CN113727057B - Network access authentication method, device and equipment for multimedia conference terminal and storage medium


Info

Publication number: CN113727057B
Authority: CN (China)
Prior art keywords: terminal, network, access authentication, certificate, information
Legal status: Active
Application number: CN202111011882.8A
Other languages: Chinese (zh)
Other versions: CN113727057A (en)
Inventors: 任旭斌, 张舒黎, 周泽恒, 段品言, 周小东
Current assignee: Chengdu Westone Information Industry Inc
Original assignee: Chengdu Westone Information Industry Inc

Events:
    • Application filed by Chengdu Westone Information Industry Inc
    • Priority to CN202111011882.8A
    • Publication of CN113727057A
    • Application granted
    • Publication of CN113727057B
    • Legal status: Active (current)

Classifications

All entries fall under section H (Electricity), class H04 (Electric communication technique), in subclasses H04N (Pictorial communication, e.g. television) and H04L (Transmission of digital information, e.g. telegraphic communication):

    • H04N 7/15: Conference systems (under H04N 7/00 Television systems and H04N 7/14 Systems for two-way working)
    • H04N 7/155: Conference systems involving storage of or access to video conference sessions
    • H04L 9/0869: Generation of secret information, including derivation or calculation of cryptographic keys or passwords, involving random numbers or seeds (under H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; network security protocols, and H04L 9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords)
    • H04L 9/3247: Cryptographic mechanisms including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials (H04L 9/32), involving digital signatures
    • H04L 9/3268: Cryptographic mechanisms including means for verifying identity or authority (H04L 9/32), involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC], or public key infrastructure [PKI] arrangements (H04L 9/3263), using certificate validation, registration, distribution or revocation, e.g. certificate revocation list [CRL]

Abstract

The present disclosure relates to a method, an apparatus, a device and a storage medium for authenticating the network access of a multimedia conference terminal. The method is applied to a network management device and includes: when a network access authentication request is received from a second terminal serving as a non-chief virtual terminal, generating a second network key for the second terminal; encrypting response related information with the first network key of the first terminal serving as the chief virtual terminal, obtained in advance, to obtain response related encrypted second information; and returning a network access authentication response message carrying that information to the second terminal. The second terminal decrypts the response related encrypted second information to obtain the second network key and returns a network access authentication completion message, and the network management device determines, based on the information carried in the completion message, whether to allow the second terminal to access the network. Authentication management and control of terminal network access is thereby realized, so that only terminals that pass authentication are allowed to access the network, and the security of the multimedia conference is improved.

Description

Network access authentication method, device and equipment for multimedia conference terminal and storage medium
Technical Field
The disclosure relates to the technical field of computer application, and in particular relates to a method, a device, equipment and a storage medium for network access authentication of a multimedia conference terminal.
Background
With the rapid development of computer technology and network technology, the application range of multimedia conferences such as audio and video conferences is becoming wider and wider. A multimedia conference relies on a network and has characteristics such as high efficiency, low cost, rapidity and convenience. Users can join the multimedia conference through various terminals.
However, since a multimedia conference has a certain privacy, if any terminal can join, risks such as leakage of confidential information are likely to occur and security is low; therefore not all terminals may join, and only preset legal terminals may join. Network access is a prerequisite for a terminal to join the multimedia conference, and in order to improve the security of the multimedia conference, how to authenticate, manage and control the network access of the terminal is a technical problem that currently needs to be solved by persons skilled in the art.
Disclosure of Invention
The invention aims to provide a network access authentication method, device and equipment for a multimedia conference terminal and a storage medium, so as to authenticate, manage and control the network access of the terminal in the multimedia conference and improve the security of the multimedia conference.
In order to solve the technical problems, the present disclosure provides the following technical solutions:
a multimedia conference terminal network access authentication method applied to a network management device, the network management device obtaining a root network key and a first network key of a first terminal in advance, the method comprising:
generating a second network key of a second terminal based on the root network key under the condition that a network access authentication request message sent by the second terminal is received, wherein the second terminal and the first terminal share a cryptographic module, the first terminal is the chief virtual terminal that has accessed the network, the second terminal is any non-chief virtual terminal, and the network access authentication request message carries a random number of the second terminal;
encrypting response related information by using the first network key to obtain response related encrypted second information, wherein the response related information comprises the second network key, the random number of the second terminal and the random number of the network management device;
returning a network access authentication response message to the second terminal, wherein the network access authentication response message carries the response related encrypted second information so that the second terminal decrypts the response related second information to obtain the second network key, and sends a network access authentication completion message to the network management equipment, and the network access authentication completion message carries the random number of the second terminal and the random number of the network management equipment;
and under the condition that the network access authentication completion message sent by the second terminal is received, determining whether to allow the second terminal to access the network or not based on information carried in the network access authentication completion message.
In a specific embodiment of the present disclosure, the network access authentication request message carries certificate related information, and when receiving the network access authentication request message sent by the second terminal, the method further includes:
if the certificate related information comprises marking information of the certificate to be transferred, carrying the certificate of the network management equipment in the network access authentication response message;
or if the network management certificate serial number included in the certificate related information is different from the actual certificate serial number of the network management device, carrying the certificate of the network management device in the network access authentication response message.
In a specific embodiment of the present disclosure, the network access authentication request message carries supporting information of a secure interaction mechanism version, and when receiving the network access authentication request message sent by the second terminal, the method further includes:
and carrying response information of the secure interaction mechanism version in the network access authentication response message so that the second terminal and the network management equipment interact based on the same secure interaction mechanism version.
In a specific embodiment of the disclosure, the network management device obtains a broadcast key in advance, and the response-related information further includes the broadcast key.
In a specific embodiment of the present disclosure, the network access authentication response message further carries certificate related information, so that the second terminal determines, based on the certificate related information, whether to carry the certificate of the first terminal in the network access authentication completion message.
In a specific embodiment of the present disclosure, the network access authentication completion message carries a certificate of the first terminal, and before determining whether to allow the second terminal to access the network based on the information carried in the network access authentication completion message, the method further includes:
determining whether a certificate of the first terminal is valid;
and if so, executing the step of determining whether to allow the second terminal to access the network based on the information carried in the network access authentication completion message.
In a specific embodiment of the present disclosure, in a case where it is determined that the certificate of the first terminal is valid, the method further includes:
and caching the certificate of the first terminal locally.
A multimedia conference terminal access authentication apparatus, which operates in a network management device, the network management device obtaining a root network key and a first network key of a first terminal in advance, the apparatus comprising:
a network key generation module, configured to generate a second network key of a second terminal based on the root network key under the condition that a network access authentication request message sent by the second terminal is received, wherein the second terminal and the first terminal share a cryptographic module, the first terminal is the chief virtual terminal that has accessed the network, the second terminal is any non-chief virtual terminal, and the network access authentication request message carries a random number of the second terminal;
an encryption information obtaining module, configured to encrypt response related information by using the first network key, to obtain response related encrypted second information, where the response related information includes the second network key, a random number of the second terminal, and a random number of the network management device;
a response information return module, configured to return an access authentication response message to the second terminal, where the access authentication response message carries the response-related encrypted second information, so that the second terminal decrypts the response-related second information to obtain the second network key, and sends an access authentication completion message to the network management device, where the access authentication completion message carries a random number of the second terminal and a random number of the network management device;
and a network access judging module, configured to determine whether the second terminal is allowed to access the network or not based on the information carried in the network access authentication completion message under the condition that the network access authentication completion message sent by the second terminal is received.
A multimedia conference terminal network access authentication device, comprising:
a memory for storing a computer program;
and a processor for implementing the steps of the multimedia conference terminal network access authentication method when executing the computer program.
A computer readable storage medium having stored thereon a computer program which when executed by a processor performs the steps of the multimedia conference terminal access authentication method of any of the above.
By applying the technical scheme provided by the embodiments of the disclosure, when the network management device receives the network access authentication request of the second terminal serving as the non-chief virtual terminal, it generates a second network key of the second terminal, encrypts response related information comprising the second network key, the random number of the second terminal and the random number of the network management device by using the first network key of the first terminal serving as the chief virtual terminal, obtained in advance, to obtain response related encrypted second information, and returns a network access authentication response message carrying that information to the second terminal. The second terminal decrypts the response related encrypted second information carried in the response message to obtain the second network key and returns a network access authentication completion message, and the network management device determines whether to allow the second terminal to access the network based on the information carried in the network access authentication completion message. Authentication management and control of terminal network access is thereby realized, so that only terminals that pass authentication are allowed to access the network, and the security of the multimedia conference is improved.
Drawings
The accompanying drawings are included to provide a further understanding of the disclosure, and are incorporated in and constitute a part of this specification, illustrate the disclosure and together with the description serve to explain, but do not limit the disclosure. In the drawings:
fig. 1 is a flowchart of an implementation of a method for authenticating a multimedia conference terminal to a network in an embodiment of the disclosure;
fig. 2 is a schematic diagram of a specific flow of network access authentication of a multimedia conference terminal in an embodiment of the disclosure;
fig. 3 is a schematic structural diagram of a network access authentication device of a multimedia conference terminal in an embodiment of the disclosure;
fig. 4 is a schematic structural diagram of a network access authentication device for a multimedia conference terminal according to an embodiment of the disclosure.
Detailed Description
The core of the present disclosure is to provide a network access authentication method for a multimedia conference terminal. The method can be applied to a network management device, which performs authentication management and control on terminals that are to access the network used for the multimedia conference. The network management device obtains the root network key in advance. Specifically, the network management device may generate the root network key itself, or key management may be performed by a key management device, from which the network management device requests the root network key after it has itself accessed the network; of course, the root network key may also be obtained in other ways. To keep the key secure, the network management device can obtain the root network key after restarting and re-accessing the network, and the root network keys obtained at different moments are different.
The network management equipment authenticates the terminal to be accessed to the network, and only if the authentication passes, the terminal is allowed to access to the network, so that the terminal accessing to the network is authenticated and controlled, and the security of the multimedia conference is improved.
In practical application, a plurality of virtual terminals can be deployed on one physical device and share one cryptographic module; the first of these virtual terminals to apply for network access is the chief virtual terminal, and the virtual terminals that subsequently apply for network access are non-chief virtual terminals. Once the chief virtual terminal has passed network access authentication, the network management device can execute a fast network access authentication procedure for the non-chief virtual terminals.
In the embodiments of the disclosure, the first terminal is the chief virtual terminal that has accessed the network, and the second terminal is any non-chief virtual terminal. During the network access authentication of the first terminal, the network management device obtains the first network key of the first terminal.
Specifically, the network management device performs network access authentication on the first terminal by referring to the following procedures:
generating a first network key of the first terminal based on a root network key obtained in advance under the condition that an access authentication request message sent by the first terminal is received;
encrypting the network management identifier of the network management equipment and the first network key by using the public key of the first terminal to obtain first information encrypted by the network key;
returning a network access authentication response message to the first terminal, wherein the network access authentication response message carries network key encryption first information and network management signature first information, so that the first terminal performs signature verification based on the network management signature first information, after verification is passed, the network key encryption first information is decrypted to obtain a first network key and a network management identifier, and a network access authentication completion message is sent to network management equipment, wherein the network access authentication completion message carries the network management identifier and the terminal signature first information;
and under the condition that the network access authentication completion message sent by the first terminal is received, determining whether to allow the first terminal to access the network or not based on the information carried in the network access authentication completion message.
If it is determined that the first terminal is allowed to access the network, the first terminal has accessed the network successfully and the network management device holds the first network key of the first terminal, so that the fast network access authentication procedure can be performed for any other non-chief virtual terminal that shares a cryptographic module with the first terminal.
In order that those skilled in the art will better understand the present disclosure, the disclosure will be described in further detail with reference to the drawings and detailed description. It will be apparent that the described embodiments are merely some, but not all embodiments of the present disclosure. Based on the embodiments in this disclosure, all other embodiments that a person of ordinary skill in the art would obtain without making any inventive effort are within the scope of protection of this disclosure.
Referring to fig. 1, a flowchart of an implementation of a method for authenticating a multimedia conference terminal to access a network according to an embodiment of the disclosure may include the following steps:
S110: And under the condition that the network access authentication request message sent by the second terminal is received, generating a second network key of the second terminal based on the root network key, wherein the network access authentication request message carries the random number of the second terminal.
The second terminal is any non-chief virtual terminal that is to access the network, and the first terminal, which shares a cryptographic module with the second terminal, is the chief virtual terminal that has accessed the network.
When the second terminal has network access requirement, a network access authentication request message can be sent to the network management equipment, and the network access authentication request message can carry the random number of the second terminal. The random number may be generated by the second terminal invoking a cryptographic module.
After receiving the network access authentication request message sent by the second terminal, the network management device may generate the second network key of the second terminal based on the root network key. Specifically, a key derivation function may be applied to the root network key to generate the second network key of the second terminal.
S120: and encrypting the response related information by using the first network key to obtain response related encrypted second information, wherein the response related information comprises the second network key, the random number of the second terminal and the random number of the network management device.
The network management device obtains the first network key of the first terminal in advance and generates the second network key of the second terminal when it receives the network access authentication request message sent by the second terminal. The response related information, including the second network key, the random number of the second terminal and the random number of the network management device, may then be encrypted using the first network key to obtain the response related encrypted second information.
The random number of the network management device can be generated by the network management device calling its cryptographic module. The second terminal and the network management device call different cryptographic modules, and the random numbers generated by calling a cryptographic module at different moments are different.
S130: and returning a network access authentication response message to the second terminal, wherein the network access authentication response message carries response related encrypted second information so that the second terminal decrypts the response related second information to obtain a second network key, and sending a network access authentication completion message to the network management equipment, wherein the network access authentication completion message carries the random number of the second terminal and the random number of the network management equipment.
After obtaining the response-related encrypted second information, the network management device may return an authentication response message to the second terminal. The response-related encrypted second information is carried in the network access authentication response message.
Because the response related encrypted second information is obtained by encrypting the response related information with the first network key, and because the second terminal and the first terminal share a cryptographic module (they are different virtual terminals deployed on the same physical device), the second terminal can obtain the first network key of the first terminal in advance. After receiving the network access authentication response message returned by the network management device, the second terminal can therefore use the first network key to decrypt the response related encrypted second information carried in the message and obtain the second network key, the random number of the second terminal, the random number of the network management device and other information. Whether this information is correct can be determined by checking whether the recovered random number of the second terminal is the same as the random number of the second terminal carried in the network access authentication request message, which also authenticates the network management device. If that authentication passes, the second terminal may send a network access authentication completion message to the network management device, carrying the random number of the second terminal and the random number of the network management device.
S140: and under the condition that the network access authentication completion message sent by the second terminal is received, determining whether to allow the second terminal to access the network or not based on the information carried in the network access authentication completion message.
After receiving the network access authentication completion message sent by the second terminal, the network management device can determine, based on the information carried in that message, whether to allow the second terminal to access the network. Verification can be performed using the random number of the second terminal and the random number of the network management device carried in the message: if they are respectively the same as the random number of the second terminal and the random number of the network management device carried in the network access authentication response message, the authentication of the second terminal can be determined to pass.
Based on the authentication result, it may be determined whether the second terminal is allowed to access the network.
Specifically, if the verification result is that verification passed, it may be determined that the second terminal is allowed to access the network, after which the second terminal may further browse the multimedia conference, join it and so on. If verification did not pass, the second terminal is not allowed to access the network; verification failure prompt information can be returned to the second terminal, which can resend the network access authentication request message and repeat the authentication procedure.
The exchange of the random numbers strengthens the reliability of the mutual authentication.
When the method provided by the embodiments of the disclosure is applied, the network management device generates the second network key of the second terminal when it receives the network access authentication request of the second terminal serving as the non-chief virtual terminal, encrypts response related information comprising the second network key, the random number of the second terminal and the random number of the network management device by using the first network key of the first terminal serving as the chief virtual terminal, obtained in advance, to obtain response related encrypted second information, and returns the network access authentication response message carrying that information to the second terminal. The second terminal decrypts the response related encrypted second information carried in the response message to obtain the second network key and returns the network access authentication completion message, and the network management device determines whether to allow the second terminal to access the network based on the information carried in the network access authentication completion message. Authentication management and control of terminal network access is thereby realized, so that only terminals that pass authentication are allowed to access the network, and the security of the multimedia conference is improved.
In one embodiment of the present disclosure, the network access authentication request message carries certificate related information, and in the case of receiving the network access authentication request message sent by the second terminal, the method may further include the following steps:
if the certificate related information comprises marking information indicating that the certificate needs to be transferred, carrying the certificate of the network management equipment in the network access authentication response message;
or if the network management certificate serial number included in the certificate related information is different from the actual certificate serial number of the network management device, carrying the certificate of the network management device in the network access authentication response message.
In the embodiment of the present disclosure, the network access authentication request message may carry information related to a certificate, where the information related to the certificate may include tag information of whether to transfer the certificate, a network management certificate serial number, a chief virtual terminal identifier, a certificate serial number of the first terminal, and so on.
When the second terminal has network access requirements, if the local terminal does not store the certificate of the network management equipment, the network access authentication request message can carry the marking information of the certificate to be transferred, and if the local terminal stores the certificate of the network management equipment, the network access authentication request message can carry the marking information of the certificate not to be transferred, the locally stored network management certificate serial number, the first terminal certificate serial number, the head virtual terminal identification and other certificate related information. The first terminal and the second terminal are different virtual terminals carried on the same entity device, and can commonly use certificates of the entity device. Namely, the certificate of the first terminal and the certificate of the second terminal are both the certificates of the entity equipment.
When the network management device receives the network access authentication request message sent by the second terminal, if the certificate related information includes the mark information that the certificate needs to be transferred, the second terminal can be considered to require the network management device to transfer its certificate, and the network management device carries its certificate in the network access authentication response message returned to the second terminal.
If the network management certificate serial number included in the certificate related information is different from the actual certificate serial number of the network management device, the certificate of the network management device can be considered to be updated, and the network management device can carry the certificate of the network management device in the network access authentication response message.
Of course, if the certificate related information includes the flag information that does not need to transmit the certificate, but the network management certificate serial number included in the certificate related information is different from the actual certificate serial number of the network management device, the certificate of the network management device may also be carried in the network access authentication response message. So that the second terminal can authenticate the network management device based on the certificate of the network management device and confirm the validity of the network access authentication response message. After the second terminal receives the certificate of the network management equipment, the certificate can be locally cached, so that the transfer of the certificate can be reduced, and network resources are saved.
In one embodiment of the present disclosure, the network access authentication response message may further carry certificate related information, so that the second terminal determines, based on the certificate related information, whether to carry the certificate of the first terminal in the network access authentication completion message.
In the embodiment of the disclosure, the network management device may further carry certificate related information in the network access authentication response message returned to the second terminal. The certificate related information may include flag information of whether to transfer the certificate, a certificate serial number of the first terminal, and the like.
It will be appreciated that the larger the amount of certificate data, the more network resources will be consumed for online delivery. Therefore, in the embodiment of the present disclosure, both the terminal and the network management device may perform the transfer of the certificate when it is determined that the transfer of the certificate is required.
The network management device may determine whether the second terminal needs to send the certificate according to information carried in the network access authentication request message or locally stored information.
Specifically, after receiving the network access authentication request message sent by the second terminal, the network management device may first determine whether the message carries the certificate of the first terminal. If not, it may further determine whether it has locally cached the certificate of the first terminal. If it has, the certificate of the first terminal (which is also the certificate of the second terminal) was obtained earlier, but its validity still needs to be determined. If the locally cached certificate is invalid, or no certificate of the first terminal is cached locally, the mark information that the certificate needs to be transferred can be carried in the network access authentication response message returned to the second terminal.
In addition, if the network management device locally stores the certificate of the first terminal, the network access authentication response message may carry the mark information that does not need to transmit the certificate, and the certificate related information such as the certificate serial number of the first terminal.
After receiving the network access authentication response message, the second terminal can determine whether the certificate of the first terminal is carried in the network access authentication completion message based on the certificate related information carried in the network access authentication response message. If the network access authentication response message carries the marking information of the certificate to be transferred, the second terminal can carry the certificate of the first terminal in the network access authentication completion message, or if the serial number of the certificate of the first terminal carried in the network access authentication response message is different from the serial number of the certificate of the first terminal stored locally, the certificate of the first terminal is considered to be updated, and the certificate of the first terminal can be carried in the network access authentication completion message.
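The certificate-carrying decisions described above, on both sides, as an added example that is not part of the patent. A terminal-side and a network-manager-side state object decide from the flag and serial-number fields of the certificate related information whether to carry a certificate, cache a received certificate so later exchanges skip the transfer, and show the edge case where a serial mismatch forces a transfer even though the flag says none is needed. The field names, the dict representation of certificates and the `validate` callback standing in for the certificate server are assumptions of this example.

```python
# Certificate related fields of the auxiliary information. The field names are
# an assumption of this example; the patent names only the three items.
def make_cert_info(need_cert: bool, peer_serial=None, own_serial=None) -> dict:
    return {"need_cert": need_cert, "peer_serial": peer_serial, "own_serial": own_serial}


class TerminalCertState:
    """Terminal B's view: the entity-device certificate it shares with A, plus a cached Cert_M."""

    def __init__(self, own_cert: dict):
        self.own_cert = own_cert          # {"serial": bytes, ...}, shared by A and B
        self.cached_nm_cert = None        # Cert_M once it has been received

    def request_cert_info(self) -> dict:
        # No cached Cert_M: ask M to transfer it. Otherwise send the serial we hold.
        if self.cached_nm_cert is None:
            return make_cert_info(True, None, self.own_cert["serial"])
        return make_cert_info(False, self.cached_nm_cert["serial"], self.own_cert["serial"])

    def on_response(self, nm_cert) -> None:
        if nm_cert is not None:
            self.cached_nm_cert = nm_cert  # cache it so later requests skip the transfer

    def should_send_own_cert(self, resp_cert_info: dict) -> bool:
        # Flag set, or M holds a Cert_A with a different serial (certificate rotated)
        return resp_cert_info["need_cert"] or resp_cert_info["peer_serial"] != self.own_cert["serial"]


class NmCertState:
    """Network manager M's view: its own certificate and a cached, validated Cert_A."""

    def __init__(self, own_cert: dict, validate):
        self.own_cert = own_cert
        self.validate = validate          # stands in for the certificate server's validity check
        self.cached_terminal_cert = None

    def should_send_own_cert(self, req_cert_info: dict) -> bool:
        # Flag set, or B holds a stale serial: send Cert_M even when the flag says not to
        return req_cert_info["need_cert"] or req_cert_info["peer_serial"] != self.own_cert["serial"]

    def response_cert_info(self) -> dict:
        c = self.cached_terminal_cert
        if c is None or not self.validate(c):
            self.cached_terminal_cert = None  # drop an invalid cache entry
            return make_cert_info(True, None, self.own_cert["serial"])
        return make_cert_info(False, c["serial"], self.own_cert["serial"])

    def on_completion(self, terminal_cert) -> bool:
        """False denies access: a presented Cert_A failed validation, or none is held at all."""
        if terminal_cert is None:
            return self.cached_terminal_cert is not None and self.validate(self.cached_terminal_cert)
        if not self.validate(terminal_cert):
            return False
        self.cached_terminal_cert = terminal_cert  # cache only after it validated
        return True
```

In this shape the flag is only a hint from the requester; the serial comparison is what actually keeps both caches consistent after either side rotates its certificate, and an invalid cached copy is discarded before the manager decides what to ask for.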
In one embodiment of the present disclosure, the authentication completion message carries a certificate of the first terminal, and before determining whether to allow the second terminal to access the network based on the information carried in the authentication completion message, the method may further include the steps of:
And determining whether the certificate of the first terminal is valid, and if so, executing the step of determining whether to allow the second terminal to access the network based on the information carried in the access authentication completion message.
In the embodiment of the present disclosure, when the network management device receives the network access authentication completion message returned by the second terminal, if the message carries the certificate of the first terminal, it may be determined whether that certificate is valid. Specifically, the validity of the certificate may be determined by a certificate server. If it is valid, the operation of determining whether to allow the second terminal to access the network based on the information carried in the network access authentication completion message may continue. If the certificate is invalid, the second terminal may be an illegal terminal; it is directly determined that the second terminal is not allowed to access the network, and corresponding error prompt information is returned to the second terminal.
Meanwhile, the certificate of the first terminal can be locally cached under the condition that the certificate of the first terminal is determined to be valid. Thus, the transfer of certificates can be reduced, and network resources are saved.
In one embodiment of the present disclosure, the network access authentication request message carries supporting information of a secure interaction mechanism version, and when receiving the network access authentication request message sent by the second terminal, the method may further include the following steps:
And carrying response information of the safety interaction mechanism version in the network access authentication response message so that the second terminal and the network management equipment interact based on the same safety interaction mechanism version.
In the embodiment of the present disclosure, when there is a network access requirement, the second terminal may carry supporting information of the secure interaction mechanism version, that is, the secure interaction mechanism version supported by itself, in the network access authentication request message sent to the network management device, and there may be one or more secure interaction mechanism versions.
After receiving the network access authentication request message sent by the second terminal, the network management device can determine the security interaction mechanism version to be used currently based on the supporting information of the security interaction mechanism version carried in the network access authentication request message, and carry the response information of the security interaction mechanism version in the network access authentication response message, so that the second terminal and the network management device interact based on the same security interaction version, and the problems of misjudgment and the like of network access authentication management and control caused by different security interaction versions are avoided.
For example, after the secure interaction mechanism is updated, the versions supported by the second terminal are v1.0 and v2.0, and the network management device determines that the version currently required is v2.0; the response information for v2.0 is then carried in the network access authentication response message, so that the second terminal and the network management device interact based on the v2.0 secure interaction mechanism.
In one embodiment of the present disclosure, the network management device obtains the broadcast key in advance, and the response-related information further includes the broadcast key.
The network management device may obtain the broadcast key after first accessing the network or after restarting the access network. Specifically, the network management device itself may automatically generate the broadcast key, or may apply for obtaining the broadcast key from the key management device. The broadcast keys obtained at different times may be different.
When the network management device receives the network access authentication request message sent by the second terminal, the first network key can be used for encrypting the response related information further comprising the broadcast key to obtain response related encrypted second information, and after the network access authentication response message is returned to the second terminal, the second terminal decrypts the response related encrypted second information carried in the network access authentication response message, so that the broadcast key can be obtained. And the subsequent encryption and decryption processing of the broadcast information by using the broadcast key is convenient, so that the transmission safety of the broadcast information is improved.
For ease of understanding, specific implementations of embodiments of the present disclosure are described with reference to fig. 2.
Assume that the second terminal is terminal B, the network management device is network manager M, the key management device is the secret manager, terminal B is any non-head virtual terminal and terminal A is the head virtual terminal.
S1: After network manager M accesses the network, it applies to the secret manager for a root network key NK-root and a broadcast key BK;
S2: Terminal B sends a network access authentication request message to network manager M. The message may carry auxiliary information Info, the identification ID_B of terminal B and the random number R_B of terminal B. It may be agreed that the first network access authentication request message sent by terminal B does not carry a certificate. The auxiliary information Info is extensible and may include: the secure interaction mechanism versions supported by the terminal side; an authentication type identifier (1: entity terminal, 2: virtual terminal, 3: quick network access); and certificate related information (whether to transfer a certificate, the peer certificate serial number, the local certificate serial number and the head virtual terminal identifier). R_B is a random number generated by terminal B by calling the cryptographic module;
S3: After receiving the request message, network manager M determines that the certificate Cert_A of terminal A is not cached locally, or that the locally cached Cert_A is invalid, and returns error information to terminal B. Cert_A is the encryption certificate and/or signature certificate of terminal A; terminal A and terminal B share the certificate of the bearing entity device;
S4: Terminal B receives the error information, resends the network access authentication request message and adds the certificate to it;
S5: Network manager M receives the request message and verifies the certificate Cert_A; if it is valid, M generates the network key NK_B of terminal B based on the root network key NK-root;
S6: Network manager M returns a network access authentication response message to terminal B. The message carries auxiliary information Info, the ciphertext obtained by encrypting, with the network key NK_A of terminal A obtained in advance, the concatenation of the random number R_M of network manager M, the random number R_B of terminal B, the identification ID_B of terminal B, the network key NK_B and the broadcast key BK, and optionally the certificate Cert_M of network manager M. Cert_M is the signature certificate and/or encryption certificate of network manager M; whether it is transferred is determined from the Info carried in the received request message;
S7: After receiving the response message, terminal B decrypts the ciphertext carried in it and verifies the identity of network manager M. After the verification passes, terminal B sends a network access authentication completion message to network manager M. The message may carry auxiliary information Info and the ciphertext obtained by encrypting the random number R_M of network manager M and the random number R_B of terminal B with the network key NK_A of terminal A;
S8: After receiving the completion message, network manager M decrypts the ciphertext carried in it with the corresponding key, obtains the random number R_M of network manager M and the random number R_B of terminal B, and determines on that basis whether terminal B is allowed to access the network, which completes the identity authentication process.
In the method, the network management equipment authenticates the terminal to be accessed to the network, and the terminal is allowed to access to the network only if the authentication passes, so that the access terminal can be effectively controlled, and the security of the multimedia conference is improved.
Corresponding to the above method embodiment, the present disclosure further provides a multimedia conference terminal network access authentication device, which operates in a network management device, where the network management device obtains the root network key and the first network key of the first terminal in advance, and the multimedia conference terminal network access authentication device described below and the multimedia conference terminal network access authentication method described above can be referred to correspondingly.
Referring to fig. 3, the apparatus may include the following modules:
the network key generating module 310 is configured to generate, based on the root network key, a second network key of the second terminal when receiving a network access authentication request message sent by the second terminal, where the second terminal shares a cryptographic module with the first terminal, the first terminal is the head virtual terminal that has already accessed the network, the second terminal is any non-head virtual terminal, and the network access authentication request message carries a random number of the second terminal;
An encryption information obtaining module 320, configured to encrypt response related information using the first network key to obtain response related encrypted second information, where the response related information includes the second network key, a random number of the second terminal, and a random number of the network management device;
a response information returning module 330, configured to return a network access authentication response message to the second terminal, where the network access authentication response message carries response-related encrypted second information, so that the second terminal decrypts the response-related second information to obtain a second network key, and sends a network access authentication completion message to the network management device, where the network access authentication completion message carries a random number of the second terminal and a random number of the network management device;
the network access determination module 340 is configured to determine whether to allow the second terminal to access the network based on information carried in the network access authentication completion message when the network access authentication completion message sent by the second terminal is received.
By applying the device provided by the embodiment of the disclosure, the network management device, on receiving the network access authentication request of the second terminal acting as a non-head virtual terminal, generates the second network key of the second terminal; encrypts the response related information, which comprises the second network key, the random number of the second terminal and the random number of the network management device, with the first network key of the first terminal (the head virtual terminal) obtained in advance, to obtain the response related encrypted second information; and returns the network access authentication response message carrying that information to the second terminal. The second terminal decrypts the response related second information to obtain the second network key and returns the network access authentication completion message, and the network management device determines whether to allow the second terminal to access the network based on the information carried in that message. Authentication control of terminal network access is thus realized, so that only terminals that pass authentication are allowed to access the network, which improves the security of the multimedia conference.
In a specific embodiment of the present disclosure, the network access authentication request message carries certificate related information, and the apparatus further includes a certificate carrying determination module, configured to:
under the condition that the network access authentication request message sent by the second terminal is received, if the certificate related information comprises marking information of the certificate to be transferred, the certificate of the network management equipment is carried in the network access authentication response message;
or if the network management certificate serial number included in the certificate related information is different from the actual certificate serial number of the network management device, carrying the certificate of the network management device in the network access authentication response message.
In a specific embodiment of the present disclosure, the network access authentication request message carries supporting information of a secure interaction mechanism version, and the apparatus further includes an interaction version carrying determination module, configured to:
and under the condition that the network access authentication request message sent by the second terminal is received, carrying response information of the safety interaction mechanism version in the network access authentication response message so that the second terminal and the network management equipment interact based on the same safety interaction mechanism version.
In one embodiment of the present disclosure, the network management device obtains the broadcast key in advance, and the response-related information further includes the broadcast key.
In a specific embodiment of the present disclosure, the network access authentication response message further carries certificate related information, so that the second terminal determines, based on the certificate related information, whether to carry the certificate of the first terminal in the network access authentication completion message.
In a specific embodiment of the present disclosure, the network access authentication completion message carries a certificate of the first terminal, and the apparatus further includes a certificate validity determining module, configured to:
determining whether the certificate of the first terminal is valid before determining whether to allow the second terminal to access the network based on information carried in the access authentication completion message;
if so, the network access decision module 340 is triggered to perform the step of determining whether to allow the second terminal to access the network based on the information carried in the network access authentication completion message.
In a specific embodiment of the disclosure, the apparatus further includes a certificate caching module for:
and in the case that the certificate of the first terminal is determined to be valid, locally caching the certificate of the first terminal.
The specific manner in which the various modules perform the operations in the apparatus of the above embodiments have been described in detail in connection with the embodiments of the method, and will not be described in detail herein.
Corresponding to the above method embodiment, the embodiment of the present disclosure further provides a multimedia conference terminal network access authentication device, including:
a memory for storing a computer program;
and a processor for implementing the steps of the multimedia conference terminal network access authentication method when executing the computer program.
Referring to fig. 4, a block diagram of a multimedia conference terminal access authentication device 400 is shown according to an exemplary embodiment. For example, the multimedia conference terminal access authentication device 400 may be provided as a server. Referring to fig. 4, the multimedia conference terminal access authentication device 400 includes a processor 410, which may be one or more in number, and a memory 420 for storing a computer program executable by the processor 410. The computer program stored in memory 420 may include one or more modules each corresponding to a set of instructions. Further, the processor 410 may be configured to execute the computer program to perform the multimedia conference terminal access authentication method described above.
In addition, the multimedia conference terminal access authentication device 400 may further include a power supply component 430 and a communication component 440, the power supply component 430 may be configured to perform power management of the multimedia conference terminal access authentication device 400, and the communication component 440 may be configured to enable communication, e.g., wired or wireless communication, of the multimedia conference terminal access authentication device 400. In addition, the multimedia conference terminal access authentication device 400 may further include an input/output (I/O) interface 450. The multimedia conference terminal access authentication device 400 may operate based on an operating system stored in the memory 420, such as Windows Server™, Mac OS X™, Unix™, Linux™, etc.
In another exemplary embodiment, there is also provided a computer readable storage medium including program instructions which, when executed by a processor, implement the steps of the multimedia conference terminal access authentication method described above. For example, the computer readable storage medium may be the memory 420 including program instructions described above, which are executable by the processor 410 of the multimedia conference terminal access authentication device 400 to perform the multimedia conference terminal access authentication method described above.
The preferred embodiments of the present disclosure have been described in detail above with reference to the accompanying drawings, but the present disclosure is not limited to the specific details of the above embodiments, and various simple modifications may be made to the technical solutions of the present disclosure within the scope of the technical concept of the present disclosure, and all the simple modifications belong to the protection scope of the present disclosure. For example, the information carried in the message may be changed to information that is transmitted separately.
In addition, the specific technical features described in the above specific embodiments may be combined in any suitable manner, for example, the network access authentication request message carries information such as the identifier of the first terminal and the random number, where the specific technical features are not contradictory. The various possible combinations are not described further in this disclosure in order to avoid unnecessary repetition.
Moreover, any combination between the various embodiments of the present disclosure is possible as long as it does not depart from the spirit of the present disclosure, which should also be construed as the disclosure of the present disclosure.

Claims (10)

1. A multimedia conference terminal access authentication method, characterized by being applied to a network management device, the network management device obtaining a root network key and a first network key of a first terminal in advance, the method comprising:
generating a second network key of a second terminal based on the root network key under the condition that a network access authentication request message sent by the second terminal is received, wherein the second terminal and the first terminal share a cryptographic module, the first terminal is a head virtual terminal which has accessed the network, the second terminal is any non-head virtual terminal, and the network access authentication request message carries a random number of the second terminal;
encrypting response related information by using the first network key to obtain response related encrypted second information, wherein the response related information comprises the second network key, the random number of the second terminal and the random number of the network management device;
returning a network access authentication response message to the second terminal, wherein the network access authentication response message carries the response related encrypted second information so that the second terminal decrypts the response related second information to obtain the second network key, and sends a network access authentication completion message to the network management equipment, and the network access authentication completion message carries the random number of the second terminal and the random number of the network management equipment;
and under the condition that the network access authentication completion message sent by the second terminal is received, determining whether to allow the second terminal to access the network or not based on information carried in the network access authentication completion message.
2. The method according to claim 1, wherein the network access authentication request message carries certificate related information, and when receiving the network access authentication request message sent by the second terminal, the method further comprises:
if the certificate related information comprises marking information of the certificate to be transferred, carrying the certificate of the network management equipment in the network access authentication response message;
or if the network management certificate serial number included in the certificate related information is different from the actual certificate serial number of the network management device, carrying the certificate of the network management device in the network access authentication response message.
3. The method of claim 1, wherein the network access authentication request message carries supporting information of a secure interaction mechanism version, and further comprising, in the case of receiving the network access authentication request message sent by the second terminal:
and carrying response information of the safety interaction mechanism version in the network access authentication response message so that the second terminal and the network management equipment interact based on the same safety interaction mechanism version.
4. The method of claim 1, wherein the network management device obtains a broadcast key in advance, and wherein the response-related information further includes the broadcast key.
5. The method according to any one of claims 1 to 4, wherein the network entry authentication response message further carries certificate related information, so that the second terminal determines whether to carry the certificate of the first terminal in the network entry authentication completion message based on the certificate related information.
6. The method according to claim 5, wherein the network access authentication completion message carries the certificate of the first terminal, and wherein, before determining whether to allow the second terminal to access the network based on the information carried in the network access authentication completion message, the method further comprises:
determining whether the certificate of the first terminal is valid;
and, if so, executing the step of determining whether to allow the second terminal to access the network based on the information carried in the network access authentication completion message.
7. The method according to claim 6, wherein, when the certificate of the first terminal is determined to be valid, the method further comprises:
caching the certificate of the first terminal locally.
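The certificate handling that claims 2 and 5 to 7 describe in words, as an added, stand-alone Python model that is not the patent's own code: the network management device attaches its certificate when the request carries a transfer marker or a stale serial number, tells the second terminal whether the first terminal's certificate is still needed, validates a carried certificate before the access decision runs, and caches it so later terminals behind the same cryptographic module need not send it again. The dict-based certificate with an HMAC "signature", the trust-anchor key, the constructed demo values and the field names (`transfer_cert`, `nmd_serial`, `have_first_cert`, `first_cert`) are assumptions for illustration; the claims specify only the decisions, not the certificate format or the validity check.

```python
"""Added example, not code from the patent: the certificate side of the exchange
(claims 2 and 5 to 7). Certificate format, validity check and field names are
assumptions; the claims specify only the decisions."""
import hashlib
import hmac
import json


def _sign(body: dict, key: bytes) -> str:
    return hmac.new(key, json.dumps(body, sort_keys=True).encode(), hashlib.sha256).hexdigest()


def make_cert(subject: str, serial: int, issuer_key: bytes) -> dict:
    # Assumption: a "certificate" is a dict whose 'sig' is an HMAC over the body under the
    # issuer's key. A real deployment verifies an X.509 or GM/T signature chain instead.
    body = {"subject": subject, "serial": serial}
    return {**body, "sig": _sign(body, issuer_key)}


def cert_is_valid(cert: dict, trust_anchor: bytes) -> bool:
    body = {k: v for k, v in cert.items() if k != "sig"}
    return hmac.compare_digest(str(cert.get("sig", "")), _sign(body, trust_anchor))


def nmd_cert_for_response(cert_info: dict, own_cert: dict):
    # Claim 2: attach the device certificate when the request carries the transfer
    # marker, or when the serial the terminal holds differs from the actual one.
    if cert_info.get("transfer_cert") or cert_info.get("nmd_serial") != own_cert["serial"]:
        return own_cert
    return None


class CertificateCache:
    """Network-management-device side of claims 5 to 7."""

    def __init__(self, trust_anchor: bytes):
        self.trust_anchor, self.cache = trust_anchor, {}

    def response_cert_info(self, first_terminal: str) -> dict:
        # Claim 5: tell the second terminal whether its first terminal's certificate is needed.
        return {"have_first_cert": first_terminal in self.cache}

    def accept_completion(self, done: dict) -> bool:
        # Claims 6 and 7: a carried certificate must validate before the access decision
        # runs; a valid one is cached so later terminals behind the same module skip it.
        cert = done.get("first_cert")
        if cert is None:
            return True
        if not cert_is_valid(cert, self.trust_anchor):
            return False
        self.cache[cert["subject"]] = cert
        return True


def completion_with_cert(resp_cert_info: dict, first_cert: dict, base: dict) -> dict:
    # Second-terminal side of claim 5: carry the first terminal's certificate only when asked.
    return base if resp_cert_info["have_first_cert"] else {**base, "first_cert": first_cert}


def demo():
    # Constructed keys and certificates; nothing here comes from a real deployment.
    anchor, attacker = b"demo-trust-anchor", b"attacker-key"
    nmd_cert, first_cert = make_cert("nmd", 7, anchor), make_cert("vt-1", 1, anchor)
    cache = CertificateCache(anchor)
    # Claim 2: the terminal holds serial 6, the device has 7, so the certificate is attached.
    attached = nmd_cert_for_response({"transfer_cert": False, "nmd_serial": 6}, nmd_cert)
    # vt-2 is the first terminal behind vt-1's module: certificate carried, validated, cached.
    info1 = cache.response_cert_info("vt-1")
    ok1 = cache.accept_completion(completion_with_cert(info1, first_cert, {"terminal_id": "vt-2"}))
    # vt-3 behind the same module: cache hit, nothing carried.
    done3 = completion_with_cert(cache.response_cert_info("vt-1"), first_cert, {"terminal_id": "vt-3"})
    # A certificate signed by the wrong key is refused before any access decision.
    ok_forged = cache.accept_completion({"terminal_id": "vt-9", "first_cert": make_cert("vt-1", 1, attacker)})
    return attached, info1, ok1, done3, ok_forged
```

Ordering is the point of `accept_completion`: a certificate that fails validation is refused before any nonce check would run, which is the sequence claim 6 requires, and a forged certificate never reaches the cache, so it cannot poison later admissions of terminals behind the same module.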
8. A multimedia conference terminal network access authentication apparatus, operable in a network management device, the network management device obtaining a root network key and a first network key of a first terminal in advance, the apparatus comprising:
a network key generation module, configured to generate a second network key of a second terminal based on the root network key when a network access authentication request message sent by the second terminal is received, wherein the second terminal and the first terminal share a cryptographic module, the first terminal is the first virtual terminal to access the network, the second terminal is any virtual terminal other than the first, and the network access authentication request message carries a random number of the second terminal;
an encrypted information obtaining module, configured to encrypt response-related information using the first network key to obtain encrypted response-related information, wherein the response-related information includes the second network key, the random number of the second terminal and a random number of the network management device;
a response information return module, configured to return a network access authentication response message to the second terminal, the network access authentication response message carrying the encrypted response-related information, so that the second terminal decrypts the response-related information to obtain the second network key and sends a network access authentication completion message to the network management device, the network access authentication completion message carrying the random number of the second terminal and the random number of the network management device;
and a network access determining module, configured to determine, when the network access authentication completion message sent by the second terminal is received, whether to allow the second terminal to access the network based on the information carried in the network access authentication completion message.
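The exchange itself (claims 1, 3, 4 and 8), as an added Python model that is not code from the patent: the second terminal sends its random number and supported versions; the device derives the second network key from the root network key, seals it together with the second terminal's random number, its own random number and the broadcast key under the first terminal's network key, and answers with the highest common version; the second terminal, which holds the first terminal's key through the shared cryptographic module, opens the response and echoes both random numbers; the device admits it only if both match the pending request. The HMAC-based key derivation, the encrypt-then-MAC stand-in cipher, the JSON encoding, the version set, the terminal identifiers and the demo keys are assumptions; the patent names no algorithm or message format.

```python
"""Added example, not code from the patent: a stdlib-only model of the key exchange
in claims 1, 3, 4 and 8. Cipher, KDF, message encoding and terminal identifiers are
assumptions; the claims specify none of them."""
import hashlib
import hmac
import json
import secrets

NONCE_LEN, TAG_LEN = 16, 32


def derive_network_key(root_key: bytes, terminal_id: str) -> bytes:
    # Assumption: per-terminal network key = HMAC-SHA256(root network key, label).
    return hmac.new(root_key, b"network-key|" + terminal_id.encode(), hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(length // 32 + 1))
    return b"".join(blocks)[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    # Assumption: HMAC-counter keystream with an encrypt-then-MAC tag, standing in for
    # whatever cipher the shared cryptographic module actually provides.
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def unseal(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("response-related information fails authentication")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


class NetworkManagementDevice:
    VERSIONS = {1, 2}  # assumed secure-interaction-mechanism versions this device supports

    def __init__(self, root_key: bytes, first_key: bytes, broadcast_key: bytes):
        self.root_key, self.first_key, self.broadcast_key = root_key, first_key, broadcast_key
        self.pending, self.admitted = {}, set()  # terminal id -> (N2, N_nmd); admitted ids

    def handle_request(self, req: dict) -> dict:
        n2, n_nmd = bytes.fromhex(req["nonce"]), secrets.token_bytes(NONCE_LEN)
        k2 = derive_network_key(self.root_key, req["terminal_id"])
        # Response-related information (claims 1 and 4), encrypted under the FIRST
        # terminal's network key, which only holders of the shared module can open.
        info = {"k2": k2.hex(), "n2": n2.hex(), "n_nmd": n_nmd.hex(),
                "broadcast_key": self.broadcast_key.hex()}
        self.pending[req["terminal_id"]] = (n2, n_nmd)
        return {"enc": seal(self.first_key, json.dumps(info).encode()).hex(),
                "version": max(self.VERSIONS & set(req["versions"]), default=None)}  # claim 3

    def handle_completion(self, done: dict) -> bool:
        expected = self.pending.pop(done["terminal_id"], None)  # one-shot: a replay finds nothing
        ok = (expected is not None
              and hmac.compare_digest(bytes.fromhex(done["n2"]), expected[0])
              and hmac.compare_digest(bytes.fromhex(done["n_nmd"]), expected[1]))
        if ok:
            self.admitted.add(done["terminal_id"])
        return ok


class VirtualTerminal:
    """A non-first virtual terminal; module_key is the first terminal's network key,
    reachable because both terminals share one cryptographic module."""

    def __init__(self, terminal_id: str, module_key: bytes):
        self.id, self.module_key = terminal_id, module_key
        self.network_key = self.broadcast_key = self.version = None

    def request(self) -> dict:
        self.n2 = secrets.token_bytes(NONCE_LEN)
        return {"terminal_id": self.id, "nonce": self.n2.hex(), "versions": [1, 2]}

    def complete(self, resp: dict) -> dict:
        info = json.loads(unseal(self.module_key, bytes.fromhex(resp["enc"])))
        if not hmac.compare_digest(bytes.fromhex(info["n2"]), self.n2):
            raise ValueError("response does not answer this request")
        self.network_key = bytes.fromhex(info["k2"])
        self.broadcast_key, self.version = bytes.fromhex(info["broadcast_key"]), resp["version"]
        return {"terminal_id": self.id, "n2": info["n2"], "n_nmd": info["n_nmd"]}


def run_exchange(root_key=b"demo-root-key", first_key=b"demo-first-key"):
    # Constructed demo keys; returns (device, terminal, admitted?) for inspection.
    nmd = NetworkManagementDevice(root_key, first_key, b"demo-broadcast-key")
    t2 = VirtualTerminal("vt-2", first_key)
    done = t2.complete(nmd.handle_request(t2.request()))
    return nmd, t2, nmd.handle_completion(done)
```

Two properties fall out of the structure rather than from extra checks: a terminal that does not hold the first terminal's key cannot open the response, so it never learns the device's random number and cannot produce a completion message; and `pending.pop` makes each request one-shot, so a captured completion message replayed later finds no pending entry and is refused.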
9. A multimedia conference terminal network access authentication device, comprising:
a memory for storing a computer program;
and a processor for implementing the steps of the multimedia conference terminal network access authentication method according to any one of claims 1 to 7 when executing the computer program.
10. A computer-readable storage medium having stored thereon a computer program which, when executed by a processor, implements the steps of the multimedia conference terminal network access authentication method according to any one of claims 1 to 7.
CN202111011882.8A 2021-08-31 2021-08-31 Network access authentication method, device and equipment for multimedia conference terminal and storage medium Active CN113727057B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111011882.8A CN113727057B (en) 2021-08-31 2021-08-31 Network access authentication method, device and equipment for multimedia conference terminal and storage medium

Publications (2)

Publication Number Publication Date
CN113727057A CN113727057A (en) 2021-11-30
CN113727057B true CN113727057B (en) 2023-05-23

Family

ID=78679778

Country Status (1)

Country Link
CN (1) CN113727057B (en)

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2010074561A (en) * 2008-09-18 2010-04-02 Pioneer Electronic Corp Conference controller, conference system, conference control method, program therefor, and recording medium recording the program
US9071967B1 (en) * 2013-05-31 2015-06-30 Amazon Technologies, Inc. Wireless credential sharing
CN105357223A (en) * 2015-12-07 2016-02-24 山东山大华天软件有限公司 Three dimensional cooperation conference system based on instant messaging protocol and realization method thereof
KR101674616B1 (en) * 2016-03-21 2016-11-09 (주)한위드정보기술 system for providing the remote video conference based virtualization
CN110933112A (en) * 2019-12-26 2020-03-27 视联动力信息技术股份有限公司 Network access authentication method, device and storage medium
CN111835691A (en) * 2019-04-22 2020-10-27 中国移动通信有限公司研究院 Authentication information processing method, terminal and network equipment

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20080120370A1 (en) * 2006-11-22 2008-05-22 Brian Chan Virtual Meeting Server Discovery
US9838373B2 (en) * 2010-11-29 2017-12-05 Biocatch Ltd. System, device, and method of detecting a remote access user
US8860777B2 (en) * 2011-12-22 2014-10-14 Verizon Patent And Licensing Inc. Multi-enterprise video conference service
US10291597B2 (en) * 2014-08-14 2019-05-14 Cisco Technology, Inc. Sharing resources across multiple devices in online meetings

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
魏枫; 张捷; 段惠卿. Research and development of streaming-media recording and playback technology for video conferencing. 信息安全与通信保密 (Information Security and Communications Privacy), 2009, no. 07, full text. *

Similar Documents

Publication Publication Date Title
US9832183B2 (en) Key management using quasi out of band authentication architecture
CN108566381A (en) A kind of security upgrading method, device, server, equipment and medium
EP1376976A1 (en) Methods for authenticating potential members invited to join a group
US20120137132A1 (en) Shared secret establishment and distribution
US20110131640A1 (en) Secure transfer of data
KR20010108150A (en) Authentication enforcement using decryption and authentication in a single transaction in a secure microprocessor
WO2002093824A2 (en) Authentication method
TW201926943A (en) Data transmission method and system
WO2022135391A1 (en) Identity authentication method and apparatus, and storage medium, program and program product
WO2013044766A1 (en) Service access method and device for cardless terminal
CN113727059B (en) Network access authentication method, device and equipment for multimedia conference terminal and storage medium
CN104901967A (en) Registration method for trusted device
WO2023174350A1 (en) Identity authentication method, apparatus and device, and storage medium
CN115473655B (en) Terminal authentication method, device and storage medium for access network
KR102171377B1 (en) Method of login control
CN116244750A (en) Secret-related information maintenance method, device, equipment and storage medium
JP4499575B2 (en) Network security method and network security system
CN113727057B (en) Network access authentication method, device and equipment for multimedia conference terminal and storage medium
CN116233832A (en) Verification information sending method and device
CN114553426B (en) Signature verification method, key management platform, security terminal and electronic equipment
CN113656788B (en) Conference participation authentication method, device and equipment for multimedia conference terminal and storage medium
CN113660285A (en) Multimedia conference on-line terminal control method, device, equipment and storage medium
JP2000261428A (en) Authentication device in decentralized processing system
CN115801252B (en) Safe cloud desktop system combined with quantum encryption technology
CN113676468B (en) Three-party enhanced authentication system design method based on message verification technology

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant