CN109120408A - Method, device and system for authenticating user identity - Google Patents

Method, device and system for authenticating user identity

Info

Publication number: CN109120408A
Authority: CN (China)
Prior art keywords: user terminal, encryption algorithm, authentication password, service server, ciphertext
Legal status: Pending (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Application number: CN201710492457.2A
Other languages: Chinese (zh)
Inventors: 李青, 徐伟, 史敏锐, 陈思中
Current assignee: China Telecom Corp Ltd (the listed assignees may be inaccurate; Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list)
Original assignee: China Telecom Corp Ltd
Application filed by China Telecom Corp Ltd; priority to CN201710492457.2A; publication of CN109120408A

Classifications

    • H04L 9/3226: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, using a predetermined code, e.g. password, passphrase or PIN
    • H04L 9/0863: Key distribution or management; generation of secret information including derivation or calculation of cryptographic keys or passwords, involving passwords or one-time passwords
    • H04L 9/3215: Cryptographic mechanisms including means for verifying the identity or authority of a user of the system or for message authentication, using a plurality of channels
    • H04L 9/3297: Cryptographic mechanisms including means for verifying the identity or authority of a user of the system or for message authentication, involving time stamps, e.g. generation of time stamps

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

The present invention discloses a method, device and system for authenticating user identity, and relates to the communications field. After receiving a first registration request sent by a user terminal, the service server sends an authentication password to the user terminal if the terminal is of a specified type, so that the user terminal encrypts a specified message under the authentication password using an encryption algorithm it selects, obtaining a ciphertext. After receiving a second registration request sent by the user terminal, the service server extracts the encryption algorithm index and the ciphertext from the second registration request, decrypts the ciphertext using the authentication password and the encryption algorithm corresponding to the index, and, if decryption succeeds, sends a registration-success indication to the user terminal. By performing a second registration between the user terminal and the service server, the invention improves the security of the RCS service system.

Description

Method, device and system for authenticating user identity
Technical field
The present invention relates to the communications field, and in particular to a method, device and system for authenticating user identity.
Background
In user identity authentication for Internet applications, the mainstream technique at present is the HTTP (HyperText Transfer Protocol) Digest authentication mechanism. Under Digest authentication, once a user's account and password have been lost or compromised, an Internet application system or platform generally cannot tell a genuine user from an impostor. The protection offered by Digest authentication alone is therefore limited.
RCS (Rich Communication Suite) is a new service that telecom operators offer to VoLTE (Voice over LTE) users. It supports high-definition audio and video, converged multimedia messaging, mobile payment and similar OTT (Over The Top) service applications.
RCS has two terminal forms: native terminals and app software clients. Native terminals access the VoLTE IMS core network over the operator's private network and use the AKA authentication mechanism, which is relatively secure. RCS app clients, however, connect over the Internet and at present mainly use Digest authentication. During authentication, registration information can be intercepted and user identities can be impersonated, so the existing RCS user identity authentication mode carries security risks for service use.
Summary of the invention
Embodiments of the present invention provide a method, device and system for authenticating user identity that improve the security of the RCS service system by performing a second registration between the user terminal and the service server.
According to one aspect of the present invention, a method for authenticating user identity is provided, comprising:
after receiving a first registration request sent by a user terminal, if the user terminal is of a specified type, sending an authentication password to the user terminal, so that the user terminal encrypts a specified message under the authentication password using a selected encryption algorithm to obtain a ciphertext;
after receiving a second registration request sent by the user terminal, extracting an encryption algorithm index and the ciphertext from the second registration request;
decrypting the ciphertext using the authentication password and the encryption algorithm corresponding to the encryption algorithm index;
if decryption succeeds, sending a registration-success indication to the user terminal.
In one embodiment, sending the authentication password to the user terminal comprises:
sending an authentication SMS to the user terminal, the authentication SMS containing the authentication password.
In one embodiment, the SMS is an SMS invisible to the user.
In one embodiment, after sending the registration-success indication to the user terminal, the method further comprises:
after receiving a service request sent by the user terminal, extracting an encryption algorithm index and a ciphertext from the service request;
decrypting the ciphertext using the encryption algorithm corresponding to the encryption algorithm index and the authentication password associated with the user terminal, to obtain a service message and perform the corresponding forwarding.
In one embodiment, after receiving the service request sent by the user terminal, the method further comprises:
judging whether the authentication password associated with the user terminal is within its validity period;
if the authentication password associated with the user terminal is within its validity period, extracting the encryption algorithm index and the ciphertext from the service request.
In one embodiment, if the authentication password associated with the user terminal is not within its validity period, the user terminal is instructed to resend the first registration request.
According to another aspect of the present invention, a method for authenticating user identity is provided, comprising:
sending a first registration request to a service server, the first registration request containing the terminal type of the user terminal, so that the service server sends an authentication password to the user terminal when the user terminal is of a specified type;
receiving the authentication password sent by the service server;
selecting an encryption algorithm;
encrypting a specified message using the selected encryption algorithm and the authentication password to obtain a ciphertext;
sending a second registration request to the service server, the second registration request containing the ciphertext and the encryption algorithm index corresponding to the encryption algorithm, so that the service server decrypts the ciphertext using the authentication password and the encryption algorithm corresponding to the encryption algorithm index.
In one embodiment, receiving the authentication password sent by the service server comprises:
receiving an authentication SMS sent by the service server;
extracting the authentication password from the authentication SMS.
In one embodiment, the SMS is an SMS invisible to the user.
In one embodiment, after receiving the registration-success indication sent by the service server, a service request is sent to the service server, the service request containing an encryption algorithm index and a ciphertext, so that the service server decrypts the ciphertext using the encryption algorithm corresponding to the encryption algorithm index and the authentication password associated with the user terminal, to obtain a service message and perform the corresponding forwarding.
According to another aspect of the present invention, a service server for authenticating user identity is also provided, comprising:
a first receiving module, for receiving a first registration request sent by a user terminal;
an authentication password sending module, for sending an authentication password to the user terminal after the first receiving module receives the first registration request, if the user terminal is of a specified type, so that the user terminal encrypts a specified message under the authentication password using a selected encryption algorithm to obtain a ciphertext;
an extraction module, for extracting an encryption algorithm index and the ciphertext from a second registration request after the first receiving module receives the second registration request sent by the user terminal;
an authentication module, for decrypting the ciphertext using the authentication password and the encryption algorithm corresponding to the encryption algorithm index;
a first sending module, for sending a registration-success indication to the user terminal when decryption succeeds.
In one embodiment, the authentication password sending module sends an authentication SMS to the user terminal, the authentication SMS containing the authentication password.
In one embodiment, the SMS is an SMS invisible to the user.
In one embodiment, the service server further comprises a service processing module, wherein:
the extraction module extracts an encryption algorithm index and a ciphertext from a service request after the first receiving module receives the service request sent by the user terminal;
the service processing module decrypts the ciphertext using the encryption algorithm corresponding to the encryption algorithm index and the authentication password associated with the user terminal, to obtain a service message and perform the corresponding forwarding.
In one embodiment, the service server further comprises:
an identification module, for judging, after the first receiving module receives a service request sent by the user terminal, whether the authentication password associated with the user terminal is within its validity period, and, if it is, instructing the extraction module to extract the encryption algorithm index and the ciphertext from the service request.
In one embodiment, the identification module is further configured to instruct the user terminal, via the first sending module, to resend the first registration request when the authentication password associated with the user terminal is not within its validity period.
According to another aspect of the present invention, a user terminal for authenticating user identity is provided, comprising:
a second sending module, for sending a first registration request to a service server, the first registration request containing the terminal type of the user terminal, so that the service server sends an authentication password to the user terminal when the user terminal is of a specified type;
an authentication password receiving module, for receiving the authentication password sent by the service server;
an algorithm selection module, for selecting an encryption algorithm;
an encryption module, for encrypting a specified message using the selected encryption algorithm and the authentication password to obtain a ciphertext, and for instructing the second sending module to send a second registration request to the service server, the second registration request containing the ciphertext and the encryption algorithm index corresponding to the encryption algorithm, so that the service server decrypts the ciphertext using the authentication password and the encryption algorithm corresponding to the encryption algorithm index.
In one embodiment, the authentication password receiving module receives an authentication SMS sent by the service server and extracts the authentication password from the authentication SMS.
In one embodiment, the SMS is an SMS invisible to the user.
In one embodiment, the user terminal further comprises a second receiving module, wherein:
the second receiving module receives the registration-success indication sent by the service server;
the second sending module is further configured to send a service request to the service server after the second receiving module receives the registration-success indication, the service request containing an encryption algorithm index and a ciphertext, so that the service server decrypts the ciphertext using the encryption algorithm corresponding to the encryption algorithm index and the authentication password associated with the user terminal, to obtain a service message and perform the corresponding forwarding.
According to another aspect of the present invention, a system for authenticating user identity is provided, comprising:
the service server of any of the above embodiments;
the user terminal of any of the above embodiments.
In one embodiment, the above system further comprises:
an SMS platform, for forwarding the authentication SMS sent by the service server to the user terminal.
Other features and advantages of the present invention will become apparent from the following detailed description of exemplary embodiments with reference to the accompanying drawings.
Brief description of the drawings
To explain the embodiments of the present invention or the prior art more clearly, the drawings needed for describing the embodiments or the prior art are briefly introduced below. The drawings described below show only some embodiments of the present invention; those of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a schematic diagram of one embodiment of the method for authenticating user identity according to the present invention.
Fig. 2 is a schematic diagram of another embodiment of the method for authenticating user identity according to the present invention.
Fig. 3 is a schematic diagram of another embodiment of the method for authenticating user identity according to the present invention.
Fig. 4 is a schematic diagram of another embodiment of the method for authenticating user identity according to the present invention.
Fig. 5 is a schematic diagram of one embodiment of the service server for authenticating user identity according to the present invention.
Fig. 6 is a schematic diagram of another embodiment of the service server for authenticating user identity according to the present invention.
Fig. 7 is a schematic diagram of one embodiment of the user terminal for authenticating user identity according to the present invention.
Fig. 8 is a schematic diagram of another embodiment of the user terminal for authenticating user identity according to the present invention.
Fig. 9 is a schematic diagram of one embodiment of the system for authenticating user identity according to the present invention.
Fig. 10 is a flow diagram of user identity authentication according to the present invention.
Detailed description
The technical solutions in the embodiments of the present invention are described below clearly and completely with reference to the drawings of the embodiments. The described embodiments are only some of the embodiments of the present invention, not all of them. The following description of at least one exemplary embodiment is illustrative only and in no way limits the present invention or its application or use. All other embodiments obtained by those of ordinary skill in the art from the embodiments of the present invention without creative effort fall within the protection scope of the present invention.
Unless specifically stated otherwise, the relative arrangement of the components and steps, the numerical expressions and the numerical values set forth in these embodiments do not limit the scope of the present invention.
It should also be understood that, for ease of description, the sizes of the parts shown in the drawings are not drawn to actual proportions.
Techniques, methods and apparatus known to those of ordinary skill in the relevant art may not be discussed in detail, but where appropriate they should be regarded as part of the specification.
In all examples shown and discussed here, any specific value should be interpreted as merely illustrative and not as a limitation; other examples of the exemplary embodiments may therefore have different values.
It should also be noted that similar reference signs and letters denote similar items in the following drawings, so once an item is defined in one drawing it need not be discussed further in subsequent drawings.
Fig. 1 is a schematic diagram of one embodiment of the method for authenticating user identity according to the present invention. Optionally, the steps of this embodiment are executed by the RCS service server. Wherein:
Step 101: after receiving a first registration request sent by a user terminal, if the user terminal is of a specified type, send an authentication password to the user terminal, so that the user terminal encrypts a specified message under the authentication password using a selected encryption algorithm to obtain a ciphertext.
The specified type may be the RCS application client.
Optionally, sending the authentication password to the user terminal may comprise:
sending an authentication SMS to the user terminal, the authentication SMS containing the authentication password.
The SMS may be an SMS invisible to the user, so as to reduce disturbance to the user.
Step 102: after receiving a second registration request sent by the user terminal, extract an encryption algorithm index and the ciphertext from the second registration request.
The user terminal supplies the encryption algorithm index corresponding to the selected encryption algorithm to the service server, so that the service server can determine from the index which encryption algorithm the user terminal selected.
Step 103: decrypt the ciphertext using the authentication password and the encryption algorithm corresponding to the encryption algorithm index.
Step 104: if decryption succeeds, send a registration-success indication to the user terminal.
The method for authenticating user identity provided by the above embodiment improves the security of the RCS service system by performing a second registration between the user terminal and the service server.
Fig. 2 is a schematic diagram of another embodiment of the method for authenticating user identity according to the present invention. Optionally, the steps of this embodiment are executed by the RCS service server. Wherein:
Step 201: after receiving a first registration request sent by a user terminal, if the user terminal is of a specified type, send an authentication password to the user terminal, so that the user terminal encrypts a specified message under the authentication password using a selected encryption algorithm to obtain a ciphertext.
Step 202: after receiving a second registration request sent by the user terminal, extract an encryption algorithm index and the ciphertext from the second registration request.
Step 203: decrypt the ciphertext using the authentication password and the encryption algorithm corresponding to the encryption algorithm index.
Step 204: if decryption succeeds, send a registration-success indication to the user terminal.
Step 205: after receiving a service request sent by the user terminal, extract an encryption algorithm index and a ciphertext from the service request.
Step 206: decrypt the ciphertext using the encryption algorithm corresponding to the encryption algorithm index and the authentication password associated with the user terminal, to obtain a service message and perform the corresponding forwarding.
After receiving the service request sent by the user terminal, the service server may further judge whether the authentication password associated with the user terminal is within its validity period. A validity period, for example 1 hour, can be set for the authentication password.
If the authentication password associated with the user terminal is within its validity period, the encryption algorithm index and the ciphertext are extracted from the service request and the corresponding decryption and service processing are performed.
If the authentication password associated with the user terminal is not within its validity period, the authentication password is no longer valid, and the user terminal can be instructed to resend the first registration request in order to obtain a new authentication password.
Fig. 3 is a schematic diagram of another embodiment of the method for authenticating user identity according to the present invention. Optionally, the steps of this embodiment are executed by the user terminal. Wherein:
Step 301: send a first registration request to the service server, the first registration request containing the terminal type of the user terminal, so that the service server sends an authentication password to the user terminal when the user terminal is of a specified type.
Step 302: receive the authentication password sent by the service server.
Optionally, the user terminal receives an authentication SMS sent by the service server and extracts the authentication password from the authentication SMS.
The SMS may be an SMS invisible to the user, so as to reduce disturbance to the user.
Step 303: select an encryption algorithm.
Step 304: encrypt a specified message using the selected encryption algorithm and the authentication password to obtain a ciphertext.
Step 305: send a second registration request to the service server, the second registration request containing the ciphertext and the encryption algorithm index corresponding to the encryption algorithm, so that the service server decrypts the ciphertext using the authentication password and the encryption algorithm corresponding to the encryption algorithm index.
For example, encryption algorithm indexes and the corresponding encryption algorithms may be as shown in the table below.
Table 1
From the encryption algorithm index, the service server can thus learn which encryption algorithm the user terminal used and proceed with the subsequent authentication processing.
Fig. 4 is a schematic diagram of another embodiment of the method for authenticating user identity according to the present invention. Optionally, the steps of this embodiment are executed by the user terminal. Wherein:
Step 401: send a first registration request to the service server, the first registration request containing the terminal type of the user terminal, so that the service server sends an authentication password to the user terminal when the user terminal is of a specified type.
Step 402: receive the authentication password sent by the service server.
Step 403: select an encryption algorithm.
Step 404: encrypt a specified message using the selected encryption algorithm and the authentication password to obtain a ciphertext.
Step 405: send a second registration request to the service server, the second registration request containing the ciphertext and the encryption algorithm index corresponding to the encryption algorithm, so that the service server decrypts the ciphertext using the authentication password and the encryption algorithm corresponding to the encryption algorithm index.
Step 406: after receiving the registration-success indication sent by the service server, send a service request to the service server, the service request containing an encryption algorithm index and a ciphertext, so that the service server decrypts the ciphertext using the encryption algorithm corresponding to the encryption algorithm index and the authentication password associated with the user terminal, to obtain a service message and perform the corresponding forwarding.
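The two-phase registration of Figs. 1 to 4, the validity-period check of Fig. 2 and the algorithm index lookup of Table 1, worked through end to end as an added Python example. This is not code from the patent or from China Telecom; it assumes an algorithm index table of its own (the page does not reproduce Table 1), an 8-digit SMS password, a terminal type string "RCS_APP", and a PBKDF2-stretched encrypt-then-MAC construction built on the standard library so that "decryption succeeds" is decided by a MAC check rather than by decrypting to garbage. The MSISDN, the specified message and the service message are constructed sample values.

```python
import hashlib
import hmac
import secrets

# Assumed algorithm index table: Table 1 of the patent is not reproduced on the page.
# Each index names the hash behind key derivation, the keystream PRF and the MAC.
ALGORITHMS = {1: "sha256", 2: "sha512"}
PASSWORD_TTL_SECONDS = 3600          # the page's example validity period: 1 hour
SPECIFIED_MESSAGE = b"RCS-REGISTER"  # constructed fixed plaintext for the second registration

def derive_keys(password, alg_hash, salt):
    # Stretch the short SMS password into separate encryption and MAC keys.
    km = hashlib.pbkdf2_hmac(alg_hash, password.encode(), salt, 50_000, dklen=64)
    return km[:32], km[32:]

def keystream(alg_hash, enc_key, nonce, length):
    # Counter-mode keystream built from HMAC so the example needs no third-party library.
    blocks = [hmac.new(enc_key, nonce + i.to_bytes(4, "big"), alg_hash).digest()
              for i in range(length // 32 + 1)]
    return b"".join(blocks)[:length]

def encrypt(alg_index, password, plaintext):
    # Encrypt-then-MAC; output layout is salt || nonce || ciphertext || tag.
    alg_hash = ALGORITHMS[alg_index]
    salt, nonce = secrets.token_bytes(16), secrets.token_bytes(16)
    enc_key, mac_key = derive_keys(password, alg_hash, salt)
    ct = bytes(a ^ b for a, b in zip(plaintext, keystream(alg_hash, enc_key, nonce, len(plaintext))))
    return salt + nonce + ct + hmac.new(mac_key, salt + nonce + ct, alg_hash).digest()

def decrypt(alg_index, password, blob):
    # Returns the plaintext, or None when the index is off the allow-list or the tag fails.
    # The tag check is what turns "decryption succeeded" into a real verdict on the password.
    alg_hash = ALGORITHMS.get(alg_index)
    if alg_hash is None:
        return None
    tag_len = hashlib.new(alg_hash).digest_size
    if len(blob) < 32 + tag_len:
        return None
    salt, nonce, ct, tag = blob[:16], blob[16:32], blob[32:-tag_len], blob[-tag_len:]
    enc_key, mac_key = derive_keys(password, alg_hash, salt)
    if not hmac.compare_digest(tag, hmac.new(mac_key, salt + nonce + ct, alg_hash).digest()):
        return None  # wrong password, wrong algorithm, or a tampered request
    return bytes(a ^ b for a, b in zip(ct, keystream(alg_hash, enc_key, nonce, len(ct))))

class ServiceServer:
    def __init__(self):
        self.sms_outbox = []    # stands in for the SMS platform of Fig. 9
        self.passwords = {}     # msisdn -> (authentication password, issue time)
        self.registered = set()

    def first_registration(self, msisdn, terminal_type, now):
        if terminal_type != "RCS_APP":  # native IMS terminals use AKA; no password is issued
            return False
        password = f"{secrets.randbelow(10**8):08d}"  # assumed 8-digit one-time password
        self.passwords[msisdn] = (password, now)
        self.sms_outbox.append((msisdn, password))    # the user-invisible authentication SMS
        return True

    def current_password(self, msisdn, now):
        entry = self.passwords.get(msisdn)
        return None if entry is None or now - entry[1] > PASSWORD_TTL_SECONDS else entry[0]

    def second_registration(self, msisdn, alg_index, ciphertext, now):
        password = self.current_password(msisdn, now)
        if password is None:
            return "REREGISTER"  # expired: the client must start over with a first registration
        if decrypt(alg_index, password, ciphertext) != SPECIFIED_MESSAGE:
            return "FAIL"
        self.registered.add(msisdn)
        return "REGISTERED"

    def service_request(self, msisdn, alg_index, ciphertext, now):
        password = self.current_password(msisdn, now)
        if msisdn not in self.registered or password is None:
            return "REREGISTER"
        message = decrypt(alg_index, password, ciphertext)
        return "FAIL" if message is None else message

class UserTerminal:
    def __init__(self, msisdn, alg_index):
        self.msisdn, self.alg_index, self.password = msisdn, alg_index, None

    def read_authentication_sms(self, outbox):
        self.password = next(pw for to, pw in outbox if to == self.msisdn)

    def seal(self, message):  # used for both the second registration and later service requests
        return self.alg_index, encrypt(self.alg_index, self.password, message)

def run_flow(alg_index=1, service_delay=0):
    # Drive one constructed client (MSISDN and service message are made up) through Fig. 1-4.
    server, client = ServiceServer(), UserTerminal("+8613800000000", alg_index)
    server.first_registration(client.msisdn, "RCS_APP", now=1000)
    client.read_authentication_sms(server.sms_outbox)
    reg = server.second_registration(client.msisdn, *client.seal(SPECIFIED_MESSAGE), now=1001)
    svc = server.service_request(client.msisdn, *client.seal(b"INVITE alice"), now=1002 + service_delay)
    return reg, svc
```

run_flow() returns ('REGISTERED', b'INVITE alice'); run_flow(service_delay=PASSWORD_TTL_SECONDS) returns ('REGISTERED', 'REREGISTER'), which is the expiry path of Fig. 2. Two design points a practitioner would keep when implementing the scheme: the server resolves the client-supplied index only against its own allow-list and rejects anything else, and decryption is accepted as an identity verdict only because the ciphertext carries an integrity tag; with an unauthenticated cipher every password "decrypts" the ciphertext and the success check of step 104 has nothing to fail on. The fresh salt and nonce per message do not by themselves stop a captured service request from being replayed within the validity period; that needs a server-side nonce or timestamp check, which the example does not include.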
Fig. 5 is a schematic diagram of one embodiment of the service server for authenticating user identity according to the present invention. As shown in Fig. 5, the service server may comprise a first receiving module 51, an authentication password sending module 52, an extraction module 53, an authentication module 54 and a first sending module 55, wherein:
The first receiving module 51 receives a first registration request sent by a user terminal.
The authentication password sending module 52 sends an authentication password to the user terminal after the first receiving module 51 receives the first registration request, if the user terminal is of a specified type, so that the user terminal encrypts a specified message under the authentication password using a selected encryption algorithm to obtain a ciphertext.
Optionally, the authentication password sending module 52 sends an authentication SMS to the user terminal, the authentication SMS containing the authentication password.
The SMS may be an SMS invisible to the user.
The extraction module 53 extracts an encryption algorithm index and the ciphertext from a second registration request after the first receiving module 51 receives the second registration request sent by the user terminal.
The authentication module 54 decrypts the ciphertext using the authentication password and the encryption algorithm corresponding to the encryption algorithm index.
The first sending module 55 sends a registration-success indication to the user terminal when decryption succeeds.
The service server for authenticating user identity provided by the above embodiment improves the security of the RCS service system by performing a second registration with the user terminal.
Fig. 6 is a schematic diagram of another embodiment of the service server for authenticating user identity according to the present invention. Compared with the embodiment shown in Fig. 5, in the embodiment shown in Fig. 6 the service server further comprises a service processing module 56. Wherein:
The extraction module 53 extracts an encryption algorithm index and a ciphertext from a service request after the first receiving module 51 receives the service request sent by the user terminal.
The service processing module 56 decrypts the ciphertext using the encryption algorithm corresponding to the encryption algorithm index and the authentication password associated with the user terminal, to obtain a service message and perform the corresponding forwarding.
In addition, in the embodiment shown in Fig. 6, the service server further comprises an identification module 57, which judges, after the first receiving module 51 receives a service request sent by the user terminal, whether the authentication password associated with the user terminal is within its validity period, and, if it is, instructs the extraction module 53 to extract the encryption algorithm index and the ciphertext from the service request.
Optionally, the identification module 57 is further configured to instruct the user terminal, via the first sending module 55, to resend the first registration request when the authentication password associated with the user terminal is not within its validity period.
Setting a validity period on the authentication password improves the security of the system.
Fig. 7 is a schematic diagram of one embodiment of the user terminal for authenticating user identity according to the present invention. As shown in Fig. 7, the user terminal may include a second sending module 71, an authentication password receiving module 72, an algorithm selection module 73 and an encryption module 74. Wherein:
The second sending module 71 sends a first registration request to the service server, the first registration request containing the terminal type of the user terminal, so that the service server sends an authentication password to the user terminal when the user terminal is of the specified type.
The authentication password receiving module 72 receives the authentication password sent by the service server.
Optionally, the authentication password receiving module 72 receives an authentication SMS sent by the service server and extracts the authentication password from the authentication SMS.
The SMS may be one that is invisible to the user.
The algorithm selection module 73 selects an encryption algorithm.
The encryption module 74 encrypts the specified message using the selected encryption algorithm and the authentication password to obtain a ciphertext, and instructs the second sending module 71 to send a second registration request to the service server, the second registration request containing the ciphertext and the encryption algorithm index corresponding to the encryption algorithm, so that the service server can decrypt the ciphertext using the authentication password and the encryption algorithm corresponding to the encryption algorithm index.
The user terminal for authenticating user identity provided by the above embodiment of the present invention improves the security of the RCS service system by performing second-registration processing with the service server.
Fig. 8 is a schematic diagram of another embodiment of the user terminal for authenticating user identity according to the present invention. Compared with the embodiment shown in Fig. 7, the user terminal in the embodiment shown in Fig. 8 further includes a second receiving module 75 for receiving the registration-success indication sent by the service server.
The second sending module 71 is further used, after the second receiving module 75 receives the registration-success indication sent by the service server, to send a service request to the service server, the service request containing the encryption algorithm index and the ciphertext, so that the service server decrypts the ciphertext using the encryption algorithm corresponding to the encryption algorithm index and the authentication password associated with the user terminal, so as to obtain the service message and carry out the corresponding forwarding.
Fig. 9 is a schematic diagram of one embodiment of the system for authenticating user identity according to the present invention. As shown in Fig. 9, the system may include a service server 91 and a user terminal 92, where the service server 91 is the service server of any embodiment of Fig. 5 or Fig. 6, and the user terminal 92 is the user terminal of any embodiment of Fig. 7 or Fig. 8.
The present invention is described below by means of a specific example, shown in Fig. 10. The system comprises two parts: the RCS service server and the user terminal (application client). Wherein,
1. The RCS service server has the following functions:
1) judging the RCS terminal type;
2) obtaining enhanced authentication information: generating a random SMS password, and obtaining the user's location in the mobile network for the client;
3) authenticating the client identity during registration and service interaction.
2. The application client has the following functions:
1) providing enhanced authentication information: automatically extracting the SMS authentication password, and dynamically selecting an encryption algorithm to encrypt the message;
2) providing the enhanced authentication information during registration and service interaction.
In the present invention, the Contact header field of the IMS SIP protocol is extended with two enhanced identity authentication parameters, namely:
Contact: <sip:user@183.1.28.128:11065;Transport=udp;Dpt=8e62_16;Instance=TerminalType,privacy=sm_password:secret_index>;Expires=3600
Here the Instance parameter carries the user terminal type information, where TerminalType represents the terminal type:
Instance=imei: RCS native terminal
Instance=uuid: RCS app software client
The privacy parameter carries the user's random SMS password information:
sm_password: the ciphertext of the SMS authentication password (its validity period equals the registration period; it is resent once expired)
secret_index: the index indicating the selected encryption algorithm (the service server and the application client share an encryption algorithm list)
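As an added illustration (not code from the patent or from China Telecom), here is a small Python parser for the extended Contact header just described. It assumes the two parameter formats listed above: Instance=imei or Instance=uuid (also accepting the urn:uuid:... form used in the reference registration message given later on this page) for the terminal type, and privacy=<sm_ciphertext>:<secret_index>. The two sample header strings, the dataclass and all function names are constructed for this example; the second sample reuses the privacy value from the page's reference message.

```python
import re
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed sample headers, modelled on the extended Contact header described above.
# First registration: Instance carries only the terminal type, no privacy parameter yet.
FIRST_REGISTRATION_CONTACT = (
    "<sip:user@183.1.28.128:11065;Transport=udp;Dpt=8e62_16;"
    "Instance=urn:uuid:CBB1A9AA-DB2C-4937-A192-288E8041CC2C>;Expires=3600"
)
# Second registration: privacy carries <sm_ciphertext>:<secret_index>.
SECOND_REGISTRATION_CONTACT = (
    "<sip:user@183.1.28.128:11065;Transport=udp;Dpt=8e62_16;"
    "Instance=urn:uuid:CBB1A9AA-DB2C-4937-A192-288E8041CC2C,privacy=#x%7*!~&:00>;"
    "Expires=3600"
)


@dataclass
class EnhancedAuthParams:
    terminal_type: str              # "native" (Instance=imei) or "app" (Instance=uuid)
    sm_ciphertext: Optional[str]    # ciphertext from the privacy parameter, None if absent
    secret_index: Optional[str]     # encryption-algorithm index from the privacy parameter
    expires: int                    # registration period; the SMS password validity equals it


def parse_contact(contact: str) -> Dict[str, str]:
    """Split a Contact header value into its parameters (keys lowercased).

    Parameters inside <...> are separated by ';' and, for the two extension
    parameters, by ','. Parameters after '>' (e.g. Expires) are ';'-separated.
    """
    m = re.match(r"\s*<([^>]*)>(.*)$", contact)
    if not m:
        raise ValueError("Contact header has no <...> URI part")
    inner, outer = m.group(1), m.group(2)
    # Drop the URI itself (sip:user@host:port); everything after the first ';' is a parameter.
    _, _, inner_params = inner.partition(";")
    params: Dict[str, str] = {}
    for piece in re.split(r"[;,]", inner_params) + outer.split(";"):
        piece = piece.strip()
        if not piece:
            continue
        key, sep, value = piece.partition("=")
        params[key.strip().lower()] = value.strip() if sep else ""
    return params


def terminal_type(instance: str) -> str:
    """Instance=imei marks an RCS native terminal; Instance=uuid marks an app client."""
    inst = instance.lower()
    if "imei" in inst:
        return "native"
    if "uuid" in inst:
        return "app"
    return "unknown"


def extract_enhanced_auth(contact: str) -> EnhancedAuthParams:
    params = parse_contact(contact)
    if "instance" not in params:
        raise ValueError("Contact header lacks the Instance parameter")
    ciphertext = index = None
    if "privacy" in params:
        # privacy=<sm_ciphertext>:<secret_index>; split on the LAST ':' so the ciphertext
        # may contain ':' but the index may not. The ciphertext must be encoded so that it
        # contains none of ';', ',' or '>' or header parsing breaks.
        ciphertext, sep, index = params["privacy"].rpartition(":")
        if not sep:
            raise ValueError("privacy parameter is not <ciphertext>:<index>")
    return EnhancedAuthParams(
        terminal_type=terminal_type(params["instance"]),
        sm_ciphertext=ciphertext,
        secret_index=index,
        expires=int(params.get("expires", "0")),
    )


def requires_enhanced_auth(p: EnhancedAuthParams) -> bool:
    """The server starts the SMS-password mechanism only for app clients (step 1002)."""
    return p.terminal_type == "app"


if __name__ == "__main__":
    print(extract_enhanced_auth(FIRST_REGISTRATION_CONTACT))
    print(extract_enhanced_auth(SECOND_REGISTRATION_CONTACT))
```

The parser deliberately rejects a privacy value without a ':' separator rather than guessing, since a service request whose privacy parameter is malformed is exactly the case the description says must be refused.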
Step 1001: the application client sends a first registration request to the service server, in which the Instance parameter of the Contact header field is uuid.
Step 1002: after receiving the first registration request, the service server determines from the Instance parameter of the Contact header field being uuid that the enhanced authentication mechanism needs to be started.
Step 1003: the service server sends an authentication SMS to the SMS platform, the authentication SMS containing an authentication password generated at random by the service server.
Step 1004: the SMS platform forwards the authentication SMS to the application client.
Step 1005: the application client extracts the authentication password from the authentication SMS.
Step 1006: the application client randomly selects an encryption algorithm.
Step 1007: the application client encrypts the specified message with the authentication password using the selected encryption algorithm to obtain a ciphertext.
Step 1008: the application client sends a second registration request to the service server, the second registration request containing the encryption algorithm index and the obtained ciphertext.
Step 1009: the service server extracts the encryption algorithm index and the ciphertext from the second registration request.
Step 1010: the service server decrypts the ciphertext using the above authentication password and the encryption algorithm corresponding to the encryption algorithm index.
Step 1011: if decryption succeeds, the service server sends a registration-success indication to the application client.
Step 1012: the application client sends a service request to the service server, the service request containing an encrypted message obtained by encrypting with the above authentication password and the selected encryption algorithm, together with the encryption algorithm index corresponding to the selected encryption algorithm.
Step 1013: provided the authentication password used is within its validity period, the service server decrypts the encrypted message using the corresponding authentication password and the encryption algorithm corresponding to the encryption algorithm index to obtain the service message.
Step 1014: the service server carries out the corresponding forwarding of the obtained service message.
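The flow of steps 1001 to 1014, as an added Python example (not the patent's or China Telecom's code). The patent leaves the shared encryption algorithm list unspecified, so this example assumes a constructed list in which the index selects the hash function behind an HMAC-based stream cipher with encrypt-then-MAC, a stand-in for whatever ciphers a real deployment would share; the key is derived from the SMS password with PBKDF2, salted with the user identity. The specified message, the validity period (taken as equal to the Expires=3600 registration period, as the description states) and the ServiceServer and run_flow names are assumptions of this example. Decryption counts as successful only when the authentication tag verifies and the plaintext equals the specified message; the same code also covers the validity check of step 1013 and the rejection that forces a new first registration.

```python
import hashlib
import hmac
import os
import secrets
import time
from typing import Callable, Dict, Optional, Set, Tuple

# Constructed shared algorithm list: the index selects the hash behind an HMAC-based
# stream cipher with encrypt-then-MAC (a stand-in for the ciphers a real deployment shares).
ALGORITHMS: Dict[str, str] = {"00": "sha256", "01": "sha512", "02": "sha384"}
SPECIFIED_MESSAGE = b"RCS-ENHANCED-REGISTER"   # constructed fixed message the client encrypts
PASSWORD_VALIDITY_S = 3600                      # equals the registration period (Expires=3600)
NONCE_LEN, TAG_LEN = 12, 16

def _keys(password: str, user: str, hash_name: str) -> Tuple[bytes, bytes]:
    """Derive separate encryption and MAC keys from the SMS password, salted with the user id."""
    master = hashlib.pbkdf2_hmac(hash_name, password.encode(), user.encode(), 20_000, dklen=32)
    return hmac.new(master, b"enc", hash_name).digest(), hmac.new(master, b"mac", hash_name).digest()

def _xor_stream(key: bytes, hash_name: str, nonce: bytes, data: bytes) -> bytes:
    stream, ctr = bytearray(), 0
    while len(stream) < len(data):
        stream += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hash_name).digest()
        ctr += 1
    return bytes(a ^ b for a, b in zip(data, stream))

def encrypt(password: str, user: str, index: str, message: bytes) -> bytes:
    """Client side (steps 1007 and 1012): nonce || encrypted message || tag under algorithm `index`."""
    hash_name = ALGORITHMS[index]
    enc_key, mac_key = _keys(password, user, hash_name)
    nonce = os.urandom(NONCE_LEN)
    body = _xor_stream(enc_key, hash_name, nonce, message)
    tag = hmac.new(mac_key, nonce + body, hash_name).digest()[:TAG_LEN]
    return nonce + body + tag

def decrypt(password: str, user: str, index: str, blob: bytes) -> Optional[bytes]:
    """Server side: the plaintext, or None when the tag does not verify (wrong password or algorithm)."""
    hash_name = ALGORITHMS[index]
    enc_key, mac_key = _keys(password, user, hash_name)
    if len(blob) < NONCE_LEN + TAG_LEN:
        return None
    nonce, body, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + body, hash_name).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expected):
        return None
    return _xor_stream(enc_key, hash_name, nonce, body)

class ServiceServer:
    def __init__(self, now: Callable[[], float] = time.time) -> None:
        self._now = now
        self._issued: Dict[str, Tuple[str, float]] = {}   # user -> (password, issue time)
        self._registered: Set[str] = set()

    def first_registration(self, user: str, instance: str) -> Optional[str]:
        """Steps 1001-1003: an app client (Instance=uuid) triggers a random SMS password."""
        if "uuid" not in instance.lower():
            return None                 # native terminal: enhanced authentication not started
        password = f"{secrets.randbelow(10**6):06d}"
        self._issued[user] = (password, self._now())
        return password                 # handed to the SMS platform, never sent over IP

    def _valid_password(self, user: str) -> Optional[str]:
        rec = self._issued.get(user)
        if rec is None or self._now() - rec[1] > PASSWORD_VALIDITY_S:
            return None                 # expired: the client must send a first registration again
        return rec[0]

    def second_registration(self, user: str, index: str, ciphertext: bytes) -> bool:
        """Steps 1009-1011: decrypt with the stored password and the indexed algorithm."""
        password = self._valid_password(user)
        if password is None or index not in ALGORITHMS:
            return False
        plain = decrypt(password, user, index, ciphertext)
        ok = plain is not None and hmac.compare_digest(plain, SPECIFIED_MESSAGE)
        if ok:
            self._registered.add(user)
        return ok

    def service_request(self, user: str, index: str, ciphertext: bytes) -> Optional[bytes]:
        """Steps 1013-1014: the service message, or None to reject the request."""
        if user not in self._registered or index not in ALGORITHMS:
            return None
        password = self._valid_password(user)
        return None if password is None else decrypt(password, user, index, ciphertext)

def run_flow(clock: list) -> Tuple[bool, bool, Optional[bytes], Optional[bytes]]:
    """Walks the whole flow; `clock` is a one-element list holding the current time."""
    user = "user@bj.ims.mnc000.mcc460.3gppnetwork.org"
    server = ServiceServer(now=lambda: clock[0])
    password = server.first_registration(user, "urn:uuid:CBB1A9AA-DB2C-4937-A192-288E8041CC2C")
    index = secrets.choice(sorted(ALGORITHMS))           # step 1006: client picks an algorithm
    # Stolen account but no out-of-band SMS password: the forged ciphertext fails step 1010.
    forged = server.second_registration(user, index, encrypt("not-the-sms-pw", user, index, SPECIFIED_MESSAGE))
    ok = server.second_registration(user, index, encrypt(password, user, index, SPECIFIED_MESSAGE))
    msg = server.service_request(user, index, encrypt(password, user, index, b"MESSAGE hello"))
    clock[0] += PASSWORD_VALIDITY_S + 1                  # the password validity period elapses
    expired = server.service_request(user, index, encrypt(password, user, index, b"MESSAGE again"))
    return forged, ok, msg, expired
```

Calling run_flow([1000.0]) returns (False, True, b"MESSAGE hello", None): the forged second registration is refused, the genuine one succeeds, the service request decrypts, and after the validity period the server rejects further service requests until a new first registration is made. Because the tag is keyed by the SMS password, a client holding stolen Digest credentials but not the out-of-band password cannot produce a ciphertext that passes step 1010, which is the property the beneficial-effects section relies on. The privacy parameter carries the ciphertext as header text, so in a real system the bytes returned by encrypt would need an encoding free of ';', ',' and ':'.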
A reference example of the registration message is given below:
REGISTER sip:bj.ims.mnc000.mcc460.3gppnetwork.org SIP/2.0
Via: SIP/2.0/UDP 183.1.28.128:11065;Branch=z9hG4bK06ip8ai8obyobpap0idbch5ao;Role=3;Dpt=8e62_16;TRC=71a-ffffffff
Call-ID: asbcGGecbxhJM@50.51.120.82
From: <sip:user@bj.ims.mnc000.mcc460.3gppnetwork.org>;Tag=HHecbxH
To: <sip:user@bj.ims.mnc000.mcc460.3gppnetwork.org>
CSeq: 1 REGISTER
Allow: INVITE,ACK,BYE,CANCEL,REGISTER,INFO,PRACK,SUBSCRIBE,NOTIFY,MESSAGE,REFER,PUBLISH
Authorization: Digest username="user@bj.ims.mnc000.mcc460.3gppnetwork.org", realm="bj.ims.mnc000.mcc460.3gppnetwork.org", nonce="", uri="sip:bj.ims.mnc000.mcc460.3gppnetwork.org", response=""
Supported: 100rel,path
User-Agent: RCS/1.3.0(And)
P-Access-Network-Info: 3GPP-E-UTRAN-TDD;Utran-cell-id-3gpp="4600800000000001"
Contact: <sip:user@183.1.28.128:11065;Transport=udp;Dpt=8e62_16;Instance=urn:uuid:CBB1A9AA-DB2C-4937-A192-288E8041CC2C,privacy=#x%7*!~&:00>;Expires=3600;+g.3gpp.icsi-ref="urn%3Aurn-7%3A3gpp-service.ims.icsi.oma.cpm.msg";+g.3gpp.icsi-ref="urn%3Aurn-7%3A3gpp-service.ims.icsi.oma.cpm.largemsg";+g.3gpp.icsi-ref="urn%3Aurn-7%3A3gpp-service.ims.icsi.oma.cpm.filetransfer";+g.3gpp.icsi-ref="urn%3Aurn-7%3A3gpp-service.ims.icsi.oma.cpm.session"
Path: <sip:term@183.1.28.128:11065;Transport=udp;lr;ssn;hwnos;TYPE=V4;IP=50.51.120.82;PORT=16891;Dpt=8e62_86;TRC=71a-ffffffff>
P-Visited-Network-ID: "cmcc.rcs.com"
Max-Forwards: 70
Content-Length: 0
Applying the present invention yields the following beneficial effects:
1. Higher security of the authentication mechanism
Compared with the Internet Digest authentication mechanism, this patent retains the original Digest authentication method and, relying on the security advantages of the telecom operator's mobile network and VoLTE network, adds random SMS password authentication, realizing a dual authentication mechanism.
After the user's account and password authentication information have leaked, an attacker who registers and logs in from a third-party terminal with the stolen account and password will be unable to obtain the SMS password, which travels independently of the Internet channel, so the attacker's location authentication will fail.
2. Enhanced user identity authentication during RCS service interaction
In addition to enhancing the registration authentication mechanism, the present invention has the system perform user identity authentication during RCS service interaction on the privacy parameter of the Contact header field of protocol messages (which carries the authentication SMS ciphertext). Service requests that do not carry legitimate information are rejected, preventing an attacker from carrying out call or message fraud using the user's real number.
Those of ordinary skill in the art will appreciate that all or part of the steps of the above embodiments can be carried out by hardware, or by a program instructing the relevant hardware; the program may be stored in a computer-readable storage medium, which may be a read-only memory, a magnetic disk, an optical disc or the like.
The description of the present invention has been given for the purposes of illustration and description and is not intended to be exhaustive or to limit the invention to the form disclosed. Many modifications and variations will be apparent to those of ordinary skill in the art. The embodiments were chosen and described in order to best explain the principles of the invention and its practical application, and to enable others skilled in the art to understand the invention and to design various embodiments with various modifications suited to particular uses.

Claims (22)

1. A method for authenticating user identity, characterized by comprising:
after receiving a first registration request sent by a user terminal, if the user terminal is of a specified type, sending an authentication password to the user terminal, so that the user terminal uses a selected encryption algorithm to encrypt a specified message according to the authentication password to obtain a ciphertext;
after receiving a second registration request sent by the user terminal, extracting an encryption algorithm index and the ciphertext from the second registration request;
decrypting the ciphertext using the authentication password and the encryption algorithm corresponding to the encryption algorithm index;
if decryption succeeds, sending a registration-success indication to the user terminal.
2. The method according to claim 1, characterized in that
sending the authentication password to the user terminal comprises:
sending an authentication SMS to the user terminal, the authentication SMS containing the authentication password.
3. The method according to claim 2, characterized in that
the SMS is an SMS invisible to the user.
4. The method according to any one of claims 1-3, characterized in that,
after sending the registration-success indication to the user terminal, the method further comprises:
after receiving a service request sent by the user terminal, extracting the encryption algorithm index and the ciphertext from the second registration request;
decrypting the ciphertext using the encryption algorithm corresponding to the encryption algorithm index and the authentication password associated with the user terminal, so as to obtain a service message and carry out the corresponding forwarding.
5. The method according to claim 4, characterized in that,
after receiving the service request sent by the user terminal, the method further comprises:
judging whether the authentication password associated with the user terminal is within its validity period;
if the authentication password associated with the user terminal is within its validity period, extracting the encryption algorithm index and the ciphertext from the second registration request.
6. The method according to claim 5, characterized in that
if the authentication password associated with the user terminal is not within its validity period, the user terminal is instructed to resend the first registration request.
7. A method for authenticating user identity, characterized by comprising:
sending a first registration request to a service server, the first registration request containing the terminal type of the user terminal, so that the service server sends an authentication password to the user terminal when the user terminal is of a specified type;
receiving the authentication password sent by the service server;
selecting an encryption algorithm;
encrypting a specified message using the selected encryption algorithm and the authentication password to obtain a ciphertext;
sending a second registration request to the service server, the second registration request containing the ciphertext and the encryption algorithm index corresponding to the encryption algorithm, so that the service server decrypts the ciphertext using the authentication password and the encryption algorithm corresponding to the encryption algorithm index.
8. The method according to claim 7, characterized in that
receiving the authentication password sent by the service server comprises:
receiving an authentication SMS sent by the service server;
extracting the authentication password from the authentication SMS.
9. The method according to claim 8, characterized in that
the SMS is an SMS invisible to the user.
10. The method according to claim 9, characterized by further comprising:
after receiving a registration-success indication sent by the service server, sending a service request to the service server, the service request containing the encryption algorithm index and the ciphertext, so that the service server decrypts the ciphertext using the encryption algorithm corresponding to the encryption algorithm index and the authentication password associated with the user terminal, so as to obtain a service message and carry out the corresponding forwarding.
11. A service server for authenticating user identity, characterized by comprising:
a first receiving module, for receiving a first registration request sent by a user terminal;
an authentication password sending module, for sending, after the first receiving module receives the first registration request sent by the user terminal, an authentication password to the user terminal if the user terminal is of a specified type, so that the user terminal uses a selected encryption algorithm to encrypt a specified message according to the authentication password to obtain a ciphertext;
an extraction module, for extracting, after the first receiving module receives a second registration request sent by the user terminal, an encryption algorithm index and the ciphertext from the second registration request;
an authentication module, for decrypting the ciphertext using the authentication password and the encryption algorithm corresponding to the encryption algorithm index;
a first sending module, for sending a registration-success indication to the user terminal if decryption succeeds.
12. The service server according to claim 11, characterized in that
the authentication password sending module is used to send an authentication SMS to the user terminal, the authentication SMS containing the authentication password.
13. The service server according to claim 12, characterized in that
the SMS is an SMS invisible to the user.
14. The service server according to any one of claims 11-13, characterized by further comprising a service processing module, wherein:
the extraction module is used, after the first receiving module receives a service request sent by the user terminal, to extract the encryption algorithm index and the ciphertext from the second registration request;
the service processing module is used to decrypt the ciphertext using the encryption algorithm corresponding to the encryption algorithm index and the authentication password associated with the user terminal, so as to obtain a service message and carry out the corresponding forwarding.
15. The service server according to claim 14, characterized by further comprising an identification module, wherein:
the identification module is used, after the first receiving module receives the service request sent by the user terminal, to judge whether the authentication password associated with the user terminal is within its validity period and, if it is, to instruct the extraction module to extract the encryption algorithm index and the ciphertext from the second registration request.
16. The service server according to claim 15, characterized in that
the identification module is further used, when the authentication password associated with the user terminal is not within its validity period, to instruct the user terminal through the first sending module to resend the first registration request.
17. A user terminal for authenticating user identity, characterized by comprising:
a second sending module, for sending a first registration request to a service server, the first registration request containing the terminal type of the user terminal, so that the service server sends an authentication password to the user terminal when the user terminal is of a specified type;
an authentication password receiving module, for receiving the authentication password sent by the service server;
an algorithm selection module, for selecting an encryption algorithm;
an encryption module, for encrypting a specified message using the selected encryption algorithm and the authentication password to obtain a ciphertext, and for instructing the second sending module to send a second registration request to the service server, the second registration request containing the ciphertext and the encryption algorithm index corresponding to the encryption algorithm, so that the service server decrypts the ciphertext using the authentication password and the encryption algorithm corresponding to the encryption algorithm index.
18. The user terminal according to claim 17, characterized in that
the authentication password receiving module is used to receive an authentication SMS sent by the service server and to extract the authentication password from the authentication SMS.
19. The user terminal according to claim 18, characterized in that
the SMS is an SMS invisible to the user.
20. The user terminal according to claim 19, characterized by further comprising a second receiving module, wherein:
the second receiving module is used to receive a registration-success indication sent by the service server;
the second sending module is further used, after the second receiving module receives the registration-success indication sent by the service server, to send a service request to the service server, the service request containing the encryption algorithm index and the ciphertext, so that the service server decrypts the ciphertext using the encryption algorithm corresponding to the encryption algorithm index and the authentication password associated with the user terminal, so as to obtain a service message and carry out the corresponding forwarding.
21. A system for authenticating user identity, characterized by comprising:
the service server according to any one of claims 11-16;
the user terminal according to any one of claims 17-20.
22. The system according to claim 21, characterized by further comprising:
an SMS platform, for forwarding the authentication SMS sent by the service server to the user terminal.
CN201710492457.2A 2017-06-26 2017-06-26 For authenticating the methods, devices and systems of user identity Pending CN109120408A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201710492457.2A CN109120408A (en) 2017-06-26 2017-06-26 For authenticating the methods, devices and systems of user identity

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201710492457.2A CN109120408A (en) 2017-06-26 2017-06-26 For authenticating the methods, devices and systems of user identity

Publications (1)

Publication Number Publication Date
CN109120408A true CN109120408A (en) 2019-01-01

Family

ID=64732408

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201710492457.2A Pending CN109120408A (en) 2017-06-26 2017-06-26 For authenticating the methods, devices and systems of user identity

Country Status (1)

Country Link
CN (1) CN109120408A (en)


Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101043337A (en) * 2007-03-22 2007-09-26 中兴通讯股份有限公司 Interactive process for content class service
CN101277192A (en) * 2008-04-25 2008-10-01 华为技术有限公司 Method and system for checking client terminal
CN101753296A (en) * 2009-12-29 2010-06-23 浙江大学 Key embedded password
CN103906052A (en) * 2012-12-26 2014-07-02 中国移动通信集团公司 Mobile terminal authentication method, service access method and equipment
US20160373257A1 (en) * 2015-06-22 2016-12-22 Farid Adrangi Key agreement and authentication for wireless communication


Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112020063A (en) * 2019-05-31 2020-12-01 中国移动通信有限公司研究院 Registration method, terminal and server for rich communication suite RCS service
CN112052432A (en) * 2020-09-01 2020-12-08 禾麦科技开发(深圳)有限公司 Terminal device authorization method and device
CN115913593A (en) * 2021-09-30 2023-04-04 中国电信股份有限公司 Method, system and related equipment for service configuration of cloud rich media communication suite
CN115913593B (en) * 2021-09-30 2024-05-14 中国电信股份有限公司 Cloud rich media communication suite service configuration method, system and related equipment
CN114826574A (en) * 2022-04-19 2022-07-29 中国电子科技集团公司第三十研究所 Intelligent household safety communication system and communication method


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20190101