CN112291072B - Secure video communication method, device, equipment and medium based on management plane protocol - Google Patents


Info

Publication number
CN112291072B
CN112291072B
Authority
CN
China
Prior art keywords
server
information
equipment
video
network
Prior art date
Legal status
Active
Application number
CN202011574372.7A
Other languages
Chinese (zh)
Other versions
CN112291072A (en)
Inventor
王艳辉
陆宏成
韩杰
覃才俊
Current Assignee
Visionvera Information Technology Co Ltd
Original Assignee
Visionvera Information Technology Co Ltd
Events
Application filed by Visionvera Information Technology Co Ltd
Priority to CN202011574372.7A
Publication of CN112291072A
Application granted
Publication of CN112291072B
Legal status: Active

Classifications

    • H ELECTRICITY
      • H04 ELECTRIC COMMUNICATION TECHNIQUE
        • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
          • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; network security protocols
            • H04L 9/32 including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
              • H04L 9/3247 involving digital signatures
              • H04L 9/3263 involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; public key infrastructure [PKI] arrangements
          • H04L 63/00 Network architectures or network communication protocols for network security
            • H04L 63/08 for authentication of entities
              • H04L 63/0823 using certificates
              • H04L 63/0876 based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
            • H04L 63/10 for controlling access to devices or network resources
              • H04L 63/105 Multiple levels of security
            • H04L 63/12 Applying verification of the received information
              • H04L 63/123 received data contents, e.g. message integrity

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Power Engineering (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Two-Way Televisions, Distribution Of Moving Picture Or The Like (AREA)

Abstract

The application provides a secure video communication method, device, equipment and medium based on a management plane protocol. The method comprises the following steps: in the device query stage, obtaining security verification information sent by a server, generating first parameter information at least from the identity information of the video networking device when the security verification information is determined to match the security level of the video networking device, and feeding the first parameter information back to the server; in the device authentication stage, obtaining legality verification information sent by the server, generating second parameter information from the historical interaction information between the server and the video networking device when the server is verified to be legal according to the legality verification information, and feeding the second parameter information back to the server; in the device login stage, obtaining the information integrity identifier sent by the server, and determining that access to the video network has succeeded when the target information is verified to be complete according to the information integrity identifier.

Description

Secure video communication method, device, equipment and medium based on management plane protocol
Technical Field
The present application relates to the field of data processing technologies, and in particular, to a secure video communication method, apparatus, device, and medium based on a management plane protocol.
Background
In the video network, a device can carry out video networking services only after completing network access. When a device accesses the network, multiple interactions with a server are usually required; however, in the related art no security measure is applied to the network access interaction between the server and the device. For example, after the device sends a network access request to the server, the server directly allocates a network access address to the device and sends it to the device; receipt of the network access address by the device already counts as successful network access, and the device then carries out its services using that address. Because the network access interaction between the two parties has no security guarantee, various security risks exist, such as illegal devices joining the network and leakage of network access information. How to improve the network access security of video networking devices has therefore become an urgent problem.
Disclosure of Invention
In view of the above problems, the present application provides a secure video communication method, apparatus, device and medium based on a management plane protocol, which can effectively prevent the security risks caused by leakage of network access information and realize secure network access for video networking devices.
The application provides a secure video communication method based on a management plane protocol in a first aspect, wherein the method is applied to video networking equipment, and the method comprises the following steps:
in an equipment query phase, acquiring security verification information sent by a server, generating first parameter information at least according to identity information of video networking equipment when the security verification information is determined to be matched with the security level of the video networking equipment, and feeding the first parameter information back to the server so that the server verifies the identity of the video networking equipment according to the first parameter information, wherein the security verification information comprises one or more parameters for representing the security level of the server;
in the equipment authentication stage, obtaining legality verification information sent by the server, generating second parameter information according to historical interaction information between the server and the video network equipment when the server is verified to be legal according to the legality verification information, and feeding the second parameter information back to the server so that the server verifies the legality of the video network equipment according to the second parameter information, wherein the legality verification information at least comprises validity verification information and first verification information of the server and the video network equipment, and the validity verification information is used for verifying the validity of the legality verification information;
and in the equipment login stage, acquiring an information integrity identifier sent by the server, and determining successful network access to the video network when target information is verified to be complete information according to the information integrity identifier, wherein the information integrity identifier is used for protecting the integrity of the target information.
The second aspect of the present application provides a secure video communication apparatus based on management plane protocol, where the apparatus is applied to video networking equipment, and the apparatus includes:
the system comprises an inquiry module, a security verification module and a security verification module, wherein the inquiry module is used for acquiring security verification information sent by a server in an equipment inquiry stage, generating first parameter information at least according to identity information of video networking equipment when the security verification information is determined to be matched with the security level of the video networking equipment, and feeding the first parameter information back to the server so that the server verifies the identity of the video networking equipment according to the first parameter information, wherein the security verification information comprises one or more parameters for representing the security level of the server;
the authentication module is used for acquiring legality verification information sent by the server in an equipment authentication stage, generating second parameter information according to historical interaction information between the server and the video network equipment when the server is verified to be legal according to the legality verification information, and feeding the second parameter information back to the server so that the server verifies the legality of the video network equipment according to the second parameter information, wherein the legality verification information at least comprises validity verification information and first verification information of the server and the video network equipment, and the validity verification information is used for verifying the validity of the legality verification information;
and the login module is used for acquiring the information integrity identifier sent by the server in the equipment login stage, and determining successful network access to the video network when the target information is verified to be the complete information according to the information integrity identifier, wherein the information integrity identifier is used for protecting the integrity of the target information.
A third aspect of the embodiments of the present application provides an electronic device, including a memory, a processor, and a computer program stored in the memory and executable on the processor, where the processor implements the steps of the secure video communication method based on the management plane protocol according to the first aspect of the present application when executing the method.
A fourth aspect of the embodiments of the present application provides a computer-readable storage medium, on which a computer program is stored, which when executed by a processor, implements the steps in the management plane protocol-based secure video communication method according to the first aspect of the present application.
According to the secure video communication method based on the management plane protocol, the video networking device completes network access by passing sequentially through a device query stage, a device authentication stage and a device login stage. Specifically, in the device query stage, the video networking device obtains the security verification information sent by the server, checks according to that information whether its own security level matches the security level of the server, and, when the two match, generates first parameter information and feeds it back to the server. After the server has verified from the first parameter information that the identity of the video networking device is correct, it enters the device authentication stage and sends legality verification information to the video networking device; when the video networking device verifies from the legality verification information that the server is legal, it generates second parameter information and feeds it back to the server. After the server has verified from the second parameter information that the video networking device is legal, it enters the device login stage and sends an information integrity identifier to the video networking device; the video networking device verifies the integrity of the target information according to the information integrity identifier, and when the target information is complete, network access of the video networking device is determined to have succeeded.
By the method, the identity and the legality of the other side are continuously mutually verified at each stage of the network access interaction process of the video networking equipment and the server, potential safety hazards caused by network access information leakage can be effectively prevented, the security of the interaction process is greatly improved, and the safe network access of the video networking equipment is realized.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present application, the drawings used in the description of the embodiments of the present application will be briefly described below.
FIG. 1 is a schematic diagram of an implementation environment shown in an embodiment of the present application;
fig. 2 is a flowchart illustrating a secure network access method based on a management plane protocol according to an embodiment of the present application;
FIG. 3 is a diagram illustrating a frame structure of a video networking security management protocol according to an embodiment of the present application;
fig. 4 is an interaction diagram of a secure network access method based on a management plane protocol according to an embodiment of the present application;
fig. 5 is a block diagram illustrating a secure network access device based on a management plane protocol according to an embodiment of the present application;
FIG. 6 is a schematic networking diagram of a video network, according to an embodiment of the present application;
fig. 7 is a schematic diagram illustrating a hardware structure of a node server according to an embodiment of the present application;
fig. 8 is a schematic diagram illustrating a hardware structure of an access switch according to an embodiment of the present application;
fig. 9 is a schematic diagram of a hardware structure of an ethernet protocol conversion gateway according to an embodiment of the present application.
Detailed Description
The technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are some, but not all, embodiments of the present application. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
Fig. 1 is a schematic diagram of an implementation environment according to an embodiment of the present application. In fig. 1, a server may be communicatively connected to a plurality of video networking devices (video networking device 1 to video networking device N), and each video networking device may complete the network access process through the server. After a video networking device has successfully accessed the network, video networking services can be carried out. The server may be a network management server, a conference management server, an autonomous server, a core switching server or the like in the video network, and the video networking device may be a video networking terminal, a monitoring access server, a monitoring sharing server, a storage server, a video networking routing device or the like.
The application provides a network access method that applies to any one of the video networking devices in fig. 1. Fig. 2 is a flowchart of a secure network access method based on a management plane protocol according to an embodiment of the present application. Referring to fig. 2, the secure network access method of the present application may include the following steps:
step S21: in the equipment query stage, security verification information sent by a server is obtained, when the security verification information is determined to be matched with the security level of the video networking equipment, first parameter information is generated at least according to the identity information of the video networking equipment, and the first parameter information is fed back to the server, so that the server verifies the identity of the video networking equipment according to the first parameter information, wherein the security verification information comprises one or more parameters used for representing the security level of the server.
In this embodiment, the process by which a video networking device accesses the video network mainly comprises three stages, namely a device query stage, a device authentication stage and a device login stage; only after the verification of all three stages has passed has the video networking device successfully accessed the video network.
In the equipment inquiry phase, the server firstly sends security verification information to the video network equipment which is not accessed to the network, wherein the security verification information mainly comprises parameters for representing the security level of the server. After the video network equipment receives the security verification information, the parameters carried in the security verification information are compared with corresponding parameters which are stored by the video network equipment and used for representing the security level of the video network equipment, so that whether the security level of the video network equipment is matched with the security level of the server or not is checked. The security verification information may be one or multiple parameters, and the parameters representing the security level of the server may be of multiple types, and may be specifically set according to actual requirements, which is not specifically limited in this embodiment.
Illustratively, when the security verification information carries the first type of parameter and the second type of parameter, the video network device compares the first type of parameter in the security verification information with the first type of parameter of the video network device, compares the second type of parameter in the security verification information with the second type of parameter of the video network device, and determines that the security level of the video network device is matched with the security level of the server when the two are matched.
After determining that the security level of the video networking device matches the security level of the server, the video networking device generates the first parameter information according to the identity information of the video networking device, where the identity information of the video networking device may adopt any information that can characterize the characteristics of the video networking device, such as an address, a device identifier, a device certificate, and the like of the video networking device, and the identity is not specifically limited in this embodiment.
The video networking device then sends the generated first parameter information to the server so that the server verifies the identity of the video networking device according to it. Specifically, the server verifies whether each item of the first parameter information is accurate. If any item fails verification, the identity of the video networking device is incorrect and the server returns a verification-failed message to the video networking device; otherwise, if every item is accurate, the identity of the video networking device is correct, that is, it has passed identity verification, and the server enters the device authentication stage.
Step S22: in the equipment authentication stage, legality verification information sent by a server is obtained, when the server is verified to be legal according to the legality verification information, second parameter information is generated according to historical interaction information between the server and the video network equipment, and the second parameter information is fed back to the server, so that the server verifies the legality of the video network equipment according to the second parameter information, wherein the legality verification information at least comprises first validity verification information and first verification information of the server and the video network equipment, and the first validity verification information is used for verifying the validity of the legality verification information.
In this embodiment, after verifying that the identity of the video networking device passes, the server sends validity verification information to the video networking device, where the validity verification information carries first verification information of the server, the first verification information of the video networking device, and the first validity verification information.
After the video network equipment receives the validity verification information, the validity of the validity verification information is verified according to the first validity verification information, if the verification result is valid, the video network equipment continues to verify the first verification information of the server and the first verification information of the video network equipment so as to verify whether the server is legal or not. The first verification information of the server may adopt any information that can characterize the characteristics of the server, such as an address of the server, a server identifier, and the like, and the first verification information of the video networking device may adopt any information that can characterize the characteristics of the video networking device, such as an address of the video networking device, a device identifier, a device certificate, and the like, which is not limited in this embodiment.
And if the server is legal, the video network equipment generates second parameter information according to the historical interaction information between the server and the video network equipment. The video network device may generate the second parameter information according to any key information extracted from the historical interaction information, for example, a server identifier, a device identifier of the video network device, and the like, which is not limited in this embodiment specifically.
The video networking device then sends the second parameter information to the server so that the server verifies the legality of the video networking device according to it. Specifically, the server verifies whether each item of the second parameter information is accurate. If any item fails verification, the video networking device may be an illegal device (for example, a device carrying a virus) and the server returns a verification-failed message to the video networking device; otherwise, if every item is accurate, the video networking device is a legal device and the server enters the device login stage.
Step S23: in the device login stage, obtaining an information integrity identifier sent by the server, and determining that access to the video network has succeeded when the target information is verified to be complete according to the information integrity identifier, wherein the information integrity identifier is used to protect the integrity of the target information.
In this embodiment, the information integrity identifier is a value obtained by computing a preset algorithm over the target information, and the target information is mainly the key information sent by the server to the video networking device. Illustratively, when the server prepares to transmit a piece of data (the target information) to the video networking device, then in order to ensure the integrity of the data received by the video networking device the server may compute over that data with a calculation formula negotiated in advance with the video networking device, use the result as the information integrity identifier, and encapsulate the data together with the information integrity identifier in one data packet. After the video networking device receives the packet, it computes over the data with the same formula negotiated in advance with the server; if its result equals the information integrity identifier, the received data is complete.
In the device login stage in this embodiment, the interaction information between the server and the video network device may carry an information integrity identifier, thereby ensuring that the information received by both parties is complete each time. Certainly, in actual implementation, in the device query stage and the device authentication stage, the information integrity identifier may also be carried in the interaction information between the server and the video network device, and may be selectively set according to actual requirements, which is not specifically limited in this embodiment.
In specific implementation, the video network device receives a data packet sent by the server at the device login stage, obtains target information and an information integrity identifier from the data packet, calculates the target information according to a calculation formula negotiated with the server in advance, and if the calculation result is the same as the information integrity identifier, the target information is complete. Since the target information contains information required by the video networking equipment for carrying out the video networking service, the video networking equipment can already carry out the video networking service according to the complete target information, namely the video networking equipment is successfully accessed into the video networking.
In this embodiment, the video networking device completes network access by passing sequentially through a device query stage, a device authentication stage and a device login stage. Specifically, in the device query stage, the video networking device obtains the security verification information sent by the server, checks according to that information whether its own security level matches the security level of the server, and, when the two match, generates first parameter information and feeds it back to the server. After the server has verified from the first parameter information that the identity of the video networking device is correct, it enters the device authentication stage and sends legality verification information to the video networking device; when the video networking device verifies from the legality verification information that the server is legal, it generates second parameter information and feeds it back to the server. After the server has verified from the second parameter information that the video networking device is legal, it enters the device login stage and sends an information integrity identifier to the video networking device; the video networking device verifies the integrity of the target information according to the information integrity identifier, and when the target information is complete, network access of the video networking device is determined to have succeeded.
By the method, the identity and the legality of the other side are continuously verified mutually at each stage of the network access interaction process of the video networking equipment and the server, the verification purposes and effects at each stage are different, potential safety hazards caused by network access information leakage can be effectively prevented, the security of the interaction process is greatly improved, and the safe network access of the video networking equipment is realized.
With reference to the foregoing embodiment, in an implementation manner, the present application further provides a method for acquiring security verification information sent by a server, which may specifically include the following steps:
receiving a network access equipment query message sent by a server, and extracting security verification information from the network access equipment query message;
on the basis, feeding back the first parameter information to the server may include:
sending a response message to the server in response to the network access device query message, where the response message carries the first parameter information.
In this embodiment, in the device query phase, the server may send a network access device query message to the video network device, where the message carries the security verification information. After the video networking equipment receives the network access equipment query message, the security verification information is extracted from the network access equipment query message.
When it is determined that the security verification information is matched with the security level of the video networking device, the video networking device may send a network access device query response message to the server in response to the network access device query message, where the network access device query response message carries the first parameter information. After receiving the network access device query response message, the server may extract the first parameter information from the network access device query response message.
In combination with the above embodiments, in one implementation, the security verification information includes at least any one or more of the following parameters: a security protocol version number, device cryptographic capabilities, and a suite of algorithms. On the basis, the application also provides a method for verifying whether the security verification information is matched with the security level of the video networking equipment. Specifically, the method may comprise the steps of:
verifying, according to each parameter carried in the security verification information, whether the security level of the video networking device is consistent with that of the server, and if so, determining that the security verification information matches the security level of the video networking device.
In this embodiment, the security protocol version number refers to a version number of a video networking protocol currently used by the server, the device cryptographic capability refers to a cryptographic capability level of the server, and the algorithm suite refers to an algorithm used in the server to verify each item of verification information.
In this embodiment, the security verification information may carry one or more parameters, set according to actual requirements. For example, when the security verification information carries the device cryptographic capability of the server, the video networking device compares it with its own device cryptographic capability, and if the two are consistent, the security level of the server matches that of the video networking device.
As a further example, when the security verification information carries the security protocol version number, the device cryptographic capability and the algorithm suite of the server, the video networking device compares the server's security protocol version number with its own, the server's device cryptographic capability with its own, and the server's algorithm suite with its own; if all three comparisons are consistent, the security level of the server matches that of the video networking device.
Besides exact consistency, the security protocol version number also passes verification if the server's security protocol version is compatible with that of the video networking device; likewise, the device cryptographic capability also passes verification if the server's device cryptographic capability is compatible with that of the video networking device.
In this embodiment, the video networking device verifies the security verification information sent by the server, so that the video networking access process is only performed under the condition that the security levels of the video networking device and the security verification information are matched, and the security of the network access environment is further ensured.
With reference to the foregoing embodiment, in an implementation manner, the present application further provides a method for generating first parameter information according to identity information of a video networking device, which may specifically include the following steps:
generating first parameter information according to the security verification information, second verification information of the server and the video networking equipment and second validity verification information; and the second validity verification information is used for verifying the validity of the first parameter information, and is obtained according to the interaction information of the server and the video network equipment in the equipment inquiry stage and the information prestored in the video network equipment.
In this embodiment, the video networking device may obtain the security verification information, the second verification information of the server and the second verification information of the video networking device from its historical interaction information with the server and from the pre-stored information. It then generates the second validity verification information from the security verification information, the second verification information of the server and the second verification information of the video networking device with a preset algorithm. Finally, the video networking device generates the first parameter information from the security verification information, the second verification information of the server, the second verification information of the video networking device and the second validity verification information.
After receiving the second validity verification information, the server may verify the validity of the first parameter information according to the second validity verification information, and if the verification result is valid, continue to perform the subsequent steps.
The second verification information of the server may adopt any information that can characterize the characteristics of the server, such as an address of the server, a server identifier, and the like, and the second verification information of the video networking device may adopt any information that can characterize the characteristics of the video networking device, such as an address of the video networking device, a device identifier, a device certificate, and the like, which is not limited in this embodiment.
In one embodiment, the second verification information includes dynamic verification information and static verification information. On this basis, generating the first parameter information according to the security verification information, the second verification information of the server and the video networking device, and the second validity verification information may include the following steps:
acquiring a random number of a server as dynamic verification information of the server;
generating a random number of the video networking equipment, and taking the generated random number as dynamic verification information of the video networking equipment;
acquiring an identifier of a server as static verification information of the server;
acquiring a device certificate of the video network device as static verification information of the video network device;
carrying out encryption operation on the security verification information, the random numbers of the server and the video networking equipment and the identification of the server to obtain a first digital signature, and taking the first digital signature as second validity verification information;
combining the security verification information, the random numbers of the server and the video networking device, the identifier of the server, the first digital signature and the device certificate of the video networking device into the first parameter information.
In this embodiment, a random number may be employed as the dynamic authentication information. The video network device can obtain the random number of the server from the network access device inquiry message sent by the server, and the random number of the server is used as the dynamic verification information of the server. Meanwhile, the video network equipment generates a random number as dynamic verification information of the video network equipment when responding to the network access equipment inquiry message.
In each of the three network access stages of the present application, the server and the video networking device may each generate a random number whenever they interact. For example, the server may carry the random number it generated in the network access device query message sent to the video networking device; when the video networking device responds with the network access device query response message, that message carries both the random number generated by the server and the random number generated by the device. In the next stage, the server carries a newly generated random number in the message it sends to the device, the device again generates a new random number of its own in its response, and so on. That is, in each of the three stages the server and the video networking device generate different random numbers. The random numbers of the present application therefore serve as nonces that ensure a message is not replayed.
In this embodiment, in order to enable the server to verify the video networking device relatively comprehensively, the first parameter information may also carry the static verification information of the server and the static verification information of the video networking device. The identifier of the server can serve as the static verification information of the server, and the device certificate of the video networking device as the static verification information of the device. The identifier of the server may be obtained from the network access device query message, and the device certificate may be obtained from the information pre-stored in the video networking device.
Then the video networking device performs an encryption operation over the security verification information, the random number of the server, the random number of the video networking device and the identifier of the server to obtain a first digital signature, which is used as the second validity verification information. The encryption operation may be any operation that computes a digital signature; this embodiment does not specifically limit it.
Finally, the video networking device combines the security verification information, the random numbers of the server and the video networking device, the identifier of the server, the first digital signature and the device certificate of the video networking device into the first parameter information, writes the first parameter information into the network access device query response message, and sends that message to the server.
In this embodiment, when the video networking device generates the first parameter information for the server to verify the identity of the video networking device, the first parameter information not only relates to the respective dynamic verification information of the server and the video networking device, but also relates to the respective static verification information of the server and the video networking device, so that the coverage of the verification information is improved, the server can comprehensively verify the video networking device, and the security of a network access environment is ensured.
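The device-side logic of the device query stage, as an added Python example that is not code from the patent or its assignee: the security-level matching of the earlier paragraphs (version number, device cryptographic capability, algorithm suite, with the compatibility cases) followed by the assembly of the first parameter information described above. The compatibility rules (equal major version; device capability level at or above the server's), the use of HMAC-SHA256 under a pre-shared device key as a stand-in for the unspecified signature primitive, and all sample values are assumptions. A server-side check of the returned first parameter information is included so that the role of the echoed server nonce and the signature is visible.

```python
import hashlib
import hmac
import os

# Constructed sample configuration of the video networking device (not from the patent).
DEVICE = {
    "security_info": {"protocol_version": (1, 3), "crypto_capability": 2,
                      "algorithm_suite": "HMAC-SHA256"},
    "certificate": b"DEVICE-CERT-PLACEHOLDER",
}
# Assumption: the server can resolve a per-device verification key from the
# device certificate; a pre-shared key plays that role in this example.
DEVICE_KEY = b"constructed-device-key-0001"


def security_level_matches(server_info, device_info):
    """Device query stage: compare the server's security verification information
    with the device's own.  Assumed compatibility rules: an equal major protocol
    version is compatible, a device cryptographic capability level at or above the
    server's is compatible, and the algorithm suite must match exactly."""
    if server_info["protocol_version"][0] != device_info["protocol_version"][0]:
        return False
    if device_info["crypto_capability"] < server_info["crypto_capability"]:
        return False
    return server_info["algorithm_suite"] == device_info["algorithm_suite"]


def encode(*fields):
    """Length-prefix every field so the signed byte string is unambiguous."""
    bs = [f if isinstance(f, bytes) else str(f).encode() for f in fields]
    return b"".join(len(b).to_bytes(2, "big") + b for b in bs)


def sec_info_bytes(info):
    """Canonical encoding of the security verification information."""
    major, minor = info["protocol_version"]
    return encode(major, minor, info["crypto_capability"], info["algorithm_suite"])


def sign(key, *fields):
    # The patent leaves the "encryption operation" open; HMAC-SHA256 under the
    # device key stands in for the digital signature here (assumption).
    return hmac.new(key, encode(*fields), hashlib.sha256).digest()


def build_first_parameter_info(query_msg, device=DEVICE, device_key=DEVICE_KEY):
    """Device side: check the query message, then assemble the first parameter
    information for the query response.  Also returns the device nonce, which
    the device must remember for the device authentication stage."""
    sec_info = query_msg["security_verification_info"]
    if not security_level_matches(sec_info, device["security_info"]):
        raise ValueError("security level mismatch: network access aborted")
    server_nonce = query_msg["server_nonce"]   # server dynamic verification info
    device_nonce = os.urandom(16)              # device dynamic verification info
    server_id = query_msg["server_id"]         # server static verification info
    first_signature = sign(device_key, sec_info_bytes(sec_info),
                           server_nonce, device_nonce, server_id)
    first_param = {
        "security_verification_info": sec_info,
        "server_nonce": server_nonce,
        "device_nonce": device_nonce,
        "server_id": server_id,
        "first_signature": first_signature,          # second validity verification info
        "device_certificate": device["certificate"],  # device static verification info
    }
    return first_param, device_nonce


def server_verify_first_parameter_info(first_param, sent_nonce, own_id, device_key=DEVICE_KEY):
    """Server side: the echoed server nonce must be the one just sent (a stale
    nonce means a replayed response), the server id must be the server's own,
    and the signature must verify over the same fields the device signed."""
    if first_param["server_nonce"] != sent_nonce or first_param["server_id"] != own_id:
        return False
    expected = sign(device_key, sec_info_bytes(first_param["security_verification_info"]),
                    first_param["server_nonce"], first_param["device_nonce"],
                    first_param["server_id"])
    return hmac.compare_digest(expected, first_param["first_signature"])


def make_query_message(server_info, server_id=b"SERVER-01"):
    """Constructed network access device query message as the server would send it."""
    return {"security_verification_info": server_info, "server_id": server_id,
            "server_nonce": os.urandom(16)}
```

The length-prefixed encoding matters: concatenating variable-length fields without delimiters would let two different field splits produce the same signed string. The server's check rejects a response whose server nonce is not the one it just issued, which is what makes the per-stage random numbers work as nonces.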
With reference to the foregoing embodiment, in an implementation manner, the obtaining the validity verification information sent by the server may include:
receiving a network access device authentication message sent by the server, and extracting the validity verification information from the network access device authentication message.
On the basis, the second parameter information is fed back to the server, and the method comprises the following steps:
and sending a response message responding to the network access equipment authentication message to the server, wherein the response message carries the second parameter information.
In this embodiment, in the device authentication stage, the server may send a network access device authentication message to the video networking device, where the message carries the validity verification information. After receiving the network access device authentication message, the video networking device extracts the validity verification information from it.
When the server has been verified as legal according to the validity verification information, the video networking device may respond to the network access device authentication message by sending a network access device authentication response message to the server, where that response message carries the second parameter information. After receiving the response message, the server may extract the second parameter information from it.
In combination with the above embodiments, in one implementation, in the device authentication phase, the first verification information may include two types, that is, dynamic verification information and static verification information. On the basis, the application also provides a method for verifying the server to be legal according to the legality verification information. Specifically, the method may comprise the steps of:
verifying whether the validity verification information is valid according to the first validity verification information;
when the validity verification information is valid, verifying whether the dynamic verification information and the static verification information of the video networking device are consistent with the corresponding information stored in the video networking device, and if so, determining that the server is a legal server.
In the application, the first verification information in the device authentication phase and the second verification information in the device query phase both include two types of dynamic verification information and static verification information, but the specific contents of the two types of dynamic verification information and static verification information are different.
After receiving the validity verification information, the video networking device first verifies whether the validity verification information is valid according to the first validity verification information it contains. When the result is valid, the device further verifies whether the dynamic verification information and the static verification information of the video networking device are consistent with the corresponding information stored in the device, and if so, determines that the server is a legal server.
In one embodiment, the first validity verification information is a second digital signature, the dynamic verification information of the server is a random number of the server, the dynamic verification information of the video network device is a random number of the video network device, and the static verification information of the video network device includes an identifier and a device certificate of the video network device.
On this basis, verifying whether the validity verification information is valid according to the first validity verification information may include:
carrying out encryption calculation on respective random numbers of the server and the video networking equipment and the identification of the video networking equipment;
if the calculation result is the same as the second digital signature, determining that the validity verification information is valid.
Correspondingly, verifying whether the dynamic verification information and the static verification information of the video network equipment are consistent with the corresponding information stored in the video network equipment, comprises the following steps:
verifying whether the random number of the video networking device, the identifier of the video networking device and the device certificate are consistent with the corresponding information stored in the video networking device.
In this embodiment, the random number of the server in the first verification information differs from the random number of the server in the second verification information of the device query stage, while the random number of the video networking device is the one the device carried in the network access query response message.
The video networking device performs the encryption calculation over the random numbers of the server and the video networking device and the identifier of the video networking device according to the signature calculation method negotiated with the server in advance; if the result is the same as the second digital signature, the validity verification information can be determined to be valid.
Then the video networking device verifies whether the received random number of the video networking device is the same as the one it carried in the network access query response message, whether the received identifier of the video networking device is the same as its own identifier, and whether the received device certificate is the same as the device certificate stored in the video networking device; if all three checks pass, the server can be determined to be a legal server.
In the embodiment, the video networking equipment verifies the legality verification information to ensure the legality of the server, so that the illegal server can be prevented from stealing the networking information, and the security of the networking environment is improved.
With reference to the above embodiment, in an implementation, generating the second parameter information according to the respective historical interaction information of the server and the video network device may include:
carrying out message authentication code calculation on respective random numbers of the server and the video networking equipment, the identification of the video networking equipment and the identification of the server; and determining the calculation result as second parameter information.
In this embodiment, the video networking device generates a new random number for itself, different from the random number of the video networking device in the network access query response message. Then the video networking device performs a MAC (Message Authentication Code) calculation over the random number of the server from the validity verification information, the new random number of the video networking device, the identifier of the video networking device and the identifier of the server, and uses the result as the second parameter information.
Then, in response to the network access device authentication message, the video networking device sends a network access device authentication response message to the server, where that message carries the second parameter information, the new random number of the video networking device, the random number of the server from the validity verification information, the identifier of the video networking device and the identifier of the server.
The second parameter information can be understood as an information integrity identifier in the device authentication phase, and is used for protecting the integrity of the random number of the server, the random number of the new video network device, the identifier of the video network device and the identifier of the server in the validity verification information.
In this embodiment, the video networking device generates the second parameter information according to the historical interaction information with the server, so that the server can verify the validity of the video networking device according to the second parameter information, and the secure network access of the video networking device is ensured.
With reference to the foregoing embodiment, in an implementation manner, the validity verification information further carries a connection key. On this basis, the method further comprises:
performing key dispersion on the connection key to obtain a connection sub-key.
Correspondingly, performing the message authentication code calculation over the random numbers of the server and the video networking device, the identifier of the video networking device and the identifier of the server includes the following step:
performing the message authentication code calculation over the random numbers of the server and the video networking device, the identifier of the video networking device and the identifier of the server using the connection sub-key.
In this embodiment, the server issues the connection key to the video networking device through the validity verification information, and the video networking device may perform key dispersion on the connection key in any key dispersion manner, that is, derive a connection sub-key from it. The video networking device then performs the MAC calculation over the random numbers of the server and the video networking device, the identifier of the video networking device and the identifier of the server under the connection sub-key to obtain the second parameter information.
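The device authentication stage on the device side, as an added Python example that is not code from the patent or its assignee. It covers both the legality verification described a few paragraphs earlier (checking the second digital signature, then the echoed device random number, device identifier and device certificate against what the device holds) and the generation of the second parameter information under a connection sub-key described just above. Assumptions: HMAC-SHA256 stands in for the unspecified signature method, key dispersion is done as HMAC of the connection key with the device identifier as dispersion data, and all keys, identifiers and nonces are constructed sample values. A server-side check of the second parameter information is included.

```python
import hashlib
import hmac
import os

# Constructed device state left over from the device query stage (not from the patent).
DEVICE_STATE = {
    "device_id": b"DEV-0001",
    "device_certificate": b"DEVICE-CERT-PLACEHOLDER",
    "server_id": b"SERVER-01",
    "device_nonce": bytes.fromhex("00112233445566778899aabbccddeeff"),  # sent in query response
}
# Assumption: the device holds a key under which it can check the server's
# signature; HMAC-SHA256 stands in for the unspecified signature primitive.
SERVER_SIGNING_KEY = b"constructed-server-key-0001"


def encode(*fields):
    """Length-prefix every field so the authenticated byte string is unambiguous."""
    bs = [f if isinstance(f, bytes) else str(f).encode() for f in fields]
    return b"".join(len(b).to_bytes(2, "big") + b for b in bs)


def mac(key, *fields):
    return hmac.new(key, encode(*fields), hashlib.sha256).digest()


def derive_connection_subkey(connection_key, device_id):
    """Key dispersion: derive a per-device sub-key from the issued connection key.
    The patent allows any dispersion method; HMAC with the device id as
    dispersion data is the assumed choice here."""
    return mac(connection_key, b"connection-subkey", device_id)


def verify_server_legality(auth_msg, state=DEVICE_STATE, server_key=SERVER_SIGNING_KEY):
    """Device authentication stage, device side.  True only if the second digital
    signature verifies (first validity verification info) and the echoed device
    nonce, device id and device certificate equal what the device itself holds."""
    expected_sig = mac(server_key, auth_msg["server_nonce"],
                       auth_msg["device_nonce"], auth_msg["device_id"])
    if not hmac.compare_digest(expected_sig, auth_msg["second_signature"]):
        return False
    return (hmac.compare_digest(auth_msg["device_nonce"], state["device_nonce"])
            and auth_msg["device_id"] == state["device_id"]
            and auth_msg["device_certificate"] == state["device_certificate"])


def build_authentication_response(auth_msg, state=DEVICE_STATE):
    """Produce the network access device authentication response message.
    Raises if the server is not legal, so nothing is answered to a rogue server."""
    if not verify_server_legality(auth_msg, state):
        raise ValueError("server failed legality verification")
    subkey = derive_connection_subkey(auth_msg["connection_key"], state["device_id"])
    new_device_nonce = os.urandom(16)       # fresh device nonce for this stage
    second_param = mac(subkey, auth_msg["server_nonce"], new_device_nonce,
                       state["device_id"], state["server_id"])
    response = {
        "server_nonce": auth_msg["server_nonce"],
        "device_nonce": new_device_nonce,
        "device_id": state["device_id"],
        "server_id": state["server_id"],
        "second_parameter_info": second_param,  # MAC protecting the four fields above
    }
    return response, subkey


def server_verify_second_parameter_info(response, sent_nonce, connection_key):
    """Server side: reject a stale server nonce, then recompute the sub-key and MAC."""
    if response["server_nonce"] != sent_nonce:
        return False
    subkey = derive_connection_subkey(connection_key, response["device_id"])
    expected = mac(subkey, response["server_nonce"], response["device_nonce"],
                   response["device_id"], response["server_id"])
    return hmac.compare_digest(expected, response["second_parameter_info"])


def make_authentication_message(state=DEVICE_STATE, server_key=SERVER_SIGNING_KEY):
    """Constructed network access device authentication message from a legal server."""
    server_nonce = os.urandom(16)
    return {
        "server_nonce": server_nonce,
        "device_nonce": state["device_nonce"],
        "device_id": state["device_id"],
        "device_certificate": state["device_certificate"],
        "second_signature": mac(server_key, server_nonce, state["device_nonce"], state["device_id"]),
        "connection_key": os.urandom(32),
    }
```

Checking the signature before anything else means a message from a server that does not hold the signing key is dropped before the device spends a fresh nonce or derives a sub-key from an attacker-supplied connection key. Comparing the echoed device nonce with the stored one is what ties this message to the device's own query response.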
With reference to the foregoing embodiment, in an implementation manner, the present application further provides a method for obtaining an information integrity identifier sent by a server, which may specifically include:
receiving a network access device login message sent by the server, and extracting the information integrity identifier from the network access device login message.
In this embodiment, in the device login phase, the server may send a network access device login message to the video network device, where the message carries the information integrity identifier. After the video networking equipment receives the network access equipment login message, the information integrity identifier is extracted from the network access equipment login message.
In combination with the above embodiments, in one implementation, the target information includes: the random numbers of the server and the video network equipment, the identification of the server and the video network equipment and the video network address are extracted from the login message of the network access equipment. On the basis, the application also provides a method for verifying the integrity of the target information. Specifically, the method may include:
carrying out message authentication code calculation on respective random numbers of the server and the video network equipment, respective identifications of the server and the video network equipment and video network addresses;
when the calculation result is the same as the information integrity identifier, determining that the target information is complete.
In this embodiment, the network access device login message carries the random numbers of the server and the video networking device, the identifiers of the server and the video networking device, the video network address and the information integrity identifier. The video networking device performs the message authentication code calculation over the random numbers of the server and the video networking device, the identifiers of the server and the video networking device and the video network address in the login message, and if the result is the same as the information integrity identifier, the target information received by the device is complete.
The video network address is the address the server allocates to the video networking device once it has accessed the network, and the device uses it for its subsequent video networking services.
In this embodiment, the integrity of the received target information is verified, so that the video networking device can perform video networking services according to the complete target information.
With reference to the foregoing embodiment, in an implementation manner, when it is determined that the video network has been accessed successfully, the method of the present application may further include:
carrying out message authentication code calculation on respective random numbers, video networking addresses and network access equipment login messages of the server and the video networking equipment to obtain message authentication codes;
feeding back to the server a response message that responds to the network access device login message, where the response message carries a message authentication code used for the interaction between the video networking device and the server after the device has successfully accessed the network.
In this embodiment, after determining to access the network, the video networking device may further perform MAC operation according to a random number newly generated by the video networking device, the random number of the server in the network access device login message, the video networking address, and the network access device login message, to obtain the message authentication code. And then responding to the login message of the network access equipment, and feeding back a login response message of the network access equipment to the server, wherein the message carries a message authentication code, a random number newly generated by the video network equipment, the random number of the server in the login message of the network access equipment, a video network address and the login message of the network access equipment. After receiving the login response message of the network access equipment, the server verifies the message authentication code, if the verification is passed, the server determines that the video network equipment obtains a correct video network address, the network access is successful, and in the subsequent step, the server can interact with the video network equipment based on the correct video network address.
In one embodiment, the video network device can also perform message authentication code calculation on the random numbers, the video network addresses and the network access device login messages of the server and the video network device respectively by using the connection sub-key obtained in the device authentication phase. Of course, the video network device may also perform the message authentication code calculation by using another key negotiated with the server in advance, and this embodiment is not particularly limited to this.
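The device login stage, as an added Python example that is not code from the patent or its assignee: the device checks the information integrity identifier over the target information (random numbers, identifiers, video network address) under the connection sub-key, and only then builds the login response whose message authentication code covers a fresh device random number, the server random number, the address and the whole login message. Assumptions: HMAC-SHA256 is the MAC, the login message is serialised with a length-prefixed encoding, and the sub-key, identifiers, nonces and address are constructed sample values. The server-side check of the login response, which is how the server concludes the device holds the correct address, is included.

```python
import hashlib
import hmac
import os

# Constructed state carried over from the device authentication stage (not from the patent).
DEVICE_STATE = {
    "device_id": b"DEV-0001",
    "server_id": b"SERVER-01",
    "device_nonce": bytes.fromhex("ffeeddccbbaa99887766554433221100"),  # sent in auth response
    "connection_subkey": b"constructed-connection-subkey-32b",
}


def encode(*fields):
    """Length-prefix every field so the authenticated byte string is unambiguous."""
    bs = [f if isinstance(f, bytes) else str(f).encode() for f in fields]
    return b"".join(len(b).to_bytes(2, "big") + b for b in bs)


def mac(key, *fields):
    return hmac.new(key, encode(*fields), hashlib.sha256).digest()


def login_message_bytes(msg):
    """Canonical encoding of the login message, as covered by the response MAC."""
    return encode(msg["server_nonce"], msg["device_nonce"], msg["server_id"],
                  msg["device_id"], msg["video_network_address"], msg["integrity_id"])


def verify_target_information(login_msg, state=DEVICE_STATE):
    """Device login stage, device side: the target information is complete only if
    the MAC recomputed under the connection sub-key equals the information
    integrity identifier.  The echoed device nonce must also be the one the
    device sent in its authentication response."""
    if not hmac.compare_digest(login_msg["device_nonce"], state["device_nonce"]):
        return False
    expected = mac(state["connection_subkey"], login_msg["server_nonce"],
                   login_msg["device_nonce"], login_msg["server_id"],
                   login_msg["device_id"], login_msg["video_network_address"])
    return hmac.compare_digest(expected, login_msg["integrity_id"])


def build_login_response(login_msg, state=DEVICE_STATE):
    """After successful access: MAC a fresh device nonce, the server nonce, the
    address and the whole login message, and return the login response."""
    if not verify_target_information(login_msg, state):
        raise ValueError("target information incomplete: login rejected")
    new_device_nonce = os.urandom(16)
    code = mac(state["connection_subkey"], login_msg["server_nonce"], new_device_nonce,
               login_msg["video_network_address"], login_message_bytes(login_msg))
    return {
        "server_nonce": login_msg["server_nonce"],
        "device_nonce": new_device_nonce,
        "video_network_address": login_msg["video_network_address"],
        "login_message": login_msg,
        "message_authentication_code": code,
    }


def server_verify_login_response(response, sent_nonce, assigned_address, subkey):
    """Server side: a valid MAC shows the device holds exactly the address the
    server assigned; a stale server nonce or a different address is rejected."""
    if response["server_nonce"] != sent_nonce or response["video_network_address"] != assigned_address:
        return False
    expected = mac(subkey, response["server_nonce"], response["device_nonce"],
                   response["video_network_address"], login_message_bytes(response["login_message"]))
    return hmac.compare_digest(expected, response["message_authentication_code"])


def make_login_message(address, state=DEVICE_STATE):
    """Constructed network access device login message from the server."""
    server_nonce = os.urandom(16)
    msg = {"server_nonce": server_nonce, "device_nonce": state["device_nonce"],
           "server_id": state["server_id"], "device_id": state["device_id"],
           "video_network_address": address}
    msg["integrity_id"] = mac(state["connection_subkey"], server_nonce, state["device_nonce"],
                              state["server_id"], state["device_id"], address)
    return msg
```

Because the response MAC covers the full login message (including its integrity identifier), the server's check also confirms that the login message reached the device unmodified, not just that the device knows some address.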
With reference to the foregoing embodiments, in one implementation manner, the frame structure of the various response messages sent by the terminal device includes an exchange protocol header, a common message header, a management message header and a management message payload, where the management message payload includes a plurality of information element fields that are used to carry at least one or more of identity authentication information, key management information, handshake interaction information and a message authentication code.
The interaction between the server and the video networking equipment at each stage in the application can be carried out based on a video networking safety management protocol. In other words, the network access device query message, the response message of the network access device query message, the network access device authentication message, the response message of the network access device authentication message, the network access device login message, and the response message of the network access device login message in the foregoing embodiments may all be transmitted based on the video networking security management protocol. The details of the video networking security management protocol will be described below.
Fig. 3 is a diagram illustrating the frame structure of the video networking security management protocol according to an embodiment of the present application. Referring to fig. 3, the frame structure of the video networking security management protocol includes a management plane protocol header and a protocol payload. The management plane protocol header in turn consists of an exchange protocol header, a common message header and a management message header. The exchange protocol header includes an exchange identification field, a destination address field, a destination sub-address field, a source address field and a source sub-address field. The common message header includes a type identification field, a reserved bit field, a message number field and a security level identification field. The management message header includes a packet sequence number field, a transaction identification field and a reserved bit field. The protocol payload, i.e. the management message payload, includes a plurality of information element fields.
The exchange protocol header is mainly used for network addressing and message forwarding. The exchange identifier indicates the packet type of the video networking exchange protocol packet; the packet type determines the address types of the destination and source addresses and also the type of video networking transport protocol carried in the protocol payload, as shown in table 1 below:
exchange sign (1 byte) Packet type Source address type Type of destination address Type of transport protocol
0x10 Class 0 connection package Link address Link address Connection protocol
0x11 Class 1 connection bag Unicast address Unicast address Unicast protocol
0x12 Class 2 connection bag Multicast address Multicast address Multicast protocol
0xXX N-type connection bag Link/unicast/multicast addresses Link/unicast/multicast addresses Security protocol
TABLE 1
The security protocol is a video networking security management protocol in the present application.
The common message header comprises the type identification, reserved bit, security level identification and message number fields. The type identifier identifies the protocol type, which in this application is the video networking security management protocol. The message number is a security interaction extension message number; a specific value range is used to represent the message types used by the security interaction process. The security level identification indicates the message source domain and the secrecy level of the message content: data of a high-security source domain is not allowed to flow into a low-security destination domain, and high-security messages are not allowed to flow into a low-security destination domain. The reserved bits are used to carry the security protocol version number. The relationship between the security level identification and the secrecy level of the message source domain, the message destination domain and the message content is shown in Table 2 below:
Security level identification (1.5 bytes)   Message source domain   Message destination domain   Message content
0x000                                       Not classified          Not classified               Not classified
0x111                                       Top secret              Top secret                   Top secret
0x222                                       Secret                  Secret                       Secret
0x333                                       Confidential            Confidential                 Confidential
TABLE 2
The management message header includes the packet sequence number, transaction identification and reserved bit fields. The packet sequence number and the transaction identifier together form a unique identification code for each message; combined with the protection of the message authentication code, this code allows a replayed message to be detected. The transaction identifier is a dynamic identifier of the message and can be used to associate related messages. Its usage scenarios are as follows:
1. When the sending end sends the response message to a certain command message, it can set the transaction identifier in the response message to the same value as the transaction identifier in the command message, so that the receiving end can determine from the transaction identifier which command message the response message corresponds to.
2. When a message needs to be fragmented, the sending end can set the transaction identifiers of all fragments of the same message to the same value, so that the receiving end can determine from the transaction identifier which message the fragments belong to.
The management message payload comprises identity authentication, key management, handshake interaction and message authentication code fields, among others. The identity authentication field carries identity information such as the identifier of the server, the random number of the server, the identifier of the video networking equipment and the random number of the video networking equipment. The key management field carries the keys required for network access, such as the connection key. The handshake interaction field carries the information generated by the server and the video networking equipment during the handshake interaction stage. The message authentication code field carries the message authentication code, which protects the integrity of the signalling message; its protection range can cover the exchange protocol header and the protocol payload. The remaining information element fields may be used to carry security verification information, digital signatures, device certificates, video network addresses and other message content.
In the device query, device authentication and device login stages, the random number of the server, the random number of the video networking equipment, the identifier of the server, the identifier of the video networking equipment, the video network address and the network access device login message are included in the calculation of the message authentication code. In an actual implementation, the information in the exchange protocol header can also be included in the calculation, so that the message authentication code protects the exchange protocol header as well and the integrity protection range of the message is extended.
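The frame layout and the checks described above (MAC coverage of the exchange header and payload, the (packet sequence number, transaction identifier) pair as a replay identifier, and the Table 2 rule that a high-security message must not flow into a lower-security domain) can be exercised with the following added example. It is illustrative code written for this page, not code from the patent or from Visionvera. The patent fixes only the 1-byte exchange identifier and the 12-bit security level identification; every other field width, the numeric values of the exchange identifier and type identifier, the use of HMAC-SHA256 as the MAC, and the ordering of the Table 2 levels are assumptions made here.

```python
import hashlib
import hmac
import struct

# Placeholder constants: the patent writes 0xXX for the security packet type and
# gives no numeric value for the type identifier, so these values are assumed.
EXCHANGE_SECURITY = 0x13
TYPE_SECURITY_MGMT = 0x01
SECURITY_PROTOCOL_VERSION = 1

# Table 2 security level identifications. The ranking (0x000 lowest, 0x111
# highest) follows the order the table lists them in and is an assumption.
LEVEL_RANK = {0x000: 0, 0x333: 1, 0x222: 2, 0x111: 3}

# Assumed field widths; only the 1-byte exchange identifier and the 12-bit
# security level identification are given by the text.
#   exchange header  : id(1) dst(4) dst_sub(2) src(4) src_sub(2)       -> 13 bytes
#   common header    : type(1) reserved=version(1) msg_no(1) level(2)  ->  5 bytes
#   management header: packet_seq(4) txn_id(4) reserved(2)             -> 10 bytes
EXCH_FMT, COMMON_FMT, MGMT_FMT = ">BIHIH", ">BBBH", ">IIH"
EXCH_LEN, COMMON_LEN, MGMT_LEN, MAC_LEN = 13, 5, 10, 32
HDR_LEN = EXCH_LEN + COMMON_LEN + MGMT_LEN


def build_frame(key, dst, dst_sub, src, src_sub, msg_no, level, seq, txn, payload):
    """Serialise one frame: exchange, common and management headers, payload,
    then the message authentication code as the last element of the payload."""
    if level not in LEVEL_RANK:
        raise ValueError("unknown security level identification")
    exch = struct.pack(EXCH_FMT, EXCHANGE_SECURITY, dst, dst_sub, src, src_sub)
    common = struct.pack(COMMON_FMT, TYPE_SECURITY_MGMT, SECURITY_PROTOCOL_VERSION, msg_no, level)
    mgmt = struct.pack(MGMT_FMT, seq, txn, 0)
    # The text says the MAC range can cover the exchange header and the payload.
    # The management header is covered here too, so the (sequence, transaction)
    # pair used for replay detection cannot be rewritten without breaking the MAC.
    mac = hmac.new(key, exch + mgmt + payload, hashlib.sha256).digest()
    return exch + common + mgmt + payload + mac


def parse_frame(key, frame, local_level):
    """Verify and decode a frame for a receiver in domain `local_level`.
    Raises ValueError on any failure; no field is trusted before the MAC check."""
    if len(frame) < HDR_LEN + MAC_LEN:
        raise ValueError("frame too short")
    exch = frame[:EXCH_LEN]
    common = frame[EXCH_LEN:EXCH_LEN + COMMON_LEN]
    mgmt = frame[EXCH_LEN + COMMON_LEN:HDR_LEN]
    payload, mac = frame[HDR_LEN:-MAC_LEN], frame[-MAC_LEN:]
    expected = hmac.new(key, exch + mgmt + payload, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):
        raise ValueError("message authentication code mismatch")
    ex_id, dst, dst_sub, src, src_sub = struct.unpack(EXCH_FMT, exch)
    type_id, version, msg_no, level = struct.unpack(COMMON_FMT, common)
    seq, txn, _reserved = struct.unpack(MGMT_FMT, mgmt)
    if ex_id != EXCHANGE_SECURITY or type_id != TYPE_SECURITY_MGMT:
        raise ValueError("not a security management protocol frame")
    if level not in LEVEL_RANK:
        raise ValueError("unknown security level identification")
    # Table 2 rule: a high-security message must not flow into a lower-security domain.
    if LEVEL_RANK[level] > LEVEL_RANK[local_level]:
        raise ValueError("message security level exceeds the destination domain level")
    return {"dst": dst, "dst_sub": dst_sub, "src": src, "src_sub": src_sub,
            "version": version, "msg_no": msg_no, "level": level,
            "seq": seq, "txn": txn, "payload": payload}


class ReplayFilter:
    """Packet sequence number and transaction identifier together form the unique
    identification code of a message; an authenticated repeat is a replay."""

    def __init__(self):
        self.seen = set()

    def accept(self, key, frame, local_level):
        msg = parse_frame(key, frame, local_level)
        ident = (msg["seq"], msg["txn"])
        if ident in self.seen:
            raise ValueError("replayed message %r" % (ident,))
        self.seen.add(ident)
        return msg


def rejects(fn):
    """True when fn() fails a check."""
    try:
        fn()
    except ValueError:
        return True
    return False


def demo():
    """Constructed sample frame; returns whether each check behaved as expected."""
    key = b"constructed-connection-subkey"        # constructed sample key
    frame = build_frame(key, dst=0x0A000001, dst_sub=1, src=0x0A000002, src_sub=1,
                        msg_no=0x21, level=0x222, seq=1, txn=7, payload=b"device-query")
    filt = ReplayFilter()
    tampered = bytearray(frame)
    tampered[1] ^= 0x01                            # flip one bit of the destination address
    return {
        "accepted": filt.accept(key, frame, 0x222)["payload"] == b"device-query",
        "tamper_rejected": rejects(lambda: parse_frame(key, bytes(tampered), 0x222)),
        "replay_rejected": rejects(lambda: filt.accept(key, frame, 0x222)),
        "flow_rejected": rejects(lambda: parse_frame(key, frame, 0x333)),
    }
```

The order of checks in `parse_frame` is deliberate: the MAC is verified before any header field is interpreted, so a forged exchange header, a rewritten sequence number or an altered security level is rejected before it can influence forwarding or the replay set.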
Fig. 4 is an interaction diagram of a secure network access method based on a management plane protocol according to an embodiment of the present application. The secure network access method of the present application is described in detail below with reference to fig. 4 in a specific embodiment.
Step 1: the server first sends a network access equipment query message to the video networking equipment. The message carries security verification information and the random number of the server; the security verification information comprises the security protocol version number, the equipment cryptographic capability, the algorithm suite and the like, and is configured by a system administrator according to the security capability of the video networking equipment.
Step 2: after receiving the network access equipment query message, the video networking equipment verifies each item of the security verification information one by one to determine whether the security level of the video networking equipment matches the security level of the server. If they do not match, the correctness of the cryptographic service cannot be ensured, and the session with the server is terminated.
If they match, the video networking equipment generates a network access equipment query response message. The message carries at least the security configuration information, a random number generated by the video networking equipment (used as a nonce to ensure that the message is not replayed), the random number of the server from the network access equipment query message, the unique identifier of the server, a digital signature over the contents of all fields, and the device certificate of the video networking equipment.
Step 3: after the server receives the network access query response message and verifies that its digital signature is correct, it checks whether the security configuration information, the random number of the server, the identifier of the server and the device certificate of the video networking equipment are consistent with the corresponding pre-stored information, so as to confirm the identity of the video networking equipment. If all checks pass, the identity of the video networking equipment is confirmed; failure of any check terminates the session.
After the identity of the video networking equipment has been verified, the server generates a network access equipment authentication message and sends it to the video networking equipment. The network access equipment authentication message carries content encrypted with the encryption public key of the video networking equipment as the encryption key, a random number newly generated by the server, the random number of the video networking equipment and the identifier of the video networking equipment from the network access query response message, a digital signature over the contents of all fields, and the device certificate of the video networking equipment. The encrypted content contains the connection key.
Step 4: after the video networking equipment receives the network access equipment authentication message and verifies that its digital signature is correct, it checks whether the random number of the video networking equipment, the identifier of the video networking equipment and the device certificate of the video networking equipment are consistent with the corresponding pre-stored information, so as to determine the legitimacy of the server. If all checks pass, the server is legitimate; failure of any check terminates the session.
Once the server has been verified as legitimate, the video networking equipment decrypts the encrypted content using the encryption public key to obtain the connection key, performs key dispersion on the connection key to obtain a connection sub-key, and then performs a MAC operation with the connection sub-key over its newly generated random number, the random number of the server from the network access equipment authentication message, the identifier of the video networking equipment and the identifier of the server, to obtain a first message authentication code. The video networking equipment then sends a network access equipment authentication response message to the server, carrying its newly generated random number, the random number of the server from the network access equipment authentication message, the identifier of the video networking equipment, the identifier of the server and the first message authentication code. The first message authentication code is written into the message authentication code field of the network access equipment authentication response message.
Step 5: after the server receives the network access equipment authentication response message, it performs a MAC operation with the connection sub-key over the random number of the video networking equipment, the random number of the server, the identifier of the video networking equipment and the identifier of the server carried in that message; if the calculated value is the same as the message authentication code in the message, verification passes.
After verification passes, the server performs a MAC operation with the connection sub-key over its newly generated random number, the random number of the video networking equipment from the network access equipment authentication response message, the identifier of the video networking equipment, the identifier of the server and the video network address allocated to the video networking equipment, to obtain a second message authentication code. The server then sends a network access device login message to the video networking equipment, carrying its newly generated random number, the random number of the video networking equipment from the authentication response message, the identifier of the video networking equipment, the identifier of the server, the video network address and the second message authentication code. The second message authentication code is written into the message authentication code field of the network access device login message.
Step 6: after the video networking equipment receives the network access device login message, it performs a MAC operation with the connection sub-key over the random number of the server, the random number of the video networking equipment, the identifier of the server and the video network address; if the result is the same as the message authentication code, verification passes and the received information is complete. The video networking equipment then imports the video network address locally for use in subsequent video networking services; at this point the video networking equipment has successfully accessed the video network.
The video networking equipment can then also generate a network access device login response message, carrying a random number newly generated by the video networking equipment, the random number of the server from the network access device login message, the video network address, the network access device login message and a third message authentication code. The third message authentication code is written into the message authentication code field of the login response message and is obtained by performing a MAC operation with the connection sub-key over the newly generated random number of the video networking equipment, the random number of the server from the login message, the video network address and the network access device login message. After receiving the login response message, the server verifies the third message authentication code; if verification passes, the server determines that the video networking equipment has obtained the correct video network address and has successfully accessed the network, and in subsequent steps it can interact with the video networking equipment based on that address.
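Steps 4 to 6 above form a chain of three message authentication codes under the dispersed connection sub-key, each binding fresh random numbers, the two identifiers and (from step 5 onward) the allocated video network address. The following added example models both sides of that exchange; it is illustrative code written for this page, not code from the patent or from Visionvera. It assumes HMAC-SHA256 for the "MAC operation", an HMAC-based derivation for key dispersion, and that the connection key has already been delivered (the public-key encryption and digital signatures of steps 1 to 4 are not modelled). Because both ends must compute the second MAC over identical input, the example uses the step 5 field list (server random number, device random number, device identifier, server identifier, address) for both the server and the device in step 6.

```python
import hashlib
import hmac
import os


def mac(key, *fields):
    """The "MAC operation" of the text, assumed here to be HMAC-SHA256 over
    length-prefixed fields (the prefix stops adjacent fields being re-split)."""
    h = hmac.new(key, digestmod=hashlib.sha256)
    for f in fields:
        h.update(len(f).to_bytes(2, "big") + f)
    return h.digest()


def disperse_key(connection_key, server_id, device_id):
    """Key dispersion of the connection key into the connection sub-key; the
    construction is not fixed by the text, so an HMAC derivation bound to both
    identifiers is assumed."""
    return mac(connection_key, b"connection-subkey", server_id, device_id)


def encode(msg):
    """Canonical bytes of a message dict, needed because step 6 uses the whole
    network access device login message as a MAC input."""
    return b"".join(k.encode() + b"=" + len(v).to_bytes(2, "big") + v
                    for k, v in sorted(msg.items()))


class VideoNetworkDevice:
    def __init__(self, device_id, server_id, connection_key):
        self.device_id, self.server_id = device_id, server_id
        self.subkey = disperse_key(connection_key, server_id, device_id)
        self.nonce, self.address = None, None

    def authentication_response(self, auth_msg):
        """Step 4: fresh device nonce, echoed server nonce, first MAC."""
        self.nonce = os.urandom(16)
        first = mac(self.subkey, self.nonce, auth_msg["srv_nonce"], self.device_id, self.server_id)
        return {"dev_nonce": self.nonce, "srv_nonce": auth_msg["srv_nonce"],
                "dev_id": self.device_id, "srv_id": self.server_id, "mac": first}

    def login(self, login_msg):
        """Step 6: recompute the second MAC; the address is imported only on success."""
        expected = mac(self.subkey, login_msg["srv_nonce"], login_msg["dev_nonce"],
                       login_msg["dev_id"], login_msg["srv_id"], login_msg["address"])
        if not hmac.compare_digest(login_msg["mac"], expected):
            raise ValueError("login message failed integrity check")
        if login_msg["dev_nonce"] != self.nonce or login_msg["dev_id"] != self.device_id:
            raise ValueError("login message does not belong to this session")
        self.address = login_msg["address"]
        new_nonce, login_bytes = os.urandom(16), encode(login_msg)
        third = mac(self.subkey, new_nonce, login_msg["srv_nonce"], self.address, login_bytes)
        return {"dev_nonce": new_nonce, "srv_nonce": login_msg["srv_nonce"],
                "address": self.address, "login_msg": login_bytes, "mac": third}


class Server:
    def __init__(self, server_id, device_id, connection_key):
        self.server_id, self.device_id = server_id, device_id
        self.subkey = disperse_key(connection_key, server_id, device_id)
        self.nonce = None

    def authentication_message(self):
        """Step 3 nonce; the encrypted connection key transport is not modelled."""
        self.nonce = os.urandom(16)
        return {"srv_nonce": self.nonce}

    def login_message(self, auth_resp, address):
        """Step 5: check the first MAC, then bind the allocated address under the second."""
        expected = mac(self.subkey, auth_resp["dev_nonce"], auth_resp["srv_nonce"],
                       auth_resp["dev_id"], auth_resp["srv_id"])
        if not hmac.compare_digest(auth_resp["mac"], expected):
            raise ValueError("authentication response failed MAC check")
        if auth_resp["srv_nonce"] != self.nonce or auth_resp["dev_id"] != self.device_id:
            raise ValueError("authentication response does not belong to this session")
        self.nonce = os.urandom(16)
        second = mac(self.subkey, self.nonce, auth_resp["dev_nonce"],
                     self.device_id, self.server_id, address)
        return {"srv_nonce": self.nonce, "dev_nonce": auth_resp["dev_nonce"], "dev_id": self.device_id,
                "srv_id": self.server_id, "address": address, "mac": second}

    def confirm_login(self, resp):
        """Verify the third MAC; returns the address the device actually imported."""
        expected = mac(self.subkey, resp["dev_nonce"], resp["srv_nonce"], resp["address"], resp["login_msg"])
        if not hmac.compare_digest(resp["mac"], expected) or resp["srv_nonce"] != self.nonce:
            raise ValueError("login response failed MAC check")
        return resp["address"]


def run_handshake(tamper_address=False):
    """Constructed end-to-end run (sample identifiers and key); returns the address
    the server confirmed, or raises ValueError when a check fails."""
    connection_key = b"constructed-connection-key-0001"
    srv_id, dev_id, address = b"SRV-0001", b"DEV-0042", b"\x0a\x00\x00\x07"
    server = Server(srv_id, dev_id, connection_key)
    device = VideoNetworkDevice(dev_id, srv_id, connection_key)
    auth_resp = device.authentication_response(server.authentication_message())
    login_msg = server.login_message(auth_resp, address)
    if tamper_address:                              # simulate the address being altered in transit
        login_msg = dict(login_msg, address=b"\x0a\x00\x00\x99")
    return server.confirm_login(device.login(login_msg))


def address_tamper_detected():
    try:
        run_handshake(tamper_address=True)
    except ValueError:
        return True
    return False
```

Two details carry the security argument: every MAC includes a random number the verifier itself generated in the previous step, so an old message cannot satisfy a new session, and the third MAC covers the entire login message, so the server learns not just that the device reached the end of the handshake but that it imported exactly the address the server allocated.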
Through this method, the video networking equipment and the server continuously verify each other's identity and legitimacy during the network access interaction, which effectively prevents the security risks caused by leakage of network access information, greatly improves the security of the interaction process, and achieves secure network access for the video networking equipment.
It should be noted that, for simplicity of description, the method embodiments are described as a series of acts or combination of acts, but those skilled in the art will recognize that the present invention is not limited by the illustrated order of acts, as some steps may occur in other orders or concurrently in accordance with the embodiments of the present invention. Further, those skilled in the art will appreciate that the embodiments described in the specification are presently preferred and that no particular act is required to implement the invention.
Based on the same inventive concept, the application also provides a secure network access device 500 based on the management plane protocol, which is applied to video networking equipment. Fig. 5 is a block diagram illustrating a secure network access device based on a management plane protocol according to an embodiment of the present application. Referring to fig. 5, the apparatus 500 of the present application may include:
the query module 501 is configured to, in an equipment query stage, obtain security verification information sent by a server, generate first parameter information at least according to identity information of a video networking device when it is determined that the security verification information matches a security level of the video networking device, and feed the first parameter information back to the server, so that the server verifies an identity of the video networking device according to the first parameter information, where the security verification information includes one or more parameters used to characterize the security level of the server;
the authentication module 502 is configured to, in an equipment authentication stage, obtain validity verification information sent by a server, generate second parameter information according to historical interaction information between the server and the video networking equipment when verifying that the server is valid according to the validity verification information, and feed the second parameter information back to the server, so that the server verifies the validity of the video networking equipment according to the second parameter information, where the validity verification information at least includes first validity verification information and first verification information of the server and the video networking equipment, and the first validity verification information is used to verify the validity of the validity verification information;
the login module 503 is configured to, in the device login stage, obtain an information integrity identifier sent by the server, and when the target information is verified to be the integrity information according to the information integrity identifier, determine that the network access to the video network is successful, where the information integrity identifier is used to protect the integrity of the target information.
Optionally, the query module 501 includes:
the first receiving module is used for receiving the network access equipment query message sent by the server and extracting the security verification information from the network access equipment query message;
and the first sending module is used for responding to the network access equipment inquiry message and sending a network access equipment inquiry response message to the server, wherein the network access equipment inquiry response message carries the first parameter information.
Optionally, the security verification information comprises at least any one or more of the following parameters: a security protocol version number, a device cryptographic capability, and an algorithm suite;
the query module 501 further includes: and the first verification module is used for verifying whether the security level of the video networking equipment is consistent with that of the server or not according to each parameter carried in the security verification information, and when the security level of the video networking equipment is consistent with that of the server, the security verification information is determined to be matched with that of the video networking equipment.
Optionally, the query module 501 further includes: the generation module is used for generating first parameter information according to the security verification information, second verification information of the server and the video networking equipment and second validity verification information; the second validity verification information is used to verify the validity of the first parameter information.
Optionally, the second authentication information includes dynamic authentication information and static authentication information; the generation module comprises: the first calculation submodule is used for carrying out encryption operation on the security verification information, the dynamic verification information of the server, the dynamic verification information of the video networking equipment and the static verification information of the server to obtain a first digital signature, and taking the first digital signature as second validity verification information;
the generation submodule is used for calculating and generating first parameter information according to the security verification information, the dynamic verification information of the server, the dynamic verification information of the video networking equipment, the static verification information of the server, the first digital signature and the static verification information of the video networking equipment;
the dynamic verification information of the server is a random number of the server acquired in advance; the dynamic verification information of the video networking equipment is a random number generated by the video networking equipment; the static verification information of the server is the identifier of the server acquired in advance; the static verification information of the video network equipment is a device certificate of the video network equipment which is acquired in advance.
Optionally, the authentication module 502 comprises: the second receiving module is used for receiving the network access equipment authentication message sent by the server and extracting the validity verification information from the network access equipment authentication message;
and the second sending module is used for responding to the network access equipment authentication message and sending a network access equipment authentication response message to the server, wherein the network access equipment authentication response message carries second parameter information.
Optionally, the first authentication information includes: dynamic authentication information and static authentication information;
the authentication module 502 further includes: the second verification module is used for verifying whether the validity verification information is valid or not according to the first validity verification information;
and the third verification module is used for verifying whether the dynamic verification information and the static verification information of the video network equipment are consistent with the corresponding information stored in the video network equipment when the dynamic verification information and the static verification information are effective, and determining that the server is a legal server when the dynamic verification information and the static verification information are consistent with the corresponding information stored in the video network equipment.
Optionally, the first validity verification information is a second digital signature, the dynamic verification information of the server is a random number of the server, the dynamic verification information of the video networking device is a random number of the video networking device, and the static verification information of the video networking device includes an identifier and a device certificate of the video networking device;
the second authentication module includes: the second calculation submodule is used for carrying out encryption calculation on respective random numbers of the server and the video networking equipment and the identification of the video networking equipment;
the determining submodule is used for determining that the validity verification information is valid if the calculation result is the same as the second digital signature;
the third authentication module includes: and the verification sub-module is used for verifying whether the random number of the video networking equipment, the identification of the video networking equipment and the equipment certificate are consistent with corresponding information stored in the video networking equipment.
Optionally, the authentication module 502 further comprises: the first calculation module is used for calculating the random numbers of the server and the video network equipment, the identification of the video network equipment and the identification of the server;
and the determining module is used for determining the calculation result as the second parameter information.
Optionally, the validity verification information also carries a connection key; the apparatus 500 further comprises: a dispersion module, used for performing key dispersion on the connection key to obtain a connection sub-key;
the first calculation module includes: and the third calculation submodule is used for calculating the message authentication code of the random number of the server and the video network equipment, the identification of the video network equipment and the identification of the server by using the connection sub-key.
Optionally, the login module 503 includes: and the third receiving module is used for receiving the login message of the network access equipment sent by the server and extracting the information integrity identifier from the login message of the network access equipment.
Optionally, the target information includes: random numbers of the server and the video network equipment, identifications of the server and the video network equipment and video network addresses, wherein the video network addresses are extracted from the login messages of the network access equipment;
the login module 503 includes: and the fourth verification module is used for calculating the message authentication codes of the random numbers of the server and the video network equipment, the identifications of the server and the video network equipment and the video network addresses, and determining that the target information is complete information when the calculation result is the same as the information integrity identification.
Optionally, the apparatus 500 further comprises: a second calculation module, used for calculating a message authentication code over the random numbers of the server and the video networking equipment, the video network address and the network access equipment login message;
and the third sending module is used for responding to the login message of the network access equipment and feeding back the login response message of the network access equipment to the server, wherein the login response message of the network access equipment carries a message authentication code, and the message authentication code is used for interaction between the video network equipment and the server after the video network equipment is successfully accessed to the network.
Optionally, the frame structure of the network access device query message includes: exchange protocol header, common message header, management message header and management message payload; the management message load comprises a plurality of information element fields, and the plurality of information element fields are at least used for carrying identity authentication information, key management information, handshake interaction information and message authentication codes.
Based on the same inventive concept, the present application provides an electronic device, which includes a memory, a processor, and a computer program stored in the memory and capable of running on the processor, and when the processor executes the computer program, the electronic device implements the steps in the management plane protocol-based secure network access method according to any of the embodiments of the present application.
Based on the same inventive concept, the present application provides a computer-readable storage medium, on which a computer program is stored, which when executed by a processor implements the steps in the management plane protocol-based secure network access method according to any of the embodiments of the present application.
For the device embodiment, since it is basically similar to the method embodiment, the description is simple, and for the relevant points, refer to the partial description of the method embodiment.
The video network is an important milestone in network development. It is a real-time network that can realise real-time transmission of high-definition video, and pushes many internet applications towards high-definition video and high-definition face-to-face communication.
The video network adopts a real-time high-definition video exchange technology and can integrate dozens of required services, such as video, voice, pictures, text, communication and data, on one system platform, for example high-definition video conferencing, video monitoring, intelligent monitoring analysis, emergency command, digital broadcast television, delayed television, network teaching, live broadcast, VOD on demand, television mail, Personal Video Recorder (PVR), intranet (self-office) channels, intelligent video broadcast control and information distribution, and realises high-definition quality video broadcast through a television or a computer.
To better understand the embodiments of the present invention, the video network is described below.
Some of the technologies applied in the video network are as follows:
network Technology (Network Technology)
The network technology innovation of the video network improves on traditional Ethernet to cope with the potentially enormous video traffic on the network. Unlike pure network packet switching or network circuit switching, the video network technology adopts packet switching to meet the streaming requirement. The video network technology has the flexibility, simplicity and low price of packet switching while also offering the quality and security guarantee of circuit switching, thereby realising a seamless connection between the whole-network exchange-type virtual circuit and the data format.
Switching Technology (Switching Technology)
The video network adopts the two advantages of the Ethernet, asynchronism and packet switching, eliminates the defects of the Ethernet on the premise of full compatibility, has end-to-end seamless connection across the whole network, communicates directly with the user terminal, and directly carries IP data packets. The user data does not require any format conversion across the entire network. The video network is a higher-level form of the Ethernet and a real-time exchange platform; it can realise whole-network large-scale real-time transmission of high-definition video, which the existing Internet cannot, and pushes many network video applications towards high definition and unification.
Server Technology (Server Technology)
The server technology of the video network and the unified video platform differs from that of traditional servers: their streaming media transmission is connection-oriented, their data processing capacity is independent of traffic and communication time, and a single network layer can contain both signalling and data transmission. For voice and video services, the complexity of the streaming media processing of the video network and the unified video platform is much lower than that of data processing, and the efficiency is improved by more than a hundred times compared with a traditional server.
Storage Technology (Storage Technology)
The ultra-high-speed storage technology of the unified video platform adopts the most advanced real-time operating system in order to adapt to media content of ultra-large capacity and ultra-large traffic. The program information in the server instruction is mapped to a specific hard disk space, and the media content no longer passes through the server but is sent directly and instantly to the user terminal, so that the general waiting time of the user is less than 0.2 second. The optimised sector distribution greatly reduces the mechanical head-seeking movement of the hard disk; resource consumption is only 20% of that of an IP internet of the same grade, while the concurrent traffic generated is 3 times that of a traditional hard disk array, and the overall efficiency is improved by more than 10 times.
Network Security Technology (Network Security Technology)
The structural design of the video network completely eliminates, at the structural level, the network security problems that trouble the Internet, through means such as independent service permission control for each session and complete isolation of equipment and user data; it generally does not need antivirus programs or firewalls, avoids the attacks of hackers and viruses, and provides users with a structurally worry-free secure network.
Service Innovation Technology (Service Innovation Technology)
The unified video platform integrates services and transmission; whether for a single user, a private network user or a network aggregate, only one automatic connection is needed. The user terminal, set-top box or PC is connected directly to the unified video platform to obtain various multimedia video services in various forms. The unified video platform adopts a menu-style configuration table instead of traditional complex application programming, can realise complex applications with very little code, and enables unlimited new service innovation.
Networking of the video network is as follows:
the video network is a network structure with centralized control. The network can be a tree network, a star network, a ring network and so on, but in every case a centralized control node exists in the network and controls the whole network.
Fig. 6 is a networking diagram of a video network according to an embodiment of the present application. As shown in fig. 6, the video network is divided into an access network and a metropolitan network.
The devices of the access network part can be mainly classified into 3 types: node server, access switch, terminal (including various set-top boxes, coding boards, memories, etc.). The node server is connected to an access switch, which may be connected to a plurality of terminals and may be connected to an ethernet network.
The node server is a node which plays a centralized control function in the access network and can control the access switch and the terminal. The node server can be directly connected with the access switch or directly connected with the terminal.
Similarly, devices of the metropolitan network portion may also be classified into 3 types: a metropolitan area server, a node switch and a node server. The metro server is connected to a node switch, which may be connected to a plurality of node servers.
The node server here is the node server of the access network part, i.e. the node server belongs to both the access network part and the metropolitan area network part.
The metropolitan area server is a node which plays a centralized control function in the metropolitan area network and can control a node switch and a node server. The metropolitan area server can be directly connected with the node switch or directly connected with the node server.
Therefore, the whole video network is a network structure with layered centralized control, and the network controlled by the node server and the metropolitan area server can be in various structures such as tree, star and ring.
The access network part can form a unified video platform (the part in the dotted circle), and a plurality of unified video platforms can form a video network; each unified video platform may be interconnected via metropolitan area and wide area video networking.
Video networking device classification
1.1 The devices in the video network of the embodiment of the present invention can be mainly classified into 3 types: servers, switches (including ethernet gateways) and terminals (including various set-top boxes, coding boards, memories, etc.). The video network as a whole can be divided into a metropolitan area network (or national network, global network, etc.) and an access network.
1.2 The devices of the access network part can be mainly classified into 3 types: node servers, access switches (including ethernet gateways) and terminals (including various set-top boxes, coding boards, memories, etc.).
The specific hardware structure of each access network device is as follows:
a node server:
fig. 7 is a schematic diagram illustrating a hardware structure of a node server according to an embodiment of the present application. As shown in fig. 7, the node server mainly includes a network interface module 701, a switching engine module 702, a CPU module 703 and a disk array module 704;
packets from the network interface module 701, the CPU module 703 and the disk array module 704 enter the switching engine module 702. The switching engine module 702 looks up the address table 705 for each incoming packet to obtain the packet's direction (steering) information, and stores the packet in the corresponding queue of the packet buffer 706 according to that information; if the queue is nearly full, the packet is discarded. The switching engine module 702 polls all packet buffer queues and forwards from a queue when the following conditions are met: 1) the port send buffer is not full; 2) the queue packet counter is greater than zero. The disk array module 704 mainly implements control over the hard disks, including initialization, read-write and other operations; the CPU module 703 is mainly responsible for protocol processing with the access switch and the terminal (not shown in the figure), configuring the address table 705 (including a downlink protocol packet address table, an uplink protocol packet address table and a data packet address table), and configuring the disk array module 704.
The access switch:
fig. 8 is a schematic diagram illustrating a hardware structure of an access switch according to an embodiment of the present application. As shown in fig. 8, the access switch mainly includes a network interface module (a downlink network interface module 801 and an uplink network interface module 802), a switching engine module 803 and a CPU module 804;
a packet (uplink data) coming from the downlink network interface module 801 enters the packet detection module 805. The packet detection module 805 checks whether the Destination Address (DA), Source Address (SA), packet type and packet length of the packet meet the requirements; if so, it allocates a corresponding stream identifier (stream-id) and the packet enters the switching engine module 803, otherwise the packet is discarded. A packet (downlink data) coming from the uplink network interface module 802 enters the switching engine module 803 directly, as does a packet coming from the CPU module 804. The switching engine module 803 looks up the address table 806 for each incoming packet to obtain the packet's direction information. If the packet entering the switching engine module 803 travels from the downlink network interface to the uplink network interface, it is stored in the queue of the packet buffer 807 associated with its stream-id; if that queue is nearly full, it is discarded. If the packet does not travel from the downlink network interface to the uplink network interface, it is stored in the queue of the packet buffer 807 selected by its direction information; if that queue is nearly full, it is discarded.
The switching engine module 803 polls all packet buffer queues, which in this embodiment of the invention falls into two cases:
if the queue carries traffic from the downlink network interface to the uplink network interface, forwarding requires that the following conditions are met: 1) the port send buffer is not full; 2) the queue packet counter is greater than zero; 3) a token generated by the rate control module has been obtained;
if the queue does not carry traffic from the downlink network interface to the uplink network interface, forwarding requires that the following conditions are met: 1) the port send buffer is not full; 2) the queue packet counter is greater than zero.
The rate control module 808 is configured by the CPU module 804, and generates tokens for packet buffer queues from all downlink network interfaces to uplink network interfaces at programmable intervals to control the rate of uplink forwarding.
The CPU module 804 is mainly responsible for protocol processing with the node server, configuration of the address table 806, and configuration of the rate control module 808.
Ethernet protocol conversion gateway
Fig. 9 is a schematic diagram of a hardware structure of an ethernet protocol conversion gateway according to an embodiment of the present application. As shown in fig. 9, the system mainly includes a network interface module (a downlink network interface module 901 and an uplink network interface module 902), a switching engine module 903, a CPU module 904, a packet detection module 905, a rate control module 908, an address table 906, a packet buffer 907, a MAC adding module 909, and a MAC deleting module 910.
A data packet coming from the downlink network interface module 901 enters the packet detection module 905. The packet detection module 905 checks whether the ethernet MAC DA, ethernet MAC SA, ethernet length or frame type, video network destination address DA, video network source address SA, video network packet type and packet length of the packet meet the requirements; if so, it allocates a corresponding stream identifier (stream-id), the MAC deleting module 910 strips the MAC DA, MAC SA and length or frame type (2 bytes) fields, and the packet enters the corresponding receiving buffer; otherwise the packet is discarded;
the downlink network interface module 901 detects the sending buffer of the port, and if there is a packet, obtains the ethernet MAC DA of the corresponding terminal according to the destination address DA of the packet, adds the ethernet MAC DA of the terminal, the MAC SA of the ethernet protocol gateway, and the ethernet length or frame type, and sends the packet.
The other modules in the ethernet protocol gateway function similarly to the access switch.
A terminal:
the system mainly comprises a network interface module, a service processing module and a CPU module; for example, the set-top box mainly comprises a network interface module, a video and audio coding and decoding engine module and a CPU module; the coding board mainly comprises a network interface module, a video and audio coding engine module and a CPU module; the memory mainly comprises a network interface module, a CPU module and a disk array module.
1.3 The devices of the metropolitan area network part can be mainly classified into 2 types: node server, node switch, metropolitan area server. The node switch mainly comprises a network interface module, a switching engine module and a CPU module; the metropolitan area server mainly comprises a network interface module, a switching engine module and a CPU module.
2. Video networking packet definition
2.1 Access network packet definition
The data packet of the access network mainly comprises the following parts: destination Address (DA), Source Address (SA), reserved bytes, payload (pdu), CRC.
As shown in the following table, the data packet of the access network mainly includes the following parts:
DA SA Reserved Payload CRC
wherein:
the Destination Address (DA) is composed of 8 bytes (byte), the first byte represents the type of the data packet (such as various protocol packets, multicast data packets, unicast data packets, etc.), there are 256 possibilities at most, the second byte to the sixth byte are metropolitan area network addresses, and the seventh byte and the eighth byte are access network addresses;
the Source Address (SA) is also composed of 8 bytes (byte), defined as the same as the Destination Address (DA);
the reserved byte consists of 2 bytes;
the payload part has a length that depends on the datagram type: 64 bytes for the various protocol datagrams and 32 + 1024 = 1056 bytes for a unicast datagram, though it is of course not limited to these 2 types;
the CRC consists of 4 bytes and is calculated in accordance with the standard ethernet CRC algorithm.
2.2 metropolitan area network packet definition
The topology of a metropolitan area network is a graph, and there may be 2 or even more connections between two devices, i.e., there may be more than 2 connections between a node switch and a node server, between a node switch and a node switch, and between a node switch and a node server. However, the metro network address of a metro network device is unique, so in order to accurately describe the connection relationship between metro network devices, a parameter is introduced in the embodiment of the present invention: a label, to uniquely describe a metropolitan area network device.
In this specification, the definition of the label is similar to that of the label in MPLS (Multi-Protocol Label Switching). Assuming there are two connections between device A and device B, there are 2 labels for packets from device A to device B and 2 labels for packets from device B to device A. Labels are classified into incoming labels and outgoing labels: assuming the label of a packet entering device A (incoming label) is 0x0000, the label of the packet leaving device A (outgoing label) may become 0x0001. The network access process of the metro network is a process under centralized control, that is, both address allocation and label allocation in the metro network are driven by the metro server, and the node switch and the node server execute them passively. This differs from label allocation in MPLS, which is the result of negotiation between the switch and the server.
As shown in the following table, the data packet of the metro network mainly includes the following parts:
DA SA Reserved Label Payload CRC
namely Destination Address (DA), Source Address (SA), reserved bytes (Reserved), label, payload (pdu) and CRC. The format of the label may be defined as follows: the label is 32 bits, of which the upper 16 bits are reserved and only the lower 16 bits are used, and it is positioned between the reserved bytes and the payload of the packet.
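As an added example (not code from the patent), the following Python parser and serializer implement the two packet layouts defined above: 8-byte DA/SA whose first byte is the packet type, the 2 reserved bytes, the optional 32-bit label (lower 16 bits used) between the reserved bytes and the payload, the 64-byte and 1056-byte payloads, and a 4-byte CRC trailer. Assumptions not fixed by the text: the CRC is the standard CRC-32 (zlib.crc32) stored big-endian, the type-byte values are constructed, and a type byte the example does not know accepts any payload length.

```python
"""Parser and serializer for the access-network and metro-network packet
layouts defined above.  Added example: CRC-32 via zlib.crc32 stored
big-endian and the type-byte values are assumptions, not from the text."""
import struct
import zlib
from dataclasses import dataclass
from typing import Optional

# Constructed type-byte values; the text only says byte 0 encodes the packet type.
TYPE_PROTOCOL = 0x01            # "various protocol packets": 64-byte payload
TYPE_UNICAST = 0x02             # unicast data packet: 32 + 1024 = 1056-byte payload
PAYLOAD_LEN = {TYPE_PROTOCOL: 64, TYPE_UNICAST: 1056}
LABEL_MASK = 0xFFFF             # label is 32 bits: upper 16 reserved, lower 16 used

def label_is_valid(label: int) -> bool:
    """Reserved upper 16 bits of the label must be zero."""
    return 0 <= label <= 0xFFFFFFFF and (label & ~LABEL_MASK) == 0

def crc_ok(frame: bytes) -> bool:
    """True if the 4-byte CRC trailer matches the standard CRC-32 of the rest."""
    if len(frame) < 4:
        return False
    return zlib.crc32(frame[:-4]) & 0xFFFFFFFF == struct.unpack(">I", frame[-4:])[0]

@dataclass(frozen=True)
class Address:
    """8-byte DA/SA: type byte, 5-byte metro address, 2-byte access address."""
    pkt_type: int
    metro: bytes
    access: bytes

    def pack(self) -> bytes:
        if not (0 <= self.pkt_type <= 255 and len(self.metro) == 5 and len(self.access) == 2):
            raise ValueError("bad address field widths")
        return bytes([self.pkt_type]) + self.metro + self.access

    @classmethod
    def unpack(cls, raw: bytes) -> "Address":
        if len(raw) != 8:
            raise ValueError("address must be 8 bytes")
        return cls(raw[0], raw[1:6], raw[6:8])

@dataclass(frozen=True)
class Packet:
    da: Address
    sa: Address
    reserved: int = 0             # the 2 reserved bytes
    label: Optional[int] = None   # None: access-network layout; int: metro layout
    payload: bytes = b""

    def pack(self) -> bytes:
        expected = PAYLOAD_LEN.get(self.da.pkt_type)
        if expected is not None and len(self.payload) != expected:
            raise ValueError(f"type {self.da.pkt_type:#04x} needs a {expected}-byte payload")
        body = self.da.pack() + self.sa.pack() + struct.pack(">H", self.reserved)
        if self.label is not None:
            if not label_is_valid(self.label):
                raise ValueError("reserved label bits set")
            body += struct.pack(">I", self.label)   # label sits between reserved and payload
        body += self.payload
        return body + struct.pack(">I", zlib.crc32(body) & 0xFFFFFFFF)

def parse_packet(raw: bytes, metro: bool) -> Packet:
    """Parse a frame; `metro` selects the layout that carries the 32-bit label.
    Rejects short frames, bad CRCs, reserved label bits, and a payload length
    that disagrees with the packet type."""
    header_len = 8 + 8 + 2 + (4 if metro else 0)
    if len(raw) < header_len + 4 or not crc_ok(raw):
        raise ValueError("frame too short or CRC mismatch")
    body = raw[:-4]
    da, sa = Address.unpack(body[0:8]), Address.unpack(body[8:16])
    (reserved,) = struct.unpack(">H", body[16:18])
    label, offset = None, 18
    if metro:
        (label,) = struct.unpack(">I", body[18:22])
        if not label_is_valid(label):
            raise ValueError("reserved label bits set")
        offset = 22
    payload = body[offset:]
    expected = PAYLOAD_LEN.get(da.pkt_type)
    if expected is not None and len(payload) != expected:
        raise ValueError("payload length does not match packet type")
    return Packet(da, sa, reserved, label, payload)

def build_samples() -> tuple:
    """Constructed sample frames: one access-network and one metro-network
    protocol packet between access addresses 0x0001 and 0x0010 in metro 1."""
    da = Address(TYPE_PROTOCOL, b"\x00\x00\x00\x00\x01", b"\x00\x10")
    sa = Address(TYPE_PROTOCOL, b"\x00\x00\x00\x00\x01", b"\x00\x01")
    access_frame = Packet(da, sa, 0, None, bytes(64)).pack()
    metro_frame = Packet(da, sa, 0, 0x0001, bytes(64)).pack()
    return access_frame, metro_frame
```

The CRC only detects accidental corruption; anyone able to alter a frame can recompute it, which is why the login stage of the claims relies on a message authentication code rather than the CRC for integrity.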
Based on the characteristics of the video network, one of the core concepts of the embodiments of the present invention is as follows. Following the protocol of the video network, the video network device completes network access sequentially through a device query stage, a device authentication stage and a device login stage. After the server verifies from the first parameter information that the identity of the video network device is correct, it enters the device authentication stage and sends legality verification information to the video network device; when the video network device verifies from the legality verification information that the server is legal, it generates second parameter information and feeds it back to the server. After verifying from the second parameter information that the video network device is legal, the server enters the device login stage and sends an information integrity identifier to the video network device; the video network device verifies the integrity of the target information against the information integrity identifier, and when the target information is complete, successful network access of the video network device is determined.
The embodiments in the present specification are described in a progressive manner, each embodiment focuses on differences from other embodiments, and the same and similar parts among the embodiments are referred to each other.
As will be appreciated by one skilled in the art, embodiments of the present invention may be provided as a method, apparatus, or computer program product. Accordingly, embodiments of the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, embodiments of the present invention may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
Embodiments of the present invention are described with reference to flowchart illustrations and/or block diagrams of methods, terminal devices (systems), and computer program products according to embodiments of the invention. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing terminal to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing terminal, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing terminal to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing terminal to cause a series of operational steps to be performed on the computer or other programmable terminal to produce a computer implemented process such that the instructions which execute on the computer or other programmable terminal provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
Finally, it should also be noted that, herein, relational terms such as first and second, and the like may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or terminal that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or terminal. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other like elements in a process, method, article, or terminal that comprises the element.
The method, device, equipment and medium for secure video communication based on the management plane protocol provided by the present invention have been introduced in detail above; a specific example has been used to explain the principle and implementation of the invention, and the description of the embodiments is only intended to help understand the method and core idea of the invention. Meanwhile, a person skilled in the art may, following the idea of the present invention, vary the specific embodiments and the scope of application; in summary, the content of this specification should not be construed as limiting the present invention.

Claims (12)

1. A secure video communication method based on a management plane protocol is applied to video networking equipment and comprises the following steps:
in an equipment query phase, acquiring security verification information sent by a server, generating first parameter information at least according to identity information of video networking equipment when the security verification information is determined to be matched with the security level of the video networking equipment, and feeding the first parameter information back to the server so that the server verifies the identity of the video networking equipment according to the first parameter information, wherein the security verification information comprises one or more parameters for representing the security level of the server;
in the equipment authentication stage, obtaining legality verification information sent by the server, generating second parameter information according to historical interaction information between the server and the video network equipment when verifying that the server is legal according to the legality verification information, and feeding back the second parameter information to the server so that the server verifies the legality of the video network equipment according to the second parameter information, wherein the legality verification information at least comprises validity verification information and first verification information of the server and the video network equipment, the validity verification information is used for verifying the validity of the legality verification information, and the first verification information is used by the video network equipment to verify the legality of the server by checking whether it is consistent with the corresponding information stored in the video network equipment;
and in the equipment login stage, acquiring an information integrity identifier sent by the server, and determining successful network access to the video network when target information is verified to be complete information according to the information integrity identifier, wherein the information integrity identifier is used for protecting the integrity of the target information.
2. The method of claim 1, wherein the obtaining the security verification information sent by the server comprises:
receiving a network access equipment query message sent by the server, and extracting the security verification information from the network access equipment query message;
the feeding back the first parameter information to the server includes:
and sending a response message responding to the network access equipment inquiry message to the server, wherein the response message carries the first parameter information.
3. The method according to claim 1 or 2, wherein the security verification information comprises at least any one or more of the following parameters:
a security protocol version number, a device cryptographic capability, and an algorithm suite;
the determining that the security verification information matches the security level of the video networking device comprises:
and verifying whether the security level of the video networking equipment is consistent with the security level of the server or not according to each parameter carried in the security verification information, and if so, determining that the security verification information is matched with the security level of the video networking equipment.
4. The method of claim 1, wherein the obtaining the validity verification information sent by the server comprises:
receiving a network access equipment authentication message sent by the server, and extracting the validity verification information from the network access equipment authentication message;
the feeding back the second parameter information to the server includes:
and sending a response message responding to the network access equipment authentication message to the server, wherein the response message carries the second parameter information.
5. The method according to claim 1 or 4, wherein the first authentication information comprises: dynamic authentication information and static authentication information;
the verifying that the server is legal according to the legality verifying information comprises the following steps:
verifying whether the validity verification information is valid or not according to the validity verification information;
and if the dynamic verification information and the static verification information of the video networking equipment are valid, verifying whether the dynamic verification information and the static verification information are consistent with corresponding information stored in the video networking equipment, and if so, determining that the server is a legal server.
6. The method of claim 1, wherein the obtaining the information integrity indicator sent by the server comprises:
and receiving a login message of the network access equipment sent by the server, and extracting the information integrity identifier from the login message of the network access equipment.
7. The method of claim 6, wherein the target information comprises: the random numbers of the server and the video network equipment, the identifications of the server and the video network equipment and a video network address are obtained by extracting from the network access equipment login message;
the verifying that the target information is complete information according to the information integrity identifier comprises:
and performing message authentication code calculation on the random numbers of the server and the video network equipment, the identifiers of the server and the video network equipment and the video network addresses, and determining that the target information is complete information when the calculation result is the same as the information integrity identifier.
8. The method of claim 7, wherein upon determining successful network entry into the video network, the method further comprises:
carrying out message authentication code calculation on respective random numbers of the server and the video networking equipment, the video networking address and the network access equipment login message to obtain a message authentication code;
and feeding back a response message responding to the login message of the network access equipment to the server, wherein the response message carries the message authentication code which is used for interaction between the video network equipment and the server after the video network equipment successfully accesses the network.
9. The method of claim 2, 4 or 8, wherein the frame structure of the response message sent by the video networking device to the server comprises: exchange protocol header, common message header, management message header and management message payload; the management message payload comprises a plurality of information element fields; the plurality of information element fields are at least used for carrying one or more of identity authentication information, key management information, handshake interaction information and message authentication codes.
10. A secure video communication apparatus based on management plane protocol, the apparatus being applied to a video networking device, the apparatus comprising:
the system comprises an inquiry module, a security verification module and a security verification module, wherein the inquiry module is used for acquiring security verification information sent by a server in an equipment inquiry stage, generating first parameter information at least according to identity information of video networking equipment when the security verification information is determined to be matched with the security level of the video networking equipment, and feeding the first parameter information back to the server so that the server verifies the identity of the video networking equipment according to the first parameter information, wherein the security verification information comprises one or more parameters for representing the security level of the server;
an authentication module, configured to, in an equipment authentication phase, obtain legitimacy verification information sent by the server, generate second parameter information according to historical interaction information between the server and the video networking equipment when verifying that the server is legitimate according to the legitimacy verification information, and feed back the second parameter information to the server, so that the server verifies the legitimacy of the video networking equipment according to the second parameter information, where the legitimacy verification information at least includes validity verification information and first verification information of the server and the video networking equipment, the validity verification information is used to verify the validity of the legitimacy verification information, and the first verification information is used to make the video networking equipment verify the validity of the corresponding information stored in the video networking equipment according to the first verification information, verifying the legality of the server;
and the login module is used for acquiring the information integrity identifier sent by the server in the equipment login stage, and determining successful network access to the video network when the target information is verified to be the complete information according to the information integrity identifier, wherein the information integrity identifier is used for protecting the integrity of the target information.
11. A computer-readable storage medium, on which a computer program is stored which, when being executed by a processor, carries out the steps of a method for secure video communication based on a management plane protocol according to any one of claims 1 to 9.
12. An electronic device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, wherein the processor when executing performs the steps of a method for secure video communication based on management plane protocol as claimed in any of claims 1 to 9.
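The three-stage network access of claims 1 to 8 (query, authentication, login), simulated end to end with both sides' messages, as an added example that is not part of the patent. The claims fix neither the MAC algorithm and key nor the form of the historical interaction information, validity information or dynamic/static verification information; the example assumes HMAC-SHA256 under a pre-shared key, a SHA-256 transcript of the messages exchanged so far, an expiry time on the authentication message, and a server identifier plus per-device counter stored on the device. All identifiers, nonces and addresses are constructed.

```python
"""End-to-end simulation of the query, authentication and login stages of claims 1 to 8.
Added example: the MAC (HMAC-SHA256 under a pre-shared key), transcript, expiry and
stored verification values are assumptions; all ids, nonces and addresses are constructed."""
import hashlib, hmac, json, secrets
from dataclasses import dataclass, field

NOW = 1000                      # constructed clock shared by both sides
SUITE = {"version": 1, "capability": "sm-capable", "algorithms": "HMAC-SHA256"}
TARGET_KEYS = ("server_nonce", "device_nonce", "server_id", "device_id", "address")

def canon(obj) -> bytes:        # deterministic encoding so both sides MAC identical bytes
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()

def mac(key: bytes, *parts) -> str:
    return hmac.new(key, b"".join(canon(p) for p in parts), hashlib.sha256).hexdigest()

def absorb(history: bytes, msg) -> bytes:   # running hash of every message exchanged so far
    return hashlib.sha256(history + canon(msg)).digest()

@dataclass
class Server:
    key: bytes
    server_id: str
    devices: dict               # device_id -> {"level": str, "counter": int}
    nonce: str = field(default_factory=lambda: secrets.token_hex(8))
    history: bytes = b""

    def query_message(self):    # stage 1: security verification information (claim 3)
        msg = {"server_id": self.server_id, "nonce": self.nonce, **SUITE}
        self.history = absorb(self.history, msg)
        return msg
    def check_identity(self, resp) -> bool:     # verify the first parameter information
        self.history = absorb(self.history, resp)
        dev = self.devices.get(resp.get("device_id"))
        return dev is not None and dev["level"] == resp.get("level")
    def auth_message(self, device_id):          # stage 2: validity + first verification info
        msg = {"expires": NOW + 30, "static": self.server_id,
               "dynamic": self.devices[device_id]["counter"]}
        self.history = absorb(self.history, msg)
        return msg
    def check_legality(self, resp) -> bool:     # verify the second parameter information
        expected = mac(self.key, {"transcript": self.history.hex()})
        self.history = absorb(self.history, resp)
        return hmac.compare_digest(expected, resp.get("second_param", ""))
    def login_message(self, device_id, device_nonce, address):   # stage 3 (claim 7)
        target = {"server_nonce": self.nonce, "device_nonce": device_nonce,
                  "server_id": self.server_id, "device_id": device_id, "address": address}
        return {**target, "integrity": mac(self.key, target)}

@dataclass
class Device:
    key: bytes
    device_id: str
    level: str
    stored_server_id: str       # static verification value held by the device (assumption)
    stored_counter: int         # dynamic verification value held by the device (assumption)
    nonce: str = field(default_factory=lambda: secrets.token_hex(8))
    history: bytes = b""

    def query_response(self, q):
        self.history = absorb(self.history, q)
        if {k: q.get(k) for k in SUITE} != SUITE:   # security levels do not match: stop
            return None
        resp = {"device_id": self.device_id, "level": self.level, "nonce": self.nonce}
        self.history = absorb(self.history, resp)
        return resp
    def auth_response(self, a):
        self.history = absorb(self.history, a)
        if (a.get("expires", 0) <= NOW or a.get("static") != self.stored_server_id
                or a.get("dynamic") != self.stored_counter):   # invalid or not legal
            return None
        resp = {"second_param": mac(self.key, {"transcript": self.history.hex()})}
        self.history = absorb(self.history, resp)
        return resp
    def login(self, lm):
        target = {k: lm.get(k) for k in TARGET_KEYS}
        # the echoed nonce must be ours and the integrity identifier must match (claim 7)
        if target["device_nonce"] != self.nonce or not hmac.compare_digest(
                mac(self.key, target), lm.get("integrity", "")):
            return None
        # claim 8: MAC over both nonces, the address and the login message itself
        return {"mac": mac(self.key, lm["server_nonce"], lm["device_nonce"], lm["address"], lm)}

def make_pair():
    key = hashlib.sha256(b"constructed pre-shared key").digest()
    server = Server(key, "srv-01", {"dev-42": {"level": "L2", "counter": 7}})
    return server, Device(key, "dev-42", "L2", "srv-01", 7)

def run_handshake(server, device, tamper_login=False) -> bool:
    qr = device.query_response(server.query_message())
    if qr is None or not server.check_identity(qr):
        return False
    ar = device.auth_response(server.auth_message(device.device_id))
    if ar is None or not server.check_legality(ar):
        return False
    lm = server.login_message(device.device_id, qr["nonce"], "0000000001.0010")
    if tamper_login:            # altered in transit: the integrity identifier no longer matches
        lm = {**lm, "address": "0000000001.0099"}
    return device.login(lm) is not None
```

Each side refuses to continue at the first failing stage, so a server that cannot present the stored verification values, or a login message altered on the wire, never produces a successful network access.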
Application CN202011574372.7A, priority date 2020-12-28, filing date 2020-12-28: Secure video communication method, device, equipment and medium based on management plane protocol. Status: Active. Granted publication CN112291072B (en).


Publications (2)

Publication number and date:
CN112291072A (en), 2021-01-29
CN112291072B (en), 2021-03-26


Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113727059B (en) * 2021-08-31 2023-10-24 成都卫士通信息产业股份有限公司 Network access authentication method, device and equipment for multimedia conference terminal and storage medium
CN114553592B (en) * 2022-03-23 2024-03-22 深圳市美科星通信技术有限公司 Method, equipment and storage medium for equipment identity verification

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106105139A (en) * 2014-03-07 2016-11-09 微软技术许可有限责任公司 The automatic detection of the authentication method being carried out by gateway
CN110719247A (en) * 2018-07-11 2020-01-21 视联动力信息技术股份有限公司 Terminal network access method and device
CN111800378A (en) * 2020-05-21 2020-10-20 视联动力信息技术股份有限公司 Login authentication method, device, system and storage medium

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20140267752A1 (en) * 2012-03-19 2014-09-18 Jingle Huang Cloud technology surveillance

Patent Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106105139A (en) * 2014-03-07 2016-11-09 微软技术许可有限责任公司 The automatic detection of the authentication method being carried out by gateway
CN110719247A (en) * 2018-07-11 2020-01-21 视联动力信息技术股份有限公司 Terminal network access method and device
CN111800378A (en) * 2020-05-21 2020-10-20 视联动力信息技术股份有限公司 Login authentication method, device, system and storage medium

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
Design of a video networking security platform based on the cloud concept; Feng Juntao et al.; Cable TV Technology; 2019-08-31 (No. 8); pp. 67-69 *

Also Published As

Publication number Publication date
CN112291072A (en) 2021-01-29

Similar Documents

Publication Publication Date Title
CN110430043B (en) Authentication method, system and device and storage medium
CN109743170B (en) Method and device for logging in streaming media and encrypting data transmission
CN108023858B (en) Video networking network management security authentication method and system
CN110012322B (en) Method and system for initiating video networking service
CN112291072B (en) Secure video communication method, device, equipment and medium based on management plane protocol
CN110661784B (en) User authentication method, device and storage medium
CN111107060B (en) Login request processing method, server, electronic equipment and storage medium
CN111786778A (en) Method and device for updating key
CN112203149B (en) Video networking software updating method and device based on domestic password
CN110719247B (en) Terminal network access method and device
CN112333210B (en) Method and equipment for realizing data communication function of video network
CN109151519B (en) Configuration distribution method and system based on video network
CN110535856B (en) User authentication method, device and storage medium
CN111556376B (en) Digital certificate signing and issuing method and device and computer readable storage medium
CN109376507B (en) Data security management method and system
CN112291592B (en) Control plane protocol-based secure video communication method, device, equipment and medium
CN110022353B (en) Service sharing method and video networking system
CN108965219B (en) Data processing method and device based on video network
CN110049007B (en) Video networking transmission method and device
CN110661783B (en) Terminal registration method, device and storage medium
CN109587436B (en) Video networking conference management platform login method and device
CN111654728B (en) Certificate updating method and device
CN109698966B (en) Method and device for logging in streaming media and interactively encrypting data
CN110620936B (en) Video network video backup method and device, electronic equipment and storage medium
CN110995646A (en) Fingerprint data acquisition method and device based on video network

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant