CN109873972A - Registration method, calling method, medium and device for preventing renegotiation DoS attacks - Google Patents

Info

Publication number: CN109873972A
Application number: CN201910113119.2A
Authority: CN (China)
Legal status: Granted
Other versions: CN109873972B (en)
Inventors: 刘娜, 韦国华, 胡小鹏
Assignee: Suzhou Keda Technology Co Ltd
Abstract

The present invention provides a registration method, a calling method, a storage medium and an electronic device for preventing renegotiation DoS attacks. The invention controls the renegotiation rate and makes a simple extension to existing SIP signaling so that the renegotiation rate itself is negotiated: different renegotiation rates are assigned according to the importance level of the conference, the negotiated rate can be updated, urgent renegotiation remains possible in special circumstances, and the normal video-conference SIP interaction of peers that do not support the extended fields of the invention is still handled. By keeping renegotiation available, the difficulty and complexity of cracking the key are increased and the security of the connection is ensured, so that the communication content of both communicating parties is strongly protected during a prolonged video conference. Through the interaction of application-layer SIP signaling, the attributes of the encryption/decryption layer are set and the renegotiation rate is controlled, removing the possibility of a DoS attack that the vulnerability inherent in video conferencing would otherwise bring.

Description

Registration method, calling method, medium and device for preventing renegotiation DoS attacks
Technical field
The present invention relates to the field of telecommunications, and in particular to a solution, a storage medium and an electronic device that prevent the DoS attacks made possible by supporting TLS renegotiation when a video conference is conducted with the SIP protocol over a TLS connection.
Background art
SSL/TLS (Transport Layer Security) is the foundation of modern Internet security; important Internet applications such as online banking, e-commerce, e-government and e-health can only operate normally on the basis of the security, confidentiality and trust mechanisms that SSL/TLS provides. SSL/TLS is a protocol layered on top of the reliable TCP protocol; its purpose is to create a secure connection between a client and a server, a connection that is private, reliable, and lets both parties verify each other's identity. SSL/TLS therefore provides confidentiality, integrity and authentication.
With everyone's growing security awareness, how to keep the communication content of both parties of a video conference secure has become a focus of industry research in present-day video conferencing systems. The most common approach is transport-layer encryption of the communication signaling (using TLS) together with encryption and decryption of the media stream using SRTP (Secure Real-time Transport Protocol). Key delivery and key updating for SRTP both run over the encrypted TLS connection (in video conferencing, SRTP is negotiated with SIP (Session Initiation Protocol), and SIP runs over the TLS connection), so the security of the TLS connection is particularly important. If a TLS connection keeps using the same algorithm and key for a long time, it gives an attacker time to crack them and increases the security risk.
We can therefore use the TLS renegotiation mechanism (renegotiation means re-running the negotiation on an established SSL/TLS TCP connection in order to change the algorithm, replace the digital certificate, verify the peer's identity, update the shared key, and so on) to agree on new security parameters, thereby increasing the difficulty of cracking and enhancing the security of the TLS connection. The SSL/TLS protocol itself supports renegotiation, and the RFC documents recommend that SSL/TLS implementations (libraries such as OpenSSL) also support renegotiation by default.
As for renegotiation: once an SSL session has been established, both the client and the server can request it. The client can start a renegotiation by sending a new ClientHello message. Similarly, the server can send a HelloRequest message so that the client responds with a new ClientHello and thereby starts a renegotiation. The TLS handshake performs identity authentication and key negotiation with asymmetric algorithms, which requires considerable computing resources; originally the handshake was executed only once when the TLS connection was being established, but the introduction of the renegotiation mechanism allows the client to initiate new handshakes continuously. Since the client can perform the handshake with fewer resources (for example by not checking the server's certificate, which avoids the overhead of signature verification), an attacker can keep renegotiating keys after the SSL/TLS connection is established (as in the well-known THC-SSL-DoS) and exhaust the server's resources at a comparatively low cost, causing it to deny service to requests from other users.
The mainstream approach today is to prevent DoS (Denial of Service) attacks by configuring renegotiation to be disabled, but this makes the features that depend on renegotiation unavailable; or to forbid the client from initiating renegotiation, which loses the flexibility of renegotiation; or to rate-limit newly arriving TLS connections and renegotiations. And if the limit is applied on only one side, the other side is unaware of it, which wastes communication resources unnecessarily and cannot stop malicious attacks in time.
Therefore, how to effectively prevent DoS attacks while preserving the renegotiation mechanism is a problem that currently needs to be solved.
Summary of the invention
To overcome the deficiencies of the prior art, the present invention proposes a registration method and a calling method for preventing renegotiation DoS attacks, so that a SIP-based video conferencing system negotiates the renegotiation rate by signaling, avoids unnecessary renegotiation detection and thereby avoids wasting resources, and adds a renegotiation-rate verification function in the encryption/decryption layer to prevent renegotiation DoS attacks by illegitimate attackers.
The present invention provides a registration method for preventing renegotiation DoS attacks, comprising the following steps:
The conference terminal sends a registration request to the server, where the registration request carries a field with the renegotiation interval desired by the conference terminal;
The server receives the registration request, performs digest authentication on the conference terminal, and returns an authentication request to the conference terminal;
After the conference terminal receives the authentication request, it resends the registration request carrying authentication information to the server for authentication; if authentication passes, the conference terminal is registered successfully, and the server configures the renegotiation interval of this connection.
Preferably, the method further comprises the step of:
After the conference terminal is registered successfully, obtaining the security level of the conference terminal and configuring the renegotiation interval of this connection according to that security level and the renegotiation interval desired by the conference terminal.
Preferably, the method further comprises the step of:
The renegotiation interval of this connection takes the value configured by the server as the final renegotiation interval.
Preferably, the method further comprises the step of:
The conference terminal sends a registration update request to the server; the registration update request carries a field with the updated renegotiation interval, which is used to update the renegotiation interval of this connection.
The present invention also provides a calling method for preventing renegotiation DoS attacks, comprising the following steps:
The calling conference terminal sends a call request to the called conference terminal, where the call request carries a field with the renegotiation interval desired by the calling conference terminal;
If the called conference terminal accepts the call, the renegotiation interval of this call connection is configured.
Preferably, the call request also carries the security level of the calling conference terminal; the called conference terminal confirms the security level of the calling conference terminal and configures the renegotiation interval of this call connection according to that security level and the renegotiation interval desired by the calling conference terminal.
Preferably, the renegotiation interval of this call connection is configured through the conference settings of the video conference MCU.
Preferably, the renegotiation interval of this call connection is configured by the called conference terminal.
Preferably, the method further comprises the step of:
Updating the interval: during the call, either conference terminal sends an update request to the conference terminal at the other end; the update request carries a field with the updated renegotiation interval, which is used to update the renegotiation interval of this connection.
Preferably, the method further comprises the step of:
Within the renegotiation interval, a conference terminal sends a message request configured with security level zero to the conference terminal at the other end, requesting the other conference terminal to renegotiate immediately.
An electronic device, comprising: a processor;
a memory; and a program, wherein the program is stored in the memory and configured to be executed by the processor, and the program includes instructions for executing the registration method or the calling method for preventing renegotiation DoS attacks.
A computer-readable storage medium on which a computer program is stored, the computer program, when executed by a processor, performing the registration method or the calling method for preventing renegotiation DoS attacks.
Compared with the prior art, the beneficial effects of the present invention are:
The present invention provides a registration method, a calling method, a storage medium and an electronic device for preventing renegotiation DoS attacks. The invention controls the renegotiation rate and makes a simple extension to existing SIP signaling so that the renegotiation rate is negotiated: different renegotiation rates are assigned according to the importance level of the conference, the negotiated rate can be updated, urgent renegotiation remains possible in special circumstances, and the normal video-conference SIP interaction of peers that do not support the extended fields of the invention is still handled. By keeping renegotiation available, the difficulty and complexity of cracking the key are increased and the security of the connection is ensured, so that the communication content of both communicating parties is strongly protected during a prolonged video conference. Through the interaction of application-layer SIP signaling, the attributes of the encryption/decryption layer are set and the renegotiation rate is controlled, removing the possibility of a DoS attack that the vulnerability inherent in video conferencing would otherwise bring.
The above is only an overview of the technical solution of the present invention. In order that the technical means of the present invention can be better understood and implemented according to the contents of the specification, the preferred embodiments of the present invention are described in detail below together with the accompanying drawings. Specific embodiments of the invention are shown in detail in the following embodiments and their drawings.
Brief description of the drawings
The drawings described herein are provided for a further understanding of the present invention and constitute a part of this application; the illustrative embodiments of the present invention and their description serve to explain the invention and do not constitute improper limitations of it. In the drawings:
Fig. 1 is a flow diagram of the registration method for preventing renegotiation DoS attacks of the invention;
Fig. 2 is a flow diagram of the calling method for preventing renegotiation DoS attacks of the invention;
Fig. 3 is a flow chart of the registration method for preventing renegotiation DoS attacks of the invention in one embodiment;
Fig. 4 is a flow chart of the calling method for preventing renegotiation DoS attacks of the invention in one embodiment;
Fig. 5 is a flow chart of step S23 of the invention in one embodiment;
Fig. 6 is a flow chart of step S24 of the invention in one embodiment;
Fig. 7 is a flow chart of step S24 of the invention in another embodiment.
Detailed description
In the following, the present invention is further described with reference to the drawings and specific embodiments. It should be noted that, provided there is no conflict, the embodiments described below, or their individual technical features, may be combined arbitrarily to form new embodiments.
The present invention provides a registration method for preventing renegotiation DoS attacks. In this embodiment, after the conference terminal that needs to register actively establishes a TCP connection to the registration server, both sides complete the TLS handshake; the registration process is then carried out over the secure TLS channel and, as shown in Fig. 1, comprises the following steps:
S11: The conference terminal sends a registration request to the server, where the registration request carries a field with the TLS renegotiation interval desired by the conference terminal. As shown in Fig. 3, in one embodiment the conference terminal carries a reTLS_Interval:value header field in the REGISTER, where value is the desired renegotiation interval in seconds (s).
S12: The server receives the registration request, performs digest authentication on the conference terminal, and returns an authentication request to the conference terminal. As shown in Fig. 3, in one embodiment, when the server needs to perform digest authentication on the terminal it replies SIP 401/407, and the conference terminal re-initiates the REGISTER carrying authentication information; where:
401 Unauthorized explicitly indicates that the request is unauthorized. This response is generated by a UAS or registrar. The common scenario is user registration with REGISTER.
407 Proxy Authentication Required means that the proxy server requires authentication information. The common scenario is an INVITE that initiates a call.
S13: After the conference terminal receives the authentication request, it resends the registration request carrying authentication information to the server for authentication; if authentication passes, the conference terminal is registered successfully and the TLS renegotiation interval of this connection is configured. Preferably, in step S13, after the conference terminal is registered successfully, the security level of the conference terminal is obtained, and the TLS renegotiation interval of this connection is configured according to that security level and the TLS renegotiation interval desired by the conference terminal. The TLS renegotiation interval of this connection takes the value configured by the server as the final renegotiation interval.
In one embodiment, as shown in Fig. 3, if the server authenticates the conference terminal and agrees to its registration, it confirms the security level of the terminal, sets the TLS renegotiation interval according to that security level, and replies 200 OK. In this embodiment the final interval is the server's value: for example, if the server's 200 OK carries the header field reTLS_Interval: 240, the renegotiation interval the server has set for this registration connection is 240 s, meaning that the interval between renegotiations subsequently initiated by the conference terminal must be greater than 240 s. In particular, if the server's 200 OK carries the header field reTLS_Interval:0, the conference terminal registered by this request is not permitted to actively initiate TLS renegotiation.
Preferably, the method further comprises the step of:
S14: Registration update: the conference terminal sends a registration update request to the server; the registration update request carries a field with the updated TLS renegotiation interval, which is used to update the TLS renegotiation interval of this connection. In one embodiment, as shown in Fig. 3, if the conference terminal later wants to change the interval, it performs the registration update of step S14 carrying the newly desired interval; if the server agrees, it replies 200 OK, confirming the new TLS renegotiation interval.
The present invention also provides a calling method for preventing renegotiation DoS attacks. In this embodiment, as shown in Fig. 2, after the calling terminal establishes a TCP connection with the called terminal, both sides complete the TLS handshake, and the call process is then carried out over the secure TLS channel, comprising the following steps:
S21: The calling conference terminal sends a call request to the called conference terminal, where the call request carries a field with the TLS renegotiation interval desired by the calling conference terminal. Preferably, the call request also carries the security level of the calling conference terminal. In one embodiment, as shown in Fig. 4, the calling conference terminal carries in the INVITE a reTLS_Priority:value header field, where value is the security level of this conference (levels 1 to 5; the smaller the number, the higher the level), and a reTLS_Interval:value header field, where value is the desired renegotiation interval in seconds (s).
S22: If the called conference terminal accepts the call, the TLS renegotiation interval of this call connection is configured. Preferably, the called conference terminal confirms the security level of the calling conference terminal and configures the TLS renegotiation interval of this call connection according to that security level and the TLS renegotiation interval desired by the calling conference terminal. In one embodiment, as shown in Fig. 4, if the called conference terminal accepts the call, it confirms the security level, sets the TLS renegotiation interval according to that level, and replies 200 OK.
In a preferred embodiment, the TLS renegotiation interval of this call connection is configured through the conference settings of the video conference MCU. In this embodiment the call goes through a conference hosted by a video conference MCU (Multipoint Control Unit, also called the conference multipoint control unit), and the conference level and the TLS renegotiation interval follow the conference settings. For example, for a conference through a video conference MCU with conference level 3 and a renegotiation interval of 120 s, the MCU carries the header fields reTLS_Priority:3 and reTLS_Interval:120 in the INVITE (when it is the caller) or in the 200 (when it is the called party), so that the renegotiation interval of the conference terminals from then on is no less than 120 s.
In a preferred embodiment, the TLS renegotiation interval of this call connection is configured by the called conference terminal. In this embodiment the call is a point-to-point conference that does not go through a video conference MCU; the conference level and the TLS renegotiation interval are determined by the called conference terminal, which is generally the server side of the TLS connection.
In one embodiment, if the video conference MCU or the called conference terminal replies reTLS_Interval:0, the conference terminal of this call is not permitted to actively initiate TLS renegotiation. In another embodiment, if the reply of the video conference MCU or the called conference terminal does not carry the reTLS_Interval field at all, the peer does not support the extension that this invention makes on top of standard SIP; no renegotiation is then performed, which keeps compatibility with the standard.
In a preferred embodiment, as shown in Fig. 5, the method further comprises the step of:
S23: Updating the interval: during the call, either conference terminal sends an update request to the conference terminal at the other end; the update request carries a field with the updated TLS renegotiation interval, which is used to update the TLS renegotiation interval of this connection. In this embodiment, as shown in Fig. 5, if during the call conference terminal MT1 (Meeting Terminal) wants to change the interval, it sends an UPDATE carrying the new interval; if the server side MT2 agrees, it replies 200 OK, confirming the new interval; otherwise it replies SIP 403, with the reason for refusal carried in the Warning header field.
In a preferred embodiment, as shown in Fig. 6 and Fig. 7, the method further comprises the step of:
S24: Within the TLS renegotiation interval, a conference terminal sends a message request configured with security level zero to the conference terminal at the other end, requesting the other conference terminal to perform TLS renegotiation immediately. In this embodiment, as shown in Fig. 6, if conference terminal MT1 needs to renegotiate within the interval (for example after a click in the user interface), it sends an INFO to conference terminal MT2 carrying reTLS_Priority:0, indicating that TLS renegotiation must be performed immediately; if conference terminal MT2 agrees, it replies 200 OK; otherwise, as shown in Fig. 7, it replies SIP 403 with the reason for refusal carried in the Warning header field.
It should be understood that the application-layer strategy used above to limit the rate of TLS renegotiation sets the rate as follows: when a video conference MCU or a registration server is involved, the rate is determined by the video conference MCU or the server; in a point-to-point conference without a video conference MCU or server, it is determined by the called party of the TLS connection. If the call and the registration share the same TLS connection, the rate follows the value negotiated for the call while a call is in progress and reverts to the registration value when there is no call. Through the reTLS_Interval:value header field, the video conference MCU or server tells the conference terminal the rate at which it may actively initiate TLS renegotiation: if value is 0, the terminal is forbidden to actively initiate renegotiation; if value is non-zero, it is the renegotiation rate granted to the conference terminal.
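The signaling of steps S11 to S14 and S21 to S24, as an added example that is not part of the patent or its assignee's code: a small parser for the reTLS_Interval / reTLS_Priority header fields and the policy a terminal derives from the peer's 200 OK (the peer's value wins, 0 forbids active renegotiation, an absent header means no extension, and the call setting overrides the registration setting while a call is up). The FLOOR_BY_LEVEL table and the server_interval rule are assumptions, since the text does not say how the security level maps to an interval; all message text is constructed.

```python
"""Effective TLS renegotiation interval from the reTLS_* SIP header extension.

Added example, not code from the patent or its assignee: it models the rules
the description gives for the REGISTER, INVITE/200 OK and UPDATE exchanges.
All SIP message text and the per-level floor table are constructed here.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Header field names are from the patent text (matched case-insensitively).
H_INTERVAL = "retls_interval"
H_PRIORITY = "retls_priority"

# Assumed server-side floor per security level (1 = highest); the patent only
# says the interval is chosen from the level and the terminal's wish.
FLOOR_BY_LEVEL: Dict[int, int] = {1: 60, 2: 120, 3: 240, 4: 600, 5: 900}


def parse_sip_headers(msg: str) -> Dict[str, str]:
    """Lower-cased header name -> value for the header block of a SIP message."""
    headers: Dict[str, str] = {}
    for line in msg.replace("\r\n", "\n").split("\n")[1:]:  # skip start line
        if not line.strip():
            break                                   # blank line ends headers
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def extension_values(msg: str) -> Tuple[Optional[int], Optional[int]]:
    """(reTLS_Interval in seconds, reTLS_Priority), each None when absent."""
    h = parse_sip_headers(msg)
    iv, pr = h.get(H_INTERVAL), h.get(H_PRIORITY)
    return (int(iv) if iv is not None else None,
            int(pr) if pr is not None else None)


def server_interval(level: int, desired: int) -> int:
    """Value the limiting side writes into its 200 OK (assumed rule: the
    terminal's wish, but never below the floor for the security level)."""
    return max(desired, FLOOR_BY_LEVEL[level])


@dataclass
class RenegPolicy:
    interval: Optional[int]        # seconds between client-initiated renegotiations
    client_may_renegotiate: bool   # False for reTLS_Interval:0 or no extension
    extension_supported: bool      # False when the reply carried no reTLS_Interval


def policy_from_reply(reply: str) -> RenegPolicy:
    """Rules from the description for the 200 OK of the server/MCU/called side:
    header absent -> peer lacks the extension, no renegotiation at all;
    value 0       -> terminal must not actively renegotiate;
    value N       -> terminal may renegotiate at most once per N seconds.
    The reply's value always overrides what the terminal asked for."""
    interval, _ = extension_values(reply)
    if interval is None:
        return RenegPolicy(None, False, False)
    if interval == 0:
        return RenegPolicy(0, False, True)
    return RenegPolicy(interval, True, True)


class Connection:
    """Policy state of one TLS connection shared by REGISTER and calls."""

    def __init__(self) -> None:
        self.register_policy: Optional[RenegPolicy] = None
        self.call_policy: Optional[RenegPolicy] = None

    def on_register_ok(self, reply: str) -> None:   # REGISTER or re-REGISTER
        self.register_policy = policy_from_reply(reply)

    def on_call_ok(self, reply: str) -> None:       # INVITE or UPDATE answer
        self.call_policy = policy_from_reply(reply)

    def on_call_end(self) -> None:
        self.call_policy = None

    def effective(self) -> Optional[RenegPolicy]:
        """Call setting while a call is up; registration setting otherwise."""
        return self.call_policy if self.call_policy is not None else self.register_policy


# Constructed sample exchange: REGISTER, then a level-3 MCU call, then hang-up.
REGISTER = "REGISTER sip:registrar.example SIP/2.0\r\nreTLS_Interval: 60\r\n\r\n"
REGISTER_OK = "SIP/2.0 200 OK\r\nreTLS_Interval: 240\r\n\r\n"
CALL_OK = "SIP/2.0 200 OK\r\nreTLS_Priority: 3\r\nreTLS_Interval: 120\r\n\r\n"
PLAIN_OK = "SIP/2.0 200 OK\r\n\r\n"                # peer without the extension


def walk_through() -> Tuple[int, int, int]:
    """Effective interval after registration, during the call, after hang-up."""
    conn = Connection()
    conn.on_register_ok(REGISTER_OK)
    after_register = conn.effective().interval
    conn.on_call_ok(CALL_OK)
    during_call = conn.effective().interval
    conn.on_call_end()
    after_call = conn.effective().interval
    return after_register, during_call, after_call
```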
It should also be understood that the TLS renegotiation rate limit only restricts the rate at which the caller side of the TLS connection actively initiates TLS renegotiation; whether the server side, as the called party, may do so depends on its role in the conference system: if it is a conference terminal, it cannot actively initiate renegotiation; if it is a video conference MCU or registration server, it may actively initiate renegotiation at any time. After both application-layer sides of the TLS connection have agreed on the rate, the limiting side, for example the server of the TLS connection, sets the interval in the encryption/decryption layer, and the encryption/decryption layer must enforce the TLS renegotiation rate limit accordingly. Once the configuration is complete and the call connection established, if renegotiation requests are initiated repeatedly within the TLS renegotiation interval, this is regarded as a renegotiation DoS attack and the connection can be disconnected, thereby effectively preventing TLS renegotiation DoS attacks by malicious attackers.
An electronic device comprises: a processor; a memory; and a program, wherein the program is stored in the memory and configured to be executed by the processor, and the program includes instructions for executing the registration method and the calling method for preventing renegotiation DoS attacks. A computer-readable storage medium has a computer program stored thereon which, when executed by a processor, performs the registration method and the calling method for preventing renegotiation DoS attacks.
The specific embodiments of this specification have been described above. Other embodiments are within the scope of the appended claims. In some cases, the actions or steps recited in the claims can be performed in an order different from that of the embodiments and still achieve the desired results. In addition, the processes depicted in the drawings do not necessarily require the particular order shown, or a sequential order, to achieve the desired results. In some embodiments, multitasking and parallel processing are also possible or may be advantageous.
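The check in the encryption/decryption layer described above, as an added example that is not the patent's code: the limiting side installs the agreed interval and rules on each client-initiated renegotiation, while server-initiated renegotiation is always allowed. It assumes the interval is counted from the last completed handshake, that any further client request inside it is the "repeated requests" case and ends the connection, and that an accepted INFO carrying reTLS_Priority:0 grants exactly one exemption; the simulate helper and its clock are constructed for illustration.

```python
"""Renegotiation-rate check in the encryption/decryption (TLS) layer.

Added example, not the patent's code.  The limiting side (server of the TLS
connection) installs the agreed reTLS_Interval once signaling is done and
checks every client-initiated renegotiation against it.  Assumptions: the
interval is counted from the last completed handshake; a further request
inside it is treated as the "repeated requests" case and disconnects; an
accepted INFO with reTLS_Priority:0 lets exactly one request bypass the check.
"""
import time
from enum import Enum
from typing import Callable, List, Tuple


class Verdict(Enum):
    ALLOW = "allow"              # let the handshake proceed
    FORBIDDEN = "forbidden"      # reTLS_Interval:0 - client may never renegotiate
    DISCONNECT = "disconnect"    # request inside the interval - treated as DoS


class RenegotiationGuard:
    """Per-connection state on the limiting side of one TLS connection."""

    def __init__(self, interval: int,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self.interval = interval            # agreed reTLS_Interval in seconds
        self.clock = clock
        self.last_handshake = clock()       # guard is created when the handshake ends
        self.immediate_ok = False           # set after INFO reTLS_Priority:0 accepted
        self.audit: List[Tuple[float, str, Verdict]] = []   # for logging/detection

    def update_interval(self, interval: int) -> None:
        """Apply an interval confirmed by a later UPDATE / re-REGISTER 200 OK."""
        self.interval = interval

    def grant_immediate(self) -> None:
        """Peer accepted the INFO with reTLS_Priority:0 at the application layer."""
        self.immediate_ok = True

    def on_server_renegotiation(self) -> Verdict:
        """The MCU or registration server may renegotiate at any time."""
        now = self.clock()
        self.last_handshake = now
        self.audit.append((now, "server", Verdict.ALLOW))
        return Verdict.ALLOW

    def on_client_renegotiation(self) -> Verdict:
        """Rule on a ClientHello arriving on an already established connection."""
        now = self.clock()
        if self.immediate_ok:
            self.immediate_ok = False       # one-shot permission is used up
            verdict = Verdict.ALLOW
        elif self.interval == 0:
            verdict = Verdict.FORBIDDEN
        elif now - self.last_handshake < self.interval:
            verdict = Verdict.DISCONNECT
        else:
            verdict = Verdict.ALLOW
        if verdict is Verdict.ALLOW:
            self.last_handshake = now
        self.audit.append((now, "client", verdict))
        return verdict


def simulate(interval: int, request_times: List[float]) -> List[Verdict]:
    """Replay client renegotiation attempts (seconds after the handshake)
    against one guard driven by a constructed clock; stops at a disconnect."""
    t = [0.0]
    guard = RenegotiationGuard(interval, clock=lambda: t[0])
    verdicts: List[Verdict] = []
    for when in request_times:
        t[0] = when
        verdicts.append(guard.on_client_renegotiation())
        if verdicts[-1] is Verdict.DISCONNECT:
            break                           # connection has been torn down
    return verdicts
```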
In the 1990s, the improvement of a technology can be distinguished clearly be on hardware improvement (for example, Improvement to circuit structures such as diode, transistor, switches) or software on improvement (improvement for method flow).So And with the development of technology, the improvement of current many method flows can be considered as directly improving for hardware circuit. Designer nearly all obtains corresponding hardware circuit by the way that improved method flow to be programmed into hardware circuit.Cause This, it cannot be said that the improvement of a method flow cannot be realized with hardware entities module.For example, programmable logic device (Programmable Logic Device, PLD) (such as field programmable gate array (Field Programmable Gate Array, FPGA)) it is exactly such a integrated circuit, logic function determines device programming by user.By designer Voluntarily programming comes a digital display circuit " integrated " on a piece of PLD, designs and makes without asking chip maker Dedicated IC chip.Moreover, nowadays, substitution manually makes IC chip, this programming is also used instead mostly " is patrolled Volume compiler (logic compiler) " software realizes that software compiler used is similar when it writes with program development, And the source code before compiling also write by handy specific programming language, this is referred to as hardware description language (Hardware Description Language, HDL), and HDL is also not only a kind of, but there are many kind, such as ABEL (Advanced Boolean Expression Language)、AHDL(Altera Hardware Description Language)、Confluence、CUPL(Cornell University Programming Language)、HDCal、JHDL (Java Hardware Description Language)、Lava、Lola、MyHDL、PALASM、RHDL(Ruby Hardware Description Language) etc., most generally use at present VHDL (Very-High-Speed, Integrated Circuit Hardware Description Language) and Verilog.Those skilled in the art also answer This understands, it is only 
necessary to method flow slightly programming in logic and is programmed into integrated circuit with above-mentioned several hardware description languages, The hardware circuit for realizing the logical method process can be readily available.
Those skilled in the art should understand that the embodiments of this specification may be provided as a method, a system or a computer program product. Therefore, one or more embodiments of this specification may take the form of a complete hardware embodiment, a complete software embodiment, or an embodiment combining software and hardware aspects. Moreover, one or more embodiments of this specification may take the form of a computer program product implemented on one or more computer-usable storage media (including but not limited to disk storage, CD-ROM, optical memory, etc.) containing computer-usable program code.
The embodiments of this specification are described with reference to flowcharts and/or block diagrams of methods, devices (systems) and computer program products according to the embodiments of this specification. It should be understood that each flow and/or block in the flowcharts and/or block diagrams, and combinations of flows and/or blocks in the flowcharts and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to the processor of a general-purpose computer, a special-purpose computer, an embedded processor or another programmable data processing device to produce a machine, so that the instructions executed by the processor of the computer or other programmable data processing device produce a device for realizing the functions specified in one or more flows of the flowchart and/or one or more blocks of the block diagram.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing device to work in a specific manner, so that the instructions stored in the computer-readable memory produce an article of manufacture including an instruction device, which realizes the functions specified in one or more flows of the flowchart and/or one or more blocks of the block diagram.
These computer program instructions may also be loaded onto a computer or other programmable data processing device, so that a series of operational steps are executed on the computer or other programmable device to produce computer-implemented processing, whereby the instructions executed on the computer or other programmable device provide steps for realizing the functions specified in one or more flows of the flowchart and/or one or more blocks of the block diagram.
In a typical configuration, a computing device includes one or more processors (CPUs), input/output interfaces, network interfaces and memory.
The memory may include non-persistent memory in a computer-readable medium, random access memory (RAM) and/or non-volatile memory such as read-only memory (ROM) or flash memory (flash RAM). Memory is an example of a computer-readable medium.
Computer-readable media include permanent and non-permanent, removable and non-removable media, and can store information by any method or technology. The information may be computer-readable instructions, data structures, program modules or other data. Examples of computer storage media include, but are not limited to, phase-change memory (PRAM), static random access memory (SRAM), dynamic random access memory (DRAM), other types of random access memory (RAM), read-only memory (ROM), electrically erasable programmable read-only memory (EEPROM), flash memory or other memory technologies, compact disc read-only memory (CD-ROM), digital versatile disc (DVD) or other optical storage, magnetic cassettes, magnetic tape or disk storage or other magnetic storage devices, or any other non-transmission medium that can be used to store information accessible by a computing device. As defined herein, computer-readable media do not include transitory media such as modulated data signals and carrier waves.
It should also be noted that the terms "include", "comprise" or any other variant thereof are intended to cover a non-exclusive inclusion, so that a process, method, article or device that includes a series of elements includes not only those elements but also other elements not explicitly listed, or elements inherent to such a process, method, article or device. In the absence of further restrictions, an element defined by the phrase "including a ..." does not exclude the presence of additional identical elements in the process, method, article or device that includes that element.
Those skilled in the art should understand that the embodiments of this specification may be provided as a method, a system or a computer program product. Therefore, one or more embodiments of this specification may take the form of a complete hardware embodiment, a complete software embodiment, or an embodiment combining software and hardware aspects. Moreover, one or more embodiments of this specification may take the form of a computer program product implemented on one or more computer-usable storage media (including but not limited to disk storage, CD-ROM, optical memory, etc.) containing computer-usable program code.
One or more embodiments of this specification may be described in the general context of computer-executable instructions, such as program modules, executed by a computer. Generally, program modules include routines, programs, objects, components, data structures, etc. that perform particular tasks or implement particular abstract data types. One or more embodiments of this specification may also be practiced in distributed computing environments, in which tasks are performed by remote processing devices connected through a communication network. In a distributed computing environment, program modules may be located in both local and remote computer storage media, including storage devices.
All embodiments in this specification are described in a progressive manner; the same or similar parts of different embodiments may be referred to each other, and each embodiment focuses on its differences from the other embodiments. In particular, since the system embodiment is substantially similar to the method embodiment, it is described relatively briefly, and the relevant parts refer to the description of the method embodiment.
The present invention controls the TLS renegotiation rate by making a simple extension to existing SIP signaling so that the TLS renegotiation rate itself can be negotiated: different renegotiation rates are assigned according to the importance level of the conference, the renegotiation rate can be updated by a further negotiation, and the scheme remains compatible both with the need for urgent renegotiation in special circumstances and with the normal video conference SIP interaction of terminals that do not support the extended field of the present invention. By supporting renegotiation, the difficulty and complexity of cracking the key are increased and the security of the TLS connection is ensured, so that the confidentiality of the communication content of both parties is strongly guaranteed during a prolonged video conference. Through application-layer SIP signaling interaction, the attributes of the encryption/decryption layer are set and the TLS renegotiation rate is controlled, removing the possibility of a DoS attack that the inherent vulnerability characteristic of TLS brings to video conferencing.
The above are only preferred embodiments of the present invention and are not intended to limit the present invention in any form; any person of ordinary skill in the art can implement the present invention as shown in the drawings and described above; however, any equivalent variations, modifications and evolutions made by those skilled in the art using the technical content disclosed above, without departing from the scope of the present invention, are equivalent embodiments of the present invention; likewise, any equivalent variations, modifications and evolutions of the above embodiments made according to the substantive technology of the present invention still fall within the protection scope of the technical solution of the present invention.

Claims (10)

1. A registration method for preventing renegotiation DoS attacks, characterized by comprising the following steps:
The conference terminal sends a registration request to the server, where the registration request is configured with a field carrying the renegotiation duration interval desired by the conference terminal;
The server receives the registration request, authenticates the conference terminal, and returns an authentication request to the conference terminal;
After the conference terminal receives the authentication request, it resends the registration request carrying the authentication information to the server for authentication; if authentication passes, the conference terminal is registered successfully and the server configures the renegotiation duration interval of this connection.
2. The registration method for preventing renegotiation DoS attacks according to claim 1, characterized by further comprising the step of:
After the conference terminal is registered successfully, the server obtains the security level of the conference terminal and configures the renegotiation duration interval of this connection according to the security level and the renegotiation duration interval desired by the conference terminal.
3. The registration method for preventing renegotiation DoS attacks according to claim 1, characterized by further comprising the step of:
The conference terminal sends a registration update request to the server, where the registration update request is configured with a field carrying the updated renegotiation duration interval, for updating the renegotiation duration interval of this connection.
4. A calling method for preventing renegotiation DoS attacks, characterized by comprising the following steps:
The calling conference terminal sends a call request to the called conference terminal, where the call request is configured with a field carrying the renegotiation duration interval desired by the calling conference terminal;
If the called conference terminal accepts this call, the renegotiation duration interval of this call connection is configured.
5. The calling method for preventing renegotiation DoS attacks according to claim 4, characterized in that the call request is also configured with the security level of the calling conference terminal; the called conference terminal confirms the security level of the calling conference terminal and configures the renegotiation duration interval of this call connection according to that security level and the renegotiation duration interval desired by the calling conference terminal.
6. The calling method for preventing renegotiation DoS attacks according to claim 5, characterized in that the renegotiation duration interval of this call connection is configured through the conference settings of the video conference MCU, or alternatively the renegotiation duration interval of this call connection is configured by the called conference terminal.
7. The calling method for preventing renegotiation DoS attacks according to any one of claims 4 to 6, characterized by further comprising the step of:
During the call, either conference terminal sends an update request to the conference terminal at the other end, where the update request is configured with a field carrying the updated renegotiation duration interval, for updating the renegotiation duration interval of this connection.
8. The calling method for preventing renegotiation DoS attacks according to claim 4 or 5, characterized by further comprising the step of:
Within the renegotiation duration interval, a conference terminal sends a message request configured with security level zero to the conference terminal at the other end, to request that the other-end conference terminal renegotiate immediately.
9. An electronic device, characterized by comprising: a processor; a memory; and a program, where the program is stored in the memory and configured to be executed by the processor, and the program comprises instructions for executing the method according to any one of claims 1 to 3 or any one of claims 4 to 8.
10. A computer-readable storage medium on which a computer program is stored, characterized in that the computer program, when executed by a processor, performs the method according to any one of claims 1 to 3 or any one of claims 4 to 8.
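Worked example added here, serving the summary of the invention above and claims 1 to 3 and 8; it is not code from the patent or its assignee. It shows a server-side policy that reads the requested interval from the extension field, clamps it by security level, enforces it against renegotiation attempts, and budgets the immediate-renegotiation request. The header name X-Renego-Interval, the per-level minimum intervals, the one-override-per-interval budget and the REGISTER message are all constructed assumptions, not values from the patent.

```python
import re

# Hypothetical minimum interval (seconds) per security level: a more
# sensitive conference (higher level) may rekey more often, but never so
# often that a peer can turn renegotiation into a CPU-exhaustion DoS.
MIN_INTERVAL_BY_LEVEL = {1: 600, 2: 300, 3: 60}

# Constructed REGISTER carrying the assumed extension field.
REGISTER = (
    "REGISTER sip:conf.example.invalid SIP/2.0\r\n"
    "From: <sip:term1@conf.example.invalid>\r\n"
    "X-Renego-Interval: 120\r\n"          # desired interval, seconds
    "Content-Length: 0\r\n\r\n"
)


def parse_requested_interval(sip_message):
    """Return the renegotiation interval the terminal asked for, or None
    when the field is absent (a terminal that predates the extension)."""
    m = re.search(r"^X-Renego-Interval:\s*(\d+)\s*$", sip_message, re.M)
    return int(m.group(1)) if m else None


def configure_interval(security_level, requested):
    """Claim 2: pick this connection's interval from the terminal's
    security level and its requested interval. The level sets a floor,
    so a peer cannot negotiate itself an arbitrarily short interval."""
    floor = MIN_INTERVAL_BY_LEVEL.get(security_level, 600)
    return floor if requested is None else max(floor, requested)


class RenegotiationGuard:
    """Applied to the TLS layer after registration: a renegotiation is
    honoured only once the configured interval has elapsed."""

    def __init__(self, security_level, requested):
        self.level = security_level
        self.interval = configure_interval(security_level, requested)
        self.last = None            # time of the last accepted handshake
        self.override_used = False  # claim-8 budget for this interval

    def update(self, requested):
        """Claims 3 and 7: a register/call update may change the interval,
        but the security-level floor still applies."""
        self.interval = configure_interval(self.level, requested)
        return self.interval

    def allow(self, now):
        """Normal path: accept the handshake only if the interval passed."""
        if self.last is None or now - self.last >= self.interval:
            self.last, self.override_used = now, False
            return True
        return False

    def request_immediate(self, now, security_level):
        """Claim 8: a message with security level 0 asks the other end to
        renegotiate at once. Assumption: honoured at most once per
        interval, so the override cannot itself be used to flood."""
        if security_level != 0 or self.override_used:
            return False
        self.last, self.override_used = now, True
        return True
```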
Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910113119.2A CN109873972B (en) 2019-02-13 2019-02-13 Registration method, calling method, medium and device for preventing renegotiation DoS attack

Publications (2)

Publication Number Publication Date
CN109873972A true CN109873972A (en) 2019-06-11
CN109873972B CN109873972B (en) 2022-02-18

Family

ID=66918698

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201910113119.2A Active CN109873972B (en) 2019-02-13 2019-02-13 Registration method, calling method, medium and device for preventing renegotiation DoS attack

Country Status (1)

Country Link
CN (1) CN109873972B (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110971862A (en) * 2019-11-04 2020-04-07 厦门亿联网络技术股份有限公司 Video conference broadcasting method and device

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1658551A (en) * 2004-02-16 2005-08-24 华为技术有限公司 Safety ability consultation method
CN102131248A (en) * 2010-01-19 2011-07-20 华为技术有限公司 Rate negotiation method, data transmission system and related equipment
US8190876B2 (en) * 2007-11-19 2012-05-29 Red Hat, Inc. Renegotiating SSL/TLS connections with client certificates on post requests
CN104137513A (en) * 2012-09-17 2014-11-05 华为技术有限公司 Protection method and device against attacks
CN104717211A (en) * 2015-02-16 2015-06-17 中国南方电网有限责任公司 Substation message analysis method based on encryption communication shared secret key management
US9712621B1 (en) * 2013-02-11 2017-07-18 Amazon Technologies, Inc. Information sharing endpoint
CN108833943A (en) * 2018-04-24 2018-11-16 苏州科达科技股份有限公司 The encrypted negotiation method, apparatus and conference terminal of code stream

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
REMY: "OpenSSL-TLS重协商" (OpenSSL TLS renegotiation), CSDN blog, URL: HTTPS://BLOG.CSDN.NET/U011130578/ARTICLE/DETAILS/77890551?FPS=1&LOCATIONNUM=7 *

Also Published As

Publication number Publication date
CN109873972B (en) 2022-02-18

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant