WO2007051394A1 - Architecture and method for implementing privacy protection in a mobile application - Google Patents

Architecture and method for implementing privacy protection in a mobile application

Info

Publication number
WO2007051394A1
WO2007051394A1 PCT/CN2006/002726 CN2006002726W WO2007051394A1 WO 2007051394 A1 WO2007051394 A1 WO 2007051394A1 CN 2006002726 W CN2006002726 W CN 2006002726W WO 2007051394 A1 WO2007051394 A1 WO 2007051394A1
Authority
WO
WIPO (PCT)
Prior art keywords
authentication
privacy
user
service
layer
Prior art date
Application number
PCT/CN2006/002726
Other languages
English (en)
Chinese (zh)
Inventor
Lan Chen
Yuanping Zhou
Original Assignee
Zte Corporation
Priority date
Filing date
Publication date
Application filed by Zte Corporation
Publication of WO2007051394A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/06 Authentication
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0407 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the identity of one or more communicating identities is hidden
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/02 Protecting privacy or anonymity, e.g. protecting personally identifiable information [PII]

Definitions

  • The present invention relates to mobile communications and, in particular, to privacy protection techniques in mobile communications.
  • BACKGROUND OF THE INVENTION: In mobile applications, because the terminal is tied to personal information, protection of personal privacy is inevitably involved. In a multi-party mobile application, the system must ensure that each party can protect its privacy-related information, such as location information, according to its own wishes.
  • The protection of privacy in mobile applications involves two authentication questions. Question 1: identification of end users, that is, confirming whether the end user is the user himself or herself. Question 2: identification of initiators and originating services, that is, confirming whether the requester of the information and the service used are allowed by the information provider.
  • The prior art solves Question 2 with a single privacy authentication module: all privacy-related authentication is processed by one module, and that module must handle the addition and deletion of user privacy.
  • The present invention provides an architecture for implementing privacy protection in a mobile application.
  • The architecture arranges privacy authentication in distributed layers, including: a service authentication layer, providing the user privacy control policy for specific services; an integrated service authentication layer, providing the user privacy control policy related to the user's service agreement; and a user privacy authentication layer, providing the privacy control policy of the called user toward the service provider and of the called user toward the calling party.
  • The present invention provides a method of implementing privacy protection in a mobile application.
  • The privacy protection method processes privacy authentication in a distributed manner, with the following steps:
      Step 1: The user initiates a use request.
      Step 2: The service authentication layer performs privacy authentication at the specific service level according to the user's use request.
      Step 3: The service authentication layer passes the use request to the integrated service authentication layer.
      Step 4: The integrated service authentication layer performs privacy authentication at the user and service usage agreement level according to the service authentication layer's authentication result and the use request.
      Step 5: The use request that passes integrated service authentication layer authentication is passed to the user privacy authentication layer;
  • The above steps can be applied flexibly, and several steps may be skipped in actual use. Further, when integrated service authentication passes, the use request may be deemed to have met the privacy condition; the user privacy authentication step is then skipped and the request is sent directly to the relevant service module for processing.
  • The present invention provides a method of implementing privacy protection in a mobile application.
  • The privacy protection method processes privacy authentication in a distributed manner, including the following steps:
      Step 1: The user initiates a use request.
      Step 2: The service authentication layer performs privacy authentication at the specific service level according to the user's use request.
      Step 3: The service authentication layer passes the use request to the user privacy authentication layer.
      Step 4: The user privacy authentication layer initiates integrated service authentication, and the integrated service authentication layer performs privacy authentication at the user and service usage agreement level according to the service authentication layer's authentication result and the use request.
      Step 5: The use request that passes integrated service authentication layer authentication enters the user privacy authentication layer.
      Step 6: The user privacy authentication layer performs privacy authentication of the called user toward the service provider and of the called user toward the calling party, according to the integrated service authentication layer's authentication result and the use request.
      Step 7: The use request that passes authentication is sent to the relevant service module for processing.
  • The above steps can be applied flexibly, and several steps may be skipped in actual use. Further, when integrated service authentication passes, the use request may be deemed to have met the privacy condition; the user privacy authentication step is then skipped and the request is sent directly to the relevant service module for processing.
  • Compared with the existing single-module privacy authentication technology, the privacy protection architecture and method of the present invention adopt a layered mode with clear logic, clear module relationships, high maintainability, and easy development and maintenance.
  • FIG. 1 is a schematic diagram of a prior art single module privacy authentication mode in accordance with the present invention
  • FIG. 2 is a block diagram of an architecture for implementing privacy protection in a mobile application in accordance with the present invention
  • FIG. 3 is in accordance with the present invention.
  • FIG. 4 is a flowchart of a method for implementing privacy protection in a mobile application according to the present invention
  • FIG. 5 is a schematic diagram of a privacy authentication mode according to an embodiment of the present invention
  • FIG. 7 is a flow chart of a short message manner of a service ordering process according to an embodiment of the present invention
  • FIG. 8 is a flow chart of a short message mode according to a service usage flow according to an embodiment of the present invention
  • The architecture for implementing privacy protection in a mobile application arranges privacy authentication in distributed layers, including: a service authentication layer, which provides user privacy control for a specific service and authenticates the legality of the specific service; an integrated service authentication layer, which provides user privacy control related to the user's service agreement; and a user privacy authentication layer, which provides user privacy control of the called user toward the service provider and of the called user toward the calling party.
  • The user privacy control performed by the user privacy authentication layer includes access control for any service provider/requester, division of time slots, and notification to the user when the service is in use.
  • A method for implementing privacy protection in a mobile application processes privacy authentication in a distributed manner, including the following steps:
      Step 1: The user initiates a use request.
      Step 2: The service authentication layer performs privacy authentication at the specific service level according to the user's use request.
      Step 3: The use request that passes service authentication layer authentication is transferred to the integrated service authentication layer.
      Step 4: The integrated service authentication layer performs privacy authentication at the user and service usage agreement level according to the service authentication layer's authentication result and the use request.
      Step 5: If the use request that passes integrated service authentication layer authentication is not determined to have met the privacy condition, it enters the user privacy authentication layer.
      Step 6: The user privacy authentication layer performs privacy authentication of the called user toward the service provider and of the called user toward the calling party, according to the integrated service authentication layer's authentication result and the use request.
      Step 7:
  • In step 5, if the use request that passes integrated service authentication layer authentication is determined to have met the privacy condition, user privacy authentication layer authentication is not performed, and the use request is sent directly to the relevant service module for processing.
  • In step 6, the privacy authentication performed by the user privacy authentication layer includes access control for any service provider/requester, division of time slots, and notification of the user when the service is used. Referring to FIG.
  • A method for implementing privacy protection in a mobile application processes privacy authentication in a distributed manner, including the following steps:
      Step 1: The user initiates a use request.
      Step 2: The service authentication layer performs privacy authentication at the specific service level according to the user's use request.
      Step 3: The use request that passes service authentication layer authentication is transferred to the user privacy authentication layer.
      Step 4: The user privacy authentication layer initiates integrated service authentication, so that the integrated service authentication layer performs privacy authentication at the user and service usage agreement level according to the service authentication layer's authentication result and the use request.
      Step 5: If the use request that passes integrated service authentication layer authentication is not determined to have met the privacy condition, it enters the user privacy authentication layer.
      Step 6: The user privacy authentication layer performs authentication based on the authentication result of the integrated service authentication layer and the use request.
      Step 7: The use request that passes authentication is sent to the relevant service module for processing.
  • In step 5, if the use request that passes integrated service authentication layer authentication is determined to have met the privacy condition, user privacy authentication layer authentication is not performed, and the use request is sent directly to the relevant service module for processing.
  • In step 6, the privacy authentication performed by the user privacy authentication layer includes access control for any service provider/requester, division of time slots, and notification of the user when the service is in use.
  • The present invention is directed to a framework mode for comprehensively and quickly solving privacy authentication problems.
  • The present invention provides an architecture for implementing privacy protection in a mobile application, including the following parts: a service authentication layer, providing the user privacy control policy for a specific service; an integrated service authentication layer, providing the user privacy control policy related to the user's service usage agreement; and a user privacy authentication layer, providing the privacy control policy of the called user toward the service provider and of the called user toward the calling party.
  • The arrangement of the architecture of the present invention is completely different from the prior art.
  • The architectural mode of the present invention fully considers the source of the requirements and summarizes the problem into three levels.
  • The service authentication level is directly related to the service, for example user classification and organizational structure, and this part is processed first.
  • The first winner of this part of the demand is the service provider.
  • The integrated service authentication level is related to the subscription/use agreement logic.
  • The user privacy authentication layer is the core part of privacy authentication. It provides the most detailed privacy control policy of the user toward the service provider and of the called user toward the calling party, including access control for any SP/requester, division of time periods, and whether to notify the user when the service is used. This is the last step, and its execution logic depends on the results of the first two steps. The first winner of this part of the demand is the business engine.
  • FIG. 5 is a schematic diagram of a privacy authentication mode of the present invention.
  • The privacy authentication process uses the following mode: in the first step, the user initiates a use request; in the second step, the service authentication layer (SERVICE-AUTH) performs privacy authentication at the specific service level according to the user's use request; in the third step, the service authentication layer passes the use request to the integrated service authentication layer.
  • SESOICE-AUTH service authentication layer
  • In the fourth step, the integrated service authentication layer performs privacy authentication at the user and service usage agreement level according to the service authentication layer's authentication result and the use request; in the fifth step, the use request that passes integrated service authentication layer authentication enters the user privacy authentication layer (USER_PRIVACY_AUTH); in the sixth step, the user privacy authentication layer performs privacy authentication of the called user toward the service provider and of the called user toward the calling user, according to the integrated service authentication layer's authentication result and the use request; in the seventh step, the use request that passes authentication is sent to the relevant service module for processing.
  • FIG. 6 is another schematic diagram of the privacy authentication mode of the present invention.
  • The privacy authentication process uses the following mode: in the first step, the user initiates a use request; in the second step, the service authentication layer performs privacy authentication at the specific service level according to the user's use request; in the third step, the service authentication layer passes the use request to the user privacy authentication layer; in the fourth step, the user privacy authentication layer initiates integrated service authentication, and the integrated service authentication layer performs privacy authentication at the user and service usage agreement level according to the service authentication layer's authentication result and the use request; in the fifth step, the use request that passes integrated service authentication layer authentication enters the user privacy authentication layer; in the sixth step, the user privacy authentication layer performs privacy authentication of the called user toward the service provider and of the called user toward the calling user, according to the integrated service authentication layer's authentication result and the use request; in the seventh step, the use request that passes authentication is sent to the relevant service module for processing.
  • The difference between the two modes shown in FIG. 5 and FIG. 6 is the initiator of integrated service authentication.
  • In FIG. 5 it is initiated directly by the service authentication layer.
  • In FIG. 6 it is initiated by the user privacy authentication layer. The mode can be selected flexibly according to the trust relationship.
  • Authentication related to specific services, such as user grouping and organizational structure, is placed in the service authentication layer; authentication related to the user/service usage agreement, such as matching of the subscription relationship, is implemented in the integrated service authentication layer;
  • authentication related to the trust relationship between user and user and between user and service provider is handled in the user privacy authentication layer.
  • Each of these three levels can be flexibly configured; several levels may be skipped in actual use, and the order of the levels in the flow can also be adjusted.
  • For example, when integrated service authentication passes, the privacy condition can be considered met, so the user privacy authentication level can be skipped. In a find-a-friend service in a virtual community, once both parties pass service authentication and integrated service authentication they can be considered to trust each other, and the service can be executed immediately without having to authenticate the user.
  • The implementation of the technical solution is described in detail below through two specific service cases, in conjunction with FIG. 7 and FIG. 8.
  • Both embodiments use the mode described in FIG. 6, because in the existing network integrated service authentication has a trust relationship with user privacy authentication but does not trust service authentication.
  • The user sends a subscription request to the integrated service authentication layer.
  • The integrated service authentication layer determines whether the request is for a community-based service.
  • If the integrated service authentication layer returns success, the subscription relationship is generated.
  • The user privacy authentication layer is required to determine whether a trust relationship exists between the calling and called parties, to ensure that user privacy authentication can pass during use. In this application, however, users in the same community trust each other, so user privacy authentication is unnecessary and this step can be skipped.
  • FIG. 8 is a flow chart of the short message mode of the service usage flow according to the first embodiment.
  • The user issues a use request.
  • The service authentication layer performs service-related privacy authentication on the user's request.
  • The user privacy authentication layer forwards the request to the integrated service authentication layer (it is forwarded from the user privacy authentication layer because the service authentication layer is not trusted).
  • The integrated service authentication layer determines, from the service ID in the request sent by the user privacy authentication layer, whether the service is a community service and, if so, whether the calling user and the called user both subscribe to the service, and then sends the result to the user privacy authentication layer.
  • The user privacy authentication layer obtains the authentication result of the integrated service authentication layer and decides, according to the service attribute, whether to perform user privacy authentication. If it is a community-based service and integrated service authentication layer authentication succeeds, the user privacy authentication layer is skipped and the positioning process is entered directly.
  • The service authentication layer implements a set of user management logic and user authentication procedures.
  • The integrated service authentication layer generates the subscription relationship to the application for the enterprise.
  • The service authentication layer establishes a set of user information and sets logical relationships for the enterprise. Privacy authentication execution steps:
  • The user's request is authenticated by the service authentication layer according to the application's user authentication.
  • The user privacy authentication layer sends an authentication request to the integrated service authentication layer, and the integrated service authentication layer authenticates the subscription relationship between the calling party and the service (authentication passes only if the service type is 'enterprise application' and both the calling and called parties have subscribed to the service).
  • The user privacy authentication layer judges, based on the authentication result of the integrated service authentication layer, whether the service is an enterprise application. If the result indicates an enterprise application and the application is configured not to perform user privacy authentication layer privacy authentication, positioning starts immediately. If the result indicates an enterprise application and the application is configured to perform user privacy authentication layer privacy authentication, whether to start the positioning process is decided by the user privacy authentication result.
  • The layered mode of the present invention is much clearer in logic, and the complexity of each module is greatly reduced. Maintainability is improved, and because the structure is clear, requirements can be clearly assigned for implementation, which improves development efficiency and code stability.
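
The FIG. 6 flow and the two embodiments described above, written out as an added Python sketch; it is not code from the patent. The class names, the service kinds `community`/`enterprise`, the `skip_user_privacy` flag and all sample data are assumptions constructed for the illustration; every path denies by default.

```python
from dataclasses import dataclass, field
from datetime import time

@dataclass(frozen=True)
class UseRequest:
    caller: str       # calling user (requester)
    callee: str       # called user, whose location is requested
    service_id: str
    at: time          # time of the request

@dataclass
class Service:
    kind: str                        # "community" or "enterprise" (constructed labels)
    members: set                     # service-specific user grouping (layer 1)
    subscribers: set                 # subscription relationships (layer 2)
    skip_user_privacy: bool = False  # per-application configuration (assumed name)

@dataclass
class PrivacyRule:                   # the called user's rule for one requester (layer 3)
    start: time
    end: time
    notify: bool = False

@dataclass
class Decision:
    allowed: bool = False
    trace: list = field(default_factory=list)  # layers that actually ran
    notify: bool = False

def service_auth(req, services):
    """Layer 1: service-specific check, here membership in the service's user group."""
    svc = services.get(req.service_id)
    return svc is not None and {req.caller, req.callee} <= svc.members

def integrated_service_auth(req, services):
    """Layer 2: subscription check. Returns (passed, privacy_condition_met)."""
    svc = services[req.service_id]
    passed = {req.caller, req.callee} <= svc.subscribers
    trusted = svc.kind == "community" or (
        svc.kind == "enterprise" and svc.skip_user_privacy)
    return passed, passed and trusted

def user_privacy_auth(req, rules):
    """Layer 3: access control per requester, time slot, notification flag."""
    rule = rules.get((req.callee, req.caller))
    if rule is None or not (rule.start <= req.at <= rule.end):
        return False, False
    return True, rule.notify

def authorize(req, services, rules):
    """FIG. 6 ordering: the user privacy layer initiates integrated authentication."""
    d = Decision()
    d.trace.append("service")
    if not service_auth(req, services):
        return d
    d.trace.append("integrated")
    passed, privacy_met = integrated_service_auth(req, services)
    if not passed:
        return d
    if privacy_met:              # user privacy authentication is skipped
        d.allowed = True
        return d
    d.trace.append("user_privacy")
    d.allowed, d.notify = user_privacy_auth(req, rules)
    return d

# Constructed sample data
SERVICES = {
    "find-friend": Service("community", {"alice", "bob", "carol"}, {"alice", "bob"}),
    "fleet": Service("enterprise", {"alice", "bob"}, {"alice", "bob"}),
}
RULES = {("bob", "alice"): PrivacyRule(time(8), time(18), notify=True)}

if __name__ == "__main__":
    for svc, hour in [("find-friend", 23), ("fleet", 10), ("fleet", 23)]:
        print(svc, hour, authorize(UseRequest("alice", "bob", svc, time(hour)), SERVICES, RULES))
```

The `trace` field records which layers ran, which makes the skip decision auditable: a community request stops after the integrated layer, while an enterprise request without the skip flag reaches the called user's own rules.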

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Mobile Radio Communication Systems (AREA)
  • Telephonic Communication Services (AREA)

Abstract

The present invention relates to an architecture and a method for implementing privacy protection in a mobile application. The architecture for implementing privacy protection sets up distributed layers for privacy authentication, comprising: the service authentication layer, providing user privacy control for the particular service and authenticating the validity of the particular service; the integrated service authentication layer, providing user privacy control relating to the user and the service usage agreement; and the user privacy authentication layer, providing privacy control of the called user toward the service provider and of the called user toward the calling user.
PCT/CN2006/002726 2005-11-01 2006-10-17 Architecture and method for implementing privacy protection in a mobile application WO2007051394A1 (fr)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN200510095135.1 2005-11-01
CNA2005100951351A CN1960559A (zh) 2005-11-01 2005-11-01 An architecture and method for implementing privacy protection in a mobile application

Publications (1)

Publication Number Publication Date
WO2007051394A1 true WO2007051394A1 (fr) 2007-05-10

Family

ID=38005437

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2006/002726 WO2007051394A1 (fr) 2005-11-01 2006-10-17 Architecture and method for implementing privacy protection in a mobile application

Country Status (2)

Country Link
CN (1) CN1960559A (fr)
WO (1) WO2007051394A1 (fr)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9215548B2 (en) 2010-09-22 2015-12-15 Ncc Group Security Services, Inc. Methods and systems for rating privacy risk of applications for smart phones and other mobile platforms

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2002001827A2 (fr) * 2000-06-26 2002-01-03 Intel Corporation Establishing network security using internet protocol security policies
CN1452735A (zh) * 2000-05-19 2003-10-29 Netscape Communications Corporation Adaptive multi-tier authentication system

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application
NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 06804945

Country of ref document: EP

Kind code of ref document: A1