WO2022247938A1 - Terminal device registration method, related device, system, and storage medium - Google Patents


Info

Publication number
WO2022247938A1
Authority
WO
WIPO (PCT)
Prior art keywords
authentication
terminal device
parameter
server
enterprise server
Prior art date
Application number
PCT/CN2022/095699
Other languages
French (fr)
Chinese (zh)
Inventor
柳亮亮
Original Assignee
华为技术有限公司
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by 华为技术有限公司
Publication of WO2022247938A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L65/00 Network arrangements, protocols or services for supporting real-time applications in data packet communication
    • H04L65/10 Architectures or entities
    • H04L65/1016 IP multimedia subsystem [IMS]
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L65/00 Network arrangements, protocols or services for supporting real-time applications in data packet communication
    • H04L65/1066 Session management
    • H04L65/1073 Registration or de-registration
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/40 Network security protocols
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/06 Authentication
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W60/00 Affiliation to network, e.g. registration; Terminating affiliation with the network, e.g. de-registration

Definitions

  • the enterprise server and the operator server can respectively authenticate the terminal device.
  • the terminal device passes the authentication of the operator server and the terminal device passes the authentication of the enterprise server, the registration of the terminal device is successful, and the terminal device can realize the communication service through the operator server and the enterprise server. It can be seen that during the registration process of the terminal device, the cooperative authentication of the terminal device, the operator server and the enterprise server is required, which improves the registration efficiency of the terminal device.
  • the terminal device directly interacts with the enterprise server and the operator server to realize the registration process, which reduces the complexity of registering the terminal device and reduces the difficulty and cost of maintaining the communication network.
  • the authentication request message also carries an enterprise identifier corresponding to the enterprise server, and before the operator server receives the authentication request message from the terminal device, the method further includes: the operator server acquiring the second enterprise authentication key corresponding to the enterprise identifier.
  • FIG. 3 is a flow chart of the steps of the first embodiment of the method for terminal device registration provided by the present application.
  • the enterprise server determines that the enterprise server is a legitimate server according to the first response message, the enterprise server sends an enterprise authentication message to the operator server to request to verify whether the enterprise server passes the verification.
  • FIG. 4 is a flow chart of the steps of the second embodiment of the method for registering a terminal device.
  • the second enterprise authentication key of the operator server includes the second public key and the second private key. Please refer to step 402 for specific instructions, and details are not repeated here.
  • the operator server decrypts the first authentication parameter carried in the authentication request message by using the second private key, so as to obtain the first signature information and the first preset parameter.
  • the operator server decrypts the first signature information by using the first public key to obtain the first summary information (i.e., the first authentication identifier).
  • the operator server performs hash calculation on the first preset parameter to obtain the second summary information.
  • the second summary information is the second authentication identifier.
  • the user who uses the terminal device needs the terminal device to be authenticated by the operator server. If the operator server determines that the first authentication identifier is the same as the second authentication identifier, it means that the terminal device has passed the authentication of the operator server. If the operator server determines that the first authentication identifier is different from the second authentication identifier, it means that the terminal device has not passed the authentication of the operator server.
  • the operator server determines that the first authentication identifier and the second authentication identifier are different, the operator server sends an authentication failure response message to the enterprise server, and the authentication failure response message is used to indicate that the terminal device has not passed the authentication of the operator server.
  • Step 409: the operator server sends an authentication response message to the enterprise server.
  • the operator server determines that the enterprise identifier is "enterprise identifier A3" by querying the notification address column shown in Table 2. It can be seen that the operator server sends an authentication response message to "IP A3".
  • the address of the enterprise server included in the notification address column is an IP address as an example. In other examples, the address of the enterprise server included in the notification address column can also be the domain name address of the enterprise server or any other type of address etc., which are not specifically limited in this embodiment.
  • the enterprise server has started the timer. If the enterprise server has not received the authentication response message from the operator server within the duration of the timer, it means that the registration of the terminal device has failed, and the enterprise server directly sends a response message to the terminal device to indicate that the registration of the terminal device fails.
  • the terminal device has not passed the authentication of the enterprise server. It can be seen that the terminal device has passed the authentication of the operator's server, but has not passed the authentication of the enterprise server, which means that the registration of the terminal device has not passed.
  • Step 412: the enterprise server sends an authentication failure response message to the operator server.
  • the enterprise server and the operator server can respectively authenticate the terminal device.
  • the terminal device passes the authentication of the operator server and the terminal device passes the authentication of the enterprise server, the terminal device is successfully registered, and the terminal device can realize communication services through the operator server and the enterprise server.
  • the collaborative authentication of the terminal device, the operator server, and the enterprise server is required, which improves the terminal device registration efficiency.
  • During the registration process of the terminal device, there is no need to rely on the relay network, but the terminal device directly interacts with the enterprise server and the operator server to realize the registration process, which reduces the complexity of registering the terminal device and reduces the difficulty and cost of maintaining the communication network.
  • the processing unit 501 is configured to execute step 403.
  • the transceiver unit 502 is configured to execute step 404.
  • the network device shown in this embodiment includes: a processor 601, a memory 602, a bus 603, a transceiver 604 and a network interface 606.
  • the memory 602 may include computer storage media in the form of volatile and/or non-volatile memory, such as read-only memory and/or random access memory.
  • Memory 602 may store operating systems, application programs, other program modules, executable code, and program data.

Abstract

Disclosed in embodiments of the present invention are a terminal device registration method, a related device, a system, and a storage medium. The present invention can ensure that a user quickly goes online at an operator network, thereby quickly implementing a communication service of the user. The method comprises: an enterprise server sends, in response to a registration request message of a terminal device, a registration response message to the terminal device; the enterprise server receives an authentication response message from an operator server, the authentication response message being used for indicating that the authentication of the terminal device succeeds, and the authentication response message carrying a first parameter; the enterprise server obtains a second parameter according to the authentication response message; and if the enterprise server determines that the first parameter and the second parameter are the same, the enterprise server determines that the registration of the terminal device succeeds.

Description

A terminal device registration method, related device, system, and storage medium
This application claims priority to Chinese patent application No. 202110592796.4, filed with the China Patent Office on May 28, 2021 and entitled "A terminal device registration method, related device, system, and storage medium", which is incorporated herein by reference in its entirety.
Technical Field
This application relates to the field of communications, and in particular to a terminal device registration method, a related device, a system, and a storage medium.
Background
With the spread of Internet of Things devices and the continuous growth of communication demands across industries, operator networks are required to provide all industries with audio and video services that cover the whole process and the whole network, are reachable anytime and anywhere, and are stable, reliable, and low-cost.
To enable a calling user to call a called user, the calling user and the called user must each open an account with the operator network. Once the accounts are opened, the operator network provides the call service from the calling user to the called user.
However, the account opening process at the operator network is complex for both the calling user and the called user, so neither can go online at the operator network immediately, and the calling user therefore cannot quickly call the called user.
Summary of the Invention
Embodiments of the present invention provide a terminal device registration method, a related device, a system, and a storage medium, which ensure that a user can quickly go online at an operator network and thereby quickly obtain communication services.
In a first aspect, an embodiment of the present invention provides a terminal device registration method. The method includes: an enterprise server, in response to a registration request message from a terminal device, sends a registration response message to the terminal device; the enterprise server receives an authentication response message from an operator server, where the authentication response message indicates that the terminal device has passed authentication and carries a first parameter; the enterprise server obtains a second parameter according to the authentication response message; and if the enterprise server determines that the first parameter and the second parameter are the same, it determines that the terminal device is registered successfully.
It can be seen that the enterprise server and the operator server each authenticate the terminal device. When the terminal device passes the authentication of the operator server and also passes the authentication of the enterprise server, the terminal device is registered successfully and can use communication services through the operator server and the enterprise server. Registration thus requires cooperative authentication among three devices (the terminal device, the operator server, and the enterprise server), which improves the registration efficiency of the terminal device. During registration the terminal device does not rely on a relay network; it interacts directly with the enterprise server and the operator server, which reduces the complexity of registering the terminal device and reduces the difficulty and cost of maintaining the communication network.
Based on the first aspect, in an optional implementation, before the enterprise server sends the registration response message to the terminal device in response to the registration request message, the method further includes: the enterprise server receives the registration request message from the terminal device, where the registration request message is used to request a first authentication identifier and a first preset parameter, and the enterprise server obtains the first authentication identifier according to a first enterprise authentication key. The enterprise server sending the registration response message to the terminal device in response to the registration request message includes: the enterprise server sends the registration response message to the terminal device, where the registration response message carries the first authentication identifier and the first preset parameter, and the first authentication identifier and the first preset parameter are used to obtain the first parameter.
Based on the first aspect, in an optional implementation, the enterprise server obtaining the first authentication identifier according to the first enterprise authentication key includes: the enterprise server stores the first enterprise authentication key, and the operator server has stored a second enterprise authentication key, where the first enterprise authentication key and the second enterprise authentication key are symmetric keys, that is, the two keys are the same. The enterprise server encrypts the first preset parameter with the first enterprise authentication key to obtain the first authentication identifier.
Based on the first aspect, in an optional implementation, the enterprise server obtaining the first authentication identifier according to the first enterprise authentication key includes: the first enterprise authentication key and the second enterprise authentication key are asymmetric keys, where the first enterprise authentication key includes a first public key and a first private key, and the second enterprise authentication key includes a second public key and a second private key. The operator server sends the second public key to the enterprise server, and the enterprise server sends the first public key to the operator server. The first public key and the second private key, and the first private key and the second public key, are respectively paired keys. The enterprise server performs a hash calculation on the first preset parameter to obtain first summary information (a digest), encrypts the first summary information with the first private key to obtain first signature information, and encrypts the first signature information and the first preset parameter with the second public key to obtain a first authentication parameter. The first authentication identifier is the first summary information.
It can be seen that the enterprise server in this aspect sends the first authentication identifier in encrypted form, which effectively improves the security of sending the first authentication identifier and prevents it from being leaked or tampered with.
Based on the first aspect, in an optional implementation, the enterprise server obtaining the second parameter according to the authentication response message includes: the enterprise server performs a calculation on the first preset parameter using a first user authentication key to obtain the second parameter. After the enterprise server determines that the first parameter and the second parameter are the same and therefore that the terminal device is registered successfully, the method further includes: the enterprise server sends a first indication message to the operator server, where the first indication message indicates that the terminal device is registered successfully.
Based on the first aspect, in an optional implementation, the first user authentication key is the login password with which the terminal device successfully logs in to the enterprise server.
It can be seen that, because the first user authentication key in this aspect is a login password, the security of the first user authentication key is effectively improved and the possibility of the first user authentication key being stolen is avoided.
Based on the first aspect, in an optional implementation, the authentication response message further carries a call identifier that the terminal device uses for communication services. Before the enterprise server performs the calculation on the first preset parameter using the first user authentication key to obtain the second parameter, the method further includes: the enterprise server obtains the first user authentication key corresponding to the call identifier.
Based on the first aspect, in an optional implementation, the first user authentication key and a second user authentication key are the same, where the second user authentication key is used to obtain the first parameter.
Based on the first aspect, in an optional implementation, before the enterprise server sends the registration response message to the terminal device in response to the registration request message, the method further includes: the enterprise server obtains an account opening identifier, a first account opening key, and a second preset parameter; the enterprise server performs a calculation on the second preset parameter using the first account opening key to obtain a first account opening parameter; the enterprise server sends an account opening request message to the operator server, where the account opening request message carries the account opening identifier, the second preset parameter, and the first account opening parameter; and the enterprise server receives an account opening confirmation message from the operator server, where the account opening confirmation message indicates that the enterprise server has successfully opened an account.
Based on the first aspect, in an optional implementation, a universal enterprise identity module (UEIM) is installed in the enterprise server, and the account opening information is built into the UEIM. The enterprise server performing the calculation on the second preset parameter using the first account opening key to obtain the first account opening parameter includes: the enterprise server reads the account opening information from the UEIM, where a processor interface circuit of the enterprise server can directly read the account opening information in the UEIM.
Based on the first aspect, in an optional implementation, the UEIM is a virtual UEIM, and the virtual UEIM is a software module. The enterprise server performing the calculation on the second preset parameter using the first account opening key to obtain the first account opening parameter includes: the processor interface circuit of the enterprise server reads the virtual UEIM stored in the memory to obtain the account opening information.
Based on the first aspect, in an optional implementation, the enterprise server performing the calculation on the second preset parameter using the first account opening key to obtain the first account opening parameter includes: the enterprise server receives the account opening information from a home subscriber server, or the enterprise server may receive the account opening information from a service user profile function or a bootstrapping server function.
In a second aspect, an embodiment of the present invention provides a terminal device registration method. The method includes: an operator server receives an authentication request message from a terminal device, where the authentication request message carries a first authentication identifier and a first parameter; the operator server obtains a second authentication identifier according to the authentication request message; and if the operator server determines that the first authentication identifier and the second authentication identifier are the same, it sends an authentication response message to an enterprise server, where the authentication response message indicates that the terminal device has passed authentication and carries the first parameter.
For a description of the beneficial effects of this aspect, see the first aspect; details are not repeated here.
Based on the second aspect, in an optional implementation, the operator server obtaining the second authentication identifier according to the authentication request message includes: the operator server obtains the second authentication identifier according to a second enterprise authentication key.
Based on the second aspect, in an optional implementation, the authentication request message further carries an enterprise identifier corresponding to the enterprise server. Before the operator server receives the authentication request message from the terminal device, the method further includes: the operator server obtains the second enterprise authentication key corresponding to the enterprise identifier.
Based on the second aspect, in an optional implementation, the authentication response message further carries a call identifier, and the call identifier is used to implement the communication service of the terminal device.
Based on the second aspect, in an optional implementation, after the operator server determines that the first authentication identifier and the second authentication identifier are the same and sends the authentication response message to the enterprise server, the method further includes: the operator server receives a first indication message from the enterprise server; and the operator server sends, according to the first indication message, a second indication message to the terminal device, where the second indication message indicates that the terminal device is registered successfully.
Based on the second aspect, in an optional implementation, before the operator server receives the authentication request message from the terminal device, the method further includes: the operator server receives an account opening request message from the enterprise server, where the account opening request message carries an account opening identifier, a second preset parameter, and a first account opening parameter; the operator server obtains a second account opening key corresponding to the account opening identifier; the operator server performs a calculation on the second preset parameter using the second account opening key to obtain a second account opening parameter; and if the operator server determines that the first account opening parameter and the second account opening parameter are the same, it sends an account opening confirmation message to the enterprise server, where the account opening confirmation message indicates that the enterprise server has successfully opened an account.
In a third aspect, an embodiment of the present invention provides a terminal device registration method. The method includes: a terminal device sends a registration request message to an enterprise server; the terminal device receives a registration response message from the enterprise server, where the registration response message carries a first authentication identifier; the terminal device obtains a first parameter according to the registration response message; the terminal device sends an authentication request message to an operator server, where the authentication request message carries the first authentication identifier and the first parameter; and the terminal device receives, from the operator server, an indication message indicating that registration has succeeded.
For a description of the beneficial effects of this aspect, see the first aspect; details are not repeated here.
Based on the third aspect, in an optional implementation, the registration response message further carries a first preset parameter, and the terminal device obtaining the first parameter according to the registration response message includes: the terminal device performs a calculation on the first preset parameter using a second user authentication key to obtain the first parameter.
Based on the third aspect, in an optional implementation, the method further includes: the terminal device sends, to the operator server, a call identifier used to implement communication services.
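The three-party exchange of the first, second and third aspects in its symmetric-key variant, as an added Python example that is not code from the patent. Assumptions: the keyed calculation is HMAC-SHA256 (the text names no algorithm), the registration request names the terminal's call identifier, the authentication request also carries the first preset parameter, and every identifier, key and password below is a constructed sample value.

```python
import hashlib
import hmac
import secrets


def keyed(key: bytes, data: bytes) -> bytes:
    """Keyed calculation over a preset parameter (assumption: HMAC-SHA256)."""
    return hmac.new(key, data, hashlib.sha256).digest()


class EnterpriseServer:
    def __init__(self, enterprise_id, enterprise_key, user_keys):
        self.enterprise_id = enterprise_id
        self.enterprise_key = enterprise_key  # first enterprise authentication key
        self.user_keys = user_keys            # call identifier -> first user authentication key
        self.pending = {}                     # call identifier -> first preset parameter

    def on_registration_request(self, call_id):
        preset = secrets.token_bytes(16)      # first preset parameter, fresh per attempt
        self.pending[call_id] = preset
        return {"enterprise_id": self.enterprise_id,
                "auth_id": keyed(self.enterprise_key, preset),  # first authentication identifier
                "preset": preset}

    def on_authentication_response(self, resp):
        # The stored preset is consumed here, so a replayed response fails.
        preset = self.pending.pop(resp["call_id"], None)
        user_key = self.user_keys.get(resp["call_id"])
        if preset is None or user_key is None:
            return False
        second_param = keyed(user_key, preset)
        return hmac.compare_digest(second_param, resp["first_param"])


class OperatorServer:
    def __init__(self, enterprise_keys):
        # enterprise identifier -> second enterprise authentication key
        self.enterprise_keys = enterprise_keys

    def on_authentication_request(self, req):
        key = self.enterprise_keys.get(req["enterprise_id"])
        if key is None:
            return None                       # enterprise has no account here
        second_auth_id = keyed(key, req["preset"])
        if not hmac.compare_digest(second_auth_id, req["auth_id"]):
            return None                       # authentication identifiers differ
        return {"call_id": req["call_id"], "first_param": req["first_param"]}


class Terminal:
    def __init__(self, call_id, user_key):
        self.call_id = call_id
        self.user_key = user_key              # second user authentication key

    def build_authentication_request(self, reg_resp):
        return {"call_id": self.call_id,
                "enterprise_id": reg_resp["enterprise_id"],
                "auth_id": reg_resp["auth_id"],
                "preset": reg_resp["preset"],
                "first_param": keyed(self.user_key, reg_resp["preset"])}


def register(terminal, enterprise, operator, tamper=None):
    """Run one registration attempt and report where it ended."""
    reg_resp = enterprise.on_registration_request(terminal.call_id)
    auth_req = terminal.build_authentication_request(reg_resp)
    if tamper is not None:
        auth_req = tamper(auth_req)           # models modification in transit
    auth_resp = operator.on_authentication_request(auth_req)
    if auth_resp is None:
        return "rejected by operator server"
    if not enterprise.on_authentication_response(auth_resp):
        return "rejected by enterprise server"
    return "registered"


def run_demo():
    ent_key = secrets.token_bytes(32)         # constructed shared enterprise key
    password = b"constructed-login-password"  # the page uses the login password as user key
    enterprise = EnterpriseServer("enterprise-A", ent_key, {"call-1001": password})
    operator = OperatorServer({"enterprise-A": ent_key})
    good = Terminal("call-1001", password)
    wrong = Terminal("call-1001", b"wrong-password")
    forge = lambda req: {**req, "auth_id": bytes(32)}
    return {
        "valid": register(good, enterprise, operator),
        "wrong_user_key": register(wrong, enterprise, operator),
        "forged_auth_id": register(good, enterprise, operator, tamper=forge),
        "unknown_enterprise": register(good, enterprise, OperatorServer({})),
    }


if __name__ == "__main__":
    for case, outcome in run_demo().items():
        print(f"{case}: {outcome}")
```
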
In a fourth aspect, an embodiment of the present invention provides an enterprise server, including a memory and a transceiver each coupled to a processor, where the memory stores computer program code, and the processor invokes and executes the computer program code in the memory, so that the enterprise server performs the steps of any one of the implementations of the first aspect.
For a description of the beneficial effects of this aspect, see the first aspect; details are not repeated here.
In a fifth aspect, an embodiment of the present invention provides an operator server, including a memory and a transceiver each coupled to a processor, where the memory stores computer program code, and the processor invokes and executes the computer program code in the memory, so that the operator server performs the steps of any one of the implementations of the second aspect.
For a description of the beneficial effects of this aspect, see the first aspect; details are not repeated here.
In a sixth aspect, an embodiment of the present invention provides a terminal device, including a memory and a transceiver each coupled to a processor, where the memory stores computer program code, and the processor invokes and executes the computer program code in the memory, so that the terminal device performs the steps of any one of the implementations of the third aspect.
For a description of the beneficial effects of this aspect, see the first aspect; details are not repeated here.
In a seventh aspect, an embodiment of the present invention provides a communication system, including an enterprise server and an operator server, where the enterprise server is as described in the fourth aspect and the operator server is as described in the fifth aspect.
In an eighth aspect, an embodiment of the present invention provides a computer-readable storage medium that stores a computer program; when executed by a computer, the computer program can carry out the method of any one of the first aspect, the second aspect, and the third aspect.
In the solution provided in any of the above aspects, the first parameter is a first expected response (XRES) or expected value, and the second parameter is a second expected response or expected value. The first parameter is the parameter that the enterprise server expects the terminal device to respond with, and the second parameter is a parameter generated by the enterprise server; the enterprise server compares the first parameter with the second parameter to determine whether the terminal device passes authentication by the enterprise server.
Description of drawings
FIG. 1 is an example diagram of a first network structure of the communication system provided by the present application;
FIG. 2 is an example diagram of a second network structure of the communication system provided by the present application;
FIG. 3 is a flow chart of the steps of a first embodiment of the terminal device registration method provided by the present application;
FIG. 4 is a flow chart of the steps of a second embodiment of the terminal device registration method provided by the present application;
FIG. 5 is a structural example diagram of one embodiment of the network device provided by the present application;
FIG. 6 is a structural example diagram of another embodiment of the network device provided by the present application.
Detailed description
The technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the accompanying drawings. The described embodiments are only some, not all, of the embodiments of the present invention. All other embodiments obtained by those skilled in the art based on the embodiments of the present invention without creative effort fall within the protection scope of the present invention.
This application provides a terminal device registration method that ensures the calling user and the called user can quickly come online on the operator network, and that prevents the operator network from obtaining the private information of the calling user and the called user. To better understand the terminal device registration method provided in this embodiment, the network structures to which the method is applied are first described below as optional examples:
Network structure 1
Referring to FIG. 1, FIG. 1 is an example diagram of a first network structure of the communication system provided by the present application. The communication system shown in this embodiment includes an operator network 120 and an enterprise network 130 connected in sequence. The network type of the operator network 120 shown in this embodiment may be the IP multimedia subsystem (IMS). IMS is a new form of multimedia service that can meet the demand for newer and more diverse multimedia services. IMS is an important way to achieve the convergence of mobile and fixed networks and to introduce differentiated services such as the triple convergence of voice, data, and video.
This example takes IMS as the network type of the operator network 120. In other examples, the operator network 120 may be another real-time communication (RTC) network.
The network elements included in the operator network 120 are described below. Note that the description of each network element type in this embodiment is an optional example and is not limiting.
The operator network 120 shown in this embodiment includes a home subscriber server (HSS) 121. The HSS 121 is responsible for managing and maintaining the subscription data of all types of fixed and mobile, broadband and narrowband access users, and supports IMS service access authentication, roaming registration, and mobile called-party routing and addressing.
The HSS 121 is connected to network element 122, network element 123, and network element 124. Network element 122 integrates a multimedia resource function controller (MRFC) and a multimedia resource function processor (MRFP). Network element 123 is an application server (AS). Network element 124 integrates an interrogating-call session control function (I-CSCF) and a serving-call session control function (S-CSCF). A network element may also be called a device.
Network element 124 is connected to network element 126, which integrates an access session border controller (SBC) and a proxy-call session control function (P-CSCF).
The structure of the enterprise network 130 shown in this embodiment is described below. Note that the description of the enterprise network 130 in this embodiment is an optional example and is not limiting.
The enterprise network 130 includes an enterprise server 131 and a terminal device 133. The enterprise server 131 is connected to the HSS 121 and to the terminal device 133. The terminal device 133 is connected to network element 126.
The terminal device 133 may be either a smart terminal or a computer. An application may be installed on the terminal device 133, or an IMS software development kit (SDK) may be built into it, to implement the method shown in this application.
Network structure 2
Referring to FIG. 2, FIG. 2 is an example diagram of a second network structure of the communication system provided by the present application. The communication system shown in this example includes the terminal device 200 used by the user. For a description of the terminal device 200, see the related description of FIG. 1; details are not repeated here.
The terminal device 200 is connected to the enterprise server 201 and to a unified control function (UCF) 211. The UCF 211 is also connected to a service enabler function (SEF) 212 and a service user profile function (SUPF) 213, and the enterprise server 201 is connected to the SUPF 213. The SEF 212 is connected to a service and application function (SAF) 214 and to the SUPF 213. A bootstrapping server function (BSF) 215 is connected to the SUPF 213, the UCF 211, and the terminal device 200.
The functions performed by the UCF 211 may include: handling the procedure by which a user registers with the communication system through the terminal device 200, and performing authentication and authorization of the user; interacting with the SUPF 213 to store, update, delete, and query the profile of the calling user, where the user profile can be used in the registration, authentication, and authorization procedures; processing signaling messages from the terminal device 200 and determining the corresponding signaling route according to different policies; and triggering the corresponding service according to the user profile obtained from the SUPF 213. With the introduction of service-based technology, the SEF 212 not only performs service-related support functions but can also perform user registration, authentication, authorization, and other functions at the application layer, and is responsible for managing services and applications. The SUPF 213 provides maintenance and management of user profiles, mainly storing, updating, deleting, and querying user-related data as required by the UCF 211. For example, a correspondence between a user identifier (ID) and a user profile is established, so that the SUPF 213 can query the user profile by user ID. The user profile may be provided by the operator or by the user.
The terminal device registration method provided in this application may involve two procedures. In the first, the enterprise server opens an account at the operator server. In the second, after the enterprise server has opened its account at the operator server, the terminal device is authenticated at the enterprise server and at the operator server respectively, to complete registration of the terminal device.
Embodiment 1
With reference to FIG. 3, this embodiment describes how the enterprise server opens an account at the operator server. FIG. 3 is a flow chart of the steps of the first embodiment of the terminal device registration method provided by this application.
Step 301: The enterprise server obtains account opening information.
If the method shown in this embodiment is applied to the communication system shown in FIG. 1, the enterprise server in this embodiment is the enterprise server 131 shown in FIG. 1. If the method is applied to the communication system shown in FIG. 2, the enterprise server in this embodiment is the enterprise server 201 shown in FIG. 2.
In the method shown in this embodiment, the users within the enterprise do not each need to open an account at the operator server; instead, the enterprise's enterprise server opens the account at the operator server. To do so, the enterprise server needs to obtain the account opening information used for opening an account at the operator server. The account opening information shown in this embodiment includes an account opening identifier, a first account opening key, and a second preset parameter. The second account opening key may be a verification key (Ki), and the account opening identifier may be an international mobile subscriber identification number (IMSI). This embodiment does not limit the specific type of the account opening identifier, as long as it corresponds uniquely to the enterprise server. The second preset parameter shown in this embodiment may be any parameter randomly generated by the enterprise server; its specific value is not limited in this embodiment.
Several optional ways for the enterprise server to obtain the account opening information are described below as examples:
Example 1
A universal enterprise identity module (UEIM) is installed in the enterprise server in this example. The account opening information is built into the UEIM, and when the enterprise server needs to open an account, it can read the account opening information directly from the UEIM. Specifically, the processor interface circuit of the enterprise server can directly read the account opening information in the UEIM.
Example 2
In Example 1, the UEIM is physical hardware installed in the enterprise server. In Example 2, the UEIM may be a virtual UEIM, which is a software module. When the enterprise server needs to open an account, its processor interface circuit reads the virtual UEIM stored in memory and thereby obtains the account opening information.
Example 3
The enterprise server in this example may receive the account opening information from another network element. This embodiment does not limit which entity sends the account opening information to the enterprise server. For example, as shown in FIG. 1, the enterprise server may receive the account opening information from the HSS; as shown in FIG. 2, the enterprise server may receive it from the SUPF or the BSF.
Step 302: The enterprise server performs a calculation on the second preset parameter using the first account opening key to obtain a first account opening parameter.
Specifically, this embodiment is described using the example in which the first account opening key is a symmetric key and the first account opening key stored by the enterprise server is identical to the second account opening key stored by the operator server. In other examples, the first account opening key and the second account opening key may also be asymmetric keys.
Step 303: The enterprise server sends an account opening request message to the operator server.
When the method shown in this embodiment is applied to the communication system shown in FIG. 1, the operator server is the HSS shown in FIG. 1. When the method is applied to the communication system shown in FIG. 2, the operator server is the SUPF shown in FIG. 2.
The enterprise server may send the operator server an account opening request message that carries the account opening identifier, the second preset parameter, and the first account opening parameter.
Step 304: The operator server performs a calculation on the second preset parameter using the second account opening key to obtain a second account opening parameter.
On receiving the account opening request message, the operator server shown in this embodiment can obtain the second account opening key. An optional way of obtaining the second account opening key is described below:
The operator server shown in this embodiment may be preconfigured with an account opening list, which contains the correspondence between different second account opening keys and the account opening identifiers of different enterprise servers. The account opening list is shown in Table 1 below:
Table 1
Account opening identifier | Second account opening key
Account opening identifier IMSI1 | Second account opening key PA1
Account opening identifier IMSI2 | Second account opening key PA2
Account opening identifier IMSI3 | Second account opening key PA3
It follows that if the account opening identifier carried in the account opening request message received by the operator server is "account opening identifier IMSI1", the operator server queries the account opening list shown in Table 1 and determines that the corresponding second account opening key is "second account opening key PA1".
Once the operator server has obtained the second account opening key, it performs a calculation on the second preset parameter using that key to obtain the second account opening parameter.
Step 305: The operator server determines whether the first account opening parameter and the second account opening parameter are the same. If so, step 306 is performed; if not, step 309 is performed.
In this embodiment, the operator server determines whether the enterprise server is a legitimate server by checking whether the first account opening parameter and the second account opening parameter are the same. Specifically, if the operator server determines that the two parameters are the same, it determines that the enterprise server is a legitimate server. If the operator server determines that the two parameters are different, it determines that the enterprise server is not a legitimate server.
Step 306: The operator server sends a first response message to the enterprise server.
When the operator server determines that the first account opening parameter and the second account opening parameter are the same, it sends the first response message to the enterprise server. The first response message indicates that the enterprise server is a legitimate server.
Step 307: The enterprise server sends an enterprise authentication message to the operator server.
When the enterprise server determines from the first response message that it is a legitimate server, it sends an enterprise authentication message to the operator server to request verification of whether the enterprise server passes verification.
Specifically, the enterprise authentication message may include one or more of the following:
the domain name used by the enterprise authentication request, the certificate authority (CA) certificate corresponding to the device certificate of the enterprise server, enterprise trusted information, or information on the services the enterprise has subscribed to.
The enterprise trusted information may be the enterprise name, the enterprise logo, pictures related to the enterprise (such as a photo or scan of the enterprise's business license), audio related to the enterprise, video related to the enterprise, and so on. The information on the services the enterprise has subscribed to may be the enterprise's default communication service, under which users within the enterprise may have internal calling permission or external calling permission. Internal calling permission covers incoming and outgoing calls between users within the enterprise; external calling permission covers incoming and outgoing calls between users inside the enterprise and persons outside the enterprise.
Step 308: The operator server sends an account opening confirmation message to the enterprise server.
Operator staff may use the operator server to verify the enterprise authentication message, or the operator server may verify the enterprise authentication message automatically; this is not limited in this embodiment.
Verification may include determining that the domain name used by the enterprise authentication request has not been applied for by another enterprise, and/or that the other information included in the enterprise authentication message is true, and/or that the audio and video related to the enterprise do not involve infringement, and so on. The description of the verification of the enterprise server in this embodiment is an optional example and is not limiting. When the operator server determines that the enterprise authentication message has passed verification, it sends the enterprise server an account opening confirmation message indicating that the enterprise server has successfully opened an account.
Step 309: The operator server sends a second response message to the enterprise server.
When the operator server determines that the first account opening parameter and the second account opening parameter are not the same, it sends the second response message to the enterprise server. The second response message indicates that the enterprise server is not a legitimate server. If the enterprise server determines from the second response message that it needs to open an account again, it may return to step 301 and repeat the account opening procedure.
In the account opening procedure shown in this embodiment, the enterprise's enterprise server opens the account at the operator server, and the enterprise's users do not each need to apply to the operator server for an account. Having the enterprise server responsible for account opening improves account opening efficiency. It also avoids the situation in which users apply to the operator server individually and their private information (for example, the user's name, number, identity information, or email address) is leaked during the account opening stage, which improves the security of user private information.
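The account opening exchange of steps 302 to 305 and 309, as an added example that is not part of the patent text. HMAC-SHA256 as the key calculation, the message field names, the class and function names, and the sample keys are assumptions; the rejection of unknown identifiers and of reused preset parameters is likewise added here and is not described in the patent.

```python
import hashlib
import hmac
import secrets

FIRST_RESPONSE = "first_response"    # step 306: enterprise server is legitimate
SECOND_RESPONSE = "second_response"  # step 309: enterprise server is not legitimate


def derive_account_opening_parameter(key: bytes, preset_parameter: bytes) -> bytes:
    """Steps 302 and 304: calculate over the second preset parameter with a key.

    Assumption: the patent does not name the calculation; HMAC-SHA256 stands in.
    """
    return hmac.new(key, preset_parameter, hashlib.sha256).digest()


class EnterpriseServer:
    """Holds the account opening identifier and the first account opening key."""

    def __init__(self, account_id: str, first_account_opening_key: bytes):
        self.account_id = account_id
        self.key = first_account_opening_key

    def build_account_opening_request(self) -> dict:
        # Second preset parameter: randomly generated by the enterprise server.
        preset = secrets.token_bytes(16)
        # Step 303: the request carries identifier, preset parameter and
        # the first account opening parameter (field names are hypothetical).
        return {
            "account_id": self.account_id,
            "second_preset_parameter": preset,
            "first_account_opening_parameter":
                derive_account_opening_parameter(self.key, preset),
        }


class OperatorServer:
    """Holds the account opening list (Table 1): identifier -> second key."""

    def __init__(self, account_opening_list: dict):
        self.account_opening_list = dict(account_opening_list)
        self.seen_presets = set()  # added hardening, not in the patent

    def handle_account_opening_request(self, request: dict) -> str:
        account_id = request["account_id"]
        preset = request["second_preset_parameter"]

        # Look up the second account opening key by identifier (Table 1).
        key = self.account_opening_list.get(account_id)
        if key is None:
            # Assumption: an identifier missing from the list is treated
            # the same as a failed comparison.
            return SECOND_RESPONSE

        # Because the requester picks the preset parameter itself, a captured
        # request would verify again; refuse a value already accepted.
        if (account_id, preset) in self.seen_presets:
            return SECOND_RESPONSE

        # Step 304, then step 305 with a constant-time comparison.
        second = derive_account_opening_parameter(key, preset)
        first = request["first_account_opening_parameter"]
        if not hmac.compare_digest(second, first):
            return SECOND_RESPONSE

        self.seen_presets.add((account_id, preset))
        return FIRST_RESPONSE


if __name__ == "__main__":
    # Constructed sample data; the key values are placeholders for PA1/PA2.
    operator = OperatorServer({
        "IMSI1": b"constructed-key-PA1",
        "IMSI2": b"constructed-key-PA2",
    })
    enterprise = EnterpriseServer("IMSI1", b"constructed-key-PA1")
    request = enterprise.build_account_opening_request()
    print(operator.handle_account_opening_request(request))  # accepted
    print(operator.handle_account_opening_request(request))  # replay refused
```
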
Embodiment 2
With reference to FIG. 4, this embodiment describes how, after the enterprise server has opened its account at the operator server, the user is authenticated at the enterprise server and at the operator server to complete user registration. FIG. 4 is a flow chart of the steps of the second embodiment of the terminal device registration method provided by this application.
Step 401: The terminal device sends a registration request message to the enterprise server.
The enterprise server shown in this embodiment can be applied to the communication system shown in FIG. 1 or FIG. 2. For details, see Embodiment 1; they are not repeated here.
To use communication services over the communication network, the user must pass authentication by the enterprise server and authentication by the operator server. The operator server shown in this embodiment can be applied to the communication system shown in FIG. 1 or FIG. 2. For details, see Embodiment 1; they are not repeated here.
To this end, the user uses the terminal device to log in to the enterprise server. The login may consist of the user entering a login user name and the corresponding login password on the terminal device. When the terminal device determines that the user has successfully logged in to the enterprise server, it sends the registration request message to the enterprise server.
For example, if the enterprise server determines that the login password used by the user matches the login password for that user stored in advance by the enterprise server, it determines that the user has logged in successfully. The enterprise server sends a login success indication message to the terminal device, and the terminal device, in response to that message, sends the registration request message to the enterprise server. If the enterprise server determines that the login password used by the user does not match the login password for that user stored in advance by the enterprise server, it determines that the login has failed. The enterprise server sends a login failure indication message to the terminal device, and the terminal device, in response to that message, prompts the user to re-enter the login user name and/or login password.
步骤402、企业服务器向终端设备发送注册响应消息。Step 402, the enterprise server sends a registration response message to the terminal device.
本实施例中,在企业服务器接收到该注册请求消息的情况下,该企业服务器向终端设备发送携带第一鉴权标识和第一预设参数的注册响应消息。In this embodiment, when the enterprise server receives the registration request message, the enterprise server sends a registration response message carrying the first authentication identifier and the first preset parameters to the terminal device.
其中,所述第一鉴权标识可为第一令牌(token),以下对企业服务器获取该第一鉴权标识的可选方式进行说明:Wherein, the first authentication identifier may be a first token (token), and an optional manner for the enterprise server to obtain the first authentication identifier is described below:
获取第一鉴权标识的方式1Method 1 for obtaining the first authentication ID
该方式以该第一鉴权标识为企业服务器根据第一企业鉴权密钥获取到的token为例,且本示例所示的企业服务器存储该第一企业鉴权密钥,而运营商服务器已存储第二企业鉴 权密钥,其中,第一企业鉴权密钥和第二企业鉴权密钥为对称密钥,即第一企业鉴权密钥和第二企业鉴权密钥相同。企业服务器通过第一企业鉴权密钥对第一预设参数进行加密以获取该第一鉴权标识,其中,该第一预设参数可为企业服务器随机生成的随机数,本示例对该第一预设参数的取值不做限定,在其他示例中,该第一预设参数也可为企业服务器预先存储的任意参数。In this method, the first authentication identifier is the token obtained by the enterprise server according to the first enterprise authentication key as an example, and the enterprise server shown in this example stores the first enterprise authentication key, and the operator server has The second enterprise authentication key is stored, wherein the first enterprise authentication key and the second enterprise authentication key are symmetric keys, that is, the first enterprise authentication key and the second enterprise authentication key are the same. The enterprise server encrypts the first preset parameter with the first enterprise authentication key to obtain the first authentication identifier, wherein the first preset parameter can be a random number randomly generated by the enterprise server. The value of a preset parameter is not limited, and in other examples, the first preset parameter may also be any parameter pre-stored by the enterprise server.
Manner 2 of obtaining the first authentication identifier
In this manner, the first authentication identifier is, by way of example, a token that the enterprise server obtains according to the first enterprise authentication key, and the first enterprise authentication key and the second enterprise authentication key in this example are asymmetric keys. Specifically, the first enterprise authentication key includes a first public key and a first private key, and the second enterprise authentication key includes a second public key and a second private key. The operator server sends the second public key to the enterprise server, and the enterprise server sends the first public key to the operator server. The first public key and the second private key, and the first private key and the second public key, are respectively paired keys that can decrypt each other.
The enterprise server performs a hash calculation on the first preset parameter to obtain first digest information, and encrypts the first digest information with the first private key to obtain first signature information. The enterprise server encrypts the first signature information and the first preset parameter with the second public key to obtain a first authentication parameter. The first authentication identifier in this example is the first digest information, so the enterprise server sends the first digest information in encrypted form. Because the enterprise server sends the first authentication identifier in encrypted form, the security of sending the first authentication identifier is effectively improved, and leakage of and tampering with the first authentication identifier are avoided.
Manner 3 of obtaining the first authentication identifier
In the account-opening stage, if the operator server determines that the enterprise authentication message of the enterprise server passes verification, it issues the first token to the enterprise server. For how the operator server determines that the enterprise authentication message of the enterprise server passes verification, see Embodiment 1; details are not repeated here.
Optionally, the enterprise server starts a timer, and the start time of the timer is the moment at which the enterprise server finishes sending the registration response message.
Step 403: The terminal device obtains a first parameter according to the registration response message.
In this embodiment, when the terminal device receives the first authentication identifier and the first preset parameter from the enterprise server, the terminal device performs a calculation on the first preset parameter using a second user authentication key to obtain the first parameter. The second user authentication key may be the login password with which the terminal device logs in to the enterprise server.
Specifically, when the terminal device successfully receives the registration response message, the terminal device prompts the user to enter the login password for logging in to the enterprise server. If that login password can successfully log in to the enterprise server, the terminal device determines that the login password is the second user authentication key.
The first parameter in this embodiment may also be called a first expected response (XRES) or an expected value; that is, the first parameter is the parameter with which the enterprise server expects the terminal device to respond.
The description of the second user authentication key in this embodiment is an optional example. In other examples, the second user authentication key may also be a key pre-stored by the terminal device.
Step 404: The terminal device sends an authentication request message to the forwarding network element.
If the method of this embodiment is applied to the communication system shown in FIG. 1, the forwarding network element in this embodiment is the P-CSCF or SBC shown in FIG. 1. If the method of this embodiment is applied to the communication system shown in FIG. 2, the forwarding network element in this embodiment is the UCF shown in FIG. 2.
The terminal device in this embodiment sends the authentication request message to the forwarding network element with which it is registered. Specifically, the terminal device pre-stores the address of that forwarding network element and sends the authentication request message to that address. The stored address of the forwarding network element may be an Internet Protocol (IP) address of the forwarding network element. Alternatively, the address of the forwarding network element may be a domain name address or any other type of address, which is not limited in this embodiment.
The authentication request message carries the first parameter, the first authentication identifier, a call identifier and an enterprise identifier. The call identifier is the identifier that the terminal device uses to implement communication services, which include but are not limited to calling service, called service, supplementary service, intelligent service, color ring back tone service, or color ring tone service. The call identifier may be the user's real number, the user's e-mail address, or a user identifier. The user identifier is globally unique among all identifiers logged in to the enterprise server; that is, different users logged in to the enterprise server correspond to different user identifiers. The enterprise identifier is the identifier corresponding to the enterprise server; that is, different enterprise servers correspond to different enterprise identifiers. For example, the enterprise identifier may be the domain name address of the enterprise.
Step 405: The forwarding network element sends the authentication request message to the operator server.
Specifically, the forwarding network element obtains the address of the operator server according to the authentication request message and sends the authentication request message to that address, to ensure that the operator server can receive the authentication request message.
For example, the forwarding network element may be pre-configured with a forwarding address list, which contains the correspondence between different enterprise identifiers and the addresses of different operator servers, as shown in Table 2:
Table 2
Enterprise identifier | IP address of the operator server
Enterprise identifier A1 | IP F1
Enterprise identifier A2 | IP F2
Enterprise identifier A3 | IP F3
For example, when the forwarding network element receives the authentication request message and the enterprise identifier obtained from it is "enterprise identifier A3", the forwarding network element queries the forwarding address list shown in Table 2 and obtains "IP F3" as the address of the corresponding operator server. This embodiment takes an IP address as the example address of the operator server. In other examples, the address of the operator server may also be a domain name address or any other type of address, which is not limited in this embodiment.
Step 406: The operator server obtains a second authentication identifier according to the authentication request message.
In this embodiment, when the operator server receives the authentication request message, the operator server obtains a second authentication identifier according to the authentication request message. The second authentication identifier may be a second token. Optional manners in which the operator server obtains the second authentication identifier are described below:
Manner 1
This manner assumes that the enterprise server used manner 1 of obtaining the first authentication identifier described in step 402. In this case, the authentication request message also carries the first preset parameter. The operator server has stored the second enterprise authentication key, which is the same as the first enterprise authentication key; see step 402 for details, which are not repeated here. The operator server encrypts the first preset parameter carried in the authentication request message with the second enterprise authentication key to obtain the second authentication identifier.
Manner 2
This manner assumes that the enterprise server used manner 2 of obtaining the first authentication identifier described in step 402. In this case, the second enterprise authentication key of the operator server includes the second public key and the second private key; see step 402 for details, which are not repeated here. The operator server decrypts the first authentication parameter carried in the authentication request message with the second private key to obtain the first signature information and the first preset parameter. The operator server decrypts the first signature information with the first public key to obtain the first digest information (that is, the first authentication identifier). The operator server performs a hash calculation on the first preset parameter to obtain second digest information. In this example, the second digest information is the second authentication identifier.
Manner 3
This manner assumes that the enterprise server used manner 3 of obtaining the first authentication identifier described in step 402. In this case, the operator server has been pre-configured with an authentication list, which contains the correspondence between enterprise identifiers and second authentication identifiers. The operator server obtains the enterprise identifier from the authentication request message and obtains the corresponding second authentication identifier by querying the authentication list.
The operator server in this embodiment can authenticate users from different enterprises. To that end, the operator server may be pre-configured with an authentication identifier list, as shown in Table 3:
Table 3
Enterprise identifier | Authentication identifier
Enterprise identifier A1 | Authentication identifier G1
Enterprise identifier A2 | Authentication identifier G2
Enterprise identifier A3 | Authentication identifier G3
For example, if the operator server determines that the enterprise identifier carried in the authentication request message is "enterprise identifier A3", the operator server queries the authentication identifier list shown in Table 3 and determines that the corresponding "authentication identifier G3" is the second authentication identifier. For a description of the enterprise identifier, see step 404; details are not repeated here.
Step 407: The operator server determines whether the first authentication identifier and the second authentication identifier are the same. If not, step 408 is performed; if so, step 409 is performed.
In this embodiment, for the user of the terminal device to use communication services, the terminal device must pass authentication by the operator server. To that end, the operator server determines whether the first authentication identifier and the second authentication identifier are the same. If the operator server determines that they are the same, the terminal device has passed authentication by the operator server. If the operator server determines that they are different, the terminal device has not passed authentication by the operator server.
Step 408: The operator server sends an authentication failure response message to the enterprise server.
When the operator server determines that the first authentication identifier and the second authentication identifier are different, the operator server sends an authentication failure response message to the enterprise server. The authentication failure response message indicates that the terminal device has not passed authentication by the operator server.
Step 409: The operator server sends an authentication response message to the enterprise server.
When the operator server determines that the first authentication identifier and the second authentication identifier are the same, the operator server sends an authentication response message to the enterprise server. The authentication response message indicates that the terminal device has passed authentication by the operator server. The authentication response message carries the first parameter and the call identifier.
To send the authentication response message to the enterprise server, the operator server needs to obtain the address of the enterprise server and send the authentication response message to that address. For example, the operator server may be pre-configured with a notification address list, which contains the correspondence between different enterprise identifiers and the addresses of different enterprise servers, as shown in Table 4:
Table 4
Enterprise identifier | IP address of the enterprise server
Enterprise identifier A1 | IP A1
Enterprise identifier A2 | IP A2
Enterprise identifier A3 | IP A3
For example, if the operator server determines that the enterprise identifier is "enterprise identifier A3", the operator server queries the notification address list shown in Table 2 and determines that the corresponding IP address is "IP A3"; the operator server therefore sends the authentication response message to "IP A3". This embodiment takes an IP address as the example address of the enterprise server in the notification address list. In other examples, the address of the enterprise server in the notification address list may also be the domain name address of the enterprise server or any other type of address, which is not limited in this embodiment.
Step 410: The enterprise server obtains a second parameter according to the authentication response message.
The process by which the enterprise server obtains the second parameter is described below:
First, the enterprise server obtains a first user authentication key. Specifically, the authentication response message in this embodiment carries the call identifier, and the enterprise server has been configured with a user authentication key list, as shown in Table 5:
Table 5
Call identifier | User authentication key
Call identifier C1 | User authentication key D1
Call identifier C2 | User authentication key D2
Call identifier C3 | User authentication key D3
So that the enterprise server can authenticate the different users logged in to it, the user authentication key list configured on the enterprise server, as shown in Table 5, contains the correspondence between different user authentication keys and the call identifiers of different users.
Thus, if the enterprise server determines that the call identifier carried in the authentication response message is "call identifier C2", the enterprise server determines that the corresponding first user authentication key is "user authentication key D2".
The second user authentication key and the first user authentication key in this embodiment are the same. For a description of the first user authentication key, see the description of the second user authentication key in step 403 above; details are not repeated here.
Second, the enterprise server performs a calculation on the first preset parameter using the first user authentication key to obtain the second parameter.
Specifically, the first preset parameter is carried in the authentication response message, or the enterprise server obtains it from a configured preset parameter list, as shown in Table 6:
Table 6
Call identifier | First preset parameter
Call identifier C1 | First preset parameter E1
Call identifier C2 | First preset parameter E2
Call identifier C3 | First preset parameter E3
The preset parameter list configured on the enterprise server, as shown in Table 6, contains the correspondence between different call identifiers and different preset parameters. Thus, if the enterprise server determines that the call identifier carried in the authentication response message is "call identifier C2", the enterprise server determines that the corresponding first preset parameter is "first preset parameter E2".
The second parameter in this embodiment may also be called a second expected response or an expected value. The second parameter is generated by the enterprise server, and the enterprise server compares the first parameter with the second parameter to determine whether the terminal device passes authentication by the enterprise server.
Optionally, the enterprise server has started a timer in step 402. If the enterprise server has not received the authentication response message from the operator server within the duration of the timer, registration of the terminal device has failed, and the enterprise server directly sends the terminal device a response message indicating that registration of the terminal device has failed.
Step 411: The enterprise server determines whether the first parameter and the second parameter are the same. If not, step 412 is performed; if so, step 413 is performed.
As described in step 409, the authentication response message carries the first parameter. The enterprise server determines whether the first parameter and the second parameter are the same. If they are the same, the terminal device has passed authentication by the enterprise server. The terminal device has then passed authentication by the operator server and by the enterprise server, which means that registration of the terminal device has succeeded.
If the first parameter and the second parameter are different, the terminal device has not passed authentication by the enterprise server. The terminal device has then passed authentication by the operator server but not by the enterprise server, which means that registration of the terminal device has failed.
Step 412: The enterprise server sends an authentication failure response message to the operator server.
When the enterprise server determines that the first parameter and the second parameter are different, the enterprise server sends the authentication failure response message to the operator server. The authentication failure response message indicates that the terminal device has not passed authentication by the enterprise server.
Step 413: The enterprise server sends a first indication message to the operator server.
When the enterprise server determines that the first parameter and the second parameter are the same, the enterprise server sends the first indication message to the operator server. The first indication message indicates that registration of the terminal device has succeeded.
Step 414: The operator server sends a second indication message to the forwarding network element.
When the operator server receives the first indication message from the enterprise server, it determines that registration of the terminal device has succeeded. The operator server records the information of the terminal device that relates to communication services, so that the terminal device can subsequently use those services. This information may be the call identifier, the address of the enterprise server, the address of the forwarding network element, the enterprise identifier, and so on, which is not limited in this embodiment, provided that the operator server can use the information to provide communication services to the terminal device.
After the operator server has successfully recorded the information of the terminal device that relates to communication services, it sends the second indication message to the forwarding network element. The second indication message notifies the terminal device that its registration has succeeded.
Step 415: The forwarding network element sends the second indication message to the terminal device.
When the terminal device receives the second indication message from the forwarding network element, the terminal device determines that registration has succeeded and can use the communication network shown in FIG. 1 or FIG. 2 to implement communication services.
With the method of this embodiment, the enterprise server and the operator server each authenticate the terminal device. When the terminal device passes authentication by the operator server and passes authentication by the enterprise server, the terminal device is registered successfully and can implement communication services through the operator server and the enterprise server. The registration process therefore requires coordinated authentication among three devices, namely the terminal device, the operator server and the enterprise server, which improves the registration efficiency of the terminal device. During registration, the terminal device does not rely on a relay network; instead, it interacts directly with the enterprise server and the operator server to complete registration, which reduces the complexity of registering the terminal device and reduces the difficulty and cost of maintaining the communication network.
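The following Python sketch is an added illustration of steps 402 to 415 using manner 1 of obtaining the authentication identifiers; it is not code from the application. HMAC-SHA256 stands in for the encryption and calculation that the text leaves unspecified, and all class names, keys and identifiers are constructed for the example.

```python
import hashlib
import hmac
import secrets


def keyed(key: bytes, data: bytes) -> bytes:
    """Assumed primitive: HMAC-SHA256 replaces the unspecified 'encrypt with the
    enterprise key' and 'calculate with the user key' operations."""
    return hmac.new(key, data, hashlib.sha256).digest()


class EnterpriseServer:
    def __init__(self, enterprise_key: bytes, user_keys: dict):
        self.enterprise_key = enterprise_key  # first enterprise authentication key
        self.user_keys = user_keys            # call identifier -> user key (Table 5)
        self.pending = {}                     # call identifier -> preset parameter (Table 6)

    def registration_response(self, call_id: str):
        """Step 402: issue the first authentication identifier and preset parameter."""
        preset = secrets.token_bytes(16)
        self.pending[call_id] = preset
        return keyed(self.enterprise_key, preset), preset

    def verify(self, call_id: str, first_parameter: bytes) -> bool:
        """Steps 410-411: recompute the second parameter and compare."""
        # pop() makes each preset parameter single-use; that is a choice of this
        # sketch, not something the text states.
        preset = self.pending.pop(call_id, None)
        user_key = self.user_keys.get(call_id)
        if preset is None or user_key is None:
            return False
        return hmac.compare_digest(first_parameter, keyed(user_key, preset))


class OperatorServer:
    def __init__(self, enterprise_keys: dict, enterprise_servers: dict):
        self.enterprise_keys = enterprise_keys        # enterprise id -> second enterprise key
        self.enterprise_servers = enterprise_servers  # enterprise id -> server (Table 4)
        self.registered = set()

    def handle(self, req: dict) -> str:
        key = self.enterprise_keys.get(req["enterprise_id"])
        enterprise = self.enterprise_servers.get(req["enterprise_id"])
        if key is None or enterprise is None:
            return "operator_auth_failed"
        # Steps 406-407, manner 1: derive the second identifier, compare in constant time.
        second_identifier = keyed(key, req["preset"])
        if not hmac.compare_digest(req["first_identifier"], second_identifier):
            return "operator_auth_failed"             # step 408
        # Step 409: pass the first parameter and call identifier to the enterprise.
        if not enterprise.verify(req["call_id"], req["first_parameter"]):
            return "enterprise_auth_failed"           # step 412
        self.registered.add(req["call_id"])           # steps 413-414
        return "registered"


class ForwardingElement:
    def __init__(self, forwarding_table: dict):
        self.forwarding_table = forwarding_table      # enterprise id -> operator (Table 2)

    def forward(self, req: dict) -> str:
        """Step 405: route on the enterprise identifier carried in the request."""
        operator = self.forwarding_table.get(req["enterprise_id"])
        return "no_route" if operator is None else operator.handle(req)


def register(user_password: bytes, enterprise_id: str = "a3.example",
             tamper_identifier: bool = False) -> str:
    """Run the exchange once with constructed data and return the outcome."""
    call_id = "c2@a3.example"
    shared = b"constructed-enterprise-key"
    enterprise = EnterpriseServer(shared, {call_id: b"constructed-login-password"})
    operator = OperatorServer({"a3.example": shared}, {"a3.example": enterprise})
    forwarder = ForwardingElement({"a3.example": operator})

    identifier, preset = enterprise.registration_response(call_id)   # step 402
    if tamper_identifier:
        identifier = bytes([identifier[0] ^ 1]) + identifier[1:]
    request = {                                                       # steps 403-404
        "first_parameter": keyed(user_password, preset),
        "first_identifier": identifier,
        "preset": preset,
        "call_id": call_id,
        "enterprise_id": enterprise_id,
    }
    return forwarder.forward(request)                                 # steps 405-415


if __name__ == "__main__":
    print(register(b"constructed-login-password"))
    print(register(b"wrong-password"))
    print(register(b"constructed-login-password", tamper_identifier=True))
```

The three outcomes separate the two checks: a modified first authentication identifier is rejected by the operator server before the enterprise server is consulted, while a wrong user key passes the operator check and is rejected only by the enterprise server.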
Embodiment 3
This embodiment describes, with reference to FIG. 5, the structure of a network device that performs the above call processing method:
The network device 500 includes a processing unit 501 and a transceiver unit 502, where the processing unit 501 is connected to the transceiver unit 502.
If the network device 500 in this embodiment is the enterprise server, the processing unit 501 is configured to perform the processing functions performed by the enterprise server in either Embodiment 1 or Embodiment 2. The transceiver unit 502 is configured to perform the transceiving functions performed by the enterprise server in either Embodiment 1 or Embodiment 2.
For example, in Embodiment 1, the processing unit 501 is configured to perform steps 301 and 302. The transceiver unit 502 is configured to perform steps 303, 307 and 309. As another example, in Embodiment 2, the processing unit 501 is configured to perform steps 410 and 411. The transceiver unit 502 is configured to perform steps 402, 412 and 413.
If the network device 500 in this embodiment is the operator server, the processing unit 501 is configured to perform the processing functions performed by the operator server in either Embodiment 1 or Embodiment 2. The transceiver unit 502 is configured to perform the transceiving functions performed by the operator server in either Embodiment 1 or Embodiment 2.
For example, in Embodiment 1, the processing unit 501 is configured to perform steps 301 and 302. The transceiver unit 502 is configured to perform steps 306, 307 and 308. As another example, in Embodiment 2, the processing unit 501 is configured to perform steps 304 and 305. As another example, in Embodiment 2, the processing unit 501 is configured to perform steps 406 and 407. The transceiver unit 502 is configured to perform steps 408, 409 and 414.
If the network device 500 in this embodiment is the terminal device, the processing unit 501 is configured to perform the processing functions performed by the terminal device in Embodiment 2. The transceiver unit 502 is configured to perform the transceiving functions performed by the terminal device in Embodiment 2.
For example, in Embodiment 2, the processing unit 501 is configured to perform step 403. The transceiver unit 502 is configured to perform step 404.
If the network device 500 in this embodiment is the forwarding network element, the processing unit 501 is configured to perform the processing functions performed by the forwarding network element in Embodiment 2. The transceiver unit 502 is configured to perform the transceiving functions performed by the forwarding network element in Embodiment 2.
For example, in Embodiment 2, the transceiver unit 502 is configured to perform steps 405 and 415.
Embodiment 4
With reference to FIG. 6, this embodiment describes the structure of a network device that executes the above call processing method. The network device shown in this embodiment may be the enterprise server shown in any of Embodiments 1 to 3 above. The network device shown in this embodiment may also be the operator server shown in any of Embodiments 1 to 3 above. In addition, the terminal device shown in any of Embodiments 1 to 3 may also adopt the structure shown in this embodiment.
Specifically, the network device shown in this embodiment includes a processor 601, a memory 602, a bus 603, a transceiver 604 and a network interface 606.
Specifically, the memory 602 may include computer storage media in the form of volatile and/or non-volatile memory, such as read-only memory and/or random access memory. The memory 602 may store an operating system, application programs, other program modules, executable code and program data.
The transceiver 604 may be used to input commands and information to the network device, and may be connected to the processor 601 through the bus 603. The transceiver 604 may also be used by the network device to output or input information.
The network device may be connected to a communication network through the network interface 606. In a networked environment, the computer-executable instructions stored in the network device may be stored in a remote storage device and are not limited to local storage.
When the processor 601 in the network device executes the executable code or application programs stored in the memory 602, the network device can perform the method operations of any side in the above method embodiments. For the specific execution process, refer to the above method embodiments; details are not repeated here.
As described above, the above embodiments are only used to illustrate the technical solutions of the present invention, not to limit them. Although the present invention has been described in detail with reference to the foregoing embodiments, those of ordinary skill in the art should understand that they may still modify the technical solutions described in the foregoing embodiments, or make equivalent replacements for some of the technical features; and these modifications or replacements do not cause the essence of the corresponding technical solutions to depart from the scope of the technical solutions of the embodiments of the present invention.

Claims (30)

  1. A method for registering a terminal device, characterized in that the method comprises:
    an enterprise server sends a registration response message to a terminal device in response to a registration request message from the terminal device;
    the enterprise server receives an authentication message from an operator server, where the authentication message is used to indicate that the terminal device has passed authentication, and the authentication message carries a first parameter;
    the enterprise server obtains a second parameter according to the authentication message;
    if the enterprise server determines that the first parameter and the second parameter are the same, it determines that the terminal device has passed registration.
  2. The method according to claim 1, characterized in that, before the enterprise server sends the registration response message to the terminal device in response to the registration request message from the terminal device, the method further comprises:
    the enterprise server obtains a first authentication identifier according to a first enterprise authentication key;
    the enterprise server sending the registration response message to the terminal device in response to the registration request message from the terminal device comprises:
    the enterprise server sends the registration response message to the terminal device, where the registration response message carries the first authentication identifier and a first preset parameter, and the first authentication identifier and the first preset parameter are used to obtain the first parameter.
  3. The method according to claim 2, characterized in that the first authentication identifier is a first token, or first digest information obtained by performing a hash calculation on the first preset parameter.
  4. The method according to any one of claims 1 to 3, characterized in that the enterprise server obtaining the second parameter according to the authentication message comprises:
    the enterprise server calculates the first preset parameter by using a first user authentication key to obtain the second parameter;
    after the enterprise server determines that the first parameter and the second parameter are the same and therefore determines that the terminal device has passed registration, the method further comprises:
    the enterprise server sends a first indication message to the operator server, where the first indication message is used to indicate that the terminal device has passed registration.
  5. The method according to claim 4, characterized in that the authentication message further carries a call identifier used by the terminal device to implement a communication service, and before the enterprise server calculates the first preset parameter by using the first user authentication key to obtain the second parameter, the method further comprises:
    the enterprise server obtains the first user authentication key corresponding to the call identifier.
  6. The method according to claim 4 or 5, characterized in that the first user authentication key is the same as a second user authentication key, where the second user authentication key is used to obtain the first parameter.
  7. The method according to any one of claims 1 to 6, characterized in that, before the enterprise server sends the registration response message to the terminal device in response to the registration request message from the terminal device, the method further comprises:
    the enterprise server obtains an account opening identifier, a first account opening key and a second preset parameter;
    the enterprise server calculates the second preset parameter by using the first account opening key to obtain a first account opening parameter;
    the enterprise server sends an account opening request message to the operator server, where the account opening request message carries the account opening identifier, the second preset parameter and the first account opening parameter;
    the enterprise server receives an account opening confirmation message from the operator server, where the account opening confirmation message is used to indicate that the enterprise server has successfully opened an account.
  8. A method for registering a terminal device, characterized in that the method comprises:
    an operator server receives an authentication request message from a terminal device, where the authentication request message carries a first authentication identifier and a first parameter;
    the operator server obtains a second authentication identifier according to the authentication request message;
    if the operator server determines that the first authentication identifier and the second authentication identifier are the same, it sends an authentication message to an enterprise server, where the authentication message is used to indicate that the terminal device has passed authentication, and the authentication message carries the first parameter.
  9. The method according to claim 8, characterized in that the operator server obtaining the second authentication identifier according to the authentication request message comprises:
    the operator server obtains the second authentication identifier according to a second enterprise authentication key.
  10. The method according to claim 9, characterized in that the second authentication identifier is a second token, or second digest information obtained by performing a hash calculation on a first preset parameter carried in the authentication request message.
  11. The method according to claim 9 or 10, characterized in that the authentication request message further carries an enterprise identifier corresponding to the enterprise server, and before the operator server receives the authentication request message from the terminal device, the method further comprises:
    the operator server obtains the second enterprise authentication key corresponding to the enterprise identifier.
  12. The method according to claim 11, characterized in that the authentication message further carries a call identifier, and the call identifier is used to implement a communication service of the terminal device.
  13. The method according to any one of claims 8 to 12, characterized in that, after the operator server determines that the first authentication identifier and the second authentication identifier are the same and sends the authentication message to the enterprise server, the method further comprises:
    the operator server receives a first indication message from the enterprise server;
    the operator server sends a second indication message to the terminal device according to the first indication message, where the second indication message is used to indicate that the terminal device has passed registration.
  14. The method according to any one of claims 8 to 13, characterized in that, before the operator server receives the authentication request message from the terminal device, the method further comprises:
    the operator server receives an account opening request message from the enterprise server, where the account opening request message carries an account opening identifier, a second preset parameter and a first account opening parameter;
    the operator server obtains a second account opening key corresponding to the account opening identifier;
    the operator server calculates the second preset parameter by using the second account opening key to obtain a second account opening parameter;
    if the operator server determines that the first account opening parameter and the second account opening parameter are the same, it sends an account opening confirmation message to the enterprise server, where the account opening confirmation message is used to indicate that the enterprise server has successfully opened an account.
  15. A method for registering a terminal device, characterized in that the method comprises:
    a terminal device sends a registration request message to an enterprise server;
    the terminal device receives a registration response message from the enterprise server, where the registration response message carries a first authentication identifier;
    the terminal device obtains a first parameter according to the registration response message;
    the terminal device sends an authentication request message to an operator server, where the authentication request message carries the first authentication identifier and the first parameter;
    the terminal device receives, from the operator server, an indication message used to indicate that registration has passed.
  16. The method according to claim 15, characterized in that the registration response message further carries a first preset parameter, and the terminal device obtaining the first parameter according to the registration response message comprises:
    the terminal device calculates the first preset parameter by using a second user authentication key to obtain the first parameter.
  17. The method according to claim 15 or 16, characterized in that the method further comprises:
    the terminal device sends, to the operator server, a call identifier used to implement a communication service.
  18. A method for registering a terminal device, characterized in that the method comprises:
    a terminal device sends a registration request message to an enterprise server;
    the enterprise server sends a registration response message to the terminal device in response to the registration request message, where the registration response message carries a first authentication identifier;
    the terminal device obtains a first parameter according to the registration response message;
    the terminal device sends an authentication request message to the operator server, where the authentication request message carries the first authentication identifier and the first parameter;
    the operator server obtains a second authentication identifier according to the authentication request message;
    if the operator server determines that the first authentication identifier and the second authentication identifier are the same, it sends an authentication message to the enterprise server, where the authentication message is used to indicate that the terminal device has passed authentication, and the authentication message carries the first parameter;
    the enterprise server obtains a second parameter according to the authentication message;
    if the enterprise server determines that the first parameter and the second parameter are the same, it determines that the terminal device has passed registration.
  19. The method according to claim 18, characterized in that, before the enterprise server sends the registration response message to the terminal device in response to the registration request message, the method further comprises:
    the enterprise server obtains the first authentication identifier according to a first enterprise authentication key;
    the enterprise server sending the registration response message to the terminal device in response to the registration request message comprises:
    the enterprise server sends the registration response message to the terminal device, where the registration response message carries the first authentication identifier and a first preset parameter, and the first authentication identifier and the first preset parameter are used to obtain the first parameter;
    the terminal device receives the registration response message.
  20. The method according to claim 19, characterized in that the terminal device obtaining the first parameter according to the registration response message comprises:
    the terminal device calculates the first preset parameter by using a second user authentication key to obtain the first parameter.
  21. The method according to claim 19 or 20, characterized in that the enterprise server obtaining the second parameter according to the authentication message comprises:
    the enterprise server calculates the first preset parameter by using a first user authentication key to obtain the second parameter;
    after the enterprise server determines that the first parameter and the second parameter are the same and therefore determines that the terminal device has passed registration, the method further comprises:
    the enterprise server sends a first indication message to the operator server, where the first indication message is used to indicate that the terminal device has passed registration;
    the operator server receives the first indication message.
  22. The method according to claim 21, characterized in that the authentication message further carries a call identifier used by the terminal device to implement a communication service, and before the enterprise server calculates the first preset parameter by using the first user authentication key to obtain the second parameter, the method further comprises:
    the enterprise server obtains the first user authentication key corresponding to the call identifier.
  23. The method according to any one of claims 18 to 22, characterized in that, before the enterprise server sends the registration response message to the terminal device in response to the registration request message, the method further comprises:
    the enterprise server obtains an account opening identifier, a first account opening key and a second preset parameter;
    the enterprise server calculates the second preset parameter by using the first account opening key to obtain a first account opening parameter;
    the enterprise server sends an account opening request message to the operator server, where the account opening request message carries the account opening identifier, the second preset parameter and the first account opening parameter;
    the operator server receives the account opening request message;
    the operator server obtains a second account opening key corresponding to the account opening identifier;
    the operator server calculates the second preset parameter by using the second account opening key to obtain a second account opening parameter;
    if the operator server determines that the first account opening parameter and the second account opening parameter are the same, it sends an account opening confirmation message to the enterprise server, where the account opening confirmation message is used to indicate that the enterprise server has successfully opened an account;
    the enterprise server receives the account opening confirmation message.
  24. The method according to any one of claims 18 to 23, characterized in that the first authentication identifier is a first token, or first digest information obtained by performing a hash calculation on a first preset parameter;
    the second authentication identifier is a second token, or second digest information obtained by performing a hash calculation on the first preset parameter carried in the authentication request message.
  25. An enterprise server, characterized by comprising a memory and a transceiver each coupled to a processor, where the memory stores computer program code, and the processor invokes and executes the computer program code in the memory so that the enterprise server performs the steps according to any one of claims 1-7.
  26. An operator server, characterized by comprising a memory and a transceiver each coupled to a processor, where the memory stores computer program code, and the processor invokes and executes the computer program code in the memory so that the operator server performs the steps according to any one of claims 8-14.
  27. A terminal device, characterized by comprising a memory and a transceiver each coupled to a processor, where the memory stores computer program code, and the processor invokes and executes the computer program code in the memory so that the terminal device performs the steps according to any one of claims 15-17.
  28. A communication system, characterized in that the communication system comprises a terminal device, an enterprise server and an operator server, and the communication system is configured to perform the steps according to any one of claims 18-24.
  29. A communication system, characterized by comprising an enterprise server and an operator server, where the enterprise server is as claimed in claim 25 and the operator server is as claimed in claim 26.
  30. A computer-readable storage medium, characterized in that
    the computer-readable storage medium stores a computer program, and when the computer program is executed by a computer, the method according to any one of claims 1 to 24 can be carried out.
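The two-stage check of claims 18 to 22, worked through as an added example (not code from the patent or its applicant): the operator server verifies the first authentication identifier, then the enterprise server verifies the first parameter. Assumptions: HMAC-SHA256 stands in for the unspecified keyed calculation, the registration request names the call identifier, each first preset parameter is accepted once, and all class, field and key names are hypothetical.

```python
import hashlib
import hmac
import secrets


def keyed_calc(key: bytes, data: bytes) -> bytes:
    # Assumption: the claims only say "calculate"/"hash"; HMAC-SHA256 is used here.
    return hmac.new(key, data, hashlib.sha256).digest()


class EnterpriseServer:
    def __init__(self, enterprise_id, enterprise_key, user_keys):
        self.enterprise_id = enterprise_id
        self.enterprise_key = enterprise_key  # first enterprise authentication key
        self.user_keys = user_keys            # call identifier -> first user authentication key
        self.pending = {}                     # call identifier -> first preset parameter
        self.registered = set()

    def registration_response(self, call_id):
        # Assumption: the registration request names the call identifier.
        preset = secrets.token_bytes(16)      # first preset parameter, fresh per attempt
        self.pending[call_id] = preset
        return {
            "enterprise_id": self.enterprise_id,
            "auth_id": keyed_calc(self.enterprise_key, preset),  # first authentication identifier
            "preset": preset,
        }

    def on_authentication_message(self, msg):
        # pop(): a preset parameter is accepted once (assumption), so a replay fails.
        preset = self.pending.pop(msg["call_id"], None)
        user_key = self.user_keys.get(msg["call_id"])
        if preset is None or user_key is None:
            return False
        second_param = keyed_calc(user_key, preset)
        if not hmac.compare_digest(second_param, msg["first_param"]):
            return False
        self.registered.add(msg["call_id"])
        return True                           # stands for the first indication message


class OperatorServer:
    def __init__(self, enterprise_keys, enterprises):
        self.enterprise_keys = enterprise_keys  # enterprise identifier -> second enterprise authentication key
        self.enterprises = enterprises          # enterprise identifier -> EnterpriseServer

    def on_authentication_request(self, req):
        key = self.enterprise_keys.get(req["enterprise_id"])
        if key is None:
            return False
        second_auth_id = keyed_calc(key, req["preset"])
        if not hmac.compare_digest(second_auth_id, req["auth_id"]):
            return False                      # terminal fails operator-side authentication
        auth_msg = {"call_id": req["call_id"], "first_param": req["first_param"]}
        # The return value stands for the second indication message to the terminal.
        return self.enterprises[req["enterprise_id"]].on_authentication_message(auth_msg)


class Terminal:
    def __init__(self, call_id, user_key):
        self.call_id = call_id
        self.user_key = user_key              # second user authentication key

    def build_request(self, resp):
        return {
            "enterprise_id": resp["enterprise_id"],
            "call_id": self.call_id,
            "auth_id": resp["auth_id"],
            "preset": resp["preset"],
            "first_param": keyed_calc(self.user_key, resp["preset"]),  # first parameter
        }


def build_demo():
    # Constructed keys and identifiers, for illustration only.
    ent_key, user_key = b"constructed-enterprise-key", b"constructed-user-key"
    enterprise = EnterpriseServer("ent-001", ent_key, {"call-1001": user_key})
    operator = OperatorServer({"ent-001": ent_key}, {"ent-001": enterprise})
    return enterprise, operator, Terminal("call-1001", user_key)


if __name__ == "__main__":
    enterprise, operator, terminal = build_demo()
    req = terminal.build_request(enterprise.registration_response(terminal.call_id))
    print("registered:", operator.on_authentication_request(req))
    print("replay accepted:", operator.on_authentication_request(req))
```

Both comparisons use `hmac.compare_digest` so that the equality checks the claims describe do not leak how many leading bytes matched.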
PCT/CN2022/095699 2021-05-28 2022-05-27 Terminal device registration method, related device, system, and storage medium WO2022247938A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN202110592796.4A CN115412912A (en) 2021-05-28 2021-05-28 Method for registering terminal equipment, related equipment, system and storage medium
CN202110592796.4 2021-05-28

Publications (1)

Publication Number Publication Date
WO2022247938A1 true WO2022247938A1 (en) 2022-12-01

Family

ID=84155526

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2022/095699 WO2022247938A1 (en) 2021-05-28 2022-05-27 Terminal device registration method, related device, system, and storage medium

Country Status (2)

Country Link
CN (1) CN115412912A (en)
WO (1) WO2022247938A1 (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2008089699A1 (en) * 2007-01-23 2008-07-31 Huawei Technologies Co., Ltd. A method and a system for authenticating a user terminal in ims network
CN101568111A (en) * 2008-04-21 2009-10-28 华为技术有限公司 Method and equipment for registering usual service interface system
CN101674580A (en) * 2008-09-12 2010-03-17 上海顶竹通讯技术有限公司 Method for accessing mobile core network by utilizing fixed network
CN102026179A (en) * 2010-12-31 2011-04-20 北京普天和平通信技术有限公司 Method for initializing, registering and authenticating industry application mobile terminal, and communication system

Also Published As

Publication number Publication date
CN115412912A (en) 2022-11-29

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 22810662

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE