Embodiment
The embodiment of the present invention provides an authentication method, device and system for realizing CDN interworking. CDN interworking allows CDN systems to complement each other's capabilities, for example by extending coverage or by sharing load when traffic on one CDN system increases. Security is one of the key issues of CDN interworking: when CDN2 interworks with CDN1, it must be guaranteed that CDN2 provides service only for CDN1, with which it has an interworking relationship. The technical scheme of the embodiment of the present invention solves the security problem of CDN interworking and promotes interworking between different CDN systems.
The functional architecture of the CDN system of the embodiment of the present invention is shown in Figure 3.
(1) Content Source (CS)
Stores the original content and sends content to the CDN system. A CP/SP can deploy its own content source or store its content in a third-party storage system.
Content stored at the content source can be injected into the CDN system (specifically, into a content storage entity or a content delivery entity) through the content injection process. The CDN system can also request content from the content source on its own initiative when necessary.
(2) Storage Controller
The storage controller selects a suitable content storage entity to obtain content from the content source, and selects a suitable content delivery entity to obtain content from the designated content storage entity.
The functions of the storage controller specifically include: knowing the load condition of the content storage entities, such as CPU usage, memory usage and input/output bandwidth; knowing the capability information of the content storage entities, such as the supported content injection protocols (e.g. HTTP, FTP) and content distribution protocols (HTTP, FTP); and routing content requests, such as content injection requests and content distribution requests.
(3) Delivery Controller
The delivery controller selects a content delivery entity to deliver media content to the terminal.
The functions of the delivery controller entity specifically include: knowing the load condition of the content delivery entities, such as CPU usage, memory usage and input/output bandwidth; knowing the capability information of the content delivery entities, such as the supported content injection protocols (e.g. HTTP, FTP) and content delivery protocols (e.g. RTSP, HTTP, SilverLight, Flash); and routing content-related requests, such as content injection and content distribution.
(4) Content Router (CR)
In the embodiment of the present invention, the storage controller and the delivery controller are collectively referred to as the content router. For simplicity, the following embodiments do not divide the content router into a storage controller and a delivery controller, and describe the related embodiments using only the content router entity.
(5) Security Function (SF)
In the embodiment of the present invention, the security function is a logical functional entity that can be located at the control layer or at the resource layer. It can be deployed independently or integrated into the content router or the content delivery entity.
The functions of the SF specifically include: management of CP security information (such as shared keys and authentication methods); transfer of CP security information, for example SF1 of CDN1 transfers the security information of a CP to SF2 of CDN2; authentication of the CP, that is, authentication of a particular CP portal; and optionally authentication between CDNs, for example CDN2 authenticating that CDN1 is a subscribed CDN.
(6) Content Storage (CSG)
The CSG obtains and stores original content from the content source and distributes it to the content delivery entities; optionally, the CSG can also pre-process content, for example by content fragmentation and transcoding.
(7) Content Delivery (CD)
The CD obtains content from the content storage and distributes it to terminals; optionally, the CD can also perform bitrate conversion, file format conversion, slicing and similar processing on the content.
The embodiment of the present invention is described using the interworking of two CDNs as an example. The typical scenario to which this scheme applies is shown in Figure 4: suppose CDN1 covers area 1 and CDN2 covers area 2. The CP wishes to provide service to users in both area 1 and area 2, but the CP has a subscription only with CDN1, and CDN1 has a subscription with CDN2. Since the CP has a subscription only with CDN1, content is assumed to be injected into the content storage entity of CDN1. Likewise, because the CP has a subscription only with CDN1, content delivery requests first arrive at the content router of CDN1.
The interworking of CDN systems involves the following service flows: the content distribution flow and the content delivery flow. Through the content distribution flow, CDN2 obtains content from CDN1, either because CDN1 pushes content to CDN2 or because CDN2 requests content from CDN1. Through the content delivery flow, the terminal obtains media content from CDN2.
Embodiment 1 describes the overall flow of secure CDN interworking, Embodiment 2 describes the secure interworking process of the content distribution flow, Embodiments 3-6 describe the secure interworking process of the content delivery flow, and Embodiment 7 applies to both the content distribution and content delivery flows.
To make the purpose, technical scheme and advantages of the embodiments of the present invention clearer, the technical scheme of the embodiments of the present invention is described clearly and completely below with reference to the accompanying drawings. Obviously, the described embodiments are only some, not all, of the embodiments of the present invention. All other embodiments obtained by those of ordinary skill in the art on the basis of the embodiments of the present invention without creative work fall within the scope of protection of the present invention.
Embodiment 1:
This embodiment first provides an authentication method for realizing CDN interworking, applied to the scenario shown in Figure 4. Figure 4a is the flow chart of the method of this embodiment; as shown in Figure 4a, the method comprises:
S401: CDN2 receives a service request from CDN1 or from a terminal;
S402: CDN2 obtains authentication parameters and a token provided by a CP, where the CP has a subscription with CDN1, CDN1 has a subscription with CDN2, and the CP has no subscription with CDN2;
S403: CDN2 authenticates the CP according to the authentication parameters and the token;
S404: CDN2 returns a service response to CDN1 or to the terminal according to the authentication result.
Optionally, S402 specifically comprises: CDN2 obtains the authentication parameters and the token provided by the CP from the service request; or CDN2 obtains the authentication parameters provided by the CP from the service request and obtains the token provided by the CP through an authentication process with the CP.
Optionally, the method further comprises: CDN2 receives security information sent by CDN1, the security information comprising at least the shared key of the CP and CDN1. Correspondingly, S403 specifically comprises: CDN2 generates a token according to the authentication parameters and the shared key, and compares the generated token with the obtained token; if they are consistent, authentication passes.
Optionally, when CDN1 has not delivered the security information to CDN2, S403 specifically comprises: CDN2 provides the authentication parameters and the token to CDN1, so that CDN1 authenticates the CP according to the shared key of the CP and CDN1, the authentication parameters and the token; and CDN2 receives the authentication result returned by CDN1.
Optionally, the method further comprises: protocol and/or message format conversion between CDN1 and CDN2 is performed by a security gateway.
Optionally, the executing entity of the method is the security function device in CDN2.
Corresponding to the method for Fig. 4 a, present embodiment also provides a kind of authenticate device of the CDN of realization intercommunication, and described device is arranged in second content distributing network CDN2; Fig. 4 b is the functional block diagram of this device, and shown in Fig. 4 b, this device 40 comprises: receiving element 401 is used for receiving the service request from CDN1 or terminal; Acquiring unit 402 is used for obtaining parameters for authentication and the token that is provided by CP, and described CP and described CDN1 are signatory, and described CDN1 and described CDN2 are signatory, and described CP is not signatory with described CDN2; Authentication ' unit 403, the parameters for authentication and the token that are used for getting access to according to described acquiring unit authenticate described CP; Transmitting element 404 is used for the authentication result according to described authentication ' unit, returns service response to CDN1 or described terminal.
Alternatively, described acquiring unit 402, concrete being used for obtained parameters for authentication and the token that is provided by CP from described service request; The parameters for authentication that is provided by CP perhaps is provided from described service request, and is obtained the token that is provided by CP by the verification process with CP.
Alternatively, described receiving element 401 also is used for receiving the security information that CDN1 sends, and described security information comprises the shared key of CP and CDN1 at least; Correspondingly, described authentication ' unit 403, concrete parameters for authentication and the described shared key that is used for getting access to according to described acquiring unit generates token, and relatively whether the token of Sheng Chenging is consistent with the token that obtains, if unanimity then authenticate is passed through.
Alternatively, when receiving element 401 does not receive security information from CDN1, described authentication ' unit 403, concrete being used for offers CDN1 with described parameters for authentication and token, described CP authenticated according to the shared key of CP and CDN1, described parameters for authentication and token by CDN1; The authentication result that reception is returned by CDN1.
Corresponding to the method for Fig. 4 a and the device of Fig. 4 b, present embodiment also provides a kind of Verification System of the CDN of realization intercommunication, and described system applies is in scene shown in Figure 4; Fig. 4 c is present embodiment system annexation schematic diagram.
Shown in Fig. 4 c, the system of present embodiment comprises: the safety function device SF2 and the safety function device SF1 that is positioned at CDN1 that are positioned at CDN2; Described SF2 is used for receiving the service request from SF1 or terminal; The parameters for authentication and the token that are provided by CP are provided, and described CP and described CDN1 are signatory, and described CDN1 and described CDN2 are signatory, and described CP is not signatory with described CDN2; According to described parameters for authentication and token described CP is authenticated; According to authentication result, return service response to SF1 or described terminal.
Alternatively, described SF2, concrete being used for obtained parameters for authentication and the token that is provided by CP from described service request; The parameters for authentication that is provided by CP perhaps is provided from described service request, and is obtained the token that is provided by CP by the verification process with CP.
Alternatively, described SF2 also is used for receiving the security information that CDN1 sends, and described security information comprises the shared key of CP and CDN1 at least; Generate token according to described parameters for authentication and described shared key, relatively whether the token of Sheng Chenging is consistent with the token that obtains, if unanimity then authenticate is passed through.
Alternatively, described SF2 also is used for described parameters for authentication and token are offered SF1, described CP is authenticated according to the shared key of CP and CDN1, described parameters for authentication and token by SF1; And receive the authentication result of being returned by SF1.
Alternatively, described system also comprises: the security gateway (not shown) between SF1 and SF2; Described security gateway is used for agreement and/or message format conversion between realization CDN1 and the CDN2.
The method of the embodiment of the invention, device and system, when CP and CDN1 are signatory, CDN1 contracts with CDN2, and CP is when signatory with CDN2, parameters for authentication and the token of CDN2 by obtaining CP, realized that the CP of CDN2 authenticates, guaranteed the fail safe of intercommunication between CDN1 and the CDN2, made CDN2 only for providing service with the signatory CP of CDN1.
Embodiment 2:
Based on the scenario of Figure 4, this embodiment realizes authentication of the CP by CDN2 in the content distribution process. In this scenario, CDN1 performs content distribution on its own initiative according to specific distribution rules, that is, content is actively pushed from CDN1 to CDN2. The authentication process is shown in Figure 5:
S500: the security function device SF1 delivers security information to the security function device SF2.
The specific content of the security information depends on the security information shared by the CP and CDN1, and comprises the authentication mode, the shared key between the CP and CDN1, the authentication algorithm, and so on.
CDN1 and CDN2 may have multiple subscriptions, each with different subscription content, for example corresponding to different CPs, or several different subscriptions under the same CP. In general, a CDN identifier and a subscription identifier are used to identify these subscriptions, so the security information may be delivered together with the CDN identifier (CDN ID) and the subscription identifier (Profile ID). With the CDN identifier and the subscription identifier, CDN2 can uniquely identify a specific subscription of a specific CDN.
There are two authentication modes: symmetric key authentication and asymmetric key authentication. When the symmetric key authentication mode is used, the key in the security information is the shared key of the CP and CDN1. When the asymmetric (public key) authentication mode is used, the key in the security information is the public key of the CP. This embodiment is described using a shared key as an example.
The authentication algorithm corresponds to a digest algorithm, such as MD5 (Message Digest 5), SHA1 (Secure Hash Algorithm 1), or another digest algorithm.
In the embodiment of the present invention, the security information may be part of the subscription information. The subscription information stores the service agreement and the shared information that the contracting parties need, and is the basis of service. An example of the subscription information of the embodiment of the present invention is as follows: CDN identifier, subscription identifier, security information (authentication mode, key, authentication algorithm), and other subscription information. The subscription information and security information of the embodiment of the present invention may also be organized in other forms; these forms do not affect the realization of this scheme.
S501: the content router device CR1 sends a service request to SF1.
Taking an HTTP request as an example, the URL of the service request message is schematically as follows:
http://www.sina.com/movie/hero.flv, where www.sina.com is the domain name.
To realize specific services, the service request message may also carry other service-specific parameters in the URL, in HTTP message header fields or in the message body; the embodiment of the present invention places no restriction on this.
S502: SF1 sends the service request to SF2, carrying the authentication parameters.
This step may specifically comprise:
A. After SF1 receives the service request message, if it judges that the request comes from a subscribed CP, it performs the subsequent flow; otherwise it rejects the request;
B. If the request comes from a subscribed CP, SF1 further judges whether the request message carries a token;
C. If a token is carried, SF1 may either: sub-step 1) forward the service request directly to SF2; or sub-step 2) add new authentication parameters, such as CDN ID and/or Profile ID, recompute the token, and then send the modified service request to SF2.
D. If no token is carried, SF1 directly performs sub-step 2).
The authentication parameters of this embodiment comprise: request URL/domain name, CDN identifier, subscription identifier, authentication mode and authentication algorithm. The subscription identifier, authentication mode and authentication algorithm are optional.
The token is computed from the authentication parameters and the key. Taking SHA1 as an example, token = SHA1(request URL/domain name, CDN identifier, subscription identifier, authentication mode, authentication algorithm, key). The subscription identifier, authentication mode and authentication algorithm are optional.
When computing the token, either the URL or the domain name in the URL may be used.
Taking an HTTP request as an example, the URL of the service request message is schematically as follows, where TOKEN is the token:
http://www.sina.com/movie/hero.flv?CDNID=1234&ProfileID=5678&AuthMode=1&AuthAlgorithm=1&TOKEN=abcdef123456.
In a specific implementation, the way in which the above information is carried is not limited. For example, the authentication parameters may also form part of the token, and the token may be carried in a message header field.
S503: SF2 authenticates the service request.
SF2 determines the corresponding security information according to the CDN ID and/or Profile ID. SF2 computes a token from the key in the security information and the authentication parameters in the service request, and compares the newly computed token with the token carried in the service request. If they are consistent, authentication passes; otherwise authentication fails.
S504: SF2 sends the service request to CR2 according to the authentication result.
S505: CR2 returns a service response to SF2.
CR2 performs different processing for different service requests; the specific processing depends on operator policy, and the embodiment of the present invention places no restriction on the specific processing procedure.
S506: SF2 sends the service response to SF1.
S507: SF1 sends the service response to CR1.
In this embodiment, CDN1 carries the authentication parameters and the token needed to authenticate the CP, and CDN2 recomputes the token from the authentication parameters and the key shared with CDN1; by comparing the generated token with the received token, it completes the authentication of the CP.
Embodiment 3:
Based on the scenario of Figure 4, this embodiment realizes authentication of the CP by CDN2 in the content delivery process. The authentication process is shown in Figure 6:
S600: the security function SF1 delivers security information to SF2. For the detailed process of this step, refer to S500 of Figure 5.
S601: the terminal browses a navigation portal of the CP, and the response message returned by the CP carries the authentication parameters and a token.
The authentication parameters and the token may be returned in the URL, for example:
www.sina.com/movie/hero.flv?CDNID=1234&ProfileID=5678&ClientID=10.144.111.11&AuthMode=1&AuthAlgorithm=1&TOKEN=abcdef123456
The authentication parameters comprise: request URL/domain name, CDN identifier, subscription identifier, client identifier, authentication mode and authentication algorithm. The CDN identifier, subscription identifier, client identifier, authentication mode and authentication algorithm are optional.
Specifically for the above response message: the request URL is www.sina.com/movie/hero.flv, where www.sina.com is the domain name; 1234 is the CDN identifier; 5678 is the subscription identifier; 10.144.111.11 is the client identifier, here taking an IP address as an example; AuthMode=1 indicates the authentication mode and AuthAlgorithm=1 indicates the authentication algorithm; TOKEN is the computed token.
Here the authentication parameters additionally include a client identifier. Adding this identifier prevents other clients from replaying the message. The CP portal can use the IP address of the browsing request message as the client identifier.
The token is computed from the authentication parameters and the key. Taking SHA1 as an example, token = SHA1(request URL/domain name, CDN identifier, subscription identifier, client identifier, authentication mode, authentication algorithm, key). The CDN identifier, subscription identifier, client identifier, authentication mode and authentication algorithm are optional.
S602-S603: the terminal initiates a service request to CR1, and CR1 notifies the terminal through a service response message that the service request is redirected to CR2.
The request carries the authentication parameters and the token. Taking an HTTP request as an example, the service request message is schematically as follows:
http://www.sina.com/movie/hero.flv?CDNID=1234&ProfileID=5678&ClientID=10.144.111.11&AuthMode=1&AuthAlgorithm=1&TOKEN=abcdef123456.
The authentication parameters comprise: request URL/domain name, CDN identifier, subscription identifier, client identifier, authentication mode and authentication algorithm. The CDN identifier, subscription identifier, client identifier, authentication mode and authentication algorithm are optional; if they are available at the CP portal, they may be carried.
The token is computed from the authentication parameters and the key. Taking SHA1 as an example, token = SHA1(request URL/domain name, CDN identifier, subscription identifier, client identifier, authentication mode, authentication algorithm, key). The CDN identifier, subscription identifier, client identifier, authentication mode and authentication algorithm are optional.
Here the authentication parameters additionally include a client identifier. Because different clients have different IP or MAC addresses, adding this identifier prevents other clients from replaying the message. The client address may be an IP address or a MAC address.
This embodiment may compute the token using either the URL or the domain name in the URL; taking SHA1 as an example, token = SHA1(request URL/domain name, CDN identifier, subscription identifier, client identifier, authentication mode, authentication algorithm, key).
S604: the terminal sends a service request message to CR2.
The terminal initiates the service request to CR2 according to the service response message received in S603. The service request carries the authentication parameters and the token.
S605: CR2 sends the service request to SF2; the service request carries the authentication parameters and the token.
S606: SF2 authenticates the service request and returns a service response to CR2.
Specifically, this step may comprise:
A. SF2 determines the corresponding security information according to CDNID and/or ProfileID. If the authentication parameters carry neither CDNID nor ProfileID, the corresponding security information may be determined according to the CP domain name;
B. SF2 computes a token from the key in the security information and the authentication parameters in the service request, and compares the newly computed token with the token carried in the service request; if they are consistent, authentication passes, otherwise authentication fails;
C. After authentication succeeds, SF2 returns a service response.
S607: CR2 returns a service response to the terminal.
In the scheme of the embodiment of the present invention, when CDN1 has delivered security information to CDN2, CDN2 obtains the key from the security information and authenticates the CP using the authentication parameters and token provided by the CP, which it obtains from the service request. In this case the CP only needs a subscription relationship with CDN1 and only needs to understand the system of CDN1, for example for configuration and reporting. This scheme greatly simplifies the work of the CP.
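The token scheme of S502/S503 (Embodiment 2) and S601/S606 (Embodiment 3) in working form, as an added Python example that is not part of the patent: sign_request plays SF1 or the CP portal, verify_request plays SF2 with the CDNID/ProfileID lookup and the CP-domain fallback of step A. The text fixes only the field order, so the '|' separator, the mapping AuthAlgorithm=1 to SHA1 and 2 to MD5, the sample key and identifiers, and the check of ClientID against the request's source address are assumptions made here.

```python
"""Token generation and verification for the CDN interworking scheme above.

sign_request() plays SF1 (S502 sub-step 2) or the CP portal (S601);
verify_request() plays SF2 (S503 / S606).  Keys and identifiers are
constructed for this example.
"""
import hashlib
import hmac
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Constructed security information as delivered in S500, keyed by
# (CDN ID, Profile ID); the CP domain name is the alternative lookup key
# for the fallback described in step A of S606.
SECURITY_INFO = {
    ("1234", "5678"): {"AuthMode": "1", "AuthAlgorithm": "1", "key": "example-shared-key"},
}
DOMAIN_TO_SUBSCRIPTION = {"www.sina.com": ("1234", "5678")}

# Assumed meaning of AuthAlgorithm: the text only says it selects a digest
# such as SHA1 or MD5, not which value means which.
ALGORITHMS = {"1": hashlib.sha1, "2": hashlib.md5}

# Field order of the token input as given in the text; every field after
# the request URL is optional and is simply left out when absent.
AUTH_FIELDS = ("CDNID", "ProfileID", "ClientID", "AuthMode", "AuthAlgorithm")


def compute_token(request_url, params, key, algorithm="1"):
    """token = H(request URL, CDN ID, Profile ID, Client ID, AuthMode,
    AuthAlgorithm, key).  Joining the fields with '|' is an assumption;
    the text does not fix an encoding."""
    parts = [request_url] + [params[f] for f in AUTH_FIELDS if f in params] + [key]
    return ALGORITHMS[algorithm]("|".join(parts).encode("utf-8")).hexdigest()


def split_request(url):
    """Return (host, request URL without query string, query parameters)."""
    s = urlsplit(url)
    request_url = urlunsplit((s.scheme, s.netloc, s.path, "", ""))
    return s.hostname, request_url, dict(parse_qsl(s.query, keep_blank_values=True))


def sign_request(url, key, **auth_params):
    """Add authentication parameters (CDNID, ProfileID, ClientID, ...) to the
    URL and (re)compute TOKEN over the full parameter set."""
    _, request_url, params = split_request(url)
    params.pop("TOKEN", None)                # any earlier token is superseded
    params.update({k: str(v) for k, v in auth_params.items()})
    params["TOKEN"] = compute_token(request_url, params, key,
                                    params.get("AuthAlgorithm", "1"))
    return request_url + "?" + urlencode(params)


def lookup_security_info(host, params):
    """Step A of S606: select by CDNID/ProfileID, else by the CP domain name."""
    if "CDNID" in params and "ProfileID" in params:
        return SECURITY_INFO.get((params["CDNID"], params["ProfileID"]))
    return SECURITY_INFO.get(DOMAIN_TO_SUBSCRIPTION.get(host))


def verify_request(url, client_addr=None):
    """Step B of S606 (equivalently S503).  client_addr is the address the
    request actually came from; comparing it with ClientID is the assumed
    way the replay protection described in S601 takes effect."""
    host, request_url, params = split_request(url)
    presented = params.get("TOKEN")
    if presented is None:
        return False                         # no token: cannot authenticate locally
    info = lookup_security_info(host, params)
    if info is None:
        return False                         # unknown CDN/subscription
    # Prefer the provisioned algorithm over whatever the request claims.
    algorithm = info.get("AuthAlgorithm") or params.get("AuthAlgorithm", "1")
    if algorithm not in ALGORITHMS:
        return False
    if client_addr is not None and params.get("ClientID") not in (None, client_addr):
        return False                         # token was issued to another client
    expected = compute_token(request_url, params, info["key"], algorithm)
    return hmac.compare_digest(expected.encode("utf-8"), presented.encode("utf-8"))
```

The comparison is constant-time via hmac.compare_digest; note that the page's construction hashes the key together with the parameters, whereas a fresh design would normally authenticate the same fields with an HMAC keyed by the shared key.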
Embodiment 4:
Based on the scenario of Figure 4, this embodiment realizes authentication of the CP by CDN2 in the content delivery process, assuming that CDN1 does not deliver security information to CDN2. CDN2 therefore needs to interact with CDN1 to complete the authentication of the service request. The authentication process is shown in Figure 7.
S701-S704 are the same as S602-S605 of Embodiment 2.
As in Embodiment 2, the authentication parameters and the token in the service request sent by the terminal in S701 of this embodiment are also obtained from the CP; for the detailed process, refer to the description of S601 in Embodiment 2, which is not repeated here.
In step S702, CR1 may add routing information for CDN1 to the redirect message, so that SF2 can send the service request to CDN1 in step S705. The routing information may directly carry the URL or IP address of SF1, or carry the CDN1 identifier and/or subscription identifier so that SF2 determines the routing destination from the identifier, for example by obtaining the URL or IP address of SF1 from local configuration information.
S705: SF2 sends the service request to SF1.
SF2 can determine which address to send the service request message to according to the routing information in the message, as described in S702.
This embodiment shows SF2 sending the service request message directly to SF1; the message may also be forwarded through CR1.
S706: SF1 authenticates the service request and returns a service response to SF2.
Specifically, this step may comprise:
A. SF1 determines the corresponding security information according to CDNID and/or ProfileID. If the authentication parameters carry neither CDNID nor ProfileID, the corresponding security information may be determined according to the CP domain name;
B. SF1 computes a token from the key in the security information and the authentication parameters in the service request, and compares the newly computed token with the token carried in the service request; if they are consistent, authentication passes, otherwise authentication fails;
C. After authentication succeeds, SF1 returns a service response.
S707: SF2 returns a service response to CR2.
S708: CR2 returns a service response to the terminal.
With the method of the embodiment of the present invention, when CDN1 does not deliver security information to CDN2, the authentication parameters and the token are provided to CDN1, CDN1 authenticates the CP on behalf of CDN2 and returns the authentication result to CDN2, thereby realizing authentication of the CP by CDN2. In this case the CP only needs a subscription relationship with CDN1. The operation, maintenance, statistics, monitoring and other work of the CP's system are greatly simplified.
Embodiment 5:
Based on the scenario of Figure 4, this embodiment realizes authentication of the CP by CDN2 in the content delivery process. This embodiment likewise assumes that CDN1 does not deliver security information to CDN2, so CDN2 needs to interact with CDN1 to complete the authentication of the service request. The authentication process is shown in Figure 8:
S801-S804 are the same as S602-S605 of Embodiment 2.
As in Embodiment 2, the authentication parameters and the token in the service request sent by the terminal in S801 of this embodiment are also obtained from the CP; for the detailed process, refer to the description of S601 in Embodiment 2, which is not repeated here.
In S802, CR1 may add routing information to the redirect message, so that CR2 can send the service request to CDN1 in S806. The routing information may directly carry the URL or IP address of SF1, or carry the CDN2 identifier and/or subscription identifier so that SF2 determines the routing destination from the identifier, for example by obtaining the URL or IP address of SF1 from local configuration information.
S805: SF2 redirects the service request to CR2.
S806: CR2 sends the service request to SF1.
CR2 can determine which address to send the service request message to according to the routing information in the message, as described in S802.
S807: SF1 authenticates the service request and returns a service response to CR2.
Specifically, this step may comprise:
A. SF1 determines the corresponding security information according to CDNID and/or ProfileID. If the authentication parameters carry neither CDNID nor ProfileID, the corresponding security information may be determined according to the CP domain name;
B. SF1 computes a token from the key in the security information and the authentication parameters in the service request, and compares the newly computed token with the token carried in the service request; if they are consistent, authentication passes, otherwise authentication fails;
C. After authentication succeeds, SF1 returns a service response.
S808: CR2 returns a service response to the terminal.
With the method of the embodiment of the present invention, when CDN1 does not deliver security information to CDN2, the authentication parameters and the token are provided to CDN1, CDN1 authenticates the CP on behalf of CDN2 and returns the authentication result to CDN2, thereby realizing authentication of the CP by CDN2. In this case the CP only needs a subscription relationship with CDN1. The operation, maintenance, statistics, monitoring and other work of the CP's system are greatly simplified.
Embodiment 6:
Based on the scenario of Figure 4, this embodiment realizes authentication of the CP by CDN2 in the content delivery process. The authentication flow is shown in Figure 9:
S900: SF1 delivers security information to SF2. This step is the same as S500 of Embodiment 1. This step is optional: if CDN1 delivers security information to CDN2, CDN2 can complete local authentication; if CDN1 does not deliver security information to CDN2, CDN1 completes the authentication process on behalf of CDN2.
S901-S902: the terminal initiates a service request to CR1, and CR1 notifies the terminal through a service response message that the service request is redirected to CR2.
The request does not carry a token. Taking an HTTP request as an example, the service request message is schematically as follows:
http://www.sina.com/movie/hero.flv
S903: the terminal sends a request message to CR2.
The terminal initiates the service request to CR2 according to the redirect message received in step S902.
S904: CR2 sends the service request to SF2.
S905: SF2 sends an authentication request to SF1.
SF2 judges that the service request carries no token. SF2 then sends an authentication request to SF1; this authentication request may optionally carry authentication parameters constructed by SF2. Taking HTTP POST as an example:
http://www.sina.com/movie/hero.flv?CDNID=1234&ProfileID=5678&AuthMode=1&AuthAlgorithm=1
Here, CDN ID is the identifier of CDN1, and Profile ID is the contract identifier between CDN1 and CDN2.
The authentication parameters of the above request message can also be carried in an HTTP message header field or in the message body (e.g. XML).
The specific routing is as described in S701-S704 of the preceding embodiment.
S906: SF1 sends an authentication request to the content operator CP (specifically, the security entity of the content operator).
Taking an HTTP POST as an example:
http://www.sina.com/movie/hero.flv?CDNID=1234&ProfileID=6789&AuthMode=1&AuthAlgorithm=1
SF1 replaces the Profile ID with the contract identifier between CDN1 and the CP. If the security information that CDN1 issued to CDN2 directly uses the contract identifier between the CP and CDN1, SF1 does not need to replace the contract identifier value here.
The authentication parameters of the above request message can also be carried in an HTTP message header field or in the message body (e.g. XML).
S907: The CP (specifically, the security entity of the content operator) returns an authentication response.
The security entity of the CP computes a token according to the authentication parameters and returns the token to SF1, carried in the authentication response.
Taking HTTP as an example:
HTTP/1.1 200 OK
Authorization: response=abcdef123456
The authentication response message may optionally carry authentication parameters, which are the same as those received in the authentication request.
The authentication parameters and token can also be carried in an HTTP message header field or in the message body (e.g. XML).
S908: SF1 performs local verification. This step is optional: if S900 was performed, this step is not needed and S910 is performed instead; otherwise this step is required. Specifically, SF1 generates a token from the authentication parameters and the shared key, and compares the generated token with the token returned by the CP; if they are consistent, authentication passes.
S909: SF1 returns the authentication response to SF2. If S908 was not performed, this step is also omitted.
This message is the same as the authentication response message in S907.
S910: SF2 performs local verification. This step is optional: if S900 was performed, this step is required; otherwise S908 is performed instead. SF2 computes a token according to the authentication parameters and the key, and compares the generated token with the token returned by the CP. If they are consistent, authentication passes; otherwise authentication fails.
S911: SF2 returns a service response to CR2.
If authentication passes, SF2 returns 200 OK; otherwise it returns 401 (Unauthorized).
S912: CR2 returns the service response to the terminal.
In this embodiment, SF2 sends the authentication request to the CP (specifically, the security entity of the content operator) via SF1. SF2 may also send the authentication request to the CP directly.
In addition, in S912, SF2 may instead return 401 (Unauthorized) to the UE. The UE then sends an authentication request to the CP and forwards the authentication response returned by the CP to SF2, and SF2 verifies the returned authentication response.
In this embodiment, when the service request does not carry a token, the token information returned by the CP is obtained by initiating an authentication request to the CP, and CDN2 can authenticate the CP according to the obtained authentication parameters and token information. Through the above process, CDN2's authentication of the CP is achieved; the CP only needs a contract with CDN1, which greatly simplifies the CP's system operation, maintenance, statistics and monitoring work.
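The S905-S911 exchange above, as an added worked example that is not part of the patent: SF2 builds the authentication parameters, SF1 swaps the Profile ID for the CP-CDN1 contract identifier, the CP security entity computes the token, and SF1 verifies it locally with the shared key before SF2 answers 200 OK or 401. The token algorithm (HMAC-SHA256 over the URL and sorted parameters), the contract identifiers and the shared key are assumptions, since the patent leaves them open.

```python
import hashlib
import hmac

# Constructed sample data (assumed, not from the patent): contract
# identifiers and the shared key as provisioned at each party.
PROFILE_CDN1_CDN2 = "5678"   # contract id between CDN1 and CDN2 (known to SF2)
PROFILE_CP_CDN1 = "6789"     # contract id between CP and CDN1 (known to SF1)
CP_SHARED_KEY = b"cp-cdn1-shared-key"  # shared by the CP and CDN1 only


def compute_token(url, params, key):
    """Assumed token algorithm: HMAC-SHA256 over the resource URL plus the
    authentication parameters in sorted order (a canonical form)."""
    canonical = url + "?" + "&".join(f"{k}={params[k]}" for k in sorted(params))
    return hmac.new(key, canonical.encode(), hashlib.sha256).hexdigest()


def sf2_build_auth_request(url):
    # S905: the service request carried no token, so SF2 builds the parameters.
    return url, {"CDNID": "1234", "ProfileID": PROFILE_CDN1_CDN2,
                 "AuthMode": "1", "AuthAlgorithm": "1"}


def sf1_forward_to_cp(url, params):
    # S906: SF1 replaces the CDN1-CDN2 Profile ID with the CP-CDN1 one.
    return url, {**params, "ProfileID": PROFILE_CP_CDN1}


def cp_authenticate(url, params):
    # S907: the CP security entity computes the token and echoes the parameters.
    return {"status": "200 OK", "params": params,
            "token": compute_token(url, params, CP_SHARED_KEY)}


def sf1_local_verify(url, response):
    # S908: recompute the token with the shared key; compare in constant time.
    expected = compute_token(url, response["params"], CP_SHARED_KEY)
    return hmac.compare_digest(expected, response["token"])


def sf2_service_response(verified):
    # S911: 200 OK when authentication passed, 401 otherwise.
    return "200 OK" if verified else "401 Unauthorized"


def run_flow(url, tamper=False):
    """Drive S905-S911 and return the service response SF2 gives CR2."""
    url, p2 = sf2_build_auth_request(url)
    url, p1 = sf1_forward_to_cp(url, p2)
    resp = cp_authenticate(url, p1)
    if tamper:  # simulate a token altered in transit
        resp = {**resp, "token": "0" * len(resp["token"])}
    return sf2_service_response(sf1_local_verify(url, resp))
```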
Embodiment 7:
This embodiment implements CDN2's authentication of the CP based on the scenario of Fig. 4, where CDN1 and CDN2 adopt different security schemes and interconnect through a gateway. The method of this embodiment can be used both for the content distribution process and for the content delivery process.
When the service requests/service responses handled by CDN1 and CDN2 differ, for example in the protocol adopted or in the message content, a security gateway can convert the service request/service response so that authentication of the service request completes smoothly. Likewise, when the authentication requests/authentication responses handled by CDN1 and CDN2 differ, the security gateway can convert them. In a specific implementation, the security gateway may be realized as part of the security function.
The specific authentication flow of this embodiment is shown in Fig. 10:
S1001: SF2 sends a service request to the security gateway.
S1002: The security gateway processes the received service request.
The security gateway verifies whether the service request is legitimate and converts it into a form that SF1 can handle.
S1003: The security gateway sends the converted service request to SF1.
S1004: SF1 returns a service response to the security gateway.
SF1 authenticates the received service request and returns a service response carrying the token. For the specific authentication process, refer to the authentication process of the security function in the embodiments above.
S1005: The security gateway processes the received service response.
The security gateway verifies whether the service response is legitimate and converts it into a form that SF2 can handle.
S1006: The security gateway sends the converted service response to SF2.
The security gateway processes authentication requests and authentication responses in the same way; see S1101-S1106 for details, which are not repeated here.
This embodiment is applicable to all of the above embodiments.
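The gateway conversion of S1002 and S1005, as an added example that is not part of the patent: the gateway validates the authentication parameters in the query-string form used on the CDN2 side and rewrites them into an XML body for the CDN1 side, then validates the XML response and rewrites its token into the Authorization header form. The element names, the "digits only" and hex-token checks, and the choice of which side uses which form are assumptions.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit, parse_qs

# Parameters the gateway requires before it forwards anything (assumed set).
REQUIRED = ("CDNID", "ProfileID", "AuthMode", "AuthAlgorithm")


class GatewayError(ValueError):
    """Raised when the gateway rejects a request or response as not legitimate."""


def gateway_request_to_sf1(request_url):
    """S1002: validate SF2's query-string form, emit an XML body for SF1."""
    parts = urlsplit(request_url)
    query = parse_qs(parts.query, keep_blank_values=True)
    params = {}
    for name in REQUIRED:
        values = query.get(name, [])
        # Reject missing, duplicated or non-numeric parameters before forwarding.
        if len(values) != 1 or not values[0].isdigit():
            raise GatewayError(f"missing or malformed parameter {name}")
        params[name] = values[0]
    root = ET.Element("AuthRequest")  # assumed element names
    ET.SubElement(root, "Resource").text = parts._replace(query="").geturl()
    for name, value in params.items():
        ET.SubElement(root, name).text = value
    return ET.tostring(root, encoding="unicode")


def gateway_response_to_sf2(xml_body):
    """S1005: validate SF1's XML response, emit the header form SF2 expects."""
    # ElementTree does not resolve external entities; a hardened parser
    # (e.g. defusedxml) is still advisable for untrusted peers in production.
    root = ET.fromstring(xml_body)
    if root.tag != "AuthResponse":
        raise GatewayError("unexpected response element")
    token = root.findtext("Token") or ""
    if not token or any(c not in "0123456789abcdef" for c in token):
        raise GatewayError("missing or malformed token")
    return {"status": "200 OK", "Authorization": f"response={token}"}
```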
Beneficial effects of the technical solution of the embodiments of the invention: when the CP has a contract with CDN1, CDN1 has a contract with CDN2, and the CP has no contract with CDN2, CDN2 obtains the CP's authentication parameters and token and authenticates the CP according to the obtained authentication parameters and token. This guarantees the security of interconnection between CDN1 and CDN2 and guarantees that CDN2 only provides service for CPs contracted with CDN1.
A person of ordinary skill in the art will appreciate that all or part of the processes in the methods of the above embodiments can be implemented by a computer program instructing related hardware. The program may be stored in a computer-readable storage medium, and when executed may include the processes of the embodiments of the methods described above. The storage medium may be a magnetic disk, an optical disc, a Read-Only Memory (ROM), a Random Access Memory (RAM) or the like.
The above embodiments are only intended to illustrate the technical solutions of the embodiments of the invention, not to limit them. Although the embodiments of the invention have been described in detail with reference to the foregoing embodiments, those of ordinary skill in the art should understand that the technical solutions recorded in the foregoing embodiments may still be modified, or some of their technical features may be equivalently replaced, and such modifications or replacements do not cause the essence of the corresponding technical solutions to depart from the scope of the technical solutions of the embodiments of the invention.