
WO2018108022A1 - Multi-network integration security and authentication method and system - Google Patents


Info

Publication number
WO2018108022A1
Authority
WO
WIPO (PCT)
Prior art keywords
network
password
network convergence
data
convergence module
Prior art date
Legal status
Ceased
Application number
PCT/CN2017/115055
Other languages
French (fr)
Chinese (zh)
Inventor
翁印嵩
Current Assignee
Individual
Original Assignee
Individual

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L 63/083 Network architectures or network communication protocols for network security for authentication of entities using passwords
    • H04L 63/0876 Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint

Definitions

  • The present invention relates to the field of network and telephone communication, and in particular to a security and authentication method and system for multi-network convergence.
  • Secure transmission of any information requires encryption, and dynamic encryption is preferable, but the transmission of the dynamic password itself is the difficult point. In addition, a device connected to the Internet relies on IP-address routing to communicate, yet the IP address is often dynamic, so how to inform the other party of one's own IP address, together with the related identity authentication, becomes a key problem.
  • Figure 1 shows a common method of implementing such applications through a third-party cloud or server.
  • Both the gateway A (GateWay) and the user terminal B can access the Internet; the related application software is developed by the cloud C, and both ends A and B of the communication register with the cloud C, after which A or B initiates communication to the cloud. The whole process relies on the cloud C to complete the security authentication of A and B and finally to construct a communication link from A to C to B, or from A to B, over which the control between B and the device 200 then takes place.
  • Various Internet-based security authentication algorithms find it difficult to guarantee security. For example, the transmission of the dynamic password itself is a difficult point, and it is easy for hackers to eavesdrop on, intercept or tamper with it. The security method shown in Fig. 2 was therefore developed.
  • The cloud or server C sends a short message verification code through the short message service (SMS) of the telecommunication network; the user B then enters this verification code when logging in to the cloud C, thereby completing the identity authentication process.
  • Because the SMS verification code must be sent in clear text, it is not absolutely safe.
  • All of the above methods must be mediated and managed by the cloud C. When faced with attacks from insiders in the cloud, they are completely ineffective.
  • The technical problem to be solved by the present invention is to provide a safe and reliable security and authentication method and system, based on multi-network convergence, that does not require the participation of a third-party cloud.
  • The technical solution adopted by the present invention to solve this problem is a security and authentication method for multi-network convergence that includes the following steps:
  • S1: a multi-network convergence module is set up and connected to both the Internet and the telecommunication network;
  • S2: the multi-network convergence module performs security information interaction with the user terminal through a channel of the telecommunication network, on the basis of the identity of the telecommunication network.
  • Step S2 includes:
  • S2-1: the multi-network convergence module generates a dynamic password (Kd), encrypts Kd with a registration password (Kr) to generate first data (D1), and transmits D1 to the user terminal through a channel of the telecommunication network;
  • S2-2: the user terminal receives D1 from the telecommunication network, identifies a CID signal, and decrypts D1 with the registration password Kr to obtain the dynamic password Kd;
  • S2-3: the user terminal encrypts the user password (Ku) with Kd to generate second data (D2), and sends D2 to the multi-network convergence module through the channel of the telecommunication network;
  • S2-4: the multi-network convergence module receives D2 from the telecommunication network, identifies a CID signal, decrypts D2 with Kd to obtain the user password Ku, and compares it with the user password Ku retained in the module; if they are the same, the module sends its IP address to the user terminal, or the user terminal and the module exchange their IP addresses;
  • S2-5: the user terminal and the multi-network convergence module communicate via the Internet, using the dynamic password Kd, at the obtained IP address.
  • Alternatively, step S2 includes:
  • S2-1: the multi-network convergence module sends a message to the user terminal;
  • S2-2: the user terminal receives the message, identifies a CID signal, and calls back the multi-network convergence module;
  • S2-3: the multi-network convergence module receives the callback, identifies a CID signal, picks up the phone, and establishes channel communication with the user terminal over the telecommunication network;
  • S2-4: the multi-network convergence module randomly generates a dynamic password (Kd), encrypts Kd with the registration password (Kr) to generate first data (D1), and transmits D1 to the user terminal through the channel of the telecommunication network;
  • S2-5: the user terminal decrypts D1 with the registration password Kr to obtain the dynamic password Kd;
  • S2-6: the user terminal encrypts the user password (Ku) with Kd to generate second data (D2), and sends D2 to the multi-network convergence module through the channel of the telecommunication network;
  • S2-7: the multi-network convergence module decrypts D2 with Kd to obtain the user password Ku and compares it with the user password Ku stored in the module; if they are the same, the module sends its IP address to the user terminal, or the user terminal and the module exchange their IP addresses;
  • S2-8: the user terminal and the multi-network convergence module communicate via the Internet, using the dynamic password Kd, at the obtained IP address.
  • Alternatively, step S2 includes:
  • S2-1: the multi-network convergence module calls the user terminal;
  • S2-2: the user terminal receives the call signal, identifies a CID signal, picks up the phone, and establishes channel communication with the multi-network convergence module over the telecommunication network;
  • S2-3: the multi-network convergence module randomly generates a dynamic password (Kd), encrypts Kd with the registration password (Kr) to generate first data (D1), and transmits D1 to the user terminal through the channel of the telecommunication network;
  • S2-4: the user terminal decrypts D1 with the registration password Kr to obtain the dynamic password Kd;
  • S2-5: the user terminal encrypts the user password (Ku) with Kd to generate second data (D2), and sends D2 to the multi-network convergence module through the channel of the telecommunication network;
  • S2-6: the multi-network convergence module decrypts D2 with Kd to obtain the user password Ku and compares it with the user password Ku stored in the module; if they are the same, the module sends its IP address to the user terminal, or the user terminal and the module exchange their IP addresses;
  • S2-7: the user terminal and the multi-network convergence module communicate via the Internet, using the dynamic password Kd, at the obtained IP address.
  • Alternatively, step S2 includes:
  • S2-1: the user terminal sends a message to the multi-network convergence module;
  • S2-2: the multi-network convergence module receives the message, identifies a CID signal, and calls back the user terminal;
  • S2-3: the user terminal receives the callback, identifies a CID signal, picks up the phone, and establishes channel communication with the multi-network convergence module over the telecommunication network;
  • S2-4: the multi-network convergence module randomly generates a dynamic password (Kd), encrypts Kd with the registration password (Kr) to generate first data (D1), and transmits D1 to the user terminal through the channel of the telecommunication network;
  • S2-5: the user terminal decrypts D1 with the registration password Kr to obtain the dynamic password Kd;
  • S2-6: the user terminal encrypts the user password (Ku) with Kd to generate second data (D2), and sends D2 to the multi-network convergence module through the channel of the telecommunication network;
  • S2-7: the multi-network convergence module decrypts D2 with Kd to obtain the user password Ku and compares it with the user password Ku stored in the module; if they are the same, the module sends its IP address to the user terminal, or the user terminal and the module exchange their IP addresses;
  • S2-8: the user terminal and the multi-network convergence module communicate via the Internet, using the dynamic password Kd, at the obtained IP address.
  • Alternatively, step S2 includes:
  • S2-1: the user terminal calls the multi-network convergence module;
  • S2-2: the multi-network convergence module receives the call, identifies a CID signal, picks up the phone, and establishes channel communication with the user terminal over the telecommunication network;
  • S2-3: the multi-network convergence module randomly generates a dynamic password (Kd), encrypts Kd with the registration password (Kr) to generate first data (D1), and transmits D1 to the user terminal through the channel of the telecommunication network;
  • S2-4: the user terminal decrypts D1 with the registration password Kr to obtain the dynamic password Kd;
  • S2-5: the user terminal encrypts the user password (Ku) with Kd to generate second data (D2), and sends D2 to the multi-network convergence module through the channel of the telecommunication network;
  • S2-6: the multi-network convergence module decrypts D2 with Kd to obtain the user password Ku and compares it with the user password Ku stored in the module; if they are the same, the module sends its IP address to the user terminal, or the user terminal and the module exchange their IP addresses;
  • S2-7: the user terminal and the multi-network convergence module communicate via the Internet, using the dynamic password Kd, at the obtained IP address.
  • Alternatively, step S2 includes:
  • S2-1: the multi-network convergence module sends a message to the user terminal;
  • S2-2: the user terminal receives the message transmitted through the telecommunication network, identifies the CID signal, and calls back the multi-network convergence module;
  • S2-3: the multi-network convergence module identifies the CID signal, goes off-hook, and establishes channel communication with the user terminal over the telecommunication network;
  • S2-4: the multi-network convergence module randomly generates a dynamic password (Kd) and sends Kd to the user terminal through the channel of the telecommunication network;
  • S2-5: the user terminal sends its IP address to the multi-network convergence module, or the module and the user terminal exchange their IP addresses;
  • S2-6: the user terminal and the multi-network convergence module communicate via the Internet, using the dynamic password Kd, at the obtained IP address.
  • The registration password (Kr) is generated when the user terminal registers with the multi-network convergence module; Kr is a key pair consisting of a first key (K1) and a second key (K2).
  • The dynamic password (Kd) and the user password (Ku) are first computed together to obtain an intermediate code (Kdu); the second key (K2) is then used to encrypt the intermediate code Kdu to generate the second data (D2).
  • The present invention also provides a multi-network convergence security and authentication system comprising a multi-network convergence module that connects simultaneously to the Internet and a telecommunication network, and a user terminal; the multi-network convergence module performs security information exchange with the user terminal through a channel of the telecommunication network, on the basis of the identity authentication of the telecommunication network.
  • The multi-network convergence module includes an algorithm module and a control logic module; the algorithm module communicates with the outside world through a channel of the telecommunication network and directs the actions of the control logic module; the control logic module logically connects the controlled object to the Internet or to the telecommunication network.
  • The multi-network convergence module is disposed in a personal computer, a tablet computer and/or a home gateway; the user terminal is a smart phone, a tablet computer and/or a personal computer.
  • The invention carries out security information interaction with the user terminal through the channel of the telecommunication network and the identity authentication of the telecommunication network.
  • The whole process does not require the participation of a third-party cloud, avoids the defects of the prior art, and has the advantages of being safe, reliable and difficult for an attacker to compromise.
  • FIG. 1 is a schematic diagram of a prior art communication implemented by a third-party cloud or server.
  • FIG. 2 is a schematic diagram of a prior art technology for implementing communication through a short message service.
  • FIG. 3 is a schematic diagram of an embodiment of a multi-network convergence security and authentication system of the present invention.
  • FIG. 4 is a schematic diagram of a first embodiment of a method for security and authentication of multi-network convergence according to the present invention.
  • FIG. 5 is a schematic diagram of a second embodiment of a method for security and authentication of multi-network convergence according to the present invention.
  • FIG. 6 is a schematic diagram of a third embodiment of a method for security and authentication of multi-network convergence according to the present invention.
  • FIG. 7 is a schematic diagram of a fourth embodiment of a method for security and authentication of multi-network convergence according to the present invention.
  • FIG. 8 is a schematic diagram of a fifth embodiment of a method for security and authentication of multi-network convergence according to the present invention.
  • FIG. 9 is a schematic diagram of a sixth embodiment of a method for security and authentication of multi-network convergence according to the present invention.
  • FIG. 10 is a schematic diagram of a seventh embodiment of a method for security and authentication of multi-network convergence according to the present invention.
  • FIG. 11 is a schematic diagram of an eighth embodiment of a method for security and authentication of multi-network convergence according to the present invention.
  • FIG. 12 is a schematic diagram of a ninth embodiment of a method for security and authentication of multi-network convergence according to the present invention.
  • FIG. 13 is a schematic diagram of a tenth embodiment of a method for security and authentication of multi-network convergence according to the present invention.
  • FIG. 14 is a schematic diagram of an embodiment of an encryption method of a multi-network convergence security and authentication method of the present invention.
  • FIG. 3 shows an embodiment of the multi-network convergence security and authentication system of the present invention, including a multi-network convergence module 100 that connects simultaneously to the Internet and a telecommunication network, and a user terminal UU.
  • The multi-network convergence module 100 performs security information interaction with the user terminal UU through a channel of the telecommunication network, on the basis of the identity of the telecommunication network: for example, identification by the telecommunication calling number, or identity authentication based on a certificate issued by the telecommunication operator, such as a SIM card, eSIM or U-key.
  • The multi-network convergence module 100 includes an algorithm module 110 and a control logic module 120.
  • The algorithm module 110 communicates with the outside world through the channel of the telecommunication network and directs the actions of the control logic module 120.
  • The control logic module 120 is configured to logically connect the controlled object, such as the device to be controlled or the information 200, to the Internet or to the telecommunication network, so that these devices or information can be controlled or interacted with via the Internet or the telecommunication network.
  • The multi-network convergence module 100 can be disposed in a personal computer, a tablet computer and/or a home gateway; the user terminal UU can be a smart phone, a tablet computer and/or a personal computer.
  • The multi-network convergence security and authentication method of the present invention can be used in the above system.
  • S1: a multi-network convergence module is set up and connected simultaneously to the Internet and the telecommunication network; S2: the multi-network convergence module performs security information exchange with the user terminal through a channel of the telecommunication network, on the basis of the identity authentication of the telecommunication network.
  • The security information may be an encrypted password, an Internet IP address, or the like.
  • The multi-network convergence module 100 is installed and connected simultaneously to the Internet and the telecommunication network.
  • The multi-network convergence module can be placed in any Internet device, such as, but not limited to, a PC, a tablet or a home gateway.
  • The user terminal UU can be a smartphone, a tablet, a PC, or the like.
  • The channel of the telecommunication network can be a wired or wireless channel.
  • When the multi-network convergence module needs to contact the user terminal, it generates a dynamic password Kd, encrypts Kd with the registration password Kr to generate the first data D1, and sends D1 to the user terminal through the channel of the telecommunication network;
  • the user terminal receives D1 from the telecommunication network, identifies the CID signal, and decrypts D1 with the registration password Kr to obtain the dynamic password Kd;
  • the user terminal encrypts the user password Ku with Kd to generate the second data D2, and sends D2 to the multi-network convergence module through the channel of the telecommunication network;
  • the multi-network convergence module receives D2 from the telecommunication network, identifies the CID signal, decrypts D2 with Kd to obtain the user password Ku, and compares it with the user password Ku it retains; if they are the same, it sends its IP address to the user terminal, or the user terminal and the module exchange their IP addresses;
  • the user terminal and the multi-network convergence module then communicate via the Internet (IP routing and information interaction) using the dynamic password Kd at the obtained IP address.
  • When D1 and D2 are transmitted through the telecommunication network, the switch of the telecommunication network generates the CID signal; the CID signal is obtained by enabling the caller ID service at both the user terminal and the multi-network convergence module.
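The D1/D2 exchange of the first embodiment above, modelled end to end as an added example (this is not code from the patent). The patent names no cipher, so "encrypt with Kr" and "encrypt with Kd" are implemented here with an assumed HMAC-SHA256 keystream plus an HMAC tag (encrypt-then-MAC), and the caller ID is modelled as a calling-number string attached to each message; the class and method names are likewise assumptions. The authenticated tag means a tampered D1 or D2, a wrong Kr, a wrong Ku or a mismatched CID all fail closed, and the Ku comparison is constant-time.

```python
import hashlib
import hmac
import secrets

NONCE_LEN = 16
TAG_LEN = 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Assumed stand-in for the patent's unspecified cipher: HMAC-SHA256 in counter mode.
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || tag so the receiver can detect tampering."""
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes):
    """Return the plaintext, or None if the blob is too short or its tag does not verify."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        return None
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


class ConvergenceModule:
    """Gateway side: holds Kr, the retained Ku, its IP address and the terminal's calling number."""

    def __init__(self, kr: bytes, ku: bytes, ip: str, terminal_number: str):
        self.kr, self.ku, self.ip, self.terminal_number = kr, ku, ip, terminal_number
        self.pending_kd = None   # Kd issued in S2-1, awaiting D2
        self.session_kd = None   # Kd in force for Internet traffic after a successful S2-4

    def s2_1_send_d1(self) -> bytes:
        self.pending_kd = secrets.token_bytes(32)      # fresh random Kd per contact
        return encrypt(self.kr, self.pending_kd)        # D1 = Enc_Kr(Kd)

    def s2_4_check_d2(self, cid: str, d2: bytes):
        """Identify the CID, decrypt D2 with Kd, compare Ku; return the IP only on success."""
        kd, self.pending_kd = self.pending_kd, None     # a Kd may be answered only once
        if kd is None or cid != self.terminal_number:
            return None
        ku = decrypt(kd, d2)
        if ku is None or not hmac.compare_digest(ku, self.ku):
            return None
        self.session_kd = kd
        return self.ip


class UserTerminal:
    """Terminal side: holds Kr, Ku and the gateway's calling number."""

    def __init__(self, kr: bytes, ku: bytes, module_number: str):
        self.kr, self.ku, self.module_number = kr, ku, module_number
        self.session_kd = None

    def s2_2_s2_3_answer_d1(self, cid: str, d1: bytes):
        """Identify the CID, decrypt D1 with Kr, and answer with D2 = Enc_Kd(Ku)."""
        if cid != self.module_number:
            return None
        kd = decrypt(self.kr, d1)
        if kd is None:
            return None
        self.session_kd = kd
        return encrypt(kd, self.ku)


def run_exchange(module: ConvergenceModule, terminal: UserTerminal,
                 module_number: str, terminal_number: str):
    """Drive S2-1 to S2-4; the numbers are the CIDs the telecom switch attaches."""
    d1 = module.s2_1_send_d1()
    d2 = terminal.s2_2_s2_3_answer_d1(module_number, d1)
    if d2 is None:
        return None
    ip = module.s2_4_check_d2(terminal_number, d2)
    if ip is None or module.session_kd != terminal.session_kd:
        return None
    return ip                                            # both ends now share Kd for S2-5


def sample_run() -> dict:
    """Constructed sample values: a correct terminal and one presenting the wrong Ku."""
    kr = secrets.token_bytes(32)                         # constructed registration password
    good = UserTerminal(kr, b"user-password", "+1-555-0100")
    bad = UserTerminal(kr, b"guessed-password", "+1-555-0100")
    module = ConvergenceModule(kr, b"user-password", "203.0.113.7", "+1-555-0199")
    return {"good": run_exchange(module, good, "+1-555-0100", "+1-555-0199"),
            "bad": run_exchange(module, bad, "+1-555-0100", "+1-555-0199")}


if __name__ == "__main__":
    print(sample_run())
```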
  • The multi-network convergence module 100 is provided and connected simultaneously to the Internet and the telecommunication network.
  • The multi-network convergence module can be placed in any Internet device, such as, but not limited to, a PC, a tablet or a home gateway.
  • The user terminal can be a smartphone, a tablet, a PC, or the like.
  • The channel of the telecommunication network can be a wired or wireless channel.
  • When the multi-network convergence module needs to contact the user terminal, it sends a message to the user terminal;
  • the user terminal receives the message transmitted through the telecommunication network, identifies the CID signal, and calls back the multi-network convergence module;
  • the multi-network convergence module identifies the CID signal of the callback transmitted by the telecommunication network, picks up the phone, and establishes channel communication with the user terminal over the telecommunication network;
  • the multi-network convergence module randomly generates the dynamic password Kd, encrypts Kd with the registration password Kr to generate the first data D1, and sends D1 to the user terminal through the channel of the telecommunication network;
  • the user terminal decrypts D1 with the registration password Kr to obtain the dynamic password Kd;
  • the user terminal encrypts the user password Ku with Kd to generate the second data D2, and sends D2 to the multi-network convergence module through the channel of the telecommunication network;
  • the multi-network convergence module decrypts D2 with Kd to obtain the user password Ku and compares it with the user password Ku it stores; if they are the same, it sends its IP address to the user terminal, or the user terminal and the module exchange their IP addresses;
  • the user terminal and the multi-network convergence module then communicate via the Internet (IP routing and information interaction) using the dynamic password Kd at the obtained IP address.
  • When the message and the callback are transmitted through the telecommunication network, the switch of the telecommunication network generates the CID signal; the CID signal is obtained by enabling the caller ID service at both the user terminal and the multi-network convergence module.
  • FIG. 6 shows a third embodiment of the multi-network convergence security and authentication method of the present invention.
  • The multi-network convergence module 100 is provided and connected simultaneously to the Internet and the telecommunication network.
  • The multi-network convergence module can be placed in any Internet device, such as, but not limited to, a PC, a tablet or a home gateway.
  • The user terminal can be a smartphone, a tablet, a PC, or the like.
  • The channel of the telecommunication network can be a wired or wireless channel.
  • The multi-network convergence module calls the user terminal;
  • the user terminal receives the call signal, identifies the CID signal, picks up the phone, and establishes channel communication with the multi-network convergence module over the telecommunication network;
  • the multi-network convergence module randomly generates the dynamic password Kd, encrypts Kd with the registration password Kr to generate the first data D1, and sends D1 to the user terminal through the channel of the telecommunication network;
  • the user terminal decrypts D1 with the registration password Kr to obtain the dynamic password Kd;
  • the user terminal encrypts the user password Ku with Kd to generate the second data D2, and sends D2 to the multi-network convergence module through the channel of the telecommunication network;
  • the multi-network convergence module decrypts D2 with Kd to obtain the user password Ku and compares it with the user password Ku it stores; if they are the same, it sends its IP address to the user terminal, or the user terminal and the module exchange their IP addresses;
  • the user terminal and the multi-network convergence module then communicate via the Internet (IP routing and information interaction) using the dynamic password Kd at the obtained IP address.
  • When the call signal is transmitted through the telecommunication network, the switch of the telecommunication network generates the CID signal; the CID signal is obtained by enabling the caller ID service at both the user terminal and the multi-network convergence module.
  • The multi-network convergence module 100 is provided and connected simultaneously to the Internet and the telecommunication network.
  • The multi-network convergence module can be placed in any Internet device, such as, but not limited to, a PC, a tablet or a home gateway.
  • The user terminal can be a smartphone, a tablet, a PC, or the like.
  • The channel of the telecommunication network can be a wired or wireless channel.
  • When the user needs to contact the multi-network convergence module, the user terminal sends a message to the multi-network convergence module;
  • the multi-network convergence module receives the message transmitted through the telecommunication network, identifies the CID signal, and calls back the user terminal;
  • the user terminal receives the callback transmitted through the telecommunication network, identifies the CID signal, picks up the phone, and establishes channel communication with the multi-network convergence module over the telecommunication network;
  • the multi-network convergence module randomly generates the dynamic password Kd, encrypts Kd with the registration password Kr to generate the first data D1, and sends D1 to the user terminal through the channel of the telecommunication network;
  • the user terminal decrypts D1 with the registration password Kr to obtain the dynamic password Kd;
  • the user terminal encrypts the user password Ku with Kd to generate the second data D2, and sends D2 to the multi-network convergence module through the channel of the telecommunication network;
  • the multi-network convergence module decrypts D2 with Kd to obtain the user password Ku and compares it with the user password Ku it stores; if they are the same, it sends its IP address to the user terminal, or the user terminal and the module exchange their IP addresses;
  • the user terminal and the multi-network convergence module then communicate via the Internet (IP routing and information interaction) using the dynamic password Kd at the obtained IP address.
  • When the message and the callback are transmitted through the telecommunication network, the switch of the telecommunication network generates the CID signal; the CID signal is obtained by enabling the caller ID service at both the user terminal and the multi-network convergence module.
  • The multi-network convergence module 100 is provided and connected simultaneously to the Internet and the telecommunication network.
  • The multi-network convergence module can be placed in any Internet device, such as, but not limited to, a PC, a tablet or a home gateway.
  • The user terminal can be a smartphone, a tablet, a PC, or the like.
  • The channel of the telecommunication network can be a wired or wireless channel.
  • The user terminal calls the multi-network convergence module;
  • the multi-network convergence module receives the call transmitted through the telecommunication network, identifies the CID signal, picks up the phone, and establishes channel communication with the user terminal over the telecommunication network;
  • the multi-network convergence module randomly generates the dynamic password Kd, encrypts Kd with the registration password Kr to generate the first data D1, and sends D1 to the user terminal through the channel of the telecommunication network;
  • the user terminal decrypts D1 with the registration password Kr to obtain the dynamic password Kd;
  • the user terminal encrypts the user password Ku with Kd to generate the second data D2, and sends D2 to the multi-network convergence module through the channel of the telecommunication network;
  • the multi-network convergence module decrypts D2 with Kd to obtain the user password Ku and compares it with the user password Ku it stores; if they are the same, it sends its IP address to the user terminal, or the user terminal and the module exchange their IP addresses;
  • the user terminal and the multi-network convergence module then communicate via the Internet (IP routing and information interaction) using the dynamic password Kd at the obtained IP address.
  • FIG. 9 shows a sixth embodiment of the multi-network convergence security and authentication method of the present invention.
  • the multi-network convergence module 100 is provided, and the Internet and the telecommunication network are simultaneously connected.
  • the multi-network convergence module is disposed in a home gateway and connected to the telecommunication network through the PSTN.
  • the client is a smartphone using a 4G network.
  • when the smartphone UU registers with the multi-network convergence module 100 of the home gateway, the key pair K1 and K2 is generated and the user sets his own user password Ku; Ku is stored in the home gateway, and K1 and K2 are stored in the machines at both ends.
  • when the home gateway detects a situation that requires contacting the user, the multi-network convergence module 100 sends information to the mobile phone UU through the PSTN;
  • the mobile phone UU receives the information transmitted through the telecommunication network, recognizes the CID signal and confirms that it is the information sent by the home gateway, and then calls back to the multi-network convergence module 100 through the 4G and PSTN networks;
  • after the multi-network convergence module 100 recognizes the CID signal and confirms that the incoming call is from the user's mobile phone UU, it picks up and establishes telecommunication-network channel communication with the user end;
  • the multi-network convergence module randomly generates a dynamic password Kd, encrypts Kd with the first key K1 of the key pair to generate D1, and sends D1 to the mobile phone UU;
  • after receiving D1, the UU decrypts it with K1 to obtain Kd;
  • the UU performs an operation on Kd and the user password Ku to generate the intermediate code Kdu, then encrypts Kdu with K2 to generate D2, and sends D2 to the multi-network convergence module 100;
  • the multi-network convergence module 100 decrypts D2 with K2 to obtain Kdu, performs the operation on Kdu with Kd to recover Ku, and compares this Ku with the password Ku stored in its memory. If they are the same, the security authentication is passed and the two parties can exchange IP addresses;
  • when the UU obtains the IP address of the home gateway, it can initiate an Internet connection to that address. Once the connection is established, both parties can communicate, and all communication is encrypted with the dynamic password Kd. Each new connection generates a different dynamic password, so security is maintained.
  • FIG. 10 shows a seventh embodiment of the multi-network convergence security and authentication method of the present invention.
  • the multi-network convergence module 100 is provided, and the Internet and the telecommunication network are connected at the same time.
  • the multi-network convergence module 100 is placed in a tablet computer, which is connected to the Internet through WiFi and at the same time to the wireless telecommunication network through 4G; the user terminal UU is a 4G tablet computer.
  • when the user terminal UU registers with the multi-network convergence module 100, the registration password Kr is generated and the user sets its own user password Ku; Ku is stored in the tablet where the multi-network convergence module 100 is located, and Kr is stored in the machines at both ends.
  • when the multi-network convergence module 100 detects a situation that requires contacting the user, it sends information to the UU through 4G;
  • the UU receives the information transmitted through the 4G network, identifies the CID signal, confirms that the information was sent by the multi-network convergence module 100, and then calls back the multi-network convergence module 100 through the 4G network;
  • the multi-network convergence module 100 receives the callback transmitted through the 4G network, identifies the CID signal, confirms that it is an incoming call from the user terminal UU, picks up, and establishes telecommunication-network channel communication with the user end.
  • the user terminal UU randomly generates a dynamic password Kd, encrypts Kd with Kr to generate D1, and sends D1 to the multi-network convergence module 100;
  • after receiving D1, the multi-network convergence module 100 decrypts it with Kr to obtain Kd;
  • the user inputs his own user password Ku; the UU encrypts Ku with Kd to generate D2, and then sends D2 to the multi-network convergence module 100.
  • after receiving D2, the multi-network convergence module 100 decrypts it with Kd to obtain Ku, and compares this Ku with the password Ku set by the user and stored in its memory. If they are the same, the security authentication is passed and the two parties can exchange IP addresses;
  • the Internet connection can be initiated according to the address. Once the connection is established, the two parties can communicate, and all communication will be encrypted by the dynamic password Kd.
  • FIG. 11 shows an eighth embodiment of the multi-network convergence security and authentication method of the present invention, wherein the multi-network convergence module 100 is placed in a PC, and the PC is connected to the Internet through optical fiber and at the same time to the telecommunication network through the PSTN;
  • the client UU is also a PC and is connected to the respective networks via optical fibers and PSTNs.
  • at registration the registration password Kr is generated and the user sets its own user password Ku; Ku is stored in the PC where the multi-network convergence module 100 is located, and Kr is stored in the machines at both ends.
  • when the user terminal UU needs to contact the PC where the multi-network convergence module 100 is located, it calls the multi-network convergence module 100 through the PSTN;
  • the multi-network convergence module 100 receives the call transmitted through the PSTN network, recognizes the CID signal, and confirms that it is an incoming call of the user terminal UU, and picks up the phone.
  • the multi-network convergence module 100 generates a password Kd, encrypts Kd with Kr, generates D1, and sends D1 to the UU;
  • after receiving D1, the UU decrypts it with Kr to obtain Kd;
  • the user inputs his own user password Ku; the UU encrypts Ku with Kd to generate D2, and then transmits D2 to the multi-network convergence module 100.
  • after receiving D2, the multi-network convergence module 100 decrypts it with Kd to obtain Ku, and compares this Ku with the password Ku set by the user and stored in its memory. If they are the same, the security authentication is passed and the two parties can exchange IP addresses;
  • the Internet connection can be initiated according to the address. Once the connection is established, the two parties can communicate, and all communications will be encrypted by the password Kd.
  • FIG. 12 shows a ninth embodiment of the multi-network convergence security and authentication method of the present invention, wherein the multi-network convergence module 100 is placed in a PC that is connected to both the Internet and the PSTN network; the user terminal UU is a smartphone using a 4G network.
  • the PC is connected to the Internet through a NAT (Network Address Translation) device.
  • IP1 is an intranet address; IP3:xx is the required public network address and port number.
  • the first solution is that in the seventh step the UU sends its public network address IP2 to the multi-network convergence module 100, and the multi-network convergence module 100 initiates the first data packet connection to IP2; the IP3:xx automatically configured by the NAT is then advertised to the UU, and the UU initiates communication to the multi-network convergence module 100 at that address.
  • the second solution is to develop a new protocol for the NAT that allows the device in which the multi-network convergence module 100 is located to apply to the NAT in advance for a public network address and port number.
  • the NAT reserves IP3:xx for the multi-network convergence module 100, and the multi-network convergence module 100 can then send IP3:xx to the UU in the seventh step.
  • FIG. 13 shows a tenth embodiment of the multi-network convergence security and authentication method of the present invention, wherein the multi-network convergence module 100 is provided and connected simultaneously to the Internet and the telecommunication network.
  • the multi-network convergence module can be placed in any Internet device, such as, but not limited to, the following devices: PC, tablet, home gateway, and the like.
  • the client can be a smartphone, a tablet, a PC, or the like.
  • the channel of the telecommunications network can be a wired or wireless channel.
  • when the multi-network convergence module needs to contact the user end, it sends information to the user end;
  • the UE receives the information transmitted through the telecommunication network, identifies the CID signal, and calls back the multi-network convergence module;
  • the multi-network convergence module receives the callback transmitted through the telecommunication network, identifies the CID signal, picks up, and establishes telecommunication-network channel communication with the user end;
  • the multi-network convergence module randomly generates a dynamic password Kd, and sends the dynamic password Kd to the user end through the channel of the telecommunication network;
  • the client sends its IP address to the multi-network convergence module; or, the multi-network convergence module exchanges its IP address with the client; the client and the multi-network convergence module communicate with the dynamic password Kd via the Internet according to the obtained IP address.
  • when information is transmitted and a callback is made through the telecommunication network, the switch of the telecommunication network generates a CID signal; the CID signal is obtained by enabling the caller ID service at both the user end and the multi-network convergence module.
  • FIG. 14 shows an embodiment of a key-pair encryption method that can be used in all the foregoing embodiments: a key pair is generated when the user end registers with the multi-network convergence module, and the key pair comprises a first key K1 and a second key K2;
  • the first key K1 is used to encrypt the dynamic password Kd to generate the first data D1;
  • the user end decrypts the first data D1 with the first key K1 to obtain the dynamic password Kd;
  • in the step in which the user end generates the second data D2 by encrypting the user password Ku with the dynamic password Kd, the user end first performs an operation on the dynamic password Kd and the user password Ku to obtain the intermediate code Kdu, and then encrypts Kdu with the second key K2 to generate the second data D2;
  • in the step in which the multi-network convergence module decrypts the second data D2 with the dynamic password Kd to obtain the user password Ku, the multi-network convergence module first decrypts the second data D2 with the second key K2 to obtain Kdu, and then performs the operation on Kdu with the dynamic password Kd to obtain the user password Ku.
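The exchange of the embodiments above, in both the Kr form (steps S2-4 to S2-7) and the FIG. 14 key-pair form, as an added Python simulation that is not part of the patent; the cipher and the Kd/Ku "operation" are stdlib stand-ins because the page specifies neither, and every key, password and address value is constructed.

```python
"""Simulation of the telecom-channel authentication described above: a fresh
dynamic password Kd goes out as D1 under the registration secret, the user
password Ku comes back as D2, and Kd then protects the Internet traffic.
Added example, not the patent's code.  Assumption: the page names no cipher,
so HMAC-SHA256 keystream + HMAC-SHA256 tag (encrypt-then-MAC) stands in."""
import hashlib
import hmac
import secrets
from typing import Optional, Tuple


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    # HMAC-SHA256 in counter mode: block i = HMAC(key, nonce || i).
    out = b""
    for i in range(0, n, 32):
        out += hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:n]


def _subkeys(key: bytes) -> Tuple[bytes, bytes]:
    # Separate encryption and MAC keys derived from one shared secret.
    return (hashlib.sha256(b"enc|" + key).digest(),
            hashlib.sha256(b"mac|" + key).digest())


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || tag (stand-in for 'encrypt with Kr/Kd')."""
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ s for p, s in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> Optional[bytes]:
    """Check the tag before decrypting; None means wrong key or tampering."""
    if len(blob) < 48:
        return None
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(mac_key, nonce + ct, hashlib.sha256).digest(), tag):
        return None
    return bytes(c ^ s for c, s in zip(ct, _keystream(enc_key, nonce, len(ct))))


def mix(kd: bytes, ku: bytes) -> bytes:
    """The unspecified FIG. 14 'operation' turning Kd and Ku into Kdu and back.
    Assumption: XOR with a keystream derived from Kd, which is its own inverse."""
    return bytes(a ^ b for a, b in zip(ku, _keystream(kd, b"Kdu", len(ku))))


class ConvergenceModule:
    """Multi-network convergence module (e.g. in the home gateway): holds Ku,
    the registration secret and its IP address; issues D1 and checks D2."""

    def __init__(self, ku: bytes, ip: str, kr: Optional[bytes] = None,
                 keypair: Optional[Tuple[bytes, bytes]] = None):
        self.ku_stored, self.ip, self.kr, self.keypair = ku, ip, kr, keypair
        self.kd: Optional[bytes] = None

    def start_session(self) -> bytes:
        # Fresh Kd per telecom call; D1 = Enc(Kr, Kd), or Enc(K1, Kd) in key-pair mode.
        self.kd = secrets.token_bytes(32)
        return encrypt(self.keypair[0] if self.keypair else self.kr, self.kd)

    def verify(self, d2: bytes) -> Optional[str]:
        # Recover Ku from D2 and compare with the stored Ku; IP address only on success.
        if self.kd is None:
            return None
        if self.keypair:
            kdu = decrypt(self.keypair[1], d2)           # D2 = Enc(K2, Kdu)
            ku = None if kdu is None else mix(self.kd, kdu)
        else:
            ku = decrypt(self.kd, d2)                    # D2 = Enc(Kd, Ku)
        if ku is None or not hmac.compare_digest(ku, self.ku_stored):
            return None
        return self.ip


class UserEnd:
    """User end (phone, tablet, PC): recovers Kd from D1 and answers with D2."""

    def __init__(self, ku: bytes, kr: Optional[bytes] = None,
                 keypair: Optional[Tuple[bytes, bytes]] = None):
        self.ku, self.kr, self.keypair = ku, kr, keypair
        self.kd: Optional[bytes] = None

    def answer(self, d1: bytes) -> Optional[bytes]:
        self.kd = decrypt(self.keypair[0] if self.keypair else self.kr, d1)
        if self.kd is None:
            return None                                  # D1 not from the registered peer
        if self.keypair:
            return encrypt(self.keypair[1], mix(self.kd, self.ku))
        return encrypt(self.kd, self.ku)


def run_exchange(module: ConvergenceModule, user: UserEnd) -> Optional[str]:
    """Steps S2-4..S2-7 over the established telecom channel; returns the module's
    IP address on success, after which both ends hold the same Kd."""
    d1 = module.start_session()
    d2 = user.answer(d1)
    return None if d2 is None else module.verify(d2)


# Constructed sample values, not from the page.
SAMPLE_KR, SAMPLE_KU, SAMPLE_IP = b"registration-code-Kr", b"user-password-Ku", "192.0.2.10"

if __name__ == "__main__":
    m, u = ConvergenceModule(SAMPLE_KU, SAMPLE_IP, kr=SAMPLE_KR), UserEnd(SAMPLE_KU, kr=SAMPLE_KR)
    print("authenticated, IP:", run_exchange(m, u))
    print("Internet message:", decrypt(u.kd, encrypt(m.kd, b"open the door")))
```

A replayed D2 fails against the next session because the module compares against a new Kd, which is the property the text relies on when it says a different dynamic password is generated for each connection.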

Abstract

The present invention relates to a multi-network integration security and authentication method, comprising the following steps: S1. providing a multi-network integration module connected simultaneously to the Internet and a telecommunication network; and S2. the multi-network integration module carrying out secure information exchange with a user terminal by means of a channel of the telecommunication network, based on the identity authentication of the telecommunication network. In the present invention, secure information exchange with a user terminal is carried out by means of a channel of a telecommunication network, based on the identity authentication of the telecommunication network, and the whole process does not require the participation of a third-party cloud. The present invention avoids the defects of the existing technology and has the advantages of being secure, reliable and difficult to attack.

Description

Multi-network convergence security and authentication method and system

Technical field

The present invention relates to the field of network and telephone communication, and in particular to a multi-network convergence security and authentication method and system.

Background

With the development of technology, remote control of various devices and remote storage of various information over the Internet are becoming more and more popular, for example smart-home control and Internet of Things applications, but security has always been a problem. People have applied various modern technologies such as VPNs, complex encryption algorithms and large cloud services, which not only add complexity but also increase the user's cost, and because of the openness of the Internet the security problem has never been fully solved. How to build a control method for ordinary users that is both secure and inexpensive is therefore a problem we have to face.

In particular, any secure transfer of information requires encryption, preferably dynamic encryption, but delivering the dynamic password itself is a difficulty; in addition, a device connected to the Internet must rely on IP-address routing to communicate, and the IP address is often dynamic, so how to inform the other party of one's own IP address, together with the associated identity authentication, becomes a key point.

Figure 1 shows the common method, in which the relevant functions are implemented through a third-party cloud or server. For example, the related device 200 accesses the Internet via gateway A, and the user terminal B also accesses the Internet; the cloud C develops the related application software, both ends A and B of the communication register with the cloud C, and then A or B logs in to the cloud to initiate communication; throughout the process the cloud C performs the security authentication of A and B, and finally a communication link A to C to B, or A to B, is built, and then B controls 200. Because of the nature of the Internet, current Internet-based security authentication algorithms find it hard to guarantee security; for example, delivery of the dynamic password itself is a difficulty, and it is easily eavesdropped on, intercepted or tampered with by hackers. Therefore, the security method shown in Figure 2 was developed.

As shown in Figure 2, the cloud or server C sends an SMS verification code through the short message service (SMS) of the telecommunication network, and the user end B enters that verification code when logging in to the cloud C, completing the identity authentication process. However, the SMS verification code is necessarily sent in the clear, so it is not absolutely secure. Moreover, all the above methods go through the mediation and management of the cloud C, and are completely ineffective against an attack by an insider of the cloud.

Technical problem

The technical problem to be solved by the present invention is to provide a secure and reliable multi-network convergence based security and authentication method and system that does not require the participation of a third-party cloud.

Technical solution

The technical solution adopted by the present invention to solve its technical problem is to construct a multi-network convergence security and authentication method comprising the following steps:

S1: providing a multi-network convergence module connected simultaneously to the Internet and a telecommunication network;

S2: the multi-network convergence module performs secure information exchange with the user end through a channel of the telecommunication network, based on the telecommunication network's identity authentication.

Preferably, step S2 comprises:

S2-1: the multi-network convergence module generates a dynamic password (Kd), encrypts the dynamic password (Kd) with a registration password (Kr) to generate first data (D1), and sends the first data (D1) to the user end through the channel of the telecommunication network;

S2-2: the user end receives the first data (D1) transmitted from the telecommunication network, identifies the CID signal, and decrypts the first data (D1) with the registration password (Kr) to obtain the dynamic password (Kd);

S2-3: the user end encrypts the user password (Ku) with the dynamic password (Kd) to generate second data (D2), and sends the second data (D2) to the multi-network convergence module through the channel of the telecommunication network;

S2-4: the multi-network convergence module receives the second data (D2) transmitted from the telecommunication network, identifies the CID signal, decrypts the second data (D2) with the dynamic password (Kd) to obtain the user password (Ku), and compares it with the user password (Ku) retained in the multi-network convergence module; if they are the same, the IP address of the multi-network convergence module is sent to the user end; or, the user end and the multi-network convergence module exchange their IP addresses;

S2-5: the user end and the multi-network convergence module communicate over the Internet according to the obtained IP address, using the dynamic password (Kd).

Preferably, step S2 comprises:

S2-1: the multi-network convergence module sends information to the user end;

S2-2: the user end receives the information, identifies the CID signal, and calls back the multi-network convergence module;

S2-3: the multi-network convergence module receives the callback, identifies the CID signal, goes off-hook, and establishes telecommunication-network channel communication with the user end;

S2-4: the multi-network convergence module randomly generates a dynamic password (Kd), encrypts the dynamic password (Kd) with a registration password (Kr) to generate first data (D1), and then sends the first data (D1) to the user end through the channel of the telecommunication network;

S2-5: the user end decrypts the first data (D1) with the registration password (Kr) to obtain the dynamic password (Kd);

S2-6: the user end encrypts the user password (Ku) with the dynamic password (Kd) to generate second data (D2), and sends the second data (D2) to the multi-network convergence module through the channel of the telecommunication network;

S2-7: the multi-network convergence module decrypts the second data (D2) with the dynamic password (Kd) to obtain the user password (Ku), and compares it with the user password (Ku) stored in the multi-network convergence module; if they are the same, it sends its IP address to the user end; or, the user end and the multi-network convergence module exchange their IP addresses;

S2-8: the user end and the multi-network convergence module communicate over the Internet according to the obtained IP address, using the dynamic password (Kd).

Preferably, step S2 comprises:

S2-1: the multi-network convergence module calls the user end;

S2-2: the user end receives the call signal, identifies the CID signal, goes off-hook, and establishes telecommunication-network channel communication with the multi-network convergence module;

S2-3: the multi-network convergence module randomly generates a dynamic password (Kd), encrypts the dynamic password (Kd) with a registration password (Kr) to generate first data (D1), and then sends the first data (D1) to the user end through the channel of the telecommunication network;

S2-4: the user end decrypts the first data (D1) with the registration password (Kr) to obtain the dynamic password (Kd);

S2-5: the user end encrypts the user password (Ku) with the dynamic password (Kd) to generate second data (D2), and sends the second data (D2) to the multi-network convergence module through the channel of the telecommunication network;

S2-6: the multi-network convergence module decrypts the second data (D2) with the dynamic password (Kd) to obtain the user password (Ku), and compares it with the user password (Ku) stored in the multi-network convergence module; if they are the same, it sends its IP address to the user end; or, the user end and the multi-network convergence module exchange their IP addresses;

S2-7: the user end and the multi-network convergence module communicate over the Internet according to the obtained IP address, using the dynamic password (Kd).

Preferably, step S2 comprises:

S2-1: the user end sends information to the multi-network convergence module;

S2-2: the multi-network convergence module receives the information, identifies the CID signal, and calls back the user end;

S2-3: the user end receives the callback, identifies the CID signal, goes off-hook, and establishes telecommunication-network channel communication with the multi-network convergence module;

S2-4: the multi-network convergence module randomly generates a dynamic password (Kd), encrypts the dynamic password (Kd) with a registration password (Kr) to generate first data (D1), and then sends the first data (D1) to the user end through the channel of the telecommunication network;

S2-5: the user end decrypts the first data (D1) with the registration password (Kr) to obtain the dynamic password (Kd);

S2-6: the user end encrypts the user password (Ku) with the dynamic password (Kd) to generate second data (D2), and sends the second data (D2) to the multi-network convergence module through the channel of the telecommunication network;

S2-7: the multi-network convergence module decrypts the second data (D2) with the dynamic password (Kd) to obtain the user password (Ku), and compares it with the user password (Ku) stored in the multi-network convergence module; if they are the same, it sends its IP address to the user end; or, the user end and the multi-network convergence module exchange their IP addresses;

S2-8: the user end and the multi-network convergence module communicate over the Internet according to the obtained IP address, using the dynamic password (Kd).

Preferably, step S2 comprises:

S2-1: the user end calls the multi-network convergence module;

S2-2: the multi-network convergence module receives the call, identifies the CID signal, goes off-hook, and establishes telecommunication-network channel communication with the user end;

S2-3: the multi-network convergence module randomly generates a dynamic password (Kd), encrypts the dynamic password (Kd) with a registration password (Kr) to generate first data (D1), and then sends the first data (D1) to the user end through the channel of the telecommunication network;

S2-4: the user end decrypts the first data (D1) with the registration password (Kr) to obtain the dynamic password (Kd);

S2-5: the user end encrypts the user password (Ku) with the dynamic password (Kd) to generate second data (D2), and sends the second data (D2) to the multi-network convergence module through the channel of the telecommunication network;

S2-6: the multi-network convergence module decrypts the second data (D2) with the dynamic password (Kd) to obtain the user password (Ku), and compares it with the user password (Ku) stored in the multi-network convergence module; if they are the same, it sends its IP address to the user end; or, the user end and the multi-network convergence module exchange their IP addresses;

S2-7: the user end and the multi-network convergence module communicate over the Internet according to the obtained IP address, using the dynamic password (Kd).

Preferably, step S2 comprises:

S2-1: the multi-network convergence module sends information to the user end;

S2-2: the user end receives the information transmitted through the telecommunication network, identifies the CID signal, and calls back the multi-network convergence module;

S2-3: the multi-network convergence module identifies the CID signal, goes off-hook, and establishes telecommunication-network channel communication with the user end;

S2-4: the multi-network convergence module randomly generates a dynamic password (Kd), and then sends the dynamic password (Kd) to the user end through the channel of the telecommunication network;

S2-5: the user end sends its IP address to the multi-network convergence module; or, the multi-network convergence module and the user end exchange their IP addresses;

S2-6: the user end and the multi-network convergence module communicate over the Internet according to the obtained IP address, using the dynamic password (Kd).

Preferably, the registration password (Kr) is generated when the user end registers with the multi-network convergence module, and the password (Kr) is a key pair comprising a first key (K1) and a second key (K2);

in the step of encrypting the dynamic password (Kd) with the registration password (Kr) to generate the first data (D1), the dynamic password (Kd) is encrypted with the first key (K1) to generate the first data (D1);

in the step of decrypting the first data (D1) with the registration password (Kr) to obtain the dynamic password (Kd), the first data (D1) is decrypted with the first key (K1) to obtain the dynamic password (Kd);

in the step of encrypting the user password (Ku) with the dynamic password (Kd) to generate the second data (D2), an operation is first performed on the dynamic password (Kd) and the user password (Ku) to obtain an intermediate code (Kdu), and the intermediate code (Kdu) is then encrypted with the second key (K2) to generate the second data (D2);

in the step of decrypting the second data (D2) with the dynamic password (Kd) to obtain the user password (Ku), the second data (D2) is first decrypted with the second key (K2) to obtain the intermediate code (Kdu), and the operation is then performed on the intermediate code (Kdu) with the dynamic password (Kd) to obtain the user password (Ku).

The present invention also provides a multi-network convergence security and authentication system comprising a multi-network convergence module connected simultaneously to the Internet and a telecommunication network, and a user end; the multi-network convergence module performs secure information exchange with the user end through a channel of the telecommunication network, based on the telecommunication network's identity authentication.

Preferably, the multi-network convergence module comprises an algorithm module and a control logic module; the algorithm module communicates with the outside world through the channel of the telecommunication network and directs the actions of the control logic module; the control logic module is used to logically connect the controlled object to the Internet or to the telecommunication network.

Preferably, the multi-network convergence module is disposed in a personal computer, a tablet computer and/or a home gateway; the user end is a smartphone, a tablet computer and/or a personal computer.

Beneficial effects

The present invention exchanges security information with the user terminal over a channel of the telecommunication network, on the basis of the telecommunication network's identity authentication. The whole process requires no participation of a third-party cloud, avoids the defects of the prior art, and has the advantages of being secure, reliable and difficult to attack.

BRIEF DESCRIPTION OF THE DRAWINGS

The present invention is further described below with reference to the accompanying drawings and embodiments, in which:

FIG. 1 is a schematic diagram of the prior art implementing communication through a third-party cloud or server;

FIG. 2 is a schematic diagram of the prior art implementing communication through a short message service;

FIG. 3 is a schematic diagram of an embodiment of the multi-network convergence security and authentication system of the present invention;

FIG. 4 is a schematic diagram of a first embodiment of the multi-network convergence security and authentication method of the present invention;

FIG. 5 is a schematic diagram of a second embodiment of the multi-network convergence security and authentication method of the present invention;

FIG. 6 is a schematic diagram of a third embodiment of the multi-network convergence security and authentication method of the present invention;

FIG. 7 is a schematic diagram of a fourth embodiment of the multi-network convergence security and authentication method of the present invention;

FIG. 8 is a schematic diagram of a fifth embodiment of the multi-network convergence security and authentication method of the present invention;

FIG. 9 is a schematic diagram of a sixth embodiment of the multi-network convergence security and authentication method of the present invention;

FIG. 10 is a schematic diagram of a seventh embodiment of the multi-network convergence security and authentication method of the present invention;

FIG. 11 is a schematic diagram of an eighth embodiment of the multi-network convergence security and authentication method of the present invention;

FIG. 12 is a schematic diagram of a ninth embodiment of the multi-network convergence security and authentication method of the present invention;

FIG. 13 is a schematic diagram of a tenth embodiment of the multi-network convergence security and authentication method of the present invention;

FIG. 14 is a schematic diagram of an embodiment of the encryption method used in the multi-network convergence security and authentication method of the present invention.

BEST MODE FOR CARRYING OUT THE INVENTION

FIG. 3 shows an embodiment of the multi-network convergence security and authentication system of the present invention, comprising a multi-network convergence module 100 connected simultaneously to the Internet and to a telecommunication network, and a user terminal UU. The multi-network convergence module 100 exchanges security information with the user terminal UU over a channel of the telecommunication network, on the basis of the telecommunication network's identity authentication, for example the telecommunication network's calling number identification (caller ID), or a credential issued by the telecommunication operator for identity authentication, such as a SIM card, an eSIM or a U-key.

In this embodiment, the multi-network convergence module 100 comprises an algorithm module 110 and a control logic module 120. The algorithm module 110 communicates with the outside world over a channel of the telecommunication network and directs the actions of the control logic module 120; the control logic module 120 is used to logically connect the controlled object, such as the device or information 200 to be controlled, to the Internet or to the telecommunication network, so that these devices or information can logically be controlled or interacted with over the Internet or the telecommunication network.

The multi-network convergence module 100 may be disposed in a personal computer, a tablet computer and/or a home gateway; the user terminal UU may be a smartphone, a tablet computer and/or a personal computer.

The multi-network convergence security and authentication method of the present invention may be used in the above system. In one embodiment, a multi-network convergence module is provided and connected simultaneously to the Internet and to a telecommunication network; the multi-network convergence module exchanges security information with the user terminal over a channel of the telecommunication network, on the basis of the telecommunication network's identity authentication. The security information may be an encrypted password, an Internet IP address, or the like.

FIG. 4 shows a first embodiment of the multi-network convergence security and authentication method of the present invention. A multi-network convergence module 100 is provided and connected simultaneously to the Internet and to a telecommunication network. The multi-network convergence module may be placed in any Internet device, such as, but not limited to, a PC, a tablet computer or a home gateway. The user terminal UU may be a smartphone, a tablet computer, a PC or the like. The channel of the telecommunication network may be a wired or a wireless channel.

When the multi-network convergence module needs to contact the user terminal, the multi-network convergence module generates a dynamic password Kd, encrypts the dynamic password Kd with the registration code Kr to generate first data D1, and sends the first data D1 to the user terminal over a channel of the telecommunication network;

The user terminal receives the first data D1 transmitted over the telecommunication network, identifies the CID (caller ID) signal, and decrypts the first data D1 with the registration code Kr to obtain the dynamic password Kd;

The user terminal encrypts the user password Ku with the dynamic password Kd to generate second data D2, and sends the second data D2 to the multi-network convergence module over a channel of the telecommunication network;

The multi-network convergence module receives the second data D2 transmitted over the telecommunication network, identifies the CID signal, decrypts the second data D2 with the dynamic password Kd to obtain the user password Ku, and compares it with the user password Ku retained in the multi-network convergence module; if they are identical, it sends its IP address to the user terminal, or alternatively the user terminal and the multi-network convergence module exchange their IP addresses;

The user terminal and the multi-network convergence module then communicate over the Internet (e.g. IP routing and information exchange) using the obtained IP address and the dynamic password Kd.

It will be understood that all of the above information exchanges may be encrypted with the dynamic password Kd.

It will be understood that when the first data D1 and the second data D2 are transmitted over the telecommunication network, the switch of the telecommunication network generates a CID signal, which is obtained by activating the caller ID service on both the user terminal and the multi-network convergence module.

FIG. 5 shows a second embodiment of the multi-network convergence security and authentication method of the present invention. A multi-network convergence module 100 is provided and connected simultaneously to the Internet and to a telecommunication network. The multi-network convergence module may be placed in any Internet device, such as, but not limited to, a PC, a tablet computer or a home gateway. The user terminal may be a smartphone, a tablet computer, a PC or the like. The channel of the telecommunication network may be a wired or a wireless channel.

When the multi-network convergence module needs to contact the user terminal, the multi-network convergence module sends a message to the user terminal;

The user terminal receives the message transmitted over the telecommunication network, identifies the CID signal, and calls back the multi-network convergence module;

The multi-network convergence module receives the callback transmitted over the telecommunication network, identifies the CID signal, goes off-hook, and establishes channel communication with the user terminal over the telecommunication network;

The multi-network convergence module randomly generates a dynamic password Kd, encrypts the dynamic password Kd with the registration code Kr to generate first data D1, and sends the first data D1 to the user terminal over the channel of the telecommunication network;

The user terminal decrypts the first data D1 with the registration code Kr to obtain the dynamic password Kd;

The user terminal encrypts the user password Ku with the dynamic password Kd to generate second data D2, and sends the second data D2 to the multi-network convergence module over the channel of the telecommunication network;

The multi-network convergence module decrypts the second data D2 with the dynamic password Kd to obtain the user password Ku, and compares it with the user password Ku stored in the multi-network convergence module; if they are identical, it sends its IP address to the user terminal, or alternatively the user terminal and the multi-network convergence module exchange their IP addresses;

The user terminal and the multi-network convergence module then communicate over the Internet (e.g. IP routing and information exchange) using the obtained IP address and the dynamic password Kd.

It will be understood that all of the above information exchanges may be encrypted with the dynamic password Kd.

It will be understood that when the message and the callback are transmitted over the telecommunication network, the switch of the telecommunication network generates a CID signal, which is obtained by activating the caller ID service on both the user terminal and the multi-network convergence module.

FIG. 6 shows a third embodiment of the multi-network convergence security and authentication method of the present invention. A multi-network convergence module 100 is provided and connected simultaneously to the Internet and to a telecommunication network. The multi-network convergence module may be placed in any Internet device, such as, but not limited to, a PC, a tablet computer or a home gateway. The user terminal may be a smartphone, a tablet computer, a PC or the like. The channel of the telecommunication network may be a wired or a wireless channel.

When the multi-network convergence module needs to contact the user terminal, the multi-network convergence module calls the user terminal;

The user terminal receives the call signal, identifies the CID signal, goes off-hook, and establishes channel communication with the multi-network convergence module over the telecommunication network;

The multi-network convergence module randomly generates a dynamic password Kd, encrypts the dynamic password Kd with the registration code Kr to generate first data D1, and sends the first data D1 to the user terminal over the channel of the telecommunication network;

The user terminal decrypts the first data D1 with the registration code Kr to obtain the dynamic password Kd;

The user terminal encrypts the user password Ku with the dynamic password Kd to generate second data D2, and sends the second data D2 to the multi-network convergence module over the channel of the telecommunication network;

The multi-network convergence module decrypts the second data D2 with the dynamic password Kd to obtain the user password Ku, and compares it with the user password Ku stored in the multi-network convergence module; if they are identical, it sends its IP address to the user terminal, or alternatively the user terminal and the multi-network convergence module exchange their IP addresses;

The user terminal and the multi-network convergence module then communicate over the Internet (e.g. IP routing and information exchange) using the obtained IP address and the dynamic password Kd.

It will be understood that all of the above information exchanges may be encrypted with the dynamic password Kd.

It will be understood that when the call signal is transmitted over the telecommunication network, the switch of the telecommunication network generates a CID signal, which is obtained by activating the caller ID service on both the user terminal and the multi-network convergence module.

FIG. 7 shows a fourth embodiment of the multi-network convergence security and authentication method of the present invention. A multi-network convergence module 100 is provided and connected simultaneously to the Internet and to a telecommunication network. The multi-network convergence module may be placed in any Internet device, such as, but not limited to, a PC, a tablet computer or a home gateway. The user terminal may be a smartphone, a tablet computer, a PC or the like. The channel of the telecommunication network may be a wired or a wireless channel.

When the user terminal needs to contact the multi-network convergence module, the user terminal sends a message to the multi-network convergence module;

The multi-network convergence module receives the message transmitted over the telecommunication network, identifies the CID signal, and calls back the user terminal;

The user terminal receives the callback transmitted over the telecommunication network, identifies the CID signal, goes off-hook, and establishes channel communication with the multi-network convergence module over the telecommunication network;

The multi-network convergence module randomly generates a dynamic password Kd, encrypts the dynamic password Kd with the registration code Kr to generate first data D1, and sends the first data D1 to the user terminal over the channel of the telecommunication network;

The user terminal decrypts the first data D1 with the registration code Kr to obtain the dynamic password Kd;

The user terminal encrypts the user password Ku with the dynamic password Kd to generate second data D2, and sends the second data D2 to the multi-network convergence module over the channel of the telecommunication network;

The multi-network convergence module decrypts the second data D2 with the dynamic password Kd to obtain the user password Ku, and compares it with the user password Ku stored in the multi-network convergence module; if they are identical, it sends its IP address to the user terminal, or alternatively the user terminal and the multi-network convergence module exchange their IP addresses;

The user terminal and the multi-network convergence module then communicate over the Internet (e.g. IP routing and information exchange) using the obtained IP address and the dynamic password Kd.

It will be understood that all of the above information exchanges may be encrypted with the dynamic password Kd.

It will be understood that when the message and the callback are transmitted over the telecommunication network, the switch of the telecommunication network generates a CID signal, which is obtained by activating the caller ID service on both the user terminal and the multi-network convergence module.

FIG. 8 shows a fifth embodiment of the multi-network convergence security and authentication method of the present invention. A multi-network convergence module 100 is provided and connected simultaneously to the Internet and to a telecommunication network. The multi-network convergence module may be placed in any Internet device, such as, but not limited to, a PC, a tablet computer or a home gateway. The user terminal may be a smartphone, a tablet computer, a PC or the like. The channel of the telecommunication network may be a wired or a wireless channel.

When the user terminal needs to contact the multi-network convergence module, the user terminal calls the multi-network convergence module;

The multi-network convergence module receives the call transmitted over the telecommunication network, identifies the CID signal, goes off-hook, and establishes channel communication with the user terminal over the telecommunication network;

The multi-network convergence module randomly generates a dynamic password Kd, encrypts the dynamic password Kd with the registration code Kr to generate first data D1, and sends the first data D1 to the user terminal over the channel of the telecommunication network;

The user terminal decrypts the first data D1 with the registration code Kr to obtain the dynamic password Kd;

The user terminal encrypts the user password Ku with the dynamic password Kd to generate second data D2, and sends the second data D2 to the multi-network convergence module over the channel of the telecommunication network;

The multi-network convergence module decrypts the second data D2 with the dynamic password Kd to obtain the user password Ku, and compares it with the user password Ku stored in the multi-network convergence module; if they are identical, it sends its IP address to the user terminal, or alternatively the user terminal and the multi-network convergence module exchange their IP addresses;

The user terminal and the multi-network convergence module then communicate over the Internet (e.g. IP routing and information exchange) using the obtained IP address and the dynamic password Kd.

It will be understood that all of the above information exchanges may be encrypted with the dynamic password Kd.

FIG. 9 shows a sixth embodiment of the multi-network convergence security and authentication method of the present invention. A multi-network convergence module 100 is provided and connected simultaneously to the Internet and to a telecommunication network. Here the multi-network convergence module is disposed in a home gateway and connected to the telecommunication network through the PSTN. The user terminal is a smartphone using a 4G network.

When the smartphone UU registered with the multi-network convergence module 100 of the home gateway, a key pair K1 and K2 was generated and the user set his or her own user password Ku; Ku is stored in the home gateway, while K1 and K2 are stored in the machines at both ends.

When the home gateway detects a situation in which the user needs to be contacted, the multi-network convergence module 100 sends a message to the mobile phone UU through the PSTN;

The mobile phone UU receives the message transmitted over the telecommunication network, identifies the CID signal and confirms that the message came from the home gateway, and then calls back the multi-network convergence module 100 through the 4G and PSTN networks;

The multi-network convergence module 100 identifies the CID signal and confirms that the incoming call is from the user's mobile phone UU, goes off-hook, and establishes channel communication with the user terminal over the telecommunication network;

The multi-network convergence module then randomly generates a dynamic password Kd, encrypts Kd with K1, one key of the key pair, to produce D1, and sends D1 to the mobile phone UU;

On receiving D1, UU decrypts it with K1 to obtain Kd;

The user then enters his or her own user password Ku; Kd is combined with this password by an operation to produce the intermediate code Kdu; UU then encrypts Kdu with K2 to generate D2, and sends D2 to the multi-network convergence module 100;

On receiving D2, the multi-network convergence module 100 decrypts it with K2 to obtain Kdu, applies the operation with Kd to recover Ku, and compares this Ku with the user-set password Ku held in memory; if they are identical, the security authentication has passed and the two parties may exchange IP addresses;

Once UU has obtained the IP address of the home gateway, it can initiate an Internet connection to that address. Once the connection is established, the two parties can communicate, and all communication is encrypted with the dynamic password Kd. When a new connection is made, a different dynamic password is generated, so security is ensured.
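The handshake described in the claims above and run step by step in the first and sixth embodiments (D1 carrying Kd wrapped with Kr or with K1; D2 carrying Ku either directly under Kd or as the intermediate code Kdu under K2; the module's comparison against its stored Ku; later Internet traffic under Kd), simulated end to end in Python with both parties' messages. This is an added example and not code from the patent. The patent names no cipher and does not define the Kd/Ku "operation", so the following are assumptions of the example: an HMAC-SHA256 keystream with an encrypt-then-MAC tag stands in for "encrypt", Kdu is Ku XORed with a keystream derived from Kd, Kd is 32 random bytes, and the caller ID (CID) delivered by the telecom switch is trusted exactly as the page assumes. The class and function names (`ConvergenceModule`, `UserTerminal`, `run_session`) and the sample IP notice are the example's own. Two checks a practitioner would want are included: the stored Ku is compared in constant time, and a D2 altered in transit fails its tag and is rejected before any comparison.

```python
"""Simulation of the D1/D2 handshake between the convergence module and the
user terminal UU. Added example, not the patent's code. Assumptions: an
HMAC-SHA256 stream cipher with encrypt-then-MAC tags stands in for "encrypt";
the Kd/Ku "operation" is XOR with a Kd-derived keystream; Kd is 32 random
bytes; the caller ID (CID) from the telecom switch is trusted, as on the page."""
import hashlib
import hmac
import secrets


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Expand key and nonce into `length` bytes: HMAC-SHA256 in counter mode."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || tag (toy cipher, see module docstring)."""
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, b"tag" + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    """Inverse of encrypt(); raises ValueError when the tag does not verify."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, b"tag" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("tag mismatch: wrong key or data altered in transit")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


def combine(kd: bytes, data: bytes) -> bytes:
    """The Kd <-> Ku 'operation' producing Kdu: XOR with a Kd keystream (self-inverse)."""
    return bytes(a ^ b for a, b in zip(data, _keystream(kd, b"kdu", len(data))))


class ConvergenceModule:
    """Module side: registered CID, stored Ku, and either Kr (first
    embodiment) or the key pair K1/K2 (sixth embodiment)."""

    def __init__(self, registered_cid, ku, kr=None, k1=None, k2=None):
        self.registered_cid, self.ku = registered_cid, ku
        self.kr, self.k1, self.k2 = kr, k1, k2
        self.kd = None

    def begin_session(self, caller_cid: str) -> bytes:
        """Check the caller ID, draw a fresh Kd and return D1."""
        if caller_cid != self.registered_cid:
            raise PermissionError("CID does not match the registered user terminal")
        self.kd = secrets.token_bytes(32)          # new Kd for every session
        return encrypt(self.k1 if self.k1 else self.kr, self.kd)

    def verify(self, d2: bytes) -> bool:
        """Recover Ku from D2 and compare it in constant time with the stored Ku."""
        try:
            if self.k2 is not None:                # K1/K2 variant: D2 = Enc(K2, Kdu)
                ku = combine(self.kd, decrypt(self.k2, d2))
            else:                                  # Kr variant: D2 = Enc(Kd, Ku)
                ku = decrypt(self.kd, d2)
        except ValueError:
            return False                           # altered D2 is rejected outright
        return hmac.compare_digest(ku, self.ku)


class UserTerminal:
    """User terminal UU: holds Kr or K1/K2; Ku is typed by the user at run time."""

    def __init__(self, kr=None, k1=None, k2=None):
        self.kr, self.k1, self.k2 = kr, k1, k2
        self.kd = None

    def respond(self, d1: bytes, ku_entered: bytes) -> bytes:
        """Unwrap Kd from D1 and build D2 from the password the user entered."""
        self.kd = decrypt(self.k1 if self.k1 else self.kr, d1)
        if self.k2 is not None:
            return encrypt(self.k2, combine(self.kd, ku_entered))
        return encrypt(self.kd, ku_entered)


def run_session(module, terminal, caller_cid, ku_entered, tamper=False):
    """One handshake over the telecom channel, then one Kd-encrypted Internet
    message. Returns (authenticated, message as decrypted by UU)."""
    d1 = module.begin_session(caller_cid)
    d2 = bytearray(terminal.respond(d1, ku_entered))
    if tamper:
        d2[20] ^= 0x01                             # one bit flipped in transit
    if not module.verify(bytes(d2)):
        return False, None
    notice = encrypt(module.kd, b"IP 203.0.113.10")   # constructed sample message
    return True, decrypt(terminal.kd, notice)
```

Construct a `ConvergenceModule` with either `kr=` or `k1=, k2=` and a matching `UserTerminal`, then call `run_session` once per connection; each call draws a new Kd, so two successful sessions never share the key that protects the Internet leg, which is the property the sixth embodiment relies on.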

FIG. 10 shows a seventh embodiment of the multi-network convergence security and authentication method of the present invention. A multi-network convergence module 100 is provided and connected simultaneously to the Internet and to a telecommunication network. Here the multi-network convergence module 100 is placed in a tablet computer that connects to the Internet via WiFi and to the telecommunication operator's wireless network via 4G; the user terminal UU is a 4G tablet computer.

When the user terminal UU registered with the multi-network convergence module 100, a registration password Kr was generated and the user set his or her own user password Ku; Ku is stored in the tablet computer in which the multi-network convergence module 100 is located, while Kr is stored in the machines at both ends.

When the multi-network convergence module 100 detects a situation in which the user needs to be contacted, the multi-network convergence module 100 sends a message to UU via 4G;

UU receives the message transmitted over the 4G network, identifies the CID signal and confirms that the message came from the multi-network convergence module 100, and then calls back the multi-network convergence module 100 over the 4G network;

The multi-network convergence module 100 receives the callback transmitted over the 4G network, identifies the CID signal and confirms that the incoming call is from the user terminal UU, goes off-hook, and establishes channel communication with the user terminal over the telecommunication network.

Then the user terminal UU randomly generates a dynamic password Kd, encrypts Kd with Kr to produce D1, and sends D1 to the multi-network convergence module 100;

On receiving D1, the multi-network convergence module 100 decrypts it with Kr to obtain Kd;

The user enters his or her own user password Ku; UU encrypts Ku with Kd to generate D2, and likewise sends D2 to the multi-network convergence module 100.

On receiving D2, the multi-network convergence module 100 decrypts it with Kd to obtain Ku, and compares this Ku with the user-set password Ku held in memory; if they are identical, the security authentication has passed and the two parties may exchange IP addresses;

Once UU has obtained the IP address of the tablet computer in which the multi-network convergence module 100 is located, it can initiate an Internet connection to that address. Once the connection is established, the two parties can communicate, and all communication is encrypted with the dynamic password Kd.

FIG. 11 shows an eighth embodiment of the multi-network convergence security and authentication method of the present invention, in which the multi-network convergence module 100 is placed in a PC that connects to the Internet via optical fibre and to the telecommunication network via the PSTN; the user terminal UU is also a PC, connected to the respective networks via optical fibre and the PSTN.

When the user terminal UU registered with the multi-network convergence module 100, a registration password Kr was generated and the user set his or her own user password Ku; Ku is stored in the PC in which the multi-network convergence module 100 is located, while Kr is stored in the machines at both ends.

When the user terminal UU needs to contact the PC in which the multi-network convergence module 100 is located, the user terminal UU calls the multi-network convergence module 100 through the PSTN;

The multi-network convergence module 100 receives the call transmitted over the PSTN, identifies the CID signal and confirms that the incoming call is from the user terminal UU, and goes off-hook.

Then the multi-network convergence module 100 generates a password Kd, encrypts Kd with Kr to produce D1, and sends D1 to UU;

On receiving D1, UU decrypts it with Kr to obtain Kd;

The user enters his or her own user password Ku; UU encrypts Ku with Kd to generate D2, and then sends D2 to the multi-network convergence module 100.

On receiving D2, the multi-network convergence module 100 decrypts it with Kd to obtain Ku, and compares this Ku with the user-set password Ku held in memory; if they are identical, the security authentication has passed and the two parties may exchange IP addresses;

Once UU has obtained the IP address of the PC in which the multi-network convergence module 100 is located, it can initiate an Internet connection to that address. Once the connection is established, the two parties can communicate, and all communication is encrypted with the password Kd.

FIG. 12 shows a ninth embodiment of the multi-network convergence security and authentication method of the present invention, in which the multi-network convergence module 100 is placed in a PC connected to both the Internet and the PSTN; the user terminal UU is a smartphone using a 4G network.

The PC is connected to the Internet through a NAT (network address translation) device: IP1 is a private (internal) address, while the public address and port number that are actually needed are IP3:xx, i.e. IP3:xx must be made known to UU. There are two solutions. In the first, at step 7 UU sends its public address IP2 to the multi-network convergence module 100, and the multi-network convergence module 100 initiates the first packet of the connection towards IP2; the mapping IP3:xx automatically configured by the NAT is thereby made known to UU, and UU then initiates communication with the multi-network convergence module 100 at that address. In the second, a new protocol is developed for the NAT that allows the device hosting the multi-network convergence module 100 to apply to the NAT in advance for a public address and port number; for example, the NAT reserves IP3:xx for the multi-network convergence module 100, and the multi-network convergence module 100 can then send IP3:xx to UU at step 7.
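The two NAT solutions described above, modelled in Python as an added example that is not part of the patent. The `NAT` class is a deliberately simplified model (a public port mapping is created by the first outbound packet from a private host, and an inbound packet for a port with no mapping is dropped); real NATs add filtering rules and mapping timeouts that the model ignores. `first_solution` follows the first scheme (the module sends the first packet towards IP2 and UU reads IP3:xx from what arrives), `second_solution` the reserved-mapping scheme, and every address is constructed for illustration; the function names and the `reserve` call are the example's own, not a protocol the page defines.

```python
"""Model of the NAT problem in the ninth embodiment: the module's PC sits
behind a NAT at private address IP1 and UU must learn the public IP3:xx.
Added example, not the patent's code. The NAT is a simplified model
(a mapping is created by the first outbound packet; unsolicited inbound
packets are dropped) and every address below is constructed for illustration."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: tuple          # (ip, port)
    dst: tuple          # (ip, port)
    payload: bytes


class NAT:
    """One public IP; dynamic public ports handed out from 40000 upwards."""

    def __init__(self, public_ip: str):
        self.public_ip = public_ip
        self.next_port = 40000
        self.out_map = {}   # (private ip, port) -> public port
        self.in_map = {}    # public port -> (private ip, port)

    def _map(self, inner: tuple) -> int:
        """Return the public port for a private endpoint, allocating one if needed."""
        if inner not in self.out_map:
            self.out_map[inner] = self.next_port
            self.in_map[self.next_port] = inner
            self.next_port += 1
        return self.out_map[inner]

    def reserve(self, inner: tuple) -> tuple:
        """Second solution: the module asks the NAT for IP3:xx in advance."""
        return (self.public_ip, self._map(inner))

    def outbound(self, pkt: Packet) -> Packet:
        """Rewrite the source of a packet leaving the private network."""
        return Packet((self.public_ip, self._map(pkt.src)), pkt.dst, pkt.payload)

    def inbound(self, pkt: Packet):
        """Forward a packet from the Internet, or return None (dropped) if unmapped."""
        inner = self.in_map.get(pkt.dst[1])
        if pkt.dst[0] != self.public_ip or inner is None:
            return None
        return Packet(pkt.src, inner, pkt.payload)


def first_solution(nat: NAT, module_ip1: tuple, uu_ip2: tuple):
    """UU sent IP2 over the telecom channel (step 7); the module sends the first
    packet, and UU reads IP3:xx from that packet's source address."""
    dropped = nat.inbound(Packet(uu_ip2, (nat.public_ip, 40000), b"unsolicited"))
    first = nat.outbound(Packet(module_ip1, uu_ip2, b"first packet from module"))
    ip3_xx = first.src                        # what UU sees on the wire
    reply = nat.inbound(Packet(uu_ip2, ip3_xx, b"UU -> module"))
    return dropped, ip3_xx, None if reply is None else reply.dst


def second_solution(nat: NAT, module_ip1: tuple, uu_ip2: tuple):
    """The module reserves IP3:xx beforehand and announces it at step 7; UU can
    then send the very first packet itself."""
    ip3_xx = nat.reserve(module_ip1)
    reply = nat.inbound(Packet(uu_ip2, ip3_xx, b"UU -> module"))
    return ip3_xx, None if reply is None else reply.dst
```

The first scheme needs IP2 from UU before the module can send anything, which is why the page places that exchange at step 7 of the handshake; the second scheme removes that dependency but requires NAT support for the reservation, which the page notes would need a new protocol.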

FIG. 13 shows a tenth embodiment of the multi-network convergence security and authentication method of the invention, in which a multi-network convergence module 100 is provided and connected to both the Internet and a telecommunication network. The multi-network convergence module may be placed in any Internet device, such as, but not limited to, a PC, a tablet or a home gateway. The user terminal may be a smartphone, a tablet, a PC or the like. The channel of the telecommunication network may be wired or wireless.

When the multi-network convergence module needs to contact the user terminal, the multi-network convergence module sends information to the user terminal;

the user terminal receives the information transmitted over the telecommunication network, identifies the CID signal, and calls back the multi-network convergence module;

the multi-network convergence module identifies the CID signal of the callback transmitted over the telecommunication network, goes off-hook, and establishes channel communication with the user terminal over the telecommunication network;

the multi-network convergence module randomly generates a dynamic password Kd and sends the dynamic password Kd to the user terminal through the channel of the telecommunication network;

the user terminal sends its IP address to the multi-network convergence module, or alternatively the multi-network convergence module and the user terminal exchange their IP addresses; the user terminal and the multi-network convergence module then communicate over the Internet using the obtained IP address and the dynamic password Kd.

It will be understood that all of the above information exchanges may be encrypted with the dynamic password Kd.

It will also be understood that when information is transmitted and the callback is placed over the telecommunication network, the switch of the telecommunication network generates the CID signal, and the CID signal is obtained by enabling the caller ID service at both the user terminal and the multi-network convergence module.

FIG. 14 shows an embodiment of a key-pair encryption method that can be used in all of the above embodiments: a key pair is generated when the user terminal registers with the multi-network convergence module, and the key pair comprises a first key K1 and a second key K2.

In all of the above embodiments, in the step of encrypting the dynamic password Kd with the registration code Kr to generate the first data D1, the dynamic password Kd is encrypted with the first key K1 to generate the first data D1;

in the step in which the user terminal decrypts the first data D1 with the registration code Kr to obtain the dynamic password Kd, the user terminal decrypts the first data D1 with the first key K1 to obtain the dynamic password Kd;

in the step in which the user terminal encrypts the user password Ku with the dynamic password Kd to generate the second data D2, the user terminal first applies an operation to the dynamic password Kd and the user password Ku to obtain an intermediate code Kdu, and then encrypts Kdu with the second key K2 to generate the second data D2;

in the step in which the multi-network convergence module decrypts the second data D2 with the dynamic password Kd to obtain the user password Ku, the multi-network convergence module first decrypts the second data D2 with the second key K2 to obtain Kdu, and then applies the operation with the dynamic password Kd to Kdu to obtain the user password Ku.
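The following simulation is an added example, not code from the patent or its inventor. It runs the callback-based exchange described above (the module answers only a registered CID, generates a fresh Kd, and all later Internet traffic is keyed by Kd) together with the FIG. 14 key-pair variant (D1 = Enc_K1(Kd), D2 = Enc_K2(Kdu)). Everything the patent leaves open is an assumption here: the cipher is a stand-in built from an HMAC-SHA256 keystream with an integrity tag (the patent only says "encrypt"; the tag is added so that a tampered Internet message is rejected rather than silently decrypted to garbage), the operation producing Kdu from Kd and Ku is an XOR with a Kd-derived keystream so that the module inverts it with the same call, and the class names, keys, caller ID and IP address are constructed.

```python
"""Simulation of the telecom-then-Internet exchange described above, using the
key-pair variant of FIG. 14 (D1 = Enc_K1(Kd), D2 = Enc_K2(Kdu)). Added example,
not the patent's code; cipher, Kdu operation, names, keys, CID and IP are assumed."""
import hashlib
import hmac
import os
import secrets

def _keystream(key: bytes, label: bytes, n: int) -> bytes:
    """HMAC-SHA256 in counter mode; a stand-in for a real cipher."""
    blocks = (hmac.new(key, label + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: 16-byte nonce || ciphertext || 32-byte HMAC tag."""
    nonce = os.urandom(16)
    ct = _xor(plaintext, _keystream(key, nonce, len(plaintext)))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("message rejected: integrity check failed")  # tampered or wrong key
    return _xor(ct, _keystream(key, nonce, len(ct)))

def combine(kd: bytes, data: bytes) -> bytes:
    """Assumed operation giving the intermediate code Kdu from Kd and Ku: XOR with
    a Kd-derived keystream, so the module inverts it with the same call."""
    return _xor(data, _keystream(kd, b"Kdu", len(data)))

class ConvergenceModule:
    """Reachable by CID on the telecom network and by IP on the Internet; holds the
    registration key pair (K1, K2) and the registered user passwords."""
    def __init__(self, ip: str, k1: bytes, k2: bytes, users: dict):
        self.ip, self.k1, self.k2, self.users = ip, k1, k2, users
        self.sessions = {}  # CID -> dynamic password Kd of the live session

    def on_callback(self, cid: str) -> bytes:
        """Telecom channel: read the switch's CID signal; answer (off-hook) only a
        registered CID, then return D1 = Enc_K1(Kd) for a fresh random Kd."""
        if cid not in self.users:
            raise PermissionError(f"unknown CID {cid}: call not answered")
        self.sessions[cid] = secrets.token_bytes(32)
        return encrypt(self.k1, self.sessions[cid])

    def on_second_data(self, cid: str, d2: bytes) -> str:
        """Telecom channel: D2 = Enc_K2(Kdu); recover Ku, compare it with the stored
        password, and on success hand the module's IP address to the UU."""
        ku = combine(self.sessions[cid], decrypt(self.k2, d2))
        if not hmac.compare_digest(ku, self.users[cid]):
            del self.sessions[cid]
            raise PermissionError("user password mismatch")
        return self.ip

    def on_internet(self, cid: str, blob: bytes) -> bytes:
        return decrypt(self.sessions[cid], blob)  # Internet leg, keyed by session Kd

class UserEquipment:
    def __init__(self, cid: str, k1: bytes, k2: bytes, ku: bytes):
        self.cid, self.k1, self.k2, self.ku, self.kd = cid, k1, k2, ku, None
    def receive_d1(self, d1: bytes) -> None:
        self.kd = decrypt(self.k1, d1)  # Kd recovered with K1
    def second_data(self) -> bytes:
        return encrypt(self.k2, combine(self.kd, self.ku))  # D2 = Enc_K2(Kdu)
    def internet_send(self, msg: bytes) -> bytes:
        return encrypt(self.kd, msg)

CID = "13800000000"        # constructed caller ID of the user terminal
MODULE_IP = "203.0.113.7"  # constructed documentation-range address

def run_session(ku_supplied: bytes):
    """Whole exchange; returns (IP learned by the UU, message decrypted by the module)."""
    k1, k2 = os.urandom(32), os.urandom(32)  # key pair agreed at registration
    module = ConvergenceModule(MODULE_IP, k1, k2, {CID: b"correct horse"})
    ue = UserEquipment(CID, k1, k2, ku_supplied)
    ue.receive_d1(module.on_callback(ue.cid))              # telecom: D1
    ip = module.on_second_data(ue.cid, ue.second_data())   # telecom: D2, then IP
    blob = ue.internet_send(b"hello over the Internet")    # Internet, keyed by Kd
    return ip, module.on_internet(ue.cid, blob)

def session_succeeds(ku_supplied: bytes) -> bool:
    try:
        run_session(ku_supplied)
        return True
    except PermissionError:
        return False

def tampered_message_rejected() -> bool:
    """Flipping one ciphertext byte on the Internet leg must fail the check."""
    key = os.urandom(32)
    blob = bytearray(encrypt(key, b"payload"))
    blob[20] ^= 0x01
    try:
        decrypt(key, bytes(blob))
    except ValueError:
        return True
    return False
```

`run_session(b"correct horse")` walks the full exchange and returns the module's IP together with the first Internet message as the module decrypted it; a wrong user password makes `on_second_data` raise before any IP address is disclosed, and the session's Kd is discarded. Because Kd is fresh per session and every Internet message carries a tag under Kd, a message replayed or altered by a third party on the Internet leg is rejected; the telecom leg's protection in this design rests on the CID signal the switch supplies, which is why the module answers only registered CIDs.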

It will be understood that the above embodiments express only preferred implementations of the invention, and that their relatively specific and detailed description is not to be construed as limiting the scope of the patent. A person of ordinary skill in the art may freely combine the above technical features and may make a number of variations and improvements without departing from the concept of the invention, all of which fall within the scope of protection of the invention. Accordingly, all equivalent transformations and modifications made within the scope of the claims of the invention are intended to fall within the coverage of the claims.

Claims (10)

1. A multi-network convergence security and authentication method, characterized in that it comprises the following steps:
S1: providing a multi-network convergence module connected to both the Internet and a telecommunication network;
S2: the multi-network convergence module conducting a security information exchange with a user terminal through a channel of the telecommunication network, on the basis of the telecommunication network's identity authentication.

2. The multi-network convergence security and authentication method according to claim 1, characterized in that step S2 comprises:
S2-1: the multi-network convergence module generates a dynamic password (Kd), encrypts the dynamic password (Kd) with a registration password (Kr) to generate first data (D1), and sends the first data (D1) to the user terminal through the channel of the telecommunication network;
S2-2: the user terminal receives the first data (D1) transmitted over the telecommunication network, identifies the CID signal, and decrypts the first data (D1) with the registration password (Kr) to obtain the dynamic password (Kd);
S2-3: the user terminal encrypts a user password (Ku) with the dynamic password (Kd) to generate second data (D2), and sends the second data (D2) to the multi-network convergence module through the channel of the telecommunication network;
S2-4: the multi-network convergence module receives the second data (D2) transmitted over the telecommunication network, identifies the CID signal, decrypts the second data (D2) with the dynamic password (Kd) to obtain the user password (Ku), and compares it with the user password (Ku) retained in the multi-network convergence module; if they are identical, the IP address of the multi-network convergence module is sent to the user terminal, or alternatively the user terminal and the multi-network convergence module exchange their IP addresses;
S2-5: the user terminal and the multi-network convergence module communicate over the Internet using the obtained IP address and the dynamic password (Kd).

3. The multi-network convergence security and authentication method according to claim 1, characterized in that step S2 comprises:
S2-1: the multi-network convergence module sends information to the user terminal;
S2-2: the user terminal receives the information, identifies the CID signal, and calls back the multi-network convergence module;
S2-3: the multi-network convergence module receives the callback, identifies the CID signal, goes off-hook, and establishes channel communication with the user terminal over the telecommunication network;
S2-4: the multi-network convergence module randomly generates a dynamic password (Kd), encrypts the dynamic password (Kd) with a registration password (Kr) to generate first data (D1), and sends the first data (D1) to the user terminal through the channel of the telecommunication network;
S2-5: the user terminal decrypts the first data (D1) with the registration password (Kr) to obtain the dynamic password (Kd);
S2-6: the user terminal encrypts a user password (Ku) with the dynamic password (Kd) to generate second data (D2), and sends the second data (D2) to the multi-network convergence module through the channel of the telecommunication network;
S2-7: the multi-network convergence module decrypts the second data (D2) with the dynamic password (Kd) to obtain the user password (Ku) and compares it with the user password (Ku) stored in the multi-network convergence module; if they are identical, the IP address of the multi-network convergence module is sent to the user terminal, or alternatively the user terminal and the multi-network convergence module exchange their IP addresses;
S2-8: the user terminal and the multi-network convergence module communicate over the Internet using the obtained IP address and the dynamic password (Kd).

4. The multi-network convergence security and authentication method according to claim 1, characterized in that step S2 comprises:
S2-1: the multi-network convergence module calls the user terminal;
S2-2: the user terminal receives the call signal, identifies the CID signal, goes off-hook, and establishes channel communication with the multi-network convergence module over the telecommunication network;
S2-3: the multi-network convergence module randomly generates a dynamic password (Kd), encrypts the dynamic password (Kd) with a registration password (Kr) to generate first data (D1), and sends the first data (D1) to the user terminal through the channel of the telecommunication network;
S2-4: the user terminal decrypts the first data (D1) with the registration password (Kr) to obtain the dynamic password (Kd);
S2-5: the user terminal encrypts a user password (Ku) with the dynamic password (Kd) to generate second data (D2), and sends the second data (D2) to the multi-network convergence module through the channel of the telecommunication network;
S2-6: the multi-network convergence module decrypts the second data (D2) with the dynamic password (Kd) to obtain the user password (Ku) and compares it with the user password (Ku) stored in the multi-network convergence module; if they are identical, the IP address of the multi-network convergence module is sent to the user terminal, or alternatively the user terminal and the multi-network convergence module exchange their IP addresses;
S2-7: the user terminal and the multi-network convergence module communicate over the Internet using the obtained IP address and the dynamic password (Kd).

5. The multi-network convergence security and authentication method according to claim 1, characterized in that step S2 comprises:
S2-1: the user terminal sends information to the multi-network convergence module;
S2-2: the multi-network convergence module receives the information, identifies the CID signal, and calls back the user terminal;
S2-3: the user terminal receives the callback, identifies the CID signal, goes off-hook, and establishes channel communication with the multi-network convergence module over the telecommunication network;
S2-4: the multi-network convergence module randomly generates a dynamic password (Kd), encrypts the dynamic password (Kd) with a registration password (Kr) to generate first data (D1), and sends the first data (D1) to the user terminal through the channel of the telecommunication network;
S2-5: the user terminal decrypts the first data (D1) with the registration password (Kr) to obtain the dynamic password (Kd);
S2-6: the user terminal encrypts a user password (Ku) with the dynamic password (Kd) to generate second data (D2), and sends the second data (D2) to the multi-network convergence module through the channel of the telecommunication network;
S2-7: the multi-network convergence module decrypts the second data (D2) with the dynamic password (Kd) to obtain the user password (Ku) and compares it with the user password (Ku) stored in the multi-network convergence module; if they are identical, the IP address of the multi-network convergence module is sent to the user terminal, or alternatively the user terminal and the multi-network convergence module exchange their IP addresses;
S2-8: the user terminal and the multi-network convergence module communicate over the Internet using the obtained IP address and the dynamic password (Kd).

6. The multi-network convergence security and authentication method according to claim 1, characterized in that step S2 comprises:
S2-1: the user terminal calls the multi-network convergence module;
S2-2: the multi-network convergence module receives the call, identifies the CID signal, goes off-hook, and establishes channel communication with the user terminal over the telecommunication network;
S2-3: the multi-network convergence module randomly generates a dynamic password (Kd), encrypts the dynamic password (Kd) with a registration password (Kr) to generate first data (D1), and sends the first data (D1) to the user terminal through the channel of the telecommunication network;
S2-4: the user terminal decrypts the first data (D1) with the registration password (Kr) to obtain the dynamic password (Kd);
S2-5: the user terminal encrypts a user password (Ku) with the dynamic password (Kd) to generate second data (D2), and sends the second data (D2) to the multi-network convergence module through the channel of the telecommunication network;
S2-6: the multi-network convergence module decrypts the second data (D2) with the dynamic password (Kd) to obtain the user password (Ku) and compares it with the user password (Ku) stored in the multi-network convergence module; if they are identical, the IP address of the multi-network convergence module is sent to the user terminal, or alternatively the user terminal and the multi-network convergence module exchange their IP addresses;
S2-7: the user terminal and the multi-network convergence module communicate over the Internet using the obtained IP address and the dynamic password (Kd).

7. The multi-network convergence security and authentication method according to claim 1, characterized in that step S2 comprises:
S2-1: the multi-network convergence module sends information to the user terminal;
S2-2: the user terminal receives the information transmitted over the telecommunication network, identifies the CID signal, and calls back the multi-network convergence module;
S2-3: the multi-network convergence module identifies the CID signal, goes off-hook, and establishes channel communication with the user terminal over the telecommunication network;
S2-4: the multi-network convergence module randomly generates a dynamic password (Kd) and sends the dynamic password (Kd) to the user terminal through the channel of the telecommunication network;
S2-5: the user terminal sends its IP address to the multi-network convergence module, or alternatively the multi-network convergence module and the user terminal exchange their IP addresses;
S2-6: the user terminal and the multi-network convergence module communicate over the Internet using the obtained IP address and the dynamic password (Kd).

8. The multi-network convergence security and authentication method according to any one of claims 2 to 6, characterized in that the registration password (Kr) is generated when the user terminal registers with the multi-network convergence module, and the password (Kr) is a key pair comprising a first key (K1) and a second key (K2);
in the step of encrypting the dynamic password (Kd) with the registration password (Kr) to generate the first data (D1), the dynamic password (Kd) is encrypted with the first key (K1) to generate the first data (D1);
in the step of decrypting the first data (D1) with the registration password (Kr) to obtain the dynamic password (Kd), the first data (D1) is decrypted with the first key (K1) to obtain the dynamic password (Kd);
in the step of encrypting the user password (Ku) with the dynamic password (Kd) to generate the second data (D2), an operation is first applied to the dynamic password (Kd) and the user password (Ku) to obtain an intermediate code (Kdu), and the intermediate code (Kdu) is then encrypted with the second key (K2) to generate the second data (D2);
in the step of decrypting the second data (D2) with the dynamic password (Kd) to obtain the user password (Ku), the second data (D2) is first decrypted with the second key (K2) to obtain the intermediate code (Kdu), and the operation with the dynamic password (Kd) is then applied to the intermediate code (Kdu) to obtain the user password (Ku).

9. A multi-network convergence security and authentication system, characterized in that it comprises a multi-network convergence module connected to both the Internet and a telecommunication network, and a user terminal; the multi-network convergence module conducts a security information exchange with the user terminal through a channel of the telecommunication network, on the basis of the telecommunication network's identity authentication.

10. The multi-network convergence security and authentication system according to claim 9, characterized in that the multi-network convergence module comprises an algorithm module and a control logic module; the algorithm module communicates with the outside world through the channel of the telecommunication network and directs the actions of the control logic module; the control logic module is used to logically connect the controlled object to the Internet or to the telecommunication network.
PCT/CN2017/115055 2016-12-13 2017-12-07 Multi-network integration security and authentication method and system Ceased WO2018108022A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN2016111437092 2016-12-13
CN201611143709.2A CN106657045B (en) 2016-12-13 2016-12-13 Multi-network integrated security and authentication method and system

Publications (1)

Publication Number Publication Date
WO2018108022A1 true WO2018108022A1 (en) 2018-06-21

Family

ID=58825814

Country Status (2)

Country Link
CN (1) CN106657045B (en)
WO (1) WO2018108022A1 (en)

Families Citing this family (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106657045B (en) * 2016-12-13 2020-10-13 翁印嵩 Multi-network integrated security and authentication method and system
CN110121202B (en) * 2018-02-07 2021-06-15 成都鼎桥通信技术有限公司 Access method and terminal equipment
CN109299942A (en) * 2018-09-28 2019-02-01 新明华区块链技术(深圳)有限公司 It is a kind of applied to the key management method of block chain and internet, apparatus and system
CN110708225A (en) * 2019-11-25 2020-01-17 南京菲尔德物联网有限公司 Wireless intelligent home system

Citations (6)

Publication number Priority date Publication date Assignee Title
CN1372201A (en) * 2002-04-03 2002-10-02 张平 Novel network safety method
US20020169966A1 (en) * 2001-05-14 2002-11-14 Kai Nyman Authentication in data communication
CN101835130A (en) * 2010-04-28 2010-09-15 候万春 System and method for authenticating and authorizing Internet communication through mobile communication network
CN102437914A (en) * 2010-12-08 2012-05-02 袁永亮 Method for providing user identity identification and user identity authentication for internet service by telecommunication network
CN104735027A (en) * 2013-12-20 2015-06-24 中兴通讯股份有限公司 Safety authentication method and authentication certification server
CN106657045A (en) * 2016-12-13 2017-05-10 翁印嵩 Multi-network integrated security and authentication method and system

Family Cites Families (1)

Publication number Priority date Publication date Assignee Title
CN103795724B (en) * 2014-02-07 2017-01-25 陈珂 Method for protecting account security based on asynchronous dynamic password technology

Also Published As

Publication number Publication date
CN106657045B (en) 2020-10-13
CN106657045A (en) 2017-05-10

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application (Ref document number: 17881892; Country of ref document: EP; Kind code of ref document: A1)
NENP Non-entry into the national phase (Ref country code: DE)
122 Ep: pct application non-entry in european phase (Ref document number: 17881892; Country of ref document: EP; Kind code of ref document: A1)