CN101572888B - Method for cross-validating various service engines in mobile terminals - Google Patents

Method for cross-validating various service engines in mobile terminals

Info

Publication number
CN101572888B
Authority
CN
China
Prior art keywords
engine
certificate
authentication center
service
pki
Legal status: Expired - Fee Related (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Application number
CN2009100995216A
Other languages
Chinese (zh)
Other versions
CN101572888A (en)
Inventor
陈天洲
王超
颜晖
瞿有甜
吴明晖
Current Assignee (the listed assignees may be inaccurate; Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list)
Zhejiang University ZJU
Original Assignee
Zhejiang University ZJU
Priority date: 2009-06-18 (the priority date is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed)
Filing date: 2009-06-18
Publication date: 2009-11-04 (application CN101572888A); 2012-03-28 (granted patent CN101572888B)
Events
2009-06-18: application CN2009100995216A filed by Zhejiang University ZJU; priority to CN2009100995216A
2009-11-04: publication of CN101572888A
2012-03-28: application granted; publication of CN101572888B
2012-06-18: patent right terminated for non-payment of the annual fee; current legal status Expired - Fee Related

Landscapes

  • Storage Device Security (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

The invention discloses a method for cross-validating the various service engines in a mobile terminal. Taking account of the characteristics of a mobile terminal's computer network, the service engines prove their identities to one another with certificate files, and a certificate file is validated through a secure trust-network verification method based on certification authorities; in the course of this a service engine obtains a reliable public key for the other service engine and so completes authentication between the engines. The method realises cross-validation among the service engines of a mobile terminal's computer network and provides a security guarantee both for calls between service engines and for subscribers switching between service engines.

Description

Method for cross-validating various service engines in a mobile terminal
Technical field
The present invention relates to the technical fields of mobile terminals and of service-engine validation, and in particular to a method for cross-validating the various service engines in a mobile terminal.
Background technology
Computer technology, one of the outstanding human achievements of the 20th century, has brought human society into the information age. With the development of computer networks and hand-held mobile terminal equipment, computer networks based on mobile terminals have made connecting to a computer network ever simpler and more convenient, and wireless mobile communication networks have arisen with them.
The high bandwidth of the new generation of broadband wireless mobile communication networks is a necessary condition for the spread of the mobile Internet. The TD-SCDMA (time division synchronous CDMA) network is a 3G network with independent intellectual property rights and distinct Chinese characteristics. To promote the development of the TD-SCDMA industry, a rich set of TD-SCDMA services needs to be developed.
At the bearer layer of the TD-SCDMA network, the framework allows the system to integrate multiple service engines. To settle the security mechanism and the problem of mutual trust between service engines, a cross-validation mechanism must be provided, so that unauthenticated calls cannot occur and calls from one service engine to another are protected.
Public-key infrastructure (PKI) is an architecture for guaranteeing communication security, authentication and identification, prevention of information leakage and information integrity in computer networks. The central idea of PKI is to use a public-key cryptosystem (PKC) for the encryption and decryption of information.
In a PKC, keys come in pairs, called the public key and the private key. Data encrypted with the private key can be decrypted with the public key, and data encrypted with the public key can be decrypted with the private key. Because of the properties of the algorithm, the public key is easily obtained from the private key, whereas obtaining the private key from the public key is infeasible. In a PKI, the issuer offers its public key to any user who needs to verify the issuer. Only the issuer holds the private key, which it uses to encipher information (that is, to sign it; throughout this document, "decrypting" a certificate with a public key means verifying its signature).
A certificate is a set of data, provided by the holder of a public key and vouched for by a third party, that proves the public key belongs to the holder it claims to belong to. The content of a certificate is mainly information about the holder of the public key together with the public key itself. A certificate must be signed by the third party.
A signature is produced by encrypting a piece of data with a private key and attaching the necessary information. Any holder of the public key corresponding to that private key can verify whether the signature is authentic and valid.
A certification authority (CA) is an entity in a PKI that provides proof of identity for other entities. In general, to prove its identity an entity presents a certificate signed by some certification authority; every entity that trusts that certification authority can then verify the entity's identity. Cross-validation between certification authorities, and the network formed by their mutual trust relationships, is called a trust network.
A service engine is a software system in a computer network that provides a service to terminals. For security, a service engine, as an entity in software logic, must prove when it serves a terminal that it is the engine providing the service it claims to provide. For that it needs a certificate attesting its own identity.
Cross-validation is the act by which several principals verify each other's authenticity, by checking each other's certificates. When one service engine calls another, it must verify the other's certificate.
To achieve security among many service engines in a mobile terminal network there must be a method of cross-validation between them, and traditional verification methods are not suited to mobile terminals.
Summary of the invention
The object of the invention is to remedy the deficiencies of the prior art by providing a method for cross-validating the various service engines in a mobile terminal.
The technical scheme the invention adopts to solve its technical problem is as follows:
1) Request the certificate from the target service engine
The source service engine sends a certificate request to the target service engine; on receiving it, the target service engine sends its certificate file to the source service engine. This certificate is denoted Cts.
2) Parse the certificate file
Having obtained the certificate file Cts sent by the target service engine, the source service engine parses it and obtains the certification authority that signed the certificate file, denoted CAt.
3) Verify the signing certification authority
Verifying whether the certification authority CAt that signed the target service engine's certificate file is trustworthy is the process of obtaining CAt's public key through the trust network: the source service engine sends requests to the certification authorities it trusts and finally obtains the public key Kt of CAt.
Step 1. The source service engine initialises the set TCA of certification authorities still to be queried, the set QCA of certification authorities already queried, and the set AK of acquired public keys:
TCA = {CA1},
QCA = {},
AK = {K1}
where
CA1: the local certification authority of the source service engine
K1: the public key of the certification authority CA1.
Step 2. For each certification authority CAi in the set TCA, in turn, the source service engine sends CAi a request for CAt's certificate, deletes CAi from TCA and adds CAi to QCA.
Step 3. Each certification authority CAi that receives a request for CAt's certificate sends the source service engine, for each certification authority CAj1, CAj2, CAj3, ... that CAi trusts, the certificates C(CAi, CAj1), C(CAi, CAj2), C(CAi, CAj3), ... signed by CAi,
where
C(CAi, CAjk): the certificate of the certification authority CAjk signed by the certification authority CAi, k = 1, 2, 3, ...
Step 4. Whenever the source service engine receives a certificate C(i, jk), if CAjk does not belong to QCA, the source service engine adds CAjk to the set TCA and at the same time decrypts (verifies) C(i, jk) with the public key Ki held in AK, obtaining the public key Kjk of the certification authority CAjk, which it adds to AK.
Step 5. Decide whether the public key Kt of CAt has been obtained: if Kt does not belong to AK, repeat steps 2 to 5; if Kt belongs to AK, proceed to the next stage.
4) Complete verification of the target service engine
Using the public key Kt of the certification authority that signed the target service engine's certificate, obtained in the previous stage, decrypt (verify) the target service engine's certificate, obtain the public key of the target service engine, and so complete verification of the target service engine.
Compared with the background art, the invention has the following beneficial effects. The method combines the characteristics of a mobile terminal's computer network: the service engines prove their identities to one another with certificate files; the certificate files are authenticated between service engines through a secure trust-network verification method based on certification authorities; and at the same time each service engine obtains reliable public keys of the other service engines, completing authentication between the service engines.
(1) Security: the method realises cross-validation among the service engines of a mobile terminal, using the trust network between certification authorities to let the service engines verify one another. A strict secure authentication procedure is used in the communication, preventing the intervention of a fake certification authority or an illegal service engine, so the method has good security.
(2) Intelligence: the method adopts an efficient authentication communication pattern, which speeds up authentication and lightens the load on the certification authorities' servers.
(3) Practicality: the method can cross-validate service engines of many different types, and repeated tests have shown it to have good practicality.
Description of drawings
Fig. 1 is a schematic diagram of an implementation of the invention;
Fig. 2 is a schematic diagram of the trust network of certification authorities used in the example implementation of the invention.
Embodiment
The invention is described in detail below with reference to Fig. 1; its objects and effects will become more apparent.
The method of the invention for cross-validating the various service engines in a mobile terminal comprises the following steps:
1. Request the certificate from the target service engine
The source service engine sends a certificate request to the target service engine; on receiving it, the target service engine sends its certificate file to the source service engine. This certificate is denoted Cts. A certificate mainly contains the certificate name, the public key of the certificate's owner, and signer information. The following table is an example of a target service engine's certificate:
Certificate name   Owner's public key   Signer
C(CA3, ts)         Kts                  CA3
The first column is the certificate name, the second the public key of the certificate's owner, and the third the certification authority that signed the certificate.
2. Parse the certificate file
Having obtained the certificate file Cts sent by the target service engine, the source service engine parses it and obtains the certification authority that signed the certificate file, denoted CAt.
In the Cts example above, the certification authority that signed the certificate is CA3, so CA3 is CAt in the example.
3. Verify the signing certification authority
Verifying whether the certification authority CAt that signed the target service engine's certificate file is trustworthy is the process of obtaining CAt's public key through the trust network: the source service engine sends requests to the certification authorities it trusts and finally obtains the public key Kt of CAt.
In the example above, this step is the process of obtaining the public key K3 of the certification authority CA3.
The detailed procedure of this step is described below using the trust network of certification authorities shown in Fig. 2 as an example. In Fig. 2, CA1, CA2, CA3 and CA4 are certification authorities, and CA1 is the local certification authority of the source service engine. The arrows between the certification authorities represent trust relationships: the arrow from CA1 to CA2 means that CA2 is a certification authority trusted by CA1, the arrow from CA2 to CA3 means that CA3 is trusted by CA2, and so on. The step proceeds as follows.
Step 1. The source service engine initialises the set TCA of certification authorities still to be queried, the set QCA of certification authorities already queried, and the set AK of acquired public keys. In the example CA1 is the local certification authority of the source service engine, so
TCA = {CA1},
QCA = {},
AK = {K1}.
Step 2. For each certification authority CAi in the set TCA, in turn, the source service engine sends CAi a request for CAt's certificate, deletes CAi from TCA and adds CAi to QCA. In the example the set TCA currently contains only CA1, so the source service engine sends CA1 a request for CA3's certificate, and at the same time deletes CA1 from TCA and adds it to QCA. Now
TCA = {},
QCA = {CA1},
AK = {K1}.
Step 3. Each certification authority that receives the request sends the source service engine the certificates, signed by itself, of all the certification authorities it trusts. In the example only CA1 has received a request, so CA1 sends the source service engine the certificates of the certification authorities it trusts, CA2 and CA4. The certificate information is as follows (certificates are written C(signer, owner), as in the summary):
Certificate name   Owner's public key   Signer
C(CA1, CA2)        K2                   CA1
C(CA1, CA4)        K4                   CA1
The first column is the certificate name, the second the public key of the certificate's owner, and the third the certification authority that signed the certificate.
Step 4. On receiving a certificate, the source service engine checks whether the certificate's owner belongs to QCA; if not, it adds the owner to TCA and, having verified the certificate with the signer's public key already held in AK, adds the owner's public key to AK. In the example:
for C(CA1, CA2), the owner CA2 does not belong to QCA, so CA2 is added to TCA and its public key K2 (verified with K1) is added to AK;
for C(CA1, CA4), the owner CA4 does not belong to QCA, so CA4 is added to TCA and its public key K4 (verified with K1) is added to AK. Now
TCA = {CA2, CA4},
QCA = {CA1},
AK = {K1, K2, K4}.
Step 5. Decide whether the public key Kt of CAt has been obtained. In the example this means deciding whether the public key K3 of CA3 has been obtained; K3 does not belong to AK, so steps 2 to 5 are repeated, as follows:
Step 2 repeated: the source service engine sends CA2 and CA4 requests for CA3's certificate, and at the same time deletes CA2 and CA4 from TCA and adds them to QCA. Now
TCA = {},
QCA = {CA1, CA2, CA4},
AK = {K1, K2, K4};
Step 3 repeated: CA2 receives the request, so CA2 sends the source service engine the certificates of the certification authorities it trusts, CA4 and CA3:
Certificate name   Owner's public key   Signer
C(CA2, CA4)        K4                   CA2
C(CA2, CA3)        K3                   CA2
CA4 also receives the request, but CA4 trusts no certification authority, so it sends nothing;
Step 4 repeated: on receiving the certificates, for C(CA2, CA4) the owner CA4 already belongs to QCA, so nothing is done; for C(CA2, CA3) the owner CA3 does not belong to QCA, so CA3 is added to TCA and its public key K3 (verified with K2) is added to AK. Now
TCA = {CA3},
QCA = {CA1, CA2, CA4},
AK = {K1, K2, K4, K3};
Step 5 repeated: K3 now belongs to AK, so the next stage is entered.
4. Complete verification of the target service engine
Using the public key Kt of the certification authority that signed the target service engine's certificate, obtained in the previous stage, decrypt (verify) the target service engine's certificate, obtain the public key of the target service engine, and so complete verification of the target service engine. In the example, the public key K3 obtained in the previous stage is used to decrypt (verify) the target service engine's certificate C(CA3, ts), yielding the public key Kts of the target service engine.
This completes the cross-validation of the target service engine.
The embodiment above is intended to explain the invention, not to limit it; any modification or variation of the invention within the spirit of the invention and the scope of the claims falls within the protection scope of the invention.
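The stage-3 trust-network traversal of the summary and the worked Fig. 2 run above, written out as an added example; this is not the patent's own code, and the patent does not publish any. The sets TCA, QCA and AK make the procedure a breadth-first search over the directed graph of CA trust relationships, so the example is written as one. Everything in it is constructed: the CA names, the trust edges (CA1 -> CA2, CA1 -> CA4, CA2 -> CA4, CA2 -> CA3, as in Fig. 2), the engine "ts" and its certificate C(CA3, ts), and the signature scheme, which is textbook RSA over fixed small moduli purely so that the block runs offline on the standard library (a toy, not a secure signature). Two points the patent leaves implicit are made explicit here and are this example's additions: the search stops with failure when TCA empties before Kt is found, and a certificate that does not verify under the key Ki already held in AK is dropped rather than extending trust.

```python
"""Added example (not the patent's code): stage 3 of the method, the trust-network
traversal with the sets TCA, QCA and AK, as a breadth-first search over a directed CA
trust graph, followed by the stage-4 check of the target engine's certificate Cts.
Signatures are textbook RSA over fixed ~40-bit moduli so it runs offline on the
standard library: a toy for showing the protocol structure, neither secure nor for
reuse. CA names, keys, trust edges and the engine 'ts' mirror the patent's Fig. 2."""
import hashlib
import json
import math

E = 65537  # public exponent shared by every toy key

def _next_prime(n):
    """Smallest prime >= n, by trial division (n is ~10^6 here, so this is cheap)."""
    while any(n % i == 0 for i in range(2, int(n ** 0.5) + 1)):
        n += 1
    return n

def _keypair(seed):
    """Deterministic toy RSA pair for CA/engine number `seed`: ((e, n), (d, n))."""
    p = _next_prime(1_000_000 + 200 * seed)
    q = _next_prime(p + 1)
    while math.gcd(E, (p - 1) * (q - 1)) != 1:  # keep e invertible modulo phi
        q = _next_prime(q + 1)
    return (E, p * q), (pow(E, -1, (p - 1) * (q - 1)), p * q)

def _digest(owner, owner_pub, signer, n):
    body = json.dumps([owner, list(owner_pub), signer]).encode()
    return int.from_bytes(hashlib.sha256(body).digest(), "big") % n

def issue_cert(signer, signer_priv, owner, owner_pub):
    """C(signer, owner) in the patent's notation: owner's public key, signed by signer."""
    d, n = signer_priv
    sig = pow(_digest(owner, owner_pub, signer, n), d, n)
    return {"owner": owner, "owner_pub": tuple(owner_pub), "signer": signer, "sig": sig}

def verify_cert(cert, signer_pub):
    """The patent's 'decrypt the certificate with the signer's public key'."""
    e, n = signer_pub
    return pow(cert["sig"], e, n) == _digest(cert["owner"], cert["owner_pub"], cert["signer"], n)

class CA:
    """One certification authority, a node of the Fig. 2 trust network."""
    def __init__(self, name, seed):
        self.name, (self.pub, self._priv) = name, _keypair(seed)
        self.trusted = []  # CAs this CA trusts: its outgoing arrows in Fig. 2

    def issue(self, owner, owner_pub):
        return issue_cert(self.name, self._priv, owner, owner_pub)

    def handle_request(self):
        """Step 3: answer a certificate request with C(self, CAjk) for every trusted CAjk."""
        return [self.issue(t.name, t.pub) for t in self.trusted]

def build_fig2_network():
    ca = {n: CA(n, i) for i, n in enumerate(["CA1", "CA2", "CA3", "CA4"], start=1)}
    ca["CA1"].trusted += [ca["CA2"], ca["CA4"]]
    ca["CA2"].trusted += [ca["CA4"], ca["CA3"]]
    return ca

def obtain_ca_key(network, local_ca, target_ca):
    """Stage 3, steps 1-5: return (Kt, QCA). Kt is None if the graph is exhausted
    before target_ca is reached (the patent loops 'until Kt is in AK'; stopping on
    an empty TCA is this example's addition)."""
    TCA = [local_ca]                        # step 1: CAs still to query
    QCA = []                                # CAs already queried
    AK = {local_ca: network[local_ca].pub}  # acquired public keys, by CA name
    while target_ca not in AK:
        if not TCA:
            return None, QCA
        frontier, TCA = TCA, []
        for ca_i in frontier:               # step 2: move CAi from TCA to QCA, ask it
            QCA.append(ca_i)
            for cert in network[ca_i].handle_request():  # step 3: C(CAi, CAjk)
                jk = cert["owner"]
                # step 4: the patent tests 'CAjk not in QCA'; testing AK too skips a CA
                # already placed in TCA because another CA vouched for it first.
                if jk in QCA or jk in AK or not verify_cert(cert, AK[ca_i]):
                    continue                # unverifiable under Ki: trust is not extended
                TCA.append(jk)
                AK[jk] = cert["owner_pub"]
    return AK[target_ca], QCA

def cross_validate_engine(network, local_ca, cts):
    """Stages 2-4: read CAt from Cts, fetch Kt via the trust network, verify Cts with Kt
    and return the target engine's public key Kts (None if any step fails)."""
    k_t, _ = obtain_ca_key(network, local_ca, cts["signer"])
    return cts["owner_pub"] if k_t is not None and verify_cert(cts, k_t) else None

def demo():
    """Fig. 2 run; a forged Cts from an impostor using CA3's name; an unreachable CA."""
    net = build_fig2_network()
    kts, _ = _keypair(9)                                     # target engine 'ts' (constructed)
    cts = net["CA3"].issue("ts", kts)                        # C(CA3, ts) as in the patent's table
    forged = issue_cert("CA3", _keypair(10)[1], "ts", kts)  # names CA3 but signed by a rogue key
    return (cross_validate_engine(net, "CA1", cts) == kts,
            cross_validate_engine(net, "CA1", forged) is None,
            obtain_ca_key(net, "CA1", "CA5")[0] is None)

if __name__ == "__main__":
    print(obtain_ca_key(build_fig2_network(), "CA1", "CA3")[1], demo())
```

Run stand-alone, the block prints the query order ['CA1', 'CA2', 'CA4'], matching the QCA set of the worked example, followed by (True, True, True): the genuine C(CA3, ts) yields Kts, the forged certificate that merely names CA3 as signer is rejected because it does not verify under the K3 obtained through CA1 -> CA2 -> CA3, and a CA nobody on the graph vouches for is reported as unreachable instead of looping forever.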

Claims (2)

1. A method for cross-validating the various service engines in a mobile terminal, characterised in that the method comprises the following steps:
(1) requesting the certificate from the target service engine: the source service engine sends a certificate request to the target service engine, and on receiving the certificate request the target service engine sends its certificate file to the source service engine; this certificate is denoted Cts;
(2) parsing the certificate file: having obtained the certificate file Cts sent by the target service engine, the source service engine parses the certificate file and obtains the certification authority that signed the certificate file, denoted CAt;
(3) verifying the signing certification authority: verifying whether the certification authority CAt that signed the target service engine's certificate file is trustworthy is the process of obtaining the public key of the certification authority CAt through the trust network; the source service engine sends requests to the certification authorities it trusts and finally obtains the public key Kt of the certification authority CAt;
(4) completing verification of the target service engine: using the public key Kt of the certification authority that signed the target service engine's certificate, obtained in the previous stage, the target service engine's certificate is decrypted (verified), the public key of the target service engine is obtained, and verification of the target service engine is completed.
2. The method for cross-validating the various service engines in a mobile terminal according to claim 1, characterised in that said step (3) is specifically as follows:
(A) the source service engine initialises the set TCA of certification authorities to be queried, the set QCA of certification authorities already queried, and the set AK of acquired public keys:
TCA = {CA1},
QCA = {},
AK = {K1}
where CA1 is the local certification authority of the source service engine and K1 is the public key of the certification authority CA1;
(B) for each certification authority CAi in the set TCA, in turn, the source service engine sends CAi a request for CAt's certificate, deletes CAi from TCA and adds CAi to QCA;
(C) each certification authority CAi that receives the request for CAt's certificate sends the source service engine, for each certification authority CAjk that CAi trusts, the certificate C(i, jk) signed by CAi, where k is a natural number;
(D) whenever the source service engine receives a certificate C(i, jk), if CAjk does not belong to QCA, the source service engine adds CAjk to the set TCA and at the same time decrypts (verifies) C(i, jk) with the public key Ki held in AK, obtaining the public key Kjk of the certification authority CAjk, which it adds to AK;
(E) deciding whether the public key Kt of the certification authority CAt has been obtained: if Kt does not belong to AK, steps B to E are repeated; if Kt belongs to AK, the next stage is entered.
CN2009100995216A 2009-06-18 2009-06-18 Method for cross-validating various service engines in mobile terminals Expired - Fee Related CN101572888B (en)

Publications (2)

Publication Number Publication Date
CN101572888A CN101572888A (en) 2009-11-04
CN101572888B true CN101572888B (en) 2012-03-28

Family

ID=41232092

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111800270B (en) * 2018-06-25 2023-05-23 北京白山耘科技有限公司 Certificate signing method and device, storage medium and computer equipment

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2002039237A2 (en) * 2000-11-09 2002-05-16 International Business Machines Corporation Method and system for web-based cross-domain single-sign-on authentication
WO2003079167A1 (en) * 2002-03-18 2003-09-25 Telenor Asa Single sign-on secure service access

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
C17 Cessation of patent right
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20120328

Termination date: 20120618