CN115037470A - Method, device and system for authenticating calling information - Google Patents


Info

Publication number
CN115037470A
Authority
CN
China
Prior art keywords
ssgw
iam message
calling
parameter
certificate
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202110253128.9A
Other languages
Chinese (zh)
Inventor
史敏锐
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
China Telecom Corp Ltd
Original Assignee
China Telecom Corp Ltd
Application filed by China Telecom Corp Ltd
Priority to CN202110253128.9A
Priority to PCT/CN2021/114577 (WO2022183694A1)
Publication of CN115037470A
Legal status: Pending

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3263 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements
    • H04L9/3236 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using cryptographic hash functions
    • H04L9/3247 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/06 Authentication
    • H04W12/069 Authentication using certificates or pre-shared keys

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Telephonic Communication Services (AREA)

Abstract

The disclosure provides a method, a device and a system for authenticating calling information, and relates to the technical field of telecommunication network signaling. The method comprises the following steps: receiving a first IAM message sent by an LS, wherein the first IAM message comprises calling information; generating a calling signature parameter based on the calling information; adding the calling signature parameter and the SSGW certificate parameter acquired from the CA of the local domain into the first IAM message, and recombining the first IAM message into a second IAM message; and sending the second IAM message to a target domain, wherein after the target domain verifies the second IAM message, the calling signature parameter and the SSGW certificate parameter in the second IAM message are removed, a third IAM message is generated, and the third IAM message is sent to a next node. The method and the device can ensure the authenticity, tamper resistance and traceability of the calling information without changing the signaling transmitted by the existing LS.

Description

Method, device and system for authenticating calling information
Technical Field
The present disclosure relates to the field of telecommunication network signaling technologies, and in particular, to a method, an apparatus, and a system for caller information authentication.
Background
Telecommunications operators traditionally own their network infrastructure, including access networks, core networks and service networks. UE (User Equipment) is connected through a UNI (User Network Interface), and the network regards the UE as an untrusted party, so the UNI must consider and satisfy many security requirements, for example by providing mechanisms such as authentication, authorization, and AKA (Authentication and Key Agreement).
The operator's network entities are connected via NNIs (Network-Network Interfaces). The relationship between network entities is considered trusted because the telecommunications network is closed and isolated. Similarly, network entities of different operators are also connected through NNIs and are considered trusted, but that trust relationship is based on business contracts or agreements rather than security technologies. Based on such trust relationships, security measures and policies for NNIs are not typically enforced.
Nowadays, telecommunication networks are increasingly open. User equipment accesses the network through NNIs, for example through SIP (Session Initiation Protocol), Signaling System No. 7 (SS7), the Diameter protocol suite, and the like. In this case, NNI signaling for control and management may be abused, so that the calling number associated with a subscriber can be illegally acquired, spoofed, tampered with, or traced.
Disclosure of Invention
One technical problem to be solved by the present disclosure is to provide a method, an apparatus, and a system for authenticating caller information, which can ensure authenticity, tamper resistance, and traceability of caller information.
According to an aspect of the present disclosure, a method for authenticating caller information is provided, including: receiving a first IAM message sent by a Local Switch (LS), wherein the first IAM message comprises calling information; generating a calling signature parameter based on the calling information; adding the calling signature parameter and the signaling security gateway SSGW certificate parameter acquired from the certificate authority CA of the local domain into the first IAM message, and recombining the first IAM message into a second IAM message; and sending the second IAM message to a target domain, wherein after the target domain verifies the second IAM message, the calling signature parameter and the SSGW certificate parameter in the second IAM message are removed, a third IAM message is generated, and the third IAM message is sent to a next node.
In some embodiments, obtaining the SSGW certificate parameters from the CA of the local domain includes: encrypting the SSGW identification and sending the encrypted SSGW identification to the CA (Certificate Authority), so that the CA, after verifying the SSGW identification, generates a random number for the CA signature; receiving the CA signature and the encrypted random number sent by the CA; if the CA signature is verified to be valid, decrypting the encrypted random number and sending the random number to the CA, wherein the SSGW certificate parameter is generated after the CA compares the received random number with the generated random number; and receiving the SSGW certificate parameters sent by the CA.
In some embodiments, verifying the CA signature comprises: decrypting the CA signature by using a CA public key, wherein the CA encrypts the random number by using an SSGW public key, and encrypts the encrypted random number by using a CA private key to obtain the CA signature; and if the CA signature can be decrypted, determining that the CA signature is valid.
In some embodiments, the SSGW certificate parameters include one or more of an SSGW identification, an SSGW public key, a validity time, a version number, and an algorithm.
In some embodiments, generating the caller signature parameters based on the caller information comprises: carrying out Hash operation on the calling information to obtain a Hash value; and generating a calling signature parameter after encrypting the hash value.
According to another aspect of the present disclosure, a method for authenticating caller information is further provided, including: receiving a second IAM message sent by a source domain, wherein the second IAM message comprises calling information, calling signature parameters and signaling security gateway SSGW certificate parameters in the first IAM message; after the calling party signature parameter and the SSGW certificate parameter are verified, whether calling party information in the second IAM message is tampered or not is judged; if the calling information in the second IAM message is determined not to be tampered, removing the calling signature parameter and the SSGW certificate parameter in the second IAM message, and generating a third IAM message; and sending the third IAM message to the next node.
In some embodiments, validating the SSGW certificate parameters comprises: acquiring SSGW certificate parameters from a Certificate Authority (CA) of the local domain, wherein the CA of the local domain acquires the SSGW certificate parameters from the CA of the source domain through a bridge CA; and if the SSGW certificate parameter acquired from the CA of the local domain is consistent with the SSGW certificate parameter in the second IAM message, determining that the SSGW certificate parameter passes the verification.
In some embodiments, verifying the caller signature parameters comprises: decrypting the calling signature parameter, and if the hash value can be obtained through decryption, determining that the calling signature parameter passes verification.
In some embodiments, determining whether the caller information in the second IAM message is tampered comprises: extracting the calling information in the second IAM message, and performing a hash operation on the extracted calling information; judging whether the hash value obtained by calculation is consistent with the hash value obtained by decrypting the calling signature parameter; and if the two hash values are consistent, determining that the calling information in the second IAM message is not tampered.
In some embodiments, the second IAM message is rejected if either of the caller signature parameter and the SSGW certificate parameter is not verified or it is determined that the caller information in the second IAM message is tampered with.
According to another aspect of the present disclosure, there is also provided a caller information authentication apparatus, including: an IAM message acquiring unit configured to receive a first IAM message sent by the local switch LS, wherein the first IAM message comprises calling information; a caller signature generation unit configured to generate a caller signature parameter based on the caller information; an SSGW certificate acquisition unit configured to acquire signaling security gateway SSGW certificate parameters from a certificate authority CA of the local domain; an IAM message recombining unit configured to add the calling party signature parameter and the SSGW certificate parameter to the first IAM message and recombine the first IAM message into a second IAM message; and an IAM message sending unit configured to send the second IAM message to a destination domain, wherein after the destination domain verifies the second IAM message, the calling signature parameter and the SSGW certificate parameter in the second IAM message are removed, a third IAM message is generated, and the third IAM message is sent to a next node.
According to another aspect of the present disclosure, there is also provided a caller information authentication apparatus, including: an IAM message receiving unit configured to receive a second IAM message sent by a source domain, where the second IAM message includes caller information, a caller signature parameter, and a signaling security gateway SSGW certificate parameter in the first IAM message; the IAM message verification unit is configured to verify the calling signature parameter and the SSGW certificate parameter and then judge whether the calling information in the second IAM message is tampered; and an IAM message generating unit configured to remove the caller signature parameter and the SSGW certificate parameter in the second IAM message and generate a third IAM message if it is determined that the caller information in the second IAM message is not tampered; and the IAM message forwarding unit is configured to send the third IAM message to the next node.
According to another aspect of the present disclosure, there is also provided a caller information authentication system, including: the caller information authentication device.
In some embodiments, the caller information authentication system further comprises: a CA located in the source domain, configured to receive the encrypted SSGW identification sent by the calling information authentication device of the local domain, generate a random number for the CA signature after the SSGW identification is verified, send the CA signature and the encrypted random number to the calling information authentication device of the local domain, receive the random number sent by the calling information authentication device of the local domain, compare the generated random number with the received random number, generate SSGW certificate parameters, and send the SSGW certificate parameters to the calling information authentication device of the local domain.
In some embodiments, the caller information authentication system further comprises: a CA located in the destination domain, configured to acquire the SSGW certificate parameters from the CA in the source domain through the bridge CA and send the SSGW certificate parameters to the calling information authentication device in the local domain.
According to another aspect of the present disclosure, there is also provided a caller information authentication apparatus, including: a memory; and a processor coupled to the memory, the processor configured to perform the caller information authentication method as described above based on instructions stored in the memory.
According to another aspect of the present disclosure, a non-transitory computer-readable storage medium is also presented, on which computer program instructions are stored, which instructions, when executed by a processor, implement the caller information authentication method described above.
In the embodiment of the disclosure, the source domain generates the calling signature parameter based on the calling information, signs the IAM message by using the calling signature parameter and the certificate issued by the CA, routes the reassembled IAM message to the destination domain, and directs the message to the destination after the security of the message is detected by the destination domain.
Other features of the present disclosure and advantages thereof will become apparent from the following detailed description of exemplary embodiments thereof, which proceeds with reference to the accompanying drawings.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate embodiments of the disclosure and together with the description, serve to explain the principles of the disclosure.
The present disclosure may be more clearly understood from the following detailed description, taken with reference to the accompanying drawings, in which:
Fig. 1 is a flow diagram of some embodiments of a caller information authentication method of the present disclosure.
Fig. 2 is a flowchart illustrating another embodiment of a method for caller information authentication according to the present disclosure.
Fig. 3 is a flowchart illustrating another embodiment of a method for caller information authentication according to the present disclosure.
Fig. 4 is a flowchart illustrating another embodiment of a method for authenticating caller information according to the present disclosure.
Fig. 5 is a schematic structural diagram of some embodiments of the caller information authentication apparatus of the present disclosure.
Fig. 6 is a schematic structural diagram of another embodiment of the caller information authentication apparatus according to the present disclosure.
Fig. 7 is a schematic structural diagram of another embodiment of the caller information authentication apparatus according to the present disclosure.
Fig. 8 is a schematic structural diagram of some embodiments of a caller information authentication system of the present disclosure.
Detailed Description
Various exemplary embodiments of the present disclosure will now be described in detail with reference to the accompanying drawings. It should be noted that: the relative arrangement of the components and steps, the numerical expressions, and numerical values set forth in these embodiments do not limit the scope of the present disclosure unless specifically stated otherwise.
Meanwhile, it should be understood that the sizes of the respective portions shown in the drawings are not drawn in an actual proportional relationship for the convenience of description.
The following description of at least one exemplary embodiment is merely illustrative in nature and is in no way intended to limit the disclosure, its application, or uses.
Techniques, methods, and apparatus known to those of ordinary skill in the relevant art may not be discussed in detail but are intended to be part of the specification where appropriate.
In all examples shown and discussed herein, any particular value should be construed as merely illustrative, and not limiting. Thus, other examples of the exemplary embodiments may have different values.
It should be noted that: like reference numbers and letters refer to like items in the following figures, and thus, once an item is defined in one figure, further discussion thereof is not required in subsequent figures.
To make the objects, technical solutions and advantages of the present disclosure more apparent, the present disclosure will be described in further detail below with reference to specific embodiments and the accompanying drawings.
Fig. 1 is a flow diagram of some embodiments of a method of caller information authentication of the present disclosure. This embodiment is performed by an SSGW (Signaling Security Gateway) located in the source domain.
In step 110, a first IAM (Initial Address Message) sent by an LS (Local Switch) is received, where the first IAM message includes calling information.
In some embodiments, the LS is the source or destination of the call, and the SSGW and the LS in the same security domain are internal trusted nodes.
In some embodiments, the calling information is a calling number.
At step 120, caller signature parameters are generated based on the caller information.
In some embodiments, the SSGW performs hash operation on the calling information to obtain a hash value, and encrypts the hash value to generate a calling signature parameter.
In some embodiments, the SSGW decodes the first IAM message, extracts an original parameter of the message, that is, a calling number, performs HASH operation on the calling number to obtain a HASH value, and encrypts the HASH value using a private key of the SSGW to generate the calling signature parameter.
In step 130, the caller signature parameter and SSGW Certificate parameter obtained from CA (Certificate Authority) of the local domain are added to the first IAM message and reassembled into the second IAM message.
In some embodiments, the SSGW encrypts the SSGW identifier and sends it to the CA, so that the CA, after verifying the SSGW identifier, generates a random number for the CA signature. The SSGW receives the CA signature and the encrypted random number sent by the CA and, if the CA signature is verified to be valid, decrypts the encrypted random number and sends the random number to the CA, wherein the SSGW certificate parameters are generated after the CA compares the received random number with the generated random number. The SSGW then receives the SSGW certificate parameter sent by the CA.
In step 140, the second IAM message is sent to the destination domain, where the destination domain removes the caller signature parameter and the SSGW certificate parameter from the second IAM message after verifying the second IAM message, generates a third IAM message, and sends the third IAM message to the next node.
In some embodiments, the SSGW of the source domain routes the second IAM message to the destination domain over the Sa interface. The second IAM message is an ISUP (ISDN User Part, Integrated Services Digital Network User Part) message.
In some embodiments, the SSGW of the destination domain receives the second IAM message sent by the source domain, verifies the caller signature parameter and the SSGW certificate parameter, determines whether the caller information in the second IAM message is tampered, and if it is determined that the caller information in the second IAM message is not tampered, removes the caller signature parameter and the SSGW certificate parameter in the second IAM message, generates a third IAM message, and sends the third IAM message to the next node.
In some embodiments, the next node is an LS.
In the above embodiment, the calling signature parameter is generated based on the calling information, the IAM message is signed by using the calling signature parameter and the certificate issued by the CA, the reassembled IAM message is routed to the destination domain, and after the security of the message is detected by the destination domain, the message is directed to the destination, so that the authenticity, the tamper resistance and the traceability of the calling information can be ensured on the premise of not changing the signaling of the existing LS transmission.
Fig. 2 is a flowchart illustrating another embodiment of a method for caller information authentication according to the present disclosure. In this embodiment, the SSGW obtains SSGW certificate parameters from the CA. The SSGW stores the public key $P_C$ of the CA and generates its own public/private key pair $(P_O, Q_O)$; the CA stores its own private key $Q_C$.
In step 210, the SSGW sends the CA the SSGW identifier A encrypted with the CA's public key $P_C$.
In some embodiments, the SSGW identifier A is a signaling code or global title code of the SSGW, and the SSGW identifier A is fixedly allocated in advance.
In step 220, the CA uses its private key $Q_C$ to decrypt the encrypted SSGW identifier A, completing verification.
In step 230, the CA generates a random number $N_S$ and encrypts the random number $N_S$ with the public key $P_O$ of the SSGW to obtain $EN_S$.
In step 240, the CA encrypts $EN_S$ with its private key $Q_C$ to obtain the CA signature $EN\_Sig_s$.
In some embodiments, the CA signature $EN\_Sig_s$ is encoded as follows:
[Figure BDA0002960109350000081: encoding of the CA signature; image not reproduced]
In step 250, the CA sends $EN_S$ and $EN\_Sig_s$ to the SSGW.
In step 260, the SSGW verifies $EN\_Sig_s$.
In some embodiments, the SSGW decrypts $EN\_Sig_s$ using the CA public key $P_C$; if $EN\_Sig_s$ can be decrypted, $EN\_Sig_s$ is determined to be valid.
In step 270, if $EN\_Sig_s$ is valid, the SSGW decrypts $EN_S$ with its private key $Q_O$ to obtain the random number $N_S$.
In step 280, the SSGW sends the random number $N_S$ to the CA.
In step 290, the CA determines whether the received random number $N_S$ is consistent with the generated random number $N_S$; if they are consistent, the random number $N_S$ is considered verified, and the SSGW certificate parameter $C_S$ is generated.
In some embodiments, the SSGW identifier A, the SSGW public key $P_O$ and the validity time $V_A$ are encrypted using a relevant algorithm, and the SSGW certificate parameter is obtained based on the encrypted data together with the SSGW identifier A, the SSGW public key $P_O$ and the validity time $V_A$.
In some embodiments, the SSGW certificate parameters include one or more of the SSGW identifier A, the SSGW public key $P_O$, the validity time $V_A$, a version number and an algorithm.
In some embodiments, the SSGW certificate parameter encoding is as follows:
[Figure BDA0002960109350000091: encoding of the SSGW certificate parameter; image not reproduced]
In step 2100, the CA sends the valid SSGW certificate parameter $C_S$ to the SSGW.
In the above embodiment, the CA receives the request of the SSGW for the digital certificate, authenticates the SSGW that sent the request, binds the public key to the corresponding SSGW, and issues the digital certificate including the public key and the owner identity to the SSGW, where the public key included in the digital certificate belongs to the network entity SSGW labeled in the certificate, so that the SSGW can sign the IAM message using the digital certificate. In addition, the digital certificate is also a confirmation or verification of the CA.
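The Fig. 2 exchange (steps 210 to 2100) with both sides' messages, as an added Python sketch that is not part of the patent text. Assumptions: textbook RSA over constructed toy primes stands in for the unspecified algorithm, the CA already holds the SSGW public key for identifier A, the SSGW returns A together with the random number, and the certificate field values are constructed.

```python
import secrets

E = 65537  # public exponent shared by both toy keys

def toy_keypair(p, q):
    """Textbook RSA from two known primes: illustration only (no padding)."""
    n = p * q
    return (n, E), (n, pow(E, -1, (p - 1) * (q - 1)))

# Constructed keys built from Mersenne primes; never use such keys in practice.
CA_PUB, CA_PRIV = toy_keypair(2**107 - 1, 2**127 - 1)      # (P_C, Q_C)
SSGW_PUB, SSGW_PRIV = toy_keypair(2**61 - 1, 2**89 - 1)    # (P_O, Q_O)
SSGW_ID = 0x2A51                                           # identifier A (constructed)


class CertificateAuthority:
    def __init__(self, priv, registered):
        self.n, self.d = priv
        self.registered = registered   # assumption: A -> P_O provisioned in advance
        self.pending = {}              # A -> N_S awaiting the SSGW's answer

    def challenge(self, enc_id):
        """Steps 220-250: verify A, return (EN_S, EN_Sig_s)."""
        ssgw_id = pow(enc_id, self.d, self.n)          # decrypt A with Q_C
        if ssgw_id not in self.registered:
            return None
        n_o, e_o = self.registered[ssgw_id]
        n_s = secrets.randbelow(n_o - 2) + 2           # random number N_S
        en_s = pow(n_s, e_o, n_o)                      # EN_S = Enc(P_O, N_S)
        self.pending[ssgw_id] = n_s
        return en_s, pow(en_s, self.d, self.n)         # EN_Sig_s = Enc(Q_C, EN_S)

    def issue(self, ssgw_id, n_s):
        """Steps 290-2100: compare N_S, then issue certificate parameter C_S."""
        expected = self.pending.pop(ssgw_id, None)     # one attempt per challenge
        if expected is None or expected != n_s:
            return None
        return {"ssgw_id": ssgw_id, "public_key": self.registered[ssgw_id],
                "valid_until": "2031-01-01", "version": 1,
                "algorithm": "toy-rsa"}                # field values constructed


def enroll(ca, ca_pub, ssgw_id, ssgw_priv):
    """SSGW side of the exchange (steps 210, 260-280). Returns C_S or None."""
    n_c, e_c = ca_pub
    reply = ca.challenge(pow(ssgw_id, e_c, n_c))       # step 210: Enc(P_C, A)
    if reply is None:
        return None
    en_s, en_sig = reply
    # Step 260. Textbook RSA "decrypts" any integer, so successful decryption
    # proves nothing; compare the recovered value with the EN_S sent alongside.
    if pow(en_sig, e_c, n_c) != en_s:
        return None
    n_o, d_o = ssgw_priv
    return ca.issue(ssgw_id, pow(en_s, d_o, n_o))      # steps 270-280
```

Only a holder of $Q_O$ can return the correct $N_S$, which is what binds the issued certificate parameter to the SSGW's public key.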
Fig. 3 is a flowchart illustrating another embodiment of a method for authenticating caller information according to the present disclosure. This embodiment is performed by the SSGW located in the destination domain.
In step 310, a second IAM message sent by the source domain is received, where the second IAM message includes the caller information, the caller signature parameter, and the SSGW certificate parameter in the first IAM message.
In step 320, after the caller signature parameter and the SSGW certificate parameter are verified, it is determined whether the caller information in the second IAM message is tampered.
In some embodiments, the caller signature parameter is decrypted, and if the caller signature parameter can be decrypted to obtain the hash value, it is determined that the caller signature parameter is verified.
In some embodiments, the SSGW obtains the SSGW certificate parameter from the CA in the local domain, where the CA in the local domain obtains the SSGW certificate parameter from the CA in the source domain through the bridge CA, and if the SSGW certificate parameter obtained from the CA in the local domain is consistent with the SSGW certificate parameter in the second IAM message, it is determined that the SSGW certificate parameter passes verification.
In some embodiments, the CAs may cross-certify each other.
In some embodiments, the calling information in the second IAM message is extracted, and the extracted calling information is subjected to a hash operation; it is judged whether the hash value obtained by calculation is consistent with the hash value obtained by decrypting the calling signature parameter; and if the two hash values are consistent, it is determined that the calling information in the second IAM message is not tampered.
In step 330, if it is determined that the calling information in the second IAM message is not tampered, the calling signature parameter and the SSGW certificate parameter in the second IAM message are removed, and a third IAM message is generated.
At step 340, a third IAM message is sent to the next node.
In some embodiments, the next node refers to the LS of the destination domain.
In the above embodiment, the SSGW in the destination domain performs security check such as authentication, verification, and decryption on the received second IAM message, and directs the message to the destination after checking the message, so as to effectively control interaction with an entity outside the network, and solve the problem that signaling attack is difficult to identify and prevent.
Fig. 4 is a flowchart illustrating a calling number authentication method according to another embodiment of the disclosure.
In step 410, the SSGW located in the destination domain receives the second IAM message transmitted by the source domain.
In some embodiments, the SSGW located in the destination domain receives the second IAM message sent by the SSGW of the source domain.
In step 420, the SSGW determines that the message is destined for the home network, and decodes the second IAM message.
In some embodiments, the second IAM message is transmitted if the second IAM message needs to be forwarded to another network.
In step 430, it is determined whether the SSGW certificate parameter is valid, if so, step 440 is performed, otherwise, step 480 is performed.
In step 440, it is determined whether the caller signature parameter is valid, if so, step 450 is performed, otherwise, step 480 is performed.
In some embodiments, the public key of the SSGW in the source domain is used to decrypt the calling signature parameter, and if the hash value can be obtained through decryption, it is determined that the calling signature parameter is valid.
In step 450, it is determined whether the calling number has been tampered with; if not, step 460 is executed, and if so, step 480 is executed.
In some embodiments, the calling number in the second IAM message is extracted and a hash operation is performed on it to obtain a hash value; if the computed hash value is consistent with the hash value obtained by decrypting the calling signature parameter, it is determined that the calling number has not been tampered with.
In step 460, the calling signature parameter and the SSGW certificate parameter in the second IAM message are removed to obtain the calling number of the third IAM message.
In step 470, the third IAM message is sent to the LS of the home domain.
At step 480, it is determined whether to screen the call, if so, step 490 is performed, otherwise, step 460 is performed.
At step 490, the call is released.
If any one of the calling signature parameter and the SSGW certificate parameter is not verified, or the calling number in the second IAM message is determined to be tampered with, the second IAM message is rejected.
In the above embodiment, the security of the calling number can be ensured.
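The Fig. 4 decision flow at the destination SSGW, together with the source-side signing it depends on, is sketched below as an added example; it is not code from the patent. The toy RSA key, the Iam and SsgwCert field layouts, the dest_domain field, the epoch-seconds validity encoding and the expiry check are assumptions made for illustration.

```python
import hashlib
from dataclasses import dataclass, replace
from typing import Optional

# Constructed toy RSA key built from two Mersenne primes. Textbook RSA with no
# padding mirrors the page's "encrypt the hash / decrypt the signature" wording;
# it is not a secure signature scheme.
_P, _Q, E = 2**127 - 1, 2**521 - 1, 65537
N = _P * _Q
_D = pow(E, -1, (_P - 1) * (_Q - 1))  # private exponent of the source SSGW


@dataclass(frozen=True)
class SsgwCert:
    """SSGW certificate parameter with the fields the page lists."""
    ssgw_id: str
    public_key: tuple   # (n, e)
    valid_until: int    # validity time as epoch seconds (assumed encoding)
    version: int
    algorithm: str


@dataclass(frozen=True)
class Iam:
    """Simplified IAM holding only what this example needs (assumed layout)."""
    dest_domain: str                        # hypothetical routing field
    called: str
    calling: str
    signature: Optional[int] = None         # calling signature parameter
    certificate: Optional[SsgwCert] = None  # SSGW certificate parameter


def digest(calling: str) -> int:
    """Hash operation on the calling number, returned as an integer."""
    return int.from_bytes(hashlib.sha256(calling.encode()).digest(), "big")


def source_ssgw(first: Iam, cert: SsgwCert) -> Iam:
    """Hash the calling number, encrypt the hash with the private key, and
    recombine the first IAM into the second IAM."""
    sig = pow(digest(first.calling), _D, N)
    return replace(first, signature=sig, certificate=cert)


def check(second: Iam, ca_view: dict, now: int) -> Optional[str]:
    """Steps 430-450. Returns None when every check passes, else the reason."""
    cert = second.certificate
    # Step 430: the certificate in the message must match the copy the local
    # CA obtained from the source-domain CA through the bridge CA.
    if cert is None or ca_view.get(cert.ssgw_id) != cert:
        return "certificate parameter mismatch"
    if now > cert.valid_until:  # expiry check is an assumption of this example
        return "certificate expired"
    n, e = cert.public_key
    # Step 440: the signature must be present and decryptable with the key.
    if second.signature is None or not 0 <= second.signature < n:
        return "signature parameter invalid"
    # Step 450: compare the recovered hash with a fresh hash of the number.
    if pow(second.signature, e, n) != digest(second.calling):
        return "calling number tampered"
    return None


def destination_ssgw(second: Iam, ca_view: dict, home: str, now: int,
                     screen: bool = True):
    """Fig. 4, steps 420-490. Returns (action, message, reason)."""
    if second.dest_domain != home:                    # step 420: other network
        return ("PASS_THROUGH", second, "not for home network")
    reason = check(second, ca_view, now)
    if reason and screen:                             # step 480 -> step 490
        return ("RELEASE", None, reason)
    third = replace(second, signature=None, certificate=None)  # step 460
    return ("FORWARD", third, reason or "verified")   # step 470


# Constructed sample data.
CERT = SsgwCert("ssgw.operator-a.example", (N, E), 2_000_000_000, 1, "SHA256-RSA")
FIRST = Iam("operator-b", "+8613900000002", "+8613800000001")
SECOND = source_ssgw(FIRST, CERT)
CA_B = {CERT.ssgw_id: CERT}   # what operator B's CA holds via the bridge CA
NOW = 1_700_000_000
SPOOFED = replace(SECOND, calling="+8613899999999")

if __name__ == "__main__":
    for msg in (SECOND, SPOOFED):
        action, _, why = destination_ssgw(msg, CA_B, "operator-b", NOW)
        print(action, why)
```

With raw RSA, decrypting the signature parameter always yields some number, so it is the hash comparison in step 450 that detects a changed calling number. When screening is disabled the flow still forwards a failed message (step 480 to step 460), so the returned reason is worth logging.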
Fig. 5 is a schematic structural diagram of some embodiments of the caller information authentication apparatus of the present disclosure. The caller information authentication apparatus in this embodiment may be a separate device, or may be integrated into an existing device, such as an SSGW located in the source domain. The caller information authentication apparatus includes: an IAM message acquiring unit 510, a caller signature generating unit 520, an SSGW certificate acquiring unit 530, an IAM message recombining unit 540, and an IAM message transmitting unit 550.
The IAM message obtaining unit 510 is configured to receive a first IAM message sent by the LS, where the first IAM message includes the caller information.
The caller signature generation unit 520 is configured to generate caller signature parameters based on the caller information.
In some embodiments, the hash operation is performed on the caller information to obtain a hash value, and after the hash value is encrypted, the caller signature parameter is generated.
The SSGW certificate acquisition unit 530 is configured to acquire SSGW certificate parameters from the CA of the local domain.
In some embodiments, the SSGW identifier is encrypted and then sent to the CA, so that the CA, after verifying the SSGW identifier, generates a random number for the CA signature; the CA signature and the encrypted random number sent by the CA are received; if the CA signature is verified to be valid and the encrypted random number is decrypted, the random number is sent to the CA, where the CA compares the received random number with the generated random number and then generates the SSGW certificate parameters; and the SSGW certificate parameters sent by the CA are received.
In some embodiments, the SSGW certificate acquisition unit is configured to decrypt the CA signature using the CA public key, wherein the CA encrypts the random number using the SSGW public key, and encrypts the encrypted random number using the CA private key to obtain the CA signature; and if the CA signature can be decrypted, determining that the CA signature is valid.
In some embodiments, the SSGW certificate parameters include one or more of an SSGW identification, an SSGW public key, a validity time, a version number, and an algorithm.
The IAM message reassembly unit 540 is configured to add the caller signature parameter and the SSGW certificate parameter to the first IAM message, and reassemble into the second IAM message.
The IAM message sending unit 550 is configured to send the second IAM message to the destination domain, where, after the destination domain verifies the second IAM message, the calling signature parameter and the SSGW certificate parameter in the second IAM message are removed, a third IAM message is generated, and the third IAM message is sent to the next node.
In the above embodiment, based on the calling information, a calling signature parameter is generated, an IAM message is signed by using a certificate issued by a CA, the reassembled IAM message is routed to a destination domain, and after security detection is performed on the message by the destination domain, the message is directed to the destination, so that authenticity, non-tamper-ability and traceability of the calling information can be ensured on the premise of not changing the signaling of the existing LS transmission.
Fig. 6 is a schematic structural diagram of another embodiment of the caller information authentication apparatus according to the present disclosure. The caller information authentication apparatus in this embodiment may be a separate device, or may be integrated into an existing device, such as an SSGW located in a destination domain. The caller information authentication apparatus includes: an IAM message receiving unit 610, an IAM message verifying unit 620, an IAM message generating unit 630, and an IAM message forwarding unit 640.
The IAM message receiving unit 610 is configured to receive a second IAM message sent by the source domain, where the second IAM message includes the caller information, the caller signature parameter, and the SSGW certificate parameter in the first IAM message, and the caller information is, for example, a caller number.
The IAM message verifying unit 620 is configured to verify the caller signature parameter and the SSGW certificate parameter, and then determine whether the caller information in the second IAM message is tampered.
In some embodiments, IAM message verification unit 620 is configured to decrypt the caller signature parameter, and if the decryption results in a hash value, determine that the caller signature parameter is verified.
In some embodiments, the IAM message verifying unit 620 is configured to obtain the SSGW certificate parameter from the CA in the local domain, where the CA in the local domain obtains the SSGW certificate parameter from the CA in the source domain through the bridge CA, and if the SSGW certificate parameter obtained from the CA in the local domain is consistent with the SSGW certificate parameter in the second IAM message, it is determined that the SSGW certificate parameter is verified.
In some embodiments, the IAM message verifying unit 620 is configured to extract the caller information in the second IAM message and perform a hash operation on the extracted caller information; to judge whether the computed hash value is consistent with the hash value obtained by decrypting the calling signature parameter; and, if the calling information in the second IAM message is consistent with the calling information in the first IAM message, to determine that the calling information in the second IAM message has not been tampered with.
The IAM message generating unit 630 is configured to remove the caller signature parameter and the SSGW certificate parameter in the second IAM message and generate a third IAM message if it is determined that the caller information in the second IAM message is not tampered.
The IAM message forwarding unit 640 is configured to send the third IAM message to the next node.
In some embodiments, the IAM message forwarding unit 640 is further configured to reject the second IAM message if any one of the caller signature parameter and the SSGW certificate parameter is not verified or the caller information in the second IAM message is determined to be tampered with.
In the above embodiment, the caller information authentication apparatus in the destination domain performs security checks such as authentication, verification, and decryption on the received second IAM message, and directs the message to the destination after checking it, thereby ensuring the authenticity, tamper resistance, and traceability of the calling information.
In some embodiments, if the SSGW of the destination domain determines that the received second IAM message needs to be forwarded to another network, the SSGW of the destination domain passes through the second IAM message.
Fig. 7 is a schematic structural diagram of another embodiment of the caller information authentication apparatus according to the present disclosure. The caller information authentication device can be located in a source domain or a destination domain. The caller information authentication apparatus 700 includes a memory 710 and a processor 720. Wherein: the memory 710 may be a magnetic disk, flash memory, or any other non-volatile storage medium. The memory is used to store instructions in the embodiments corresponding to fig. 1-4. Coupled to memory 710, processor 720 may be implemented as one or more integrated circuits, such as a microprocessor or microcontroller. The processor 720 is configured to execute instructions stored in the memory.
In some embodiments, processor 720 is coupled to memory 710 through a bus 730. The caller information authentication apparatus 700 may also be connected to an external storage system 750 via a storage interface 740 in order to call external data, and may also be connected to a network or another computer system (not shown) via a network interface 760. These are not described in detail herein.
In this embodiment, the authenticity, the non-tamper property and the traceability of the calling information can be ensured by storing the data instruction in the memory and processing the instruction by the processor.
In other embodiments of the present disclosure, a caller information authentication system is protected, comprising a caller information authentication device located in a source domain and a caller information authentication device located in a destination domain.
In some embodiments, the system further includes a CA in the source domain, configured to receive the encrypted SSGW identifier sent by the caller information authentication apparatus in the local domain, generate a random number for the CA signature after verifying the SSGW identifier, send the CA signature and the encrypted random number to the caller information authentication apparatus in the local domain, receive the random number sent by the caller information authentication apparatus in the local domain, compare the generated random number with the received random number, generate SSGW certificate parameters, and send the SSGW certificate parameters to the caller information authentication apparatus in the local domain.
In some embodiments, the caller information authentication system further comprises a CA located in the destination domain, and is configured to obtain SSGW certificate parameters from a CA in the source domain through the bridge CA, and send the SSGW certificate parameters to the caller information authentication apparatus in the local domain.
The caller information authentication system is described below, taking an SSGW as an example of the caller information authentication apparatus.
Fig. 8 is a schematic structural diagram of some embodiments of a caller information authentication system of the present disclosure. In this embodiment, the system includes an SSGW, a CA, and a plurality of LSs located in the network of operator A, and an SSGW, a CA, and a plurality of LSs located in the network of operator B, where the CA in the network of operator A and the CA in the network of operator B exchange information through a bridge CA.
In this embodiment, the ISUP/BICC (Bearer Independent Call Control) signaling between the SSGW of the source domain and the SSGW of the destination domain is extended. The extended parameters are a certificate parameter and a signature parameter, and both are carried in the IAM message, as shown below.
[Figure BDA0002960109350000151: extended parameters carried in the IAM message]
In some embodiments, the above security mechanism need not be applied to message interactions between LSs inside a carrier, i.e., LSs belonging to the same security domain, which may be considered trusted.
In the related art, ISUP lacks a cognitive recognition mechanism, and a receiving-end entity passively receives and processes the sending end's messages. In this embodiment, by contrast, the SSGW signs the message using the calling signature parameter and a certificate issued by a CA, and routes the message to another security domain through the Sa interface. All incoming ISUP messages from another domain undergo security checks by the SSGW, including authentication, verification, decryption, etc. After the SSGW of the destination domain has checked the message, it directs the message to the destination LS. If the message does not comply with the security policy, the SSGW blocks or discards the message. The network entities involved in the signaling interaction mutually authenticate the calling number and establish trusted calling number transmission, which ensures that the calling number is authentic, tamper-proof and traceable.
In other embodiments, a computer-readable storage medium has stored thereon computer program instructions which, when executed by a processor, implement the steps of the method in the embodiments corresponding to fig. 1-4. As will be appreciated by one skilled in the art, embodiments of the present disclosure may be provided as a method, apparatus, or computer program product. Accordingly, the present disclosure may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present disclosure may take the form of a computer program product embodied on one or more computer-usable non-transitory storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present disclosure is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems) and computer program products according to embodiments of the disclosure. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
Thus far, the present disclosure has been described in detail. Some details well known in the art have not been described in order to avoid obscuring the concepts of the present disclosure. It will be fully apparent to those skilled in the art from the foregoing description how to practice the presently disclosed embodiments.
Although some specific embodiments of the present disclosure have been described in detail by way of example, it should be understood by those skilled in the art that the foregoing examples are for purposes of illustration only and are not intended to limit the scope of the present disclosure. It will be appreciated by those skilled in the art that modifications may be made to the above embodiments without departing from the scope and spirit of the present disclosure. The scope of the present disclosure is defined by the appended claims.

Claims (17)

1. A caller information authentication method comprising:
receiving a first initial address message IAM sent by a local switch LS, wherein the first IAM comprises calling information;
generating a calling signature parameter based on the calling information;
adding the calling signature parameter and a Signaling Security Gateway (SSGW) certificate parameter acquired from a Certificate Authority (CA) of the local domain to a first IAM message, and recombining the first IAM message into a second IAM message; and
sending the second IAM message to a destination domain, wherein after the destination domain verifies the second IAM message, the calling signature parameter and the SSGW certificate parameter in the second IAM message are removed, a third IAM message is generated, and the third IAM message is sent to a next node.
2. The caller information authentication method as claimed in claim 1, wherein the acquiring SSGW certificate parameters from the CA of the local domain comprises:
after encrypting the SSGW identification, sending the encrypted SSGW identification to the CA so that the CA, after verifying the SSGW identification, generates a random number for a CA signature;
receiving a CA signature and an encrypted random number sent by the CA;
if the CA signature is verified to be valid and the encrypted random number is decrypted, sending the random number to the CA, wherein the SSGW certificate parameter is generated after the CA compares the received random number with the generated random number; and
receiving the SSGW certificate parameter sent by the CA.
3. The caller information authentication method as claimed in claim 2, wherein verifying the CA signature comprises:
decrypting the CA signature by using a CA public key, wherein the CA encrypts a random number by using an SSGW public key, and encrypts the encrypted random number by using a CA private key to obtain the CA signature; and
if the CA signature can be decrypted, determining that the CA signature is valid.
4. A caller information authentication method according to claim 2,
the SSGW certificate parameter comprises one or more of an SSGW identification, an SSGW public key, a valid time, a version number and an algorithm.
5. The caller information authentication method as claimed in any one of claims 1 to 4, wherein generating caller signature parameters based on the caller information comprises:
carrying out hash operation on the calling information to obtain a hash value; and
generating the calling signature parameter after the hash value is encrypted.
6. A caller information authentication method comprising:
receiving a second Initial Address Message (IAM) message sent by a source domain, wherein the second IAM message comprises calling information, calling signature parameters and Signaling Security Gateway (SSGW) certificate parameters in the first IAM message;
after the calling signature parameter and the SSGW certificate parameter are verified, judging whether the calling information in the second IAM message has been tampered with;
if the calling information in the second IAM message is determined not to be tampered with, removing the calling signature parameter and the SSGW certificate parameter in the second IAM message, and generating a third IAM message; and
sending the third IAM message to a next node.
7. The caller information authentication method as claimed in claim 6, wherein verifying the SSGW certificate parameter comprises:
acquiring SSGW certificate parameters from a Certificate Authority (CA) of the local domain, wherein the CA of the local domain acquires the SSGW certificate parameters from the CA of a source domain through a bridge CA; and
if the SSGW certificate parameter acquired from the CA of the local domain is consistent with the SSGW certificate parameter in the second IAM message, determining that the SSGW certificate parameter passes the verification.
8. The caller information authentication method as claimed in claim 6, wherein verifying the caller signature parameter comprises:
decrypting the calling signature parameter, and if the hash value can be obtained through decryption, determining that the calling signature parameter passes verification.
9. The caller information authentication method according to claim 8, wherein determining whether the caller information in the second IAM message is tampered comprises:
extracting calling information in the second IAM message, and performing hash operation on the extracted calling information;
judging whether the hash value obtained by calculation is consistent with the hash value obtained by decrypting the calling signature parameter; and
if so, determining that the calling information in the second IAM message is not tampered with.
10. A caller information authentication method according to any one of claims 6 to 9,
wherein, if any one of the calling signature parameter and the SSGW certificate parameter is not verified, or the calling information in the second IAM message is determined to be tampered with, the second IAM message is rejected.
11. A caller information authentication apparatus comprising:
an IAM message acquisition unit configured to receive a first initial address message IAM sent by a local switch LS, wherein the first IAM message comprises calling information;
a caller signature generation unit configured to generate a caller signature parameter based on the caller information;
an SSGW certificate acquisition unit configured to acquire signaling security gateway SSGW certificate parameters from a certificate authority CA of the local domain;
an IAM message recombining unit configured to add the calling signature parameter and the SSGW certificate parameter to the first IAM message and recombine them into a second IAM message; and
an IAM message sending unit, configured to send the second IAM message to a destination domain, where the destination domain removes the caller signature parameter and the SSGW certificate parameter in the second IAM message after verifying the second IAM message, generates a third IAM message, and sends the third IAM message to a next node.
12. A caller information authentication apparatus comprising:
an IAM message receiving unit configured to receive a second initial address message IAM sent by a source domain, where the second IAM message includes calling information, a calling signature parameter, and a signaling security gateway SSGW certificate parameter in the first IAM message;
an IAM message verifying unit configured to verify the caller signature parameter and the SSGW certificate parameter, and then determine whether the caller information in the second IAM message is tampered;
an IAM message generating unit, configured to remove the caller signature parameter and the SSGW certificate parameter in the second IAM message and generate a third IAM message if it is determined that the caller information in the second IAM message is not tampered; and
an IAM message forwarding unit configured to send the third IAM message to a next node.
13. A caller information authentication system comprising:
the caller information authentication apparatus of claim 11; and
the caller information authentication apparatus as claimed in claim 12.
14. The caller information authentication system as claimed in claim 13, further comprising:
a CA located in the source domain, configured to receive the encrypted SSGW identification sent by the calling information authentication device of the local domain, generate a random number for the CA signature after the SSGW identification is verified, send the CA signature and the encrypted random number to the calling information authentication device of the local domain, receive the random number sent by the calling information authentication device of the local domain, compare the generated random number with the received random number, generate SSGW certificate parameters, and send the SSGW certificate parameters to the calling information authentication device of the local domain.
15. A caller information authentication system as claimed in claim 13 or 14, further comprising:
a CA located in the destination domain, configured to acquire the SSGW certificate parameters from the CA of the source domain through the bridge CA and send the SSGW certificate parameters to the calling information authentication device of the local domain.
16. A caller information authentication apparatus comprising:
a memory; and
a processor coupled to the memory, the processor configured to perform the caller information authentication method of any one of claims 1 to 10 based on instructions stored in the memory.
17. A non-transitory computer readable storage medium having stored thereon computer program instructions which, when executed by a processor, implement the caller information authentication method of any one of claims 1 to 10.
CN202110253128.9A 2021-03-03 2021-03-03 Method, device and system for authenticating calling information Pending CN115037470A (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN202110253128.9A CN115037470A (en) 2021-03-03 2021-03-03 Method, device and system for authenticating calling information
PCT/CN2021/114577 WO2022183694A1 (en) 2021-03-03 2021-08-25 Calling information authentication method, apparatus and system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202110253128.9A CN115037470A (en) 2021-03-03 2021-03-03 Method, device and system for authenticating calling information

Publications (1)

Publication Number Publication Date
CN115037470A true CN115037470A (en) 2022-09-09

Family

ID=83117763


Country Status (2)

Country Link
CN (1) CN115037470A (en)
WO (1) WO2022183694A1 (en)


Also Published As

Publication number Publication date
WO2022183694A1 (en) 2022-09-09


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination