
CN101277297B - Conversation control system and method - Google Patents


Info

Publication number: CN101277297B
Authority: CN (China)
Prior art keywords: authentication, subscriber equipment, equipment, session, information
Legal status: Expired - Fee Related (as listed by Google Patents; not a legal conclusion)
Application number: CN2007100888022A
Other languages: Chinese (zh)
Other versions: CN101277297A
Inventors: 李超, 杨智, 辛阳, 陈进
Current assignee: Huawei Technologies Co Ltd; Beijing University of Posts and Telecommunications
Original assignee: Huawei Technologies Co Ltd; Beijing University of Posts and Telecommunications

Landscapes: Computer And Data Communications (AREA)

Abstract

The invention provides a session control system and method. The system mainly comprises a service provider device and an authentication server. The method mainly comprises: an authentication server is provided in the network; after receiving a session establishment request from user equipment, the service provider device sends an authentication request for that user equipment to the authentication server; the authentication server authenticates the user equipment according to stored authentication information and returns an authentication response to the service provider device. With the invention, the device authentication function is concentrated in a dedicated authentication server, which reduces the complexity of the service provider device and improves its efficiency, and the authentication information of all devices in the network can be managed centrally through the authentication server. The session key used to secure the session service is not transmitted over the network, which reduces the security threats faced by the user equipment and the service provider device.

Description

Session control system and method

Technical field

The present invention relates to the field of network communication, and in particular to a session control system and method.

Background art

Figure 1 shows the structure of the general home network model proposed by the ITU (International Telecommunication Union). According to the location and role of each entity, the home network model in Figure 1 can be divided into seven kinds of entity: remote user, remote terminal, application server, secure home gateway, home application server, home user and home device. Home devices are further divided into the following three classes, A, B and C, according to their function.

Class A devices: have control functions; for example, computers and set-top boxes.

Class B devices: have bridging functions; for example, switches and hubs.

Class C devices: provide specific services for other home devices; for example, digital televisions and refrigerators. A Class C device has no communication interface connecting it directly to the home network; it connects to the home network through a Class B device.

Figure 2 shows the IGRS (Intelligent Interconnection, Resource Sharing and Collaborative Services) architecture. IGRS supports connecting all kinds of devices over wired LAN, wireless LAN, Bluetooth and other networks. The IGRS transport and network protocols are based on the TCP/IP protocol suite, the device interaction message framework is based on HTTP/1.1, the device discovery and resource sharing platform is based on the IGRS base protocol, and the device collaborative service platform is based on the IGRS application framework.

Figure 3 shows the processing flow of the IGRS device interaction model. The model describes the whole process of an IGRS device joining the network, discovering other IGRS devices, joining an IGRS device group, discovering and invoking services on other IGRS devices in the group, and finally leaving the network. The whole process comprises 14 steps: device online, device (group) discovery, pipe creation, device group creation and joining, service discovery, session creation, service use, session end, device/service online/offline event subscription, device/service online/offline event notification, device/service online/offline event cancellation, pipe disconnection, device group exit and dissolution, and device offline.

Three-way authentication based on public key technology is a relatively reliable identity authentication technique; it confirms the information sent by the device at every step. The processing flow of the three-way authentication, shown in Figure 4, comprises the following steps:

Step 41: Device A generates a non-repeating random number rA with a random number generator.

Step 42: Device A sends an authentication request to device B: A{tA, rA, snA}.

Here tA is a timestamp, generally consisting of two dates, the generation time and the expiry time of the message; the timestamp is used to guard against delayed delivery of the message and against replay attacks. snA is the serial number of device A. A{} denotes that the information in {} is encrypted with A's private key.

Step 43: After receiving device A's authentication request, device B checks the integrity of the message using device A's public key, extracts tA, rA and snA from the request, and verifies the validity of tA. Device B then generates a non-repeating random number rB.

Step 44: Device B sends an authentication request response to device A: B{tB, rB, rA, snB}.

Step 45: After receiving device B's response, device A checks the integrity of the message using device B's public key, extracts tB, rB, rA and snB from the response, verifies the validity of tB, and checks whether the received rA matches the rA it sent.

Step 46: Once the check that the received rA matches the sent rA has passed, device A sends a response message to device B: A{tA, rB}.

Step 47: After receiving device A's response message, device B extracts tA and rB from it. After verifying the validity of tA, it checks whether the received rB matches the rB it sent. Once this check passes, the three-way authentication process ends.
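The exchange of steps 41 to 47 written out end to end, as an added example that is not code from the patent or from IGRS. A{...} is modelled as a toy RSA signature over a SHA-256 digest (tiny Mersenne-prime moduli, chosen for cheap arithmetic, not for security), the timestamp as a generation/expiry pair; the serial numbers, 64-bit nonces and 30-second validity window are constructed values.

```python
import hashlib
import json
import secrets

# Toy RSA on Mersenne primes: cheap arithmetic, far too small for real use. It exists only
# to make the page's A{...} notation (seal with A's private key, check with A's public key)
# concrete. Serial numbers, nonce size and TTL are constructed values.
TOY_PRIMES = {"A": (2**31 - 1, 2**61 - 1), "B": (2**89 - 1, 2**107 - 1)}
E = 65537
TTL = 30  # seconds between a timestamp's generation time and its expiry time

class Device:
    def __init__(self, name, serial):
        p, q = TOY_PRIMES[name]
        self.name, self.serial = name, serial
        self.n = p * q
        self.d = pow(E, -1, (p - 1) * (q - 1))  # private exponent
        self.public = (self.n, E)
        self.nonce = None  # the random number this device sent in the current run

    def seal(self, fields):
        """X{...}: sign the fields with X's private key (toy RSA over a SHA-256 digest)."""
        payload = json.dumps(fields, sort_keys=True)
        h = int.from_bytes(hashlib.sha256(payload.encode()).digest(), "big") % self.n
        return {"payload": payload, "sig": pow(h, self.d, self.n)}

def open_sealed(public, msg):
    """Check message integrity with the sender's public key; return the fields or raise."""
    n, e = public
    h = int.from_bytes(hashlib.sha256(msg["payload"].encode()).digest(), "big") % n
    if pow(msg["sig"], e, n) != h:
        raise ValueError("integrity check failed")
    return json.loads(msg["payload"])

def timestamp(now):
    return {"gen": now, "exp": now + TTL}

def check_timestamp(ts, now):
    """A timestamp is accepted only inside its [generation, expiry] window."""
    if not ts["gen"] <= now <= ts["exp"]:
        raise ValueError("timestamp outside validity window (delayed or replayed)")

def a_request(a, now):
    """Steps 41-42: A draws rA and sends A{tA, rA, snA}."""
    a.nonce = secrets.randbits(64)
    return a.seal({"t": timestamp(now), "r": a.nonce, "sn": a.serial})

def b_respond(b, a_public, msg, now):
    """Steps 43-44: B checks integrity and tA, draws rB, sends B{tB, rB, rA, snB}."""
    f = open_sealed(a_public, msg)
    check_timestamp(f["t"], now)
    b.nonce = secrets.randbits(64)
    return b.seal({"t": timestamp(now), "r": b.nonce, "rA": f["r"], "sn": b.serial})

def a_confirm(a, b_public, msg, now):
    """Steps 45-46: A checks integrity, tB and that rA is its own, then sends A{tA, rB}."""
    f = open_sealed(b_public, msg)
    check_timestamp(f["t"], now)
    if f["rA"] != a.nonce:
        raise ValueError("rA mismatch: response does not answer our request")
    return a.seal({"t": timestamp(now), "rB": f["r"]})

def b_finish(b, a_public, msg, now):
    """Step 47: B checks integrity, tA and that rB is its own; authentication completes."""
    f = open_sealed(a_public, msg)
    check_timestamp(f["t"], now)
    if f["rB"] != b.nonce:
        raise ValueError("rB mismatch: stale or replayed confirmation")
    return True

def run_three_way(now=1_000_000):
    """Full exchange; also returns the last message and both devices for the checks below."""
    a, b = Device("A", "SN-A-0001"), Device("B", "SN-B-0001")
    m1 = a_request(a, now)
    m2 = b_respond(b, a.public, m1, now + 1)
    m3 = a_confirm(a, b.public, m2, now + 2)
    return b_finish(b, a.public, m3, now + 3), m3, a, b

def _rejected(b, a_public, msg, now):
    try:
        b_finish(b, a_public, msg, now)
    except ValueError:
        return True
    return False

def attacks_are_rejected():
    """A late replay, a tampered message and a replay into a new run all fail step 47."""
    ok, m3, a, b = run_three_way()
    late = _rejected(b, a.public, m3, 1_000_000 + TTL + 60)          # tA has expired
    forged = _rejected(b, a.public, dict(m3, sig=m3["sig"] ^ 1), 1_000_003)
    b.nonce = secrets.randbits(64)                                    # B began a new run
    stale = _rejected(b, a.public, m3, 1_000_003)
    return ok and late and forged and stale
```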

The specific processing flow of a prior-art home network session control scheme based on a trusted third party, shown in Figure 5, comprises the following steps:

Step 51: Client C sends a session establishment request to the target service provider device S. The request contains the user's unique identifier, security level information, and a Token generated according to the access control description, authentication mechanism and encryption algorithm in the target service description;

Step 52: After receiving the session establishment request, S verifies the user's unique identifier, security level information, user permissions and other information sent by C; if verification passes, step 53 is performed;

Step 53: S checks whether the pipe security mechanism between C and S satisfies the access security mechanism required by the session service S provides; if so, step 513 is performed directly; otherwise, step 54 is performed;

Step 54: S returns to C a response message carrying the information that the pipe security mechanism does not meet the session security requirements;

Step 55: After receiving the response, C selects, from the list of encryption algorithms supported in S's service description, a trusted-third-party-based service security mechanism descriptor suitable for itself, and prepares to request a session encryption key from the trusted third-party master device in the device group;

Step 56: C sends a session encryption key request message to the master device, encrypted with the pre-shared key between C and the master device; the request includes C's identifier, S's identifier, the encryption algorithm and other information;

Step 57: After receiving the request message from C and verifying C's identity, the master device generates a session encryption key;

Step 58: The master device encrypts the generated session encryption key, C's identifier and the corresponding encryption algorithm with the pre-shared key, forming ciphertext Cipher1; it also encrypts S's identifier, C's identifier, the trusted-third-party-based service security mechanism descriptor supported by C and S, the session encryption key and other information with the pre-shared key and encryption algorithm it shares with S, forming ciphertext Cipher2. The master device then sends Cipher1 and Cipher2 together to C in the session encryption key request response;

Step 59: After receiving the response from the master device, C extracts Cipher1 and Cipher2 and decrypts Cipher1 with its pre-shared key with the master device to obtain the session encryption key. Because C does not have the pre-shared key between S and the master device, C cannot decrypt or modify Cipher2;

Step 510: C sends Cipher2 to S, together with C's related information encrypted with the session encryption key;

Step 511: S decrypts the received Cipher2 to obtain C's related information and the session encryption key, and then verifies the related information sent by C;

Step 512: After successful verification, S sends a confirmation message to C. From this point, communication between C and S is encrypted and decrypted with the session encryption key;

Step 513: C and S begin the session.
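The trusted-third-party key distribution of steps 56 to 513, as an added example that is not code from the patent. The pre-shared keys, the descriptor string and the client information are constructed, and the unspecified "encryption algorithm" is replaced by a toy authenticated encryption built from HMAC-SHA256 so that the example runs on the standard library; the last function checks the claim of step 59 that C can neither read nor silently alter Cipher2.

```python
import hashlib
import hmac
import json
import os

# Toy authenticated encryption (HMAC-SHA256 keystream, encrypt-then-MAC) built on the
# standard library so the example runs offline. It stands in for the unspecified
# "encryption algorithm" used with the page's pre-shared keys; it is not a production cipher.
def _sub(key, label):
    return hmac.new(key, label, hashlib.sha256).digest()

def _stream(key, nonce, length):
    out, ctr = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:length]

def encrypt(key, obj):
    """Encrypt a JSON-serialisable object; returns nonce || ciphertext || tag."""
    pt = json.dumps(obj, sort_keys=True).encode()
    nonce = os.urandom(16)
    ct = bytes(x ^ y for x, y in zip(pt, _stream(_sub(key, b"enc"), nonce, len(pt))))
    tag = hmac.new(_sub(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def decrypt(key, blob):
    """Check the tag first: a wrong key or a modified ciphertext raises instead of returning."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(_sub(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("tag mismatch: wrong pre-shared key or tampered ciphertext")
    pt = bytes(x ^ y for x, y in zip(ct, _stream(_sub(key, b"enc"), nonce, len(ct))))
    return json.loads(pt)

# Constructed pre-shared keys each device holds with the master device (the trusted third party).
PSK = {"C": os.urandom(32), "S": os.urandom(32)}
DESCRIPTOR = "ttp-session-key"  # constructed stand-in for the service security mechanism descriptor

def step56_client_request(psk_c):
    """Step 56: C -> master device, under C's PSK: C's id, S's id and the chosen algorithm."""
    return "C", encrypt(psk_c, {"client": "C", "server": "S", "alg": DESCRIPTOR})

def steps57_58_master(sender, blob):
    """Steps 57-58: decrypting under the sender's PSK is the identity check; then issue Cipher1/Cipher2."""
    req = decrypt(PSK[sender], blob)
    if req["client"] != sender:
        raise ValueError("request body does not match the claimed sender")
    session_key = os.urandom(32).hex()
    cipher1 = encrypt(PSK[sender], {"key": session_key, "client": sender, "alg": req["alg"]})
    cipher2 = encrypt(PSK[req["server"]], {"server": req["server"], "client": sender,
                                           "descriptor": DESCRIPTOR, "key": session_key})
    return cipher1, cipher2

def steps59_510_client(psk_c, cipher1, cipher2):
    """Steps 59-510: C takes the key from Cipher1, forwards Cipher2 plus its own info under the key."""
    session_key = bytes.fromhex(decrypt(psk_c, cipher1)["key"])
    info = encrypt(session_key, {"client": "C", "security_level": "high"})  # constructed client info
    return session_key, cipher2, info

def steps511_512_server(psk_s, cipher2, info):
    """Steps 511-512: S opens Cipher2 with its own PSK, recovers the key, checks C's info, confirms."""
    ticket = decrypt(psk_s, cipher2)
    session_key = bytes.fromhex(ticket["key"])
    client_info = decrypt(session_key, info)
    if client_info["client"] != ticket["client"] or ticket["descriptor"] != DESCRIPTOR:
        raise ValueError("client information does not match the master device's ticket")
    return session_key, encrypt(session_key, {"status": "confirmed"})

def run_scheme():
    """Steps 56-513 end to end; True when C and S hold the same session key."""
    sender, blob = step56_client_request(PSK["C"])
    cipher1, cipher2 = steps57_58_master(sender, blob)
    key_c, fwd, info = steps59_510_client(PSK["C"], cipher1, cipher2)
    key_s, confirm = steps511_512_server(PSK["S"], fwd, info)
    return key_c == key_s and decrypt(key_s, confirm)["status"] == "confirmed"

def client_cannot_open_cipher2():
    """Step 59's claim: without the S-master PSK, C can neither read Cipher2 nor alter it unnoticed."""
    sender, blob = step56_client_request(PSK["C"])
    _, cipher2 = steps57_58_master(sender, blob)
    modified = cipher2[:16] + bytes([cipher2[16] ^ 1]) + cipher2[17:]  # one flipped ciphertext bit
    for key, candidate in ((PSK["C"], cipher2), (PSK["S"], modified)):
        try:
            decrypt(key, candidate)
            return False
        except ValueError:
            continue
    return True
```

Note that the session key itself still crosses the network twice here (inside Cipher1 and Cipher2), which is the exposure the description criticises below.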

In the course of implementing the present invention, the inventors found the following drawbacks in the prior-art home network session control scheme: the service provider device is required to verify the client, which increases the structural complexity of the service provider device and reduces its efficiency. Furthermore, since there are many service provider devices and each must provide an authentication function, the complexity and design cost of the whole system increase.

In addition, in that scheme the encryption key used by the session is transmitted over the network, which adds potential security risk.

Summary of the invention

The purpose of the embodiments of the present invention is to provide a session control system and method that solve the problems of complex structure and low efficiency of the service provider device.

The purpose of the embodiments of the present invention is achieved by the following technical solutions:

A session control system, comprising:

a service provider device, comprising a service provision module for conducting sessions with authenticated user equipment and providing the corresponding services;

the service provider device further comprising an authentication request processing module for sending, after receiving a session establishment request from the user equipment, an authentication request for authenticating the user equipment according to the session establishment request;

the system further comprising an authentication server for authenticating the user equipment after receiving the authentication request sent by the authentication request processing module;

the authentication server comprising:

a device authentication information management module for storing and maintaining the authentication information of user equipment in the network;

a device authentication processing module for authenticating the user equipment, after receiving the authentication request, according to the authentication information stored in the device authentication information management module;

the device authentication processing module comprising:

a device identity authentication module for verifying the identity of the user equipment, after receiving the authentication request, according to the unique identifier of the user equipment carried in the authentication request and the device identity and corresponding validity period information in the authentication information stored by the device authentication information management module;

a device permission authentication module for verifying, after receiving the authentication request, whether the user equipment has permission to use the corresponding service, according to the user equipment permission information carried in the authentication request and the device permission information in the authentication information stored by the device authentication information management module;

a device security level authentication module for verifying, after receiving the authentication request, whether the security level of the pipe between the user equipment and the service provider device meets the security level required by the corresponding service, according to the current pipe security level information between the user equipment and the service provider device carried in the authentication request and the security level required by the corresponding service in the authentication information stored by the device authentication information management module.

A session control method, in which the session network is provided with an authentication server independent of the service provider device, the method comprising the steps of:

A. after receiving a session establishment request from the user equipment, the service provider device sends an authentication request for authenticating the user equipment to the authentication server;

B. the authentication server authenticates the user equipment according to the stored authentication information and returns an authentication response to the service provider device;

C. after the user equipment passes authentication, the service provider device establishes a session with the user equipment;

Step B specifically comprises:

B1. the authentication server verifies the identity of the user equipment according to the device identity and corresponding validity period information in the stored authentication information and the unique identifier of the user equipment carried in the authentication request; after the identity verification passes, step B2 is performed;

B2. the authentication server verifies whether the user equipment has permission to use the corresponding service according to the device permission information in the stored authentication information and the user equipment permission information carried in the authentication request;

B3. after the permission verification of the user equipment passes, the authentication server verifies whether the security level of the pipe between the user equipment and the service provider device meets the security level required by the corresponding service, according to the security level required by the corresponding service in the stored authentication information and the current pipe security level information between the user equipment and the service provider device carried in the authentication request, and returns the verification result to the user equipment.

It can be seen from the technical solutions provided by the above embodiments that, by using an authentication server to perform unified authentication of the two devices conducting a session in the network, the embodiments of the present invention reduce the complexity of the service provider device and improve its efficiency. The authentication information of the devices in all device groups in the network can also be managed centrally through the authentication server.

Brief description of the drawings

Figure 1 is a schematic structural diagram of the general home network model proposed by the ITU in the prior art;

Figure 2 is a schematic diagram of the IGRS architecture in the prior art;

Figure 3 is a schematic diagram of the processing flow of the IGRS device interaction model in the prior art;

Figure 4 is a processing flowchart of the three-way authentication technique in the prior art;

Figure 5 is a processing flowchart of a prior-art home network session control scheme based on a trusted third party;

Figure 6 is a schematic structural diagram of the system for authenticating session devices according to an embodiment of the present invention;

Figure 7 is a processing flowchart of the method for authenticating session devices according to an embodiment of the present invention;

Figure 8 is a processing flowchart of generating a session key with public-key three-way authentication according to an embodiment of the present invention;

Figure 9 is a processing flowchart of the client tearing down a session according to an embodiment of the present invention;

Figure 10 is a processing flowchart of the service provider device tearing down a session according to an embodiment of the present invention.

具体实施方式Detailed ways

本发明实施例提供了一种会话控制的系统和方法。  Embodiments of the present invention provide a session control system and method. the

本发明实施例基于上述IGRS体系结构。在该IGRS体系结构中,IGRS的服务调用是在管道上进行的,并且管道创建时已按安全需求建立了适当的安全机制,因此,IGRS的服务调用的安全需求主要考虑服务访问时的身份鉴别,而会话的消息的保密性、完整性及鉴别性尽量选用管道的安全机制(传输加密)来保障。而只有在设备之间无法直接创建安全管道的情形下才考虑会话的消息保密性、完整性及鉴别性的安全需求,此时,需要在会话创建过程中生成客户端和服务提供端之间通信的会话加密密钥。  The embodiment of the present invention is based on the above-mentioned IGRS architecture. In this IGRS architecture, the IGRS service call is performed on the pipeline, and the appropriate security mechanism has been established according to the security requirements when the pipeline is created. Therefore, the security requirements of the IGRS service call mainly consider the identity authentication when accessing the service , and the confidentiality, integrity and authentication of the message of the session are guaranteed by the security mechanism of the pipeline (transmission encryption) as much as possible. The security requirements of session message confidentiality, integrity and authentication are only considered when a secure channel cannot be directly created between devices. At this time, communication between the client and the service provider needs to be generated during the session creation process. session encryption key. the

本发明实施例所述会话控制的系统和方法适用于各种小型局域网络,比如家庭网络。以家庭网络为例,客户端和服务提供端都是家庭成员使用的设备,通过家庭网络连接起来。下面以家庭网络为例,来说明本发明实施例所述会话控制的系统和方法。  The system and method for session control described in the embodiments of the present invention are applicable to various small local area networks, such as home networks. Taking a home network as an example, both the client and the service provider are devices used by family members and are connected through the home network. The following uses a home network as an example to describe the system and method for session control in the embodiments of the present invention. the

本发明实施例所述会话控制的系统的结构示意图如图6所示,包括:服务提供端设备和认证服务器。  The structural diagram of the session control system according to the embodiment of the present invention is shown in FIG. 6 , including: a service provider device and an authentication server. the

服务提供端设备:用于在接收到用户设备发送的会话建立请求后,向认证服务器发送所述用户设备的认证请求。与认证通过的用户设备进行会话。包括:认证请求处理模块、会话密钥生成模块和服务提供模块。  The service provider device: after receiving the session establishment request sent by the user equipment, send the authentication request of the user equipment to the authentication server. Conversation with authenticated user equipment. Including: authentication request processing module, session key generation module and service provision module. the

其中,认证请求处理模块:用于在接收到用户设备发送的会话建立请求后,向认证服务器发送携带用户设备的唯一标识、权限信息和安全等级信息 的认证请求。  Among them, the authentication request processing module: after receiving the session establishment request sent by the user equipment, send to the authentication server an authentication request carrying the unique identifier, authority information and security level information of the user equipment. the

其中,会话密钥生成模块:用于在接收到认证服务器返回的管道安全机制不满足会话安全需求信息后,和所述用户设备之间基于公钥的三向认证技术产生和交换会话密钥参数;所述服务提供端和所述用户设备分别根据所述会话密钥参数生成会话密钥。  Among them, the session key generation module: after receiving the information returned by the authentication server that the pipeline security mechanism does not meet the session security requirements, generate and exchange session key parameters with the user equipment based on the three-way authentication technology based on the public key ; The service provider and the user equipment respectively generate a session key according to the session key parameter. the

其中,服务提供模块,用于与认证通过的用户设备进行会话,提供相应的服务。  Wherein, the service providing module is configured to conduct a session with the authenticated user equipment and provide corresponding services. the

认证服务器:用于在接收到所述服务提供端设备发送的认证请求后,根据保存的认证信息对所述用户设备进行认证,向服务提供端设备返回认证响应。  Authentication server: after receiving the authentication request sent by the service provider device, authenticate the user device according to the saved authentication information, and return an authentication response to the service provider device. the

本发明实施例所述认证服务器是家庭网络中具有控制功能的A类设备,如家庭网关或家庭应用服务器。该认证服务器保存家庭网络中所有设备的身份及设备权限等认证信息,对整个家庭网络中的所有的设备进行统一认证管理。  The authentication server in the embodiment of the present invention is a type A device with a control function in a home network, such as a home gateway or a home application server. The authentication server stores authentication information such as identities and device permissions of all devices in the home network, and performs unified authentication management on all devices in the entire home network. the

本发明实施例所述认证服务器包括:设备认证信息管理模块、设备认证处理模块。  The authentication server in the embodiment of the present invention includes: a device authentication information management module and a device authentication processing module. the

设备认证信息保存模块:用于保存和维护整个家庭网络中所有设备的认证信息,该认证信息包括:设备身份、权限、安全等级等信息。  Device authentication information storage module: used to save and maintain the authentication information of all devices in the entire home network, the authentication information includes: device identity, authority, security level and other information. the

设备认证处理模块:用于在接收到服务提供端设备转发的用户设备认证请求后,根据保存的认证信息对用户设备进行身份、权限和安全等级等认证,向服务提供端设备返回携带认证结果的认证响应。包括:设备身份认证模块、设备权限认证模块和设备安全等级认证模块。  Device authentication processing module: After receiving the user device authentication request forwarded by the service provider device, it is used to authenticate the identity, authority and security level of the user device according to the stored authentication information, and return the authentication result to the service provider device. Authentication response. Including: a device identity authentication module, a device authority authentication module and a device security level authentication module. the

其中,设备身份认证模块:用于在接收到服务提供端设备转发的用户设备认证请求后,根据认证请求中携带的用户设备唯一标识和保存的认证信息中的设备身份以及相应的有效期信息,对相应用户设备进行身份认证。  Among them, the device identity authentication module: after receiving the user device authentication request forwarded by the service provider device, according to the unique identifier of the user device carried in the authentication request and the device identity in the stored authentication information and the corresponding validity period information, for The corresponding user equipment performs identity authentication. the

其中,设备权限认证模块:用于在接收到服务提供端设备转发的用户设备认证请求后,根据认证请求中携带的用户设备权限信息和保存的认证信息中的设备权限信息,验证所述用户设备是否有使用相应服务的权限。  Among them, the device authority authentication module: used to verify the user equipment according to the user equipment authority information carried in the authentication request and the equipment authority information in the stored authentication information after receiving the user equipment authentication request forwarded by the service provider device Whether there is permission to use the corresponding service. the

其中,设备安全等级认证模块:用于在接收到服务提供端设备转发的用 户设备认证请求后,根据认证请求中携带的用户设备和服务提供端之间当前管道安全等级信息和保存的认证信息中的相应服务所需安全等级信息,验证所述用户设备和服务提供端设备间管道的安全等级要求是否满足相应服务的安全等级要求。上述认证服务器仅需对服务提供端设备进行简单的验证,如验证服务提供端设备的身份,并检查服务提供端设备是否有能力提供相应的服务。  Among them, the device security level authentication module: after receiving the user device authentication request forwarded by the service provider device, according to the current pipeline security level information and the saved authentication information between the user device and the service provider carried in the authentication request According to the security level information required by the corresponding service, verify whether the security level requirements of the pipeline between the user equipment and the service provider equipment meet the security level requirements of the corresponding service. The above-mentioned authentication server only needs to perform simple verification on the service provider device, such as verifying the identity of the service provider device, and checking whether the service provider device is capable of providing corresponding services. the

The processing flow of the session control method in the embodiment of the present invention is shown in Figure 7 and comprises the following steps:

Step 71: Client user device C sends a session establishment request to the target service-provider device S through the pipe established during device initialization; the request contains C's unique identifier, permission information and security level information.

Step 72: After receiving the session establishment request from C, S sends an authentication request to the authentication server carrying C's unique identifier, permission information and security level information.

Step 73: After receiving the authentication request from S, the authentication server authenticates the identity of the user device, using the unique user device identifier carried in the request together with the device identity and corresponding validity period information in the stored authentication information.

Once identity authentication passes, it verifies whether the user device is permitted to use the corresponding service, using the user-device permission information carried in the request and the device permission information in the stored authentication information.

Once permission verification passes, it verifies whether the security level of the pipe between the user device and the service-provider device meets the security level required by the corresponding service, using the current pipe security level information carried in the request and the required security level information in the stored authentication information.

If identity authentication or permission authentication fails, the authentication server returns to the service-provider device an authentication failure response carrying the information that user device authentication has failed.

Step 74: If the authentication server finds that the security level of the pipe between the user device and the service-provider device does not meet the security level required by the corresponding service, it returns to the service-provider device an authentication failure response carrying the information that the pipe security mechanism does not meet the session security requirements.

If the authentication server finds that the security level of the pipe between the user device and the service-provider device does meet the security level required by the corresponding service, it returns to the service-provider device an authentication success response carrying the information that the pipe security mechanism meets the session security requirements.

Step 75: The target service-provider device S conducts the session with the authenticated user device and provides the corresponding service.
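As an added illustration (not code from the patent), the three checks of steps 73 and 74 written as one authentication server routine in Go; the record layout, the service names, the integer security levels and the response strings are assumptions chosen for the example.

```go
package main

import (
	"fmt"
	"time"
)

// DeviceRecord is what the authentication server stores per user device: its identity is the
// map key, with a validity period and the set of services the device is permitted to use.
type DeviceRecord struct {
	ValidUntil  time.Time
	Permissions map[string]bool
}

// AuthServer holds the stored authentication information and the security level each service
// requires of the pipe between C and S. The field layout is an assumption; the patent fixes none.
type AuthServer struct {
	Devices       map[string]DeviceRecord
	ServiceLevels map[string]int
}

// AuthRequest is what S forwards in step 72: C's unique identifier, the permission C claims
// (modelled as the service it asks for) and the current security level of the C-S pipe.
type AuthRequest struct {
	DeviceID  string
	Service   string
	PipeLevel int
}

// Response carries the information the description attaches to each outcome in steps 73-74.
type Response struct {
	Success bool
	Info    string
}

const (
	InfoDeviceAuthFailed = "user device authentication failed"
	InfoPipeInsufficient = "pipe security mechanism does not meet session security requirements"
	InfoPipeSufficient   = "pipe security mechanism meets session security requirements"
)

// Authenticate runs the three checks in the prescribed order. Identity and permission failures
// both yield the "device authentication failed" response; only once both pass is the pipe level
// compared, so S can tell a rejected device from one that merely needs a session key (step 87).
func (a *AuthServer) Authenticate(req AuthRequest, now time.Time) Response {
	rec, known := a.Devices[req.DeviceID]
	if !known || !now.Before(rec.ValidUntil) { // step 73: identity and validity period
		return Response{Success: false, Info: InfoDeviceAuthFailed}
	}
	required, offered := a.ServiceLevels[req.Service]
	if !offered || !rec.Permissions[req.Service] { // permission check
		return Response{Success: false, Info: InfoDeviceAuthFailed}
	}
	if req.PipeLevel < required { // step 74: pipe security level
		return Response{Success: false, Info: InfoPipeInsufficient}
	}
	return Response{Success: true, Info: InfoPipeSufficient}
}

// NewDemoServer builds a constructed sample: device C-0001 is valid until 2030 and may use
// "media" (requires pipe level 2) but not "control" (requires level 3).
func NewDemoServer() *AuthServer {
	return &AuthServer{
		Devices: map[string]DeviceRecord{
			"C-0001": {
				ValidUntil:  time.Date(2030, 1, 1, 0, 0, 0, 0, time.UTC),
				Permissions: map[string]bool{"media": true},
			},
		},
		ServiceLevels: map[string]int{"media": 2, "control": 3},
	}
}

func main() {
	srv := NewDemoServer()
	now := time.Date(2025, 6, 1, 0, 0, 0, 0, time.UTC)
	for _, req := range []AuthRequest{
		{"C-0001", "media", 2},   // all checks pass
		{"C-0001", "media", 1},   // pipe too weak: S must negotiate Kcs first
		{"C-0001", "control", 3}, // not permitted
		{"C-9999", "media", 3},   // unknown identity
	} {
		fmt.Printf("%+v -> %+v\n", req, srv.Authenticate(req, now))
	}
}
```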

The authentication server of this embodiment can also be used in the process by which C and S generate a session key with public key technology. That process, shown in Figure 8, comprises the following steps:

Step 81: Client user device C sends a session establishment request to the target service-provider device S through the pipe established during device initialization; the request contains C's unique identifier, security level information, and a Token generated from the access control description, authentication mechanism and encryption algorithm given in the target service description.

In a home network, apart from UDP-based multicast discovery and unicast response, which requires no pre-established connection between devices, all other interactions between devices are built on pipes. The pipe mechanism encapsulates and simplifies the creation and management of TCP connections during device interaction.

Step 82: After receiving the session establishment request from C, S sends an authentication request to the authentication server carrying C's unique identifier, security level information and user permission information.

Step 83: After receiving the authentication request from S, the authentication server checks the validity of C's unique identifier, the legitimacy of the security level information, and the user permission information carried in the request.

Step 84: Once the authentication server has successfully verified the unique user identifier, security level information and user permission information, it returns an authentication success message to S.

Step 85: S stores C's identity information, validity period and permissions locally; that is, S keeps a local copy of C's unique user identifier, security level information and user permission information.

Step 86: S checks whether the security mechanism of the pipe between C and S satisfies the access security mechanism of the session service S provides. If so, proceed to step 812; otherwise, proceed to step 87.

Step 87: S returns to C a response message carrying the information that the pipe security mechanism does not meet the session security requirements.

Step 88: After C receives the response from S, C and S exchange the session key parameters rC, rS, snC and snS with each other under the public-key three-way authentication mechanism.

Step 89: S generates the session key Kcs between C and S from the parameters rC, rS, snC and snS.

Step 810: S sends C a session request success response.

Step 811: C likewise generates the session key Kcs between C and S from the parameters rC, rS, snC and snS. From this point on, communication between C and S is encrypted and decrypted with Kcs.

Step 812: C and S begin the session using Kcs.

During the session key generation above, if one of the two parties (C or S) lacks the capability to generate the session key itself, the authentication server generates the session key with the other party in place of the less capable device. The authentication server then encrypts the session key with the less capable device's public key and sends it to that device, which decrypts the session key with its private key and uses it for the session with the other party.

If both parties (C and S) lack the capability, the authentication server generates the session key from the serial numbers of the two parties and sends it to each of them, encrypted with that party's public key. Each party decrypts with its own private key to obtain the session key and uses it for the session.
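An added Go example (not the patent's code) of steps 88 to 811 together with the two fallback cases for a device that cannot generate the key itself. It assumes RSA-OAEP for the public-key steps, HMAC-SHA256 as the function that turns rC, rS, snC and snS into Kcs, and that each random value travels sealed to the peer's public key; the patent fixes none of these.

```go
package main

import (
	"bytes"
	"crypto/hmac"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Device is one session party (C or S): its serial number (snC / snS), an RSA key pair, and whether
// it is capable of running the key exchange itself. Algorithm choices here are assumptions.
type Device struct {
	Serial  []byte
	Key     *rsa.PrivateKey
	Capable bool
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

func NewDevice(serial string, capable bool) *Device {
	return &Device{Serial: []byte(serial), Key: must(rsa.GenerateKey(rand.Reader, 2048)), Capable: capable}
}

// deriveKcs binds both random values and both serial numbers into the session key (steps 89
// and 811). Each side computes it locally, so Kcs itself never crosses the network.
func deriveKcs(rC, rS, snC, snS []byte) []byte {
	mac := hmac.New(sha256.New, append(append([]byte{}, rC...), rS...))
	mac.Write([]byte("Kcs"))
	mac.Write(snC)
	mac.Write(snS)
	return mac.Sum(nil)
}

// sealTo encrypts a short secret so only the holder of the matching private key can read it;
// openWith recovers it.
func sealTo(pub *rsa.PublicKey, secret []byte) []byte {
	return must(rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, secret, nil))
}

func openWith(priv *rsa.PrivateKey, ct []byte) []byte {
	return must(rsa.DecryptOAEP(sha256.New(), nil, priv, ct, nil))
}

func randomValue() []byte {
	r := make([]byte, 32)
	must(rand.Read(r))
	return r
}

// threeWay is step 88 between two key holders: rC travels sealed to the S-side public key and rS
// sealed to the C-side public key, so an observer of the pipe sees snC and snS but cannot derive
// Kcs. It returns the key as computed on the C side and on the S side.
func threeWay(c, s *rsa.PrivateKey, snC, snS []byte) (kC, kS []byte) {
	rC, rS := randomValue(), randomValue()
	msg1 := sealTo(&s.PublicKey, rC) // C -> S
	msg2 := sealTo(&c.PublicKey, rS) // S -> C
	kS = deriveKcs(openWith(s, msg1), rS, snC, snS)
	kC = deriveKcs(rC, openWith(c, msg2), snC, snS)
	return kC, kS
}

// EstablishKcs covers steps 88-811 and both fallbacks. If one party lacks the capability, the
// authentication server (auth) runs the exchange in its place and delivers Kcs sealed to that
// party's public key. If neither is capable, the server derives Kcs from the two serial numbers
// (mixed with a server-side random value, an assumption) and seals it to each party.
func EstablishKcs(c, s *Device, auth *rsa.PrivateKey) ([]byte, []byte) {
	switch {
	case c.Capable && s.Capable:
		return threeWay(c.Key, s.Key, c.Serial, s.Serial)
	case c.Capable: // server stands in for S
		kC, kAuth := threeWay(c.Key, auth, c.Serial, s.Serial)
		return kC, openWith(s.Key, sealTo(&s.Key.PublicKey, kAuth))
	case s.Capable: // server stands in for C
		kAuth, kS := threeWay(auth, s.Key, c.Serial, s.Serial)
		return openWith(c.Key, sealTo(&c.Key.PublicKey, kAuth)), kS
	default:
		k := deriveKcs(randomValue(), nil, c.Serial, s.Serial)
		return openWith(c.Key, sealTo(&c.Key.PublicKey, k)), openWith(s.Key, sealTo(&s.Key.PublicKey, k))
	}
}

func main() {
	auth := NewDevice("auth-server", true).Key
	kC, kS := EstablishKcs(NewDevice("snC-0001", true), NewDevice("snS-0001", false), auth)
	fmt.Println("both sides hold the same Kcs:", bytes.Equal(kC, kS))
}
```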

Once the session key has been established and the session has begun through the flow above, teardown of the session falls into three cases: teardown by the client, teardown by the service provider, and abnormal termination.

The three teardown cases are described below in turn.

1. Teardown by the client.

The processing flow of this teardown is shown in Figure 9 and comprises the following steps:

Step 91: Client C sends a session teardown request to the service-provider device S.

Step 92: After receiving the session teardown request from C, S deletes its stored session-related information.

Step 93: S sends C a response message permitting the session teardown.

Step 94: After receiving the message permitting teardown, C deletes its session-related information; the session teardown is complete.

2. Teardown by the service provider S.

The processing flow of this teardown is shown in Figure 10 and comprises the following steps:

Step 101: Service-provider device S sends a session teardown request to client C.

Step 102: After receiving the session teardown request from S, C deletes its stored session-related information.

Step 103: C sends S a response message permitting the session teardown.

Step 104: After receiving the message permitting teardown, S deletes its session-related information; the session teardown is complete.

3. Abnormal termination of the session.

After a session is created, session maintenance requests are sent periodically. If a maintenance request sent by one party receives no response from the other within the specified response time, for example because that device has lost power or network connectivity, the other party is deemed offline and the session is dropped immediately.

In summary, the embodiment uses a separate authentication server for unified authentication and management of the devices in the network, which reduces the complexity of the devices, improves their efficiency and lowers the cost of building the network. When the security of the pipe between the two session parties' devices cannot meet the session's security requirements, the generated session key guarantees the confidentiality, integrity and authenticity of the session messages. Services between devices in the home network are thereby delivered reliably, and because the session key is never transmitted over the network, the security risk of the session is reduced and the security of the whole home network is improved.

The embodiment uses public-key three-way authentication to produce the session key: the key is generated by both session parties from the relevant parameter information and is never transmitted over the network. Thus, when the security of the pipe between the two parties' devices cannot meet the session's security requirements, the generated session key guarantees the confidentiality, integrity and authenticity of the session messages; services between devices in the home network are delivered reliably, the session key is not transmitted over the network, the security risk of the session is reduced, and the security of the whole home network is improved.

The above describes only a preferred embodiment of the present invention; the scope of protection is not limited to it. Any change or substitution that a person skilled in the art could readily conceive within the technical scope disclosed by the present invention shall fall within its scope of protection, which shall therefore be determined by the scope of the claims.

Claims (7)

1. A session control system, comprising:
a service-provider device comprising a service providing module for conducting a session with an authenticated user device and providing the corresponding service;
characterized in that the service-provider device further comprises an authentication request processing module for, after receiving a session establishment request sent by the user device, sending, according to the session establishment request, an authentication request for authenticating the user device;
the system further comprises an authentication server for authenticating the user device after receiving the authentication request sent by the authentication request processing module;
the authentication server comprises:
a device authentication information management module for storing and maintaining the authentication information of the user devices in the network;
a device authentication processing module for authenticating the user device, after receiving the authentication request, according to the authentication information stored in the device authentication information management module;
the device authentication processing module comprises:
a device identity authentication module for, after receiving the authentication request, authenticating the identity of the user device according to the unique user device identifier carried in the authentication request and the device identity and corresponding validity period information in the authentication information stored in the device authentication information management module;
a device permission authentication module for, after receiving the authentication request, verifying whether the user device is permitted to use the corresponding service according to the user device permission information carried in the authentication request and the device permission information in the authentication information stored in the device authentication information management module;
a device security level authentication module for, after receiving the authentication request, verifying whether the security level of the pipe between the user device and the service-provider device meets the security level required by the corresponding service, according to the current pipe security level information carried in the authentication request and the required security level information for the corresponding service in the authentication information stored in the device authentication information management module.
2. The system according to claim 1, characterized in that the service-provider device further comprises:
a session key generation module for, after receiving from the device security level authentication module the information that the pipe security mechanism does not meet the session security requirements, producing and exchanging session key parameters with the user device by public-key three-way authentication; the service-provider device and the user device each generate the session key from the session key parameters.
3. The system according to claim 1 or 2, characterized in that the system is applicable to a home network based on the IGRS (Intelligent Grouping and Resource Sharing) architecture.
4. A session control method, characterized in that an authentication server independent of the service-provider device is provided in the home network, and the method comprises the steps of:
A. the service-provider device, after receiving a session establishment request sent by a user device, sending to the authentication server an authentication request for authenticating the user device;
B. the authentication server authenticating the user device according to the stored authentication information and returning an authentication response to the service-provider device;
C. the service-provider device establishing a session with the user device after the user device passes authentication;
wherein step B specifically comprises:
B1. the authentication server authenticating the identity of the user device according to the device identity and corresponding validity period information in the stored authentication information and the unique user device identifier carried in the authentication request, and, after this identity authentication passes, executing step B2;
B2. the authentication server verifying whether the user device is permitted to use the corresponding service according to the device permission information in the stored authentication information and the user device permission information carried in the authentication request;
B3. after the permission verification of the user device passes, the authentication server verifying whether the security level of the pipe between the user device and the service-provider device meets the security level required by the corresponding service, according to the required security level information for the corresponding service in the stored authentication information and the current pipe security level information carried in the authentication request, and returning the verification result to the user device.
5. The method according to claim 4, characterized in that the session establishment request contains the unique identifier, permission information and security level information of the user device.
6. The method according to claim 4, characterized in that, if the security level of the pipe between the user device and the service-provider device meets the security level required by the corresponding service, step C is specifically:
C1. the service-provider device and the user device conducting the session using the security mechanism of the pipe between them;
and if the security level of the pipe between the user device and the service-provider device does not meet the security level required by the corresponding service, step C is specifically:
C2. the service-provider device and the user device producing and exchanging session key parameters by public-key three-way authentication, each generating the session key from the session key parameters, and conducting the session using the session key.
7. The method according to claim 4, characterized in that the method further comprises:
after the identity authentication of the user device fails, the authentication server returning to the service-provider device an authentication failure response carrying the information that user device authentication has failed;
after the permission verification of the user device fails, the authentication server returning to the service-provider device an authentication failure response carrying the information that user device authentication has failed.
CN2007100888022A 2007-03-26 2007-03-26 Conversation control system and method Expired - Fee Related CN101277297B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN2007100888022A CN101277297B (en) 2007-03-26 2007-03-26 Conversation control system and method

Publications (2)

Publication Number Publication Date
CN101277297A CN101277297A (en) 2008-10-01
CN101277297B true CN101277297B (en) 2011-11-02

Family

ID=39996310

Country Status (1)

Country Link
CN (1) CN101277297B (en)

Families Citing this family (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102957584B (en) * 2011-08-25 2015-03-18 华为终端有限公司 Home network equipment management method, control equipment and home network equipment
CN102497354A (en) * 2011-11-08 2012-06-13 陈嘉贤 Method, system and equipment used for authenticating user identity
CN103269371B (en) * 2013-05-23 2016-06-01 中国科学院计算机网络信息中心 A kind of thing based on Anycast networking DS querying method and system
CN104283680A (en) * 2013-07-05 2015-01-14 腾讯科技(深圳)有限公司 Data transmission method, client side, server and system
CN105096229A (en) * 2015-08-17 2015-11-25 西安工业大学 Design method of smart urban information security guarantee system
CN106603461A (en) * 2015-10-14 2017-04-26 阿里巴巴集团控股有限公司 Business authentication method, apparatus and system
CN108462671A (en) * 2017-02-20 2018-08-28 沪江教育科技(上海)股份有限公司 A kind of authentication protection method and system based on reverse proxy
CN109104394B (en) * 2017-06-20 2022-01-21 华为技术有限公司 Session processing method and device
ES2950192T3 (en) * 2017-08-28 2023-10-05 Huawei Tech Co Ltd Information verification method and related device
CN112905986B (en) * 2021-04-16 2023-10-20 杭州海康威视数字技术股份有限公司 Authority authentication method, device and system and computer readable storage medium
CN119155103B (en) * 2024-11-11 2025-02-25 北京中宏立达科技发展有限公司 A multi-point secure transmission method and system with hidden services

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1747427A (en) * 2004-09-07 2006-03-15 乐金电子(天津)电器有限公司 Mobile household network system, its apparatus and control
CN1859245A (en) * 2005-11-02 2006-11-08 华为技术有限公司 Power managing method in digital household network and household network system
CN1863195A (en) * 2005-05-13 2006-11-15 中兴通讯股份有限公司 Family network system with safety registration function and method thereof

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20111102

Termination date: 20150326

EXPY Termination of patent right or utility model