomly generates the authentication key and determines the lifetime of the authentication key;
The client encrypts both the authentication key and the lifetime with the public key;
The client carrying the encrypted authentication key in the first SIP request message and sending it to the server, so that the server decrypts the encrypted authentication key with the private key corresponding to the public key, obtains the authentication key and stores it locally, includes:
The client carries both the encrypted authentication key and the encrypted lifetime in the first SIP request message and sends it to the server, so that the server decrypts the encrypted authentication key and the encrypted lifetime with the private key corresponding to the public key, obtains the authentication key and the lifetime respectively and stores them locally, where the lifetime is used by the server to determine the remaining validity time of the authentication key and, when the remaining validity time is less than a preset threshold, to initiate an authentication key update process with the client.
With reference to the second possible implementation of the first aspect, in a third possible implementation of the first aspect, the authentication method further includes:
The client receives a second SIP request message sent by the server, the second SIP request being used by the server to request that the client update the authentication key;
According to the second SIP request message, after the lifetime of the authentication key ends, the client randomly generates a new authentication key, encrypts it and sends it to the server, thereby updating the authentication key.
With reference to the first aspect, or the first, second or third possible implementation of the first aspect, in a fourth possible implementation of the first aspect, the client performing two-way SIP authentication with the server using the negotiated authentication key includes:
The client sends a first SIP INVITE message to the server to actively initiate the server's SIP authentication of the client;
The client receives a second SIP INVITE message sent by the server, which initiates the client's SIP authentication of the server, where the second SIP INVITE message is sent by the server after the client has passed authentication.
With reference to the first aspect, or the first, second or third possible implementation of the first aspect, in a fifth possible implementation of the first aspect, the client performing two-way SIP authentication with the server using the negotiated authentication key includes:
The client receives a third SIP INVITE message sent by the server, which initiates the server's SIP authentication of the client;
After authentication passes, the client sends a fourth SIP INVITE message to the server to initiate the client's SIP authentication of the server.
A second aspect provides an authentication method, including:
A server negotiates with a client to determine the authentication key used in the Session Initiation Protocol (SIP) authentication process;
The server performs two-way SIP authentication with the client using the negotiated authentication key.
With reference to the second aspect, in a first possible implementation of the second aspect, the server negotiating with the client to determine the authentication key used in the SIP authentication process includes:
The server receives a first SIP request message sent by the client, the first SIP request message carrying the authentication key encrypted by the client with a public key;
The server decrypts the encrypted authentication key with the private key corresponding to the public key, obtains the authentication key and stores it locally.
With reference to the first possible implementation of the second aspect, in a second possible implementation of the second aspect, the first SIP request message further includes a lifetime encrypted by the client with the public key, the lifetime being determined by the client for the authentication key after the authentication key is generated;
The authentication method further includes:
The server decrypts the encrypted lifetime with the private key, obtains the lifetime and stores it locally.
With reference to the second possible implementation of the second aspect, in a third possible implementation of the second aspect, the authentication method further includes:
The server determines the remaining validity time of the authentication key according to the lifetime and, when the remaining validity time is less than a preset threshold, sends a second SIP request message to the client, the second SIP request being used by the server to request that the client update the authentication key;
The server receives the encrypted new authentication key sent by the client, thereby updating the authentication key, where the new authentication key is randomly generated by the client according to the second SIP request message after the lifetime of the authentication key ends.
With reference to the second aspect, or the first, second or third possible implementation of the second aspect, in a fourth possible implementation of the second aspect, the server performing two-way SIP authentication with the client using the negotiated authentication key includes:
The server receives a first SIP INVITE message sent by the client, which initiates the server's SIP authentication of the client;
After the client passes authentication, the server sends a second SIP INVITE message to the client to initiate the client's SIP authentication of the server.
With reference to the second aspect, or the first, second or third possible implementation of the second aspect, in a fifth possible implementation of the second aspect, the server performing two-way SIP authentication with the client using the negotiated authentication key includes:
The server sends a third SIP INVITE message to the client to initiate the server's SIP authentication of the client;
The server receives a fourth SIP INVITE message sent by the client, which initiates the client's SIP authentication of the server, where the fourth SIP INVITE message is sent by the client after the server has passed authentication.
A third aspect provides a client, including:
A negotiation module, configured to negotiate with a server to determine the authentication key used in the Session Initiation Protocol (SIP) authentication process;
An authentication module, configured to perform two-way SIP authentication with the server using the authentication key negotiated by the negotiation module.
With reference to the third aspect, in a first possible implementation of the third aspect, the negotiation module includes:
A generation and encryption unit, configured to randomly generate the authentication key and encrypt it with a public key;
A sending unit, configured to carry the authentication key encrypted by the generation and encryption unit in a first SIP request message and send it to the server, so that the server decrypts the encrypted authentication key with the private key corresponding to the public key, obtains the authentication key and stores it locally.
With reference to the first possible implementation of the third aspect, in a second possible implementation of the third aspect, the generation and encryption unit is specifically configured to randomly generate the authentication key, determine the lifetime of the authentication key, and encrypt both the authentication key and the lifetime with the public key;
The sending unit is specifically configured to carry both the authentication key and the lifetime encrypted by the generation and encryption unit in the first SIP request message and send it to the server, so that the server decrypts the encrypted authentication key and the encrypted lifetime with the private key corresponding to the public key, obtains the authentication key and the lifetime respectively and stores them locally, where the lifetime is used by the server to determine the remaining validity time of the authentication key and, when the remaining validity time is less than a preset threshold, to initiate an authentication key update process with the client.
With reference to the second possible implementation of the third aspect, in a third possible implementation of the third aspect, the client further includes:
A receiving module, configured to receive a second SIP request message sent by the server, the second SIP request being used by the server to request that the client update the authentication key;
An update module, configured to, according to the second SIP request message and after the lifetime of the authentication key ends, randomly generate a new authentication key, encrypt it and send it to the server, thereby updating the authentication key.
With reference to the third aspect, or the first, second or third possible implementation of the third aspect, in a fourth possible implementation of the third aspect, the authentication module includes:
A first authentication unit, configured to send a first SIP INVITE message to the server to actively initiate the server's SIP authentication of the client;
A second authentication unit, configured to receive a second SIP INVITE message sent by the server, which initiates the client's SIP authentication of the server, where the second SIP INVITE message is sent by the server after the client has passed authentication.
With reference to the third aspect, or the first, second or third possible implementation of the third aspect, in a fifth possible implementation of the third aspect, the authentication module includes:
A third authentication unit, configured to receive a third SIP INVITE message sent by the server, which initiates the server's SIP authentication of the client;
A fourth authentication unit, configured to, when the authentication result of the third authentication unit is that authentication has passed, send a fourth SIP INVITE message to the server to initiate the client's SIP authentication of the server.
A fourth aspect provides a server, including:
A negotiation module, configured to negotiate with a client to determine the authentication key used in the Session Initiation Protocol (SIP) authentication process;
An authentication module, configured to perform two-way SIP authentication with the client using the negotiated authentication key.
With reference to the fourth aspect, in a first possible implementation of the fourth aspect, the negotiation module includes:
A receiving unit, configured to receive a first SIP request message sent by the client, the first SIP request message carrying the authentication key encrypted by the client with a public key;
An obtaining unit, configured to decrypt the encrypted authentication key with the private key corresponding to the public key, obtain the authentication key and store it locally.
With reference to the first possible implementation of the fourth aspect, in a second possible implementation of the fourth aspect, the first SIP request message further includes a lifetime encrypted by the client with the public key, the lifetime being determined by the client for the authentication key after the authentication key is generated;
The obtaining unit is further configured to decrypt the encrypted lifetime with the private key, obtain the lifetime and store it locally.
With reference to the second possible implementation of the fourth aspect, in a third possible implementation of the fourth aspect, the server further includes:
A determining module, configured to determine the remaining validity time of the authentication key according to the lifetime;
A sending module, configured to send a second SIP request message to the client when the determining module determines that the remaining validity time of the authentication key is less than a preset threshold, the second SIP request being used by the server to request that the client update the authentication key;
A receiving module, configured to receive the encrypted new authentication key sent by the client, thereby updating the authentication key, where the new authentication key is randomly generated by the client according to the second SIP request message after the lifetime of the authentication key ends.
With reference to the fourth aspect, or the first, second or third possible implementation of the fourth aspect, in a fourth possible implementation of the fourth aspect, the authentication module includes:
A first authentication unit, configured to receive a first SIP INVITE message sent by the client, which initiates the server's SIP authentication of the client;
A second authentication unit, configured to, after the authentication result of the first authentication unit is that the client has passed authentication, send a second SIP INVITE message to the client to initiate the client's SIP authentication of the server.
With reference to the fourth aspect, or the first, second or third possible implementation of the fourth aspect, in a fifth possible implementation of the fourth aspect, the authentication module includes:
A third authentication unit, configured to send a third SIP INVITE message to the client to initiate the server's SIP authentication of the client;
A fourth authentication unit, configured to, when the authentication result of the third authentication unit is that the client has passed authentication, receive a fourth SIP INVITE message sent by the client, which initiates the client's SIP authentication of the server, where the fourth SIP INVITE message is sent by the client after the server has passed authentication.
With the authentication method, client and server provided, the client and the server determine through negotiation the authentication key used in the SIP authentication process and then perform two-way SIP authentication based on the negotiated authentication key, instead of authenticating based on a preset key as in the prior art. This overcomes the prior-art problem that the key is easily obtained illegally, which reduces the security of SIP communication, and helps improve the security of SIP communication.
Embodiments
To make the purpose, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments are described clearly and completely below with reference to the accompanying drawings. The described embodiments are some of the embodiments of the present invention, not all of them. All other embodiments obtained by a person of ordinary skill in the art based on the embodiments of the present invention without creative effort fall within the scope of protection of the present invention.
Fig. 1 is a flowchart of an authentication method provided by an embodiment of the present invention. As shown in Fig. 1, the method includes:
101. The client and the server negotiate to determine the authentication key used in the SIP authentication process.
102. The client performs two-way SIP authentication with the server using the negotiated authentication key.
In this embodiment, both the client and the server support SIP and use SIP for authentication. By extending SIP, this embodiment allows the client and the server to negotiate dynamically and so determine the authentication key used in the SIP authentication process dynamically, instead of using a preconfigured authentication key as in the prior art. This overcomes the prior-art problem that the key is easily obtained illegally, which reduces the security of SIP communication, and helps improve the security of SIP communication. In addition, in this embodiment the client and the server use the same authentication key, which adds no configuration items at either the client or the server and therefore does not increase the complexity of service provisioning.
In an optional embodiment, one implementation of step 101, in which the client negotiates with the server to determine the authentication key used in the SIP authentication process, includes: the client randomly generates the authentication key and encrypts it with a public key; the client carries the encrypted authentication key in a first SIP request message and sends it to the server, so that the server decrypts the encrypted authentication key with the private key corresponding to the public key, obtains the authentication key and stores it locally.
After receiving the first SIP request message, the server extracts the encrypted authentication key from it, decrypts the encrypted authentication key using the public key to obtain the authentication key, and stores the obtained authentication key locally for use in the SIP authentication process.
Further, the client randomly generating the authentication key and encrypting it with the public key includes: the client randomly generates the authentication key and determines the lifetime (Time To Live, TTL for short) of the authentication key; the client encrypts both the authentication key and the lifetime with the public key.
Correspondingly, the client carrying the encrypted authentication key in the first SIP request message and sending it to the server, so that the server decrypts the encrypted authentication key with the private key corresponding to the public key, obtains the authentication key and stores it locally, includes:
The client carries both the encrypted authentication key and the encrypted lifetime in the first SIP request message and sends it to the server, so that the server decrypts the encrypted authentication key and the encrypted lifetime with the private key corresponding to the public key, obtains the authentication key and the lifetime respectively and stores them locally, where the lifetime is used by the server to determine the remaining validity time of the authentication key and, when the remaining validity time is less than a preset threshold, to initiate an authentication key update process with the client.
Because the client determines the lifetime of the authentication key when generating it, the authentication key is time-limited: after its lifetime ends the authentication key becomes invalid, and the client and the server can then negotiate a new authentication key, which further improves the security of SIP communication.
Based on the above lifetime, the authentication method further includes: the client receives a second SIP request message sent by the server, the second SIP request being used by the server to request that the client update the authentication key; according to the second SIP request message, after the lifetime of the authentication key ends, the client randomly generates a new authentication key, encrypts it and sends it to the server, thereby updating the authentication key.
In an optional embodiment, step 102 is implemented as follows: the client sends a first SIP INVITE message to the server to actively initiate the server's SIP authentication of the client; the client receives a second SIP INVITE message sent by the server, which initiates the client's SIP authentication of the server, where the second SIP INVITE message is sent by the server after the client has passed authentication. In this embodiment, the client actively initiates the two-way SIP authentication process, and the key used in the authentication process is no longer a preconfigured fixed key but the authentication key negotiated in step 101.
In another optional embodiment, step 102 is implemented as follows: the client receives a third SIP INVITE message sent by the server, which initiates the server's SIP authentication of the client; after authentication passes, the client sends a fourth SIP INVITE message to the server to initiate the client's SIP authentication of the server. In this embodiment, the server actively initiates the two-way SIP authentication process, and the key used in the authentication process is no longer a preconfigured fixed key but the authentication key negotiated in step 101.
Fig. 2 is a flowchart of another authentication method provided by an embodiment of the present invention. As shown in Fig. 2, the method includes:
201. The server and the client negotiate to determine the authentication key used in the Session Initiation Protocol (SIP) authentication process.
202. The server performs two-way SIP authentication with the client using the negotiated authentication key.
In this embodiment, both the client and the server support SIP and use SIP for authentication. By extending SIP, this embodiment allows the client and the server to negotiate dynamically and so determine the authentication key used in the SIP authentication process dynamically, instead of using a preconfigured authentication key as in the prior art. This overcomes the prior-art problem that the key is easily obtained illegally, which reduces the security of SIP communication, and helps improve the security of SIP communication. In addition, in this embodiment the client and the server use the same authentication key, which adds no configuration items at either the client or the server and therefore does not increase the complexity of service provisioning.
In an optional embodiment, step 201 is implemented as follows: the server receives a first SIP request message sent by the client, the first SIP request message carrying the authentication key encrypted by the client with a public key; the server decrypts the encrypted authentication key with the private key corresponding to the public key, obtains the authentication key and stores it locally.
Further, the first SIP request message also includes a lifetime encrypted by the client with the public key, the lifetime being determined by the client for the authentication key after the authentication key is generated. On this basis, the authentication method further includes: the server decrypts the encrypted lifetime with the private key, obtains the lifetime and stores it locally.
Further, the authentication method also includes: the server determines the remaining validity time of the authentication key according to the lifetime and, when the remaining validity time is less than a preset threshold, sends a second SIP request message to the client, the second SIP request being used by the server to request that the client update the authentication key; the server receives the encrypted new authentication key sent by the client, thereby updating the authentication key, where the new authentication key is randomly generated by the client according to the second SIP request message after the lifetime of the authentication key ends.
In an optional embodiment, step 202 is implemented as follows: the server receives a first SIP INVITE message sent by the client, which initiates the server's SIP authentication of the client; after the client passes authentication, the server sends a second SIP INVITE message to the client to initiate the client's SIP authentication of the server.
In another optional embodiment, step 202 is implemented as follows: the server sends a third SIP INVITE message to the client to initiate the server's SIP authentication of the client; the server receives a fourth SIP INVITE message sent by the client, which initiates the client's SIP authentication of the server, where the fourth SIP INVITE message is sent by the client after the server has passed authentication.
Fig. 3 is a flowchart of a method, in an authentication method provided by an embodiment of the present invention, by which the client and the server negotiate the authentication key. As shown in Fig. 3, the method includes:
31. The SIP client (client) randomly generates an authentication key and defines the TTL of the authentication key.
32. The SIP client uses the public key (Publickey) to encrypt the authentication key, the SIP account (username) and the above TTL, obtaining the encrypted client request key (Clientrequestkey).
In this embodiment, an asymmetric algorithm is used to generate two keys: a public key (Publickey) and a private key (Privatekey). The public key is distributed to the corresponding SIP client, and the private key is distributed to the SIP server (server) for its use.
33. The SIP client fills the encrypted client request key into the extended protocol field of a SIP request (request) message and sends it to the SIP server.
34. After receiving the SIP request message, the SIP server decrypts it using the private key corresponding to the public key.
35. The SIP server verifies the SIP account and obtains the authentication key and the TTL of the authentication key.
36. The SIP server returns a confirmation (ok) message to the SIP client.
The negotiated authentication key is used in the SIP request flow; that is, it is used as the verification password at INVITE (invite) time.
Fig. 4 is a flowchart of a method, provided by an embodiment of the present invention, by which the SIP client and the SIP server dynamically negotiate the authentication key when the lifetime of the authentication key is updated. As shown in Fig. 4, the method includes:
41. When the SIP server detects that the TTL is close to timing out, it uses the private key corresponding to the public key to sign the current authentication key, the SIP account and a TTL=0 flag, obtaining the signed server request key (Serverrequestkey).
The SIP server can determine the remaining validity time of the authentication key from the TTL. When the remaining validity time is less than the preset threshold, the server determines that the TTL of the authentication key is close to timing out or about to end, and in that case it marks the TTL as 0.
42. The SIP server fills the signed server request key into the extended protocol field of a SIP request (request) message and sends it to the SIP client.
43. After receiving the SIP request message, the SIP client decrypts the server request key using the public key and determines that the TTL of the current authentication key is about to time out.
44. After detecting TTL=0, the SIP client randomly generates a new authentication key and determines the TTL of that authentication key.
45. The SIP client uses the public key to encrypt the new authentication key, the SIP account and the TTL of the new authentication key, obtaining the encrypted client request key.
46. The SIP client fills the encrypted client request key into the extended protocol field of a SIP request message and sends it to the SIP server.
47. After receiving the SIP request message, the SIP server decrypts it using the private key.
48. The SIP server verifies the SIP account and obtains the new authentication key and the TTL of the new authentication key.
49. The SIP server returns a confirmation (ok) message to the SIP client.
From then on, the negotiated authentication key is used in the SIP request flow; that is, it is used as the verification password at INVITE (invite) time.
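The server-side lifetime tracking and renewal trigger of steps 41 to 48, as an added example that is not code from the patent. The class and function names, the 60-second threshold, the 16-byte minimum key length and the injectable clock are assumptions, and the signing and public-key encryption of the two messages is left out so the sketch runs with the standard library only.

```python
import secrets
import time
from dataclasses import dataclass


@dataclass
class KeyRecord:
    key: bytes        # negotiated authentication key
    ttl_s: float      # lifetime (TTL) chosen by the client, in seconds
    stored_at: float  # server clock reading when the key was accepted


class FakeClock:
    """Manually advanced clock so the behaviour can be checked without sleeping."""

    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


class ServerKeyStore:
    """Per-account store of negotiated keys (hypothetical helper)."""

    def __init__(self, threshold_s=60.0, clock=time.monotonic):
        self._records = {}
        self._threshold_s = threshold_s  # assumed value for the preset threshold
        self._clock = clock

    def store(self, username, key, ttl_s):
        """Steps 35 and 48: accept a key and its TTL for a verified account."""
        if ttl_s <= 0 or len(key) < 16:
            raise ValueError("refusing an empty lifetime or a short key")
        self._records[username] = KeyRecord(key, ttl_s, self._clock())

    def remaining(self, username):
        """Remaining validity in seconds; 0.0 when unknown or expired."""
        rec = self._records.get(username)
        if rec is None:
            return 0.0
        return max(0.0, rec.ttl_s - (self._clock() - rec.stored_at))

    def needs_renewal(self, username):
        """Step 41 trigger: a key exists and its remaining time is below the threshold."""
        return username in self._records and self.remaining(username) < self._threshold_s

    def key_for_auth(self, username):
        """Return the key only while its lifetime has not ended."""
        if self.remaining(username) <= 0.0:
            return None
        return self._records[username].key


def client_handle_request(request, ttl_s=3600.0):
    """Steps 43 to 45: on a TTL=0 request, draw a new random key and a new TTL."""
    if request.get("ttl") != 0:
        return None
    return {"username": request["username"],
            "key": secrets.token_bytes(32), "ttl": ttl_s}


def server_renew_if_due(store, username, ttl_s=3600.0):
    """Steps 41 to 48 without the crypto layer. Returns True when the key was rotated."""
    if not store.needs_renewal(username):
        return False
    request = {"username": username, "ttl": 0}         # step 41: TTL marked as 0
    reply = client_handle_request(request, ttl_s)      # steps 43 to 46
    if reply is None or reply["username"] != username:
        return False
    store.store(username, reply["key"], reply["ttl"])  # steps 47 and 48
    return True
```
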
For example, a method flow in which the client actively initiates SIP authentication is shown in Fig. 5 and includes:
51. The SIP client sends a SIP request message to the SIP server to request SIP authentication.
52. The SIP server randomly generates a field (random nonce) and carries the field and the reality value to the SIP client in a challenge (challenge) message.
53. The SIP client uses the previously negotiated authentication key to encrypt the field, the challenge and the SIP account, obtaining an encrypted response.
54. The SIP client fills the encrypted response, the field, the challenge and the SIP account into the extended protocol field of a SIP request message and sends it to the SIP server.
55. The SIP server uses the previously negotiated authentication key to verify the SIP request message and the encrypted response in it.
56. When the verification result is success, the SIP server sends a confirmation (ok) message to the SIP client.
Correspondingly, as shown in Fig. 5, the process in which the client performs SIP authentication of the server includes:
57. The SIP server sends a SIP request message to the SIP client to request SIP authentication.
58. The SIP client randomly generates a field (random nonce) and carries the field and the reality value to the SIP server in a challenge (challenge) message.
59. The SIP server uses the previously negotiated authentication key to encrypt the field, the challenge and the SIP account, obtaining an encrypted response.
60. The SIP server fills the encrypted response, the field, the challenge and the SIP account into the extended protocol field of a SIP request message and sends it to the SIP client.
61. The SIP client uses the previously negotiated authentication key to verify the SIP request message and the encrypted response in it.
62. When the verification result is success, the SIP client sends a confirmation (ok) message to the SIP server.
Illustrate herein, if server actively initiates SIP authorizing procedures, i.e. client passively receives authentication request, its
Process is similar with said process, will not be repeated here.
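The two-way exchange of steps 51-62, together with the server's check of the remaining TTL, as an added Python example (not code from the patent). It assumes the certification key has already been transported under the public key; HMAC-SHA-256 stands in for the unspecified keyed step that produces the response, "realm" and "nonce" stand for the field and the challenge, and the role label in the MAC input, the 60-second threshold, and all class and function names are assumptions.

```python
import hashlib
import hmac
import secrets

REFRESH_THRESHOLD = 60.0  # seconds; assumed value for the "predetermined threshold"


class KeyRecord:
    """A negotiated certification key and the TTL the client chose for it."""

    def __init__(self, key: bytes, ttl: float, now: float):
        self.key = key
        self.expires_at = now + ttl

    def remaining(self, now: float) -> float:
        return max(0.0, self.expires_at - now)

    def needs_refresh(self, now: float) -> bool:
        # Server-side check made before it signals TTL=0 to the client.
        return self.remaining(now) < REFRESH_THRESHOLD


def compute_response(key: bytes, role: str, realm: str, nonce: str, account: str) -> str:
    """Keyed response over length-prefixed fields (HMAC-SHA-256, an assumption)."""
    mac = hmac.new(key, digestmod=hashlib.sha256)
    for field in (role, realm, nonce, account):
        data = field.encode()
        mac.update(len(data).to_bytes(4, "big") + data)
    return mac.hexdigest()


class Party:
    """One end of the exchange; role is "client" or "server"."""

    def __init__(self, role: str, realm: str, record: KeyRecord):
        self.role = role
        self.realm = realm
        self.record = record
        self._issued = set()  # nonces sent out and not yet answered

    def challenge(self) -> dict:
        nonce = secrets.token_hex(16)
        self._issued.add(nonce)
        return {"realm": self.realm, "nonce": nonce}

    def respond(self, challenge: dict, account: str) -> dict:
        response = compute_response(self.record.key, self.role, challenge["realm"],
                                    challenge["nonce"], account)
        return {**challenge, "account": account, "response": response}

    def verify(self, msg: dict, now: float) -> bool:
        if msg["nonce"] not in self._issued:
            return False  # never issued, or already used once
        self._issued.discard(msg["nonce"])
        if self.record.remaining(now) <= 0:
            return False  # key lifetime is over; negotiate a new key first
        # The MAC must have been produced by the opposite role, so a response
        # computed for one direction is not accepted in the other.
        peer = "server" if self.role == "client" else "client"
        expected = compute_response(self.record.key, peer, msg["realm"],
                                    msg["nonce"], msg["account"])
        return hmac.compare_digest(expected, msg["response"])

    def rotate(self, new_key: bytes, ttl: float, now: float) -> None:
        # Install the key and TTL received in the update flow (steps 44-48).
        self.record = KeyRecord(new_key, ttl, now)


def mutual_auth(client: Party, server: Party, account: str, now: float) -> bool:
    # Steps 51-56: the server challenges the client and verifies its response.
    if not server.verify(client.respond(server.challenge(), account), now):
        return False
    # Steps 57-62: the client challenges the server and verifies its response.
    return client.verify(server.respond(client.challenge(), account), now)


if __name__ == "__main__":
    t0 = 0.0  # constructed clock value, so the run is deterministic
    key = secrets.token_bytes(32)
    client = Party("client", "sip.example.invalid", KeyRecord(key, 3600, t0))
    server = Party("server", "sip.example.invalid", KeyRecord(key, 3600, t0))
    print("mutual auth:", mutual_auth(client, server, "alice", t0))
    print("refresh due at t0+3590:", server.record.needs_refresh(t0 + 3590))
```

Because both ends hold the same certification key, the role label is what keeps a response generated in one direction from being accepted in the other; the page's flow does not specify such a label.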
As can be seen from the embodiments shown in Fig. 3 to Fig. 5, the embodiments of the present invention extend SIP to allow the client and the server to negotiate dynamically and so dynamically determine the certification key used in the SIP authentication process, instead of using a pre-configured certification key as in the prior art. This overcomes the prior-art problem that the key is easily obtained illegally, which reduces the security of SIP communications, and helps improve the security of SIP communications. In addition, in the embodiments of the present invention the client and the server use the same certification key, which adds no configuration items at either the client end or the server end and therefore does not increase the complexity of service provisioning.
Fig. 6 is a schematic structural diagram of a client according to an embodiment of the present invention. As shown in Fig. 6, the client includes a negotiation module 601 and an authentication module 602.
The negotiation module 601 is configured to negotiate with a server to determine the certification key used in the SIP authentication process.
The authentication module 602 is connected to the negotiation module 601 and is configured to perform two-way SIP authentication with the server using the certification key negotiated by the negotiation module 601.
In an optional embodiment, as shown in Fig. 7, one implementation structure of the negotiation module 601 includes a generating and encrypting unit 611 and a sending unit 612.
The generating and encrypting unit 611 is configured to randomly generate the certification key and encrypt the certification key using a public key.
The sending unit 612 is connected to the generating and encrypting unit 611 and is configured to carry the certification key encrypted by the generating and encrypting unit 611 in a first SIP request message and send it to the server, so that the server decrypts the encrypted certification key using the private key corresponding to the public key, obtains the certification key, and stores it locally.
The generating and encrypting unit 611 is also connected to the authentication module 602 and is configured to provide the certification key to the authentication module 602.
Further optionally, the generating and encrypting unit 611 may be specifically configured to randomly generate the certification key, determine the TTL of the certification key, and encrypt both the certification key and the TTL using the public key. Correspondingly, the sending unit 612 may be specifically configured to carry both the certification key encrypted by the generating and encrypting unit 611 and the encrypted TTL in the first SIP request message and send it to the server, so that the server decrypts the encrypted certification key and the encrypted TTL using the private key corresponding to the public key, obtains the certification key and the TTL respectively, and stores them locally. The TTL is used by the server to determine the remaining validity period of the certification key and, when the remaining validity period of the certification key is less than the predetermined threshold, to initiate a certification key update process with the client.
Based on the above, as shown in Fig. 7, the client further includes a receiving module 603 and an update module 604.
The receiving module 603 is configured to receive a second SIP request message sent by the server, where the second SIP request is used by the server to request the client to update the certification key.
The update module 604 is connected to the receiving module 603 and is configured to, according to the second SIP request message received by the receiving module 603, randomly generate a new certification key after the TTL of the certification key ends, encrypt the new certification key, and send it to the server, so as to update the certification key.
The update module 604 is also connected to the authentication module 602 and is configured to provide the updated certification key to the authentication module 602.
In an optional embodiment, as shown in Fig. 7, one implementation structure of the authentication module 602 includes a first authenticating unit 621 and a second authenticating unit 622.
The first authenticating unit 621 is configured to send a first SIP invitation message to the server, so as to actively initiate the server's SIP authentication process for the client.
The second authenticating unit 622 is connected to the first authenticating unit 621 and is configured to, after the authentication result of the first authenticating unit 621 is that the client's authentication passed, receive a second SIP invitation message sent by the server, so as to initiate the client's SIP authentication process for the server, where the second SIP invitation message is sent by the server after the client's authentication passes.
In an optional embodiment, as shown in Fig. 8, one implementation structure of the authentication module 602 includes a third authenticating unit 623 and a fourth authenticating unit 624.
The third authenticating unit 623 is configured to receive a third SIP invitation message sent by the server, so as to initiate the server's SIP authentication process for the client.
The fourth authenticating unit 624 is connected to the third authenticating unit 623 and is configured to, after the authentication result of the third authenticating unit 623 is that authentication passed, send a fourth SIP invitation message to the server, so as to initiate the client's SIP authentication process for the server.
The functional modules or units of the client provided in this embodiment can be used to perform the operations performed by the client in the embodiments shown in Fig. 1 to Fig. 5. Their specific working principles are not repeated here; see the description of the method embodiments.
The client provided in this embodiment negotiates with the server to determine the certification key used in the SIP authentication process and then performs two-way SIP authentication based on the negotiated certification key, instead of authenticating with a pre-set key as in the prior art. This overcomes the prior-art problem that the key is easily obtained illegally, which reduces the security of SIP communications, and helps improve the security of SIP communications.
Fig. 9 is a schematic structural diagram of another client according to an embodiment of the present invention. As shown in Fig. 9, the client includes a memory 91 and a processor 92.
The memory 91 is configured to store a program. Specifically, the program may include program code, and the program code includes computer operation instructions.
The memory 91 may include a high-speed RAM memory, and may also include a non-volatile memory, for example, at least one magnetic disk memory.
The processor 92 is configured to execute the program stored in the memory 91, so as to: negotiate with a server to determine the certification key used in the SIP authentication process, and perform two-way SIP authentication with the server using the negotiated certification key.
The processor 92 may be a central processing unit (Central Processing Unit, CPU), an application-specific integrated circuit (Application Specific Integrated Circuit, ASIC), or one or more integrated circuits configured to implement the embodiments of the present invention.
Further, as shown in Fig. 9, the client further includes a transmitter 93 and a receiver 94.
That the processor 92 is configured to negotiate with the server to determine the certification key used in the SIP authentication process includes: the processor 92 is configured to randomly generate the certification key, encrypt the certification key using a public key, and, through the transmitter 93, carry the encrypted certification key in a first SIP request message and send it to the server, so that the server decrypts the encrypted certification key using the private key corresponding to the public key, obtains the certification key, and stores it locally.
The transmitter 93 is configured to carry the certification key encrypted by the processor 92 in the first SIP request message and send it to the server.
Further, the processor 92 is specifically configured to randomly generate the certification key, determine the TTL of the certification key, encrypt both the certification key and the TTL using the public key, and, through the transmitter 93, carry both the encrypted certification key and the encrypted TTL in the first SIP request message and send it to the server, so that the server decrypts the encrypted certification key and the encrypted TTL using the private key corresponding to the public key, obtains the certification key and the TTL respectively, and stores them locally. The TTL is used by the server to determine the remaining validity period of the certification key and, when the remaining validity period of the certification key is less than the predetermined threshold, to initiate a certification key update process with the client.
Based on this, the transmitter 93 may be specifically configured to carry both the encrypted certification key and the encrypted TTL in the first SIP request message and send it to the server.
Based on the above, the receiver 94 is configured to receive a second SIP request message sent by the server, where the second SIP request is used by the server to request the client to update the certification key.
The processor 92 is further configured to, according to the second SIP request message received by the receiver 94, randomly generate a new certification key after the TTL of the certification key ends, encrypt the new certification key, and send it to the server, so as to update the certification key.
In an optional embodiment, that the processor 92 is configured to perform two-way SIP authentication with the server using the negotiated certification key includes: the processor 92 specifically sends a first SIP invitation message to the server through the transmitter 93, so as to actively initiate the server's SIP authentication process for the client, and, after the client's authentication passes, receives through the receiver 94 a second SIP invitation message sent by the server, so as to initiate the client's SIP authentication process for the server, where the second SIP invitation message is sent by the server after the client's authentication passes.
Correspondingly, the transmitter 93 is further configured to send the first SIP invitation message to the server, and the receiver 94 is further configured to receive the second SIP invitation message sent by the server.
In another optional embodiment, that the processor 92 is configured to perform two-way SIP authentication with the server using the negotiated certification key includes: the processor 92 is specifically configured to receive, through the receiver 94, a third SIP invitation message sent by the server, so as to initiate the server's SIP authentication process for the client, and, after the client's authentication passes, send a fourth SIP invitation message to the server through the transmitter 93, so as to initiate the client's SIP authentication process for the server.
Correspondingly, the receiver 94 is further configured to receive the third SIP invitation message sent by the server, and the transmitter 93 is further configured to send the fourth SIP invitation message to the server.
Optionally, in a specific implementation, if the memory 91, the processor 92, the transmitter 93, and the receiver 94 are implemented independently, they may be connected to one another through a bus and communicate with one another over it. The bus may be an Industry Standard Architecture (ISA) bus, a Peripheral Component Interconnect (PCI) bus, an Extended Industry Standard Architecture (EISA) bus, or the like. The bus may be divided into an address bus, a data bus, a control bus, and so on. For ease of representation, the bus is shown in Fig. 9 as a single thick line, but this does not mean that there is only one bus or only one type of bus.
Optionally, in a specific implementation, if the memory 91, the processor 92, the transmitter 93, and the receiver 94 are integrated on a single chip, they may communicate with one another through an internal interface.
The client provided in this embodiment can be used to perform the operations performed by the client in the embodiments shown in Fig. 1 to Fig. 5. Its specific working principles are not repeated here; see the description of the method embodiments.
The client provided in this embodiment negotiates with the server to determine the certification key used in the SIP authentication process and then performs two-way SIP authentication based on the negotiated certification key, instead of authenticating with a pre-set key as in the prior art. This overcomes the prior-art problem that the key is easily obtained illegally, which reduces the security of SIP communications, and helps improve the security of SIP communications.
Fig. 10 is a schematic structural diagram of a server according to an embodiment of the present invention. As shown in Fig. 10, the server includes a negotiation module 1001 and an authentication module 1002.
The negotiation module 1001 is configured to negotiate with a client to determine the certification key used in the SIP authentication process.
The authentication module 1002 is connected to the negotiation module 1001 and is configured to perform two-way SIP authentication with the client using the certification key negotiated by the negotiation module 1001.
In an optional embodiment, as shown in Fig. 11, one implementation structure of the negotiation module 1001 includes a receiving unit 10011 and an acquiring unit 10012.
The receiving unit 10011 is configured to receive a first SIP request message sent by the client, where the first SIP request message carries the certification key encrypted by the client using a public key.
The acquiring unit 10012 is connected to the receiving unit 10011 and is configured to decrypt, using the private key corresponding to the public key, the encrypted certification key received by the receiving unit 10011, obtain the certification key, and store it locally.
The acquiring unit 10012 is also connected to the authentication module 1002 and is configured to provide the certification key to the authentication module 1002.
In an optional embodiment, the first SIP request message further includes a TTL encrypted by the client using the public key, where the TTL is determined by the client for the certification key after the client generates the certification key.
Based on the above, the acquiring unit 10012 is further configured to decrypt the encrypted TTL using the private key, obtain the TTL, and store it locally.
Based on the above, as shown in Fig. 11, the server further includes a determining module 1003, a sending module 1004, and a receiving module 1005.
The determining module 1003 is connected to the acquiring unit 10012 and is configured to determine the remaining validity period of the certification key according to the TTL obtained by the acquiring unit 10012.
The sending module 1004 is connected to the determining module 1003 and is configured to send a second SIP request message to the client when the determining module 1003 determines that the remaining validity period of the certification key is less than the predetermined threshold, where the second SIP request is used by the server to request the client to update the certification key.
The receiving module 1005 is connected to the sending module 1004 and is configured to, after the sending module 1004 sends the second SIP request, receive the encrypted new certification key sent by the client, so as to update the certification key, where the new certification key is randomly generated by the client according to the second SIP request message after the TTL of the certification key ends.
The receiving module 1005 is also connected to the authentication module 1002 and is configured to provide the new certification key to the authentication module 1002.
In an optional embodiment, as shown in Fig. 11, the authentication module 1002 includes a first authenticating unit 10021 and a second authenticating unit 10022.
The first authenticating unit 10021 is configured to receive a first SIP invitation message sent by the client, so as to initiate the server's SIP authentication process for the client.
The second authenticating unit 10022 is connected to the first authenticating unit 10021 and is configured to, after the authentication result of the first authenticating unit 10021 is that the client's authentication passed, send a second SIP invitation message to the client, so as to initiate the client's SIP authentication process for the server.
In another optional embodiment, as shown in Fig. 12, the authentication module 1002 includes a third authenticating unit 10023 and a fourth authenticating unit 10024.
The third authenticating unit 10023 is configured to send a third SIP invitation message to the client, so as to initiate the server's SIP authentication process for the client.
The fourth authenticating unit 10024 is connected to the third authenticating unit 10023 and is configured to, when the authentication result of the third authenticating unit 10023 is that the client's authentication passed, receive a fourth SIP invitation message sent by the client, so as to initiate the client's SIP authentication process for the server, where the fourth SIP invitation message is sent by the client after the server's authentication passes.
The functional modules or units of the server provided in this embodiment can be used to perform the operations performed by the server in the embodiments shown in Fig. 1 to Fig. 5. Their specific working principles are not repeated here; see the description of the method embodiments.
The server provided in this embodiment negotiates with the client to determine the certification key used in the SIP authentication process and then performs two-way SIP authentication based on the negotiated certification key, instead of authenticating with a pre-set key as in the prior art. This overcomes the prior-art problem that the key is easily obtained illegally, which reduces the security of SIP communications, and helps improve the security of SIP communications.
Fig. 13 is a schematic structural diagram of another server according to an embodiment of the present invention. As shown in Fig. 13, the server includes a memory 1301 and a processor 1302.
The memory 1301 is configured to store a program. Specifically, the program may include program code, and the program code includes computer operation instructions.
The memory 1301 may include a high-speed RAM memory, and may also include a non-volatile memory, for example, at least one magnetic disk memory.
The processor 1302 is configured to negotiate with a client to determine the certification key used in the SIP authentication process, and to perform two-way SIP authentication with the client using the negotiated certification key.
The processor 1302 may be a CPU, an ASIC, or one or more integrated circuits configured to implement the embodiments of the present invention.
Further, as shown in Fig. 13, the server further includes a receiver 1303 and a transmitter 1304.
Optionally, that the processor 1302 is configured to negotiate with the client to determine the certification key used in the SIP authentication process includes: the processor 1302 receives, through the receiver 1303, a first SIP request message sent by the client, where the first SIP request message carries the certification key encrypted by the client using a public key, and then decrypts, using the private key corresponding to the public key, the encrypted certification key received by the receiver 1303, obtains the certification key, and stores it locally.
In an optional embodiment, the first SIP request message further includes a TTL encrypted by the client using the public key, where the TTL is determined by the client for the certification key after the client generates the certification key.
Further, the processor 1302 is also configured to decrypt the encrypted TTL using the private key, obtain the TTL, and store it locally.
Based on the above, the processor 1302 is further configured to determine the remaining validity period of the certification key according to the obtained TTL.
The transmitter 1304 is configured to send a second SIP request message to the client when the processor 1302 determines that the remaining validity period of the certification key is less than the predetermined threshold, where the second SIP request is used by the server to request the client to update the certification key.
The receiver 1303 is further configured to, after the transmitter 1304 sends the second SIP request, receive the encrypted new certification key sent by the client, so as to update the certification key, where the new certification key is randomly generated by the client according to the second SIP request message after the TTL of the certification key ends.
In an optional embodiment, that the processor 1302 is configured to perform two-way SIP authentication with the client using the negotiated certification key includes:
The processor 1302 receives, through the receiver 1303, a first SIP invitation message sent by the client, so as to initiate the server's SIP authentication process for the client, and, after the client's authentication passes, sends a second SIP invitation message to the client through the transmitter 1304, so as to initiate the client's SIP authentication process for the server.
Correspondingly, the receiver 1303 is further configured to receive the first SIP invitation message sent by the client, and the transmitter 1304 is further configured to send the second SIP invitation message to the client.
In another optional embodiment, that the processor 1302 is configured to perform two-way SIP authentication with the client using the negotiated certification key includes:
The processor 1302 sends a third SIP invitation message to the client through the transmitter 1304, so as to initiate the server's SIP authentication process for the client, and, when the client's authentication passes, receives through the receiver 1303 a fourth SIP invitation message sent by the client, so as to initiate the client's SIP authentication process for the server, where the fourth SIP invitation message is sent by the client after the server's authentication passes.
Correspondingly, the transmitter 1304 is further configured to send the third SIP invitation message to the client, and the receiver 1303 is further configured to receive the fourth SIP invitation message sent by the client.
Optionally, in a specific implementation, if the memory 1301, the processor 1302, the receiver 1303, and the transmitter 1304 are implemented independently, they may be connected to one another through a bus and communicate with one another over it. The bus may be an ISA bus, a PCI bus, an EISA bus, or the like. The bus may be divided into an address bus, a data bus, a control bus, and so on. For ease of representation, the bus is shown in Fig. 13 as a single thick line, but this does not mean that there is only one bus or only one type of bus.
Optionally, in a specific implementation, if the memory 1301, the processor 1302, the receiver 1303, and the transmitter 1304 are integrated on a single chip, they may communicate with one another through an internal interface.
The server provided in this embodiment can be used to perform the operations performed by the server in the embodiments shown in Fig. 1 to Fig. 5. Its specific working principles are not repeated here; see the description of the method embodiments.
The server provided in this embodiment negotiates with the client to determine the certification key used in the SIP authentication process and then performs two-way SIP authentication based on the negotiated certification key, instead of authenticating with a pre-set key as in the prior art. This overcomes the prior-art problem that the key is easily obtained illegally, which reduces the security of SIP communications, and helps improve the security of SIP communications.
Persons of ordinary skill in the art will understand that all or some of the steps of the foregoing method embodiments may be implemented by hardware related to program instructions. The program may be stored in a computer-readable storage medium. When the program is executed, the steps of the foregoing method embodiments are performed. The storage medium includes any medium that can store program code, such as a ROM, a RAM, a magnetic disk, or an optical disc.
Finally, it should be noted that the above embodiments are merely intended to describe the technical solutions of the present invention, not to limit them. Although the present invention is described in detail with reference to the foregoing embodiments, persons of ordinary skill in the art should understand that they may still modify the technical solutions described in the foregoing embodiments, or make equivalent replacements of some or all of the technical features; and such modifications or replacements do not cause the essence of the corresponding technical solutions to depart from the scope of the technical solutions of the embodiments of the present invention.