CN109041205A - Client registration method, apparatus and system - Google Patents
- Publication number: CN109041205A (application number CN201810969927.4A)
- Authority: CN (China)
- Prior art keywords: key, registrar, user terminal, root key, value
- Legal status: Pending
Classifications (all under H: Electricity, H04: Electric communication technique, H04W: Wireless communication networks)
- H04W60/00: Affiliation to network, e.g. registration; Terminating affiliation with the network, e.g. de-registration
- H04W12/00: Security arrangements; Authentication; Protecting privacy or anonymity
  - H04W12/06: Authentication
  - H04W12/60: Context-dependent security
    - H04W12/69: Identity-dependent
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Mobile Radio Communication Systems (AREA)
- Telephonic Communication Services (AREA)
Abstract
The invention discloses a client registration method, apparatus and system. In the method, the user terminal holds a mobile subscriber identifier and a key, and the registration server holds the same mobile subscriber identifier and key. Through authentication and negotiation between the user terminal and the registration server, and through signature verification over the mobile subscriber identifier, a secure verification environment is provided for registering a third-party application client running on the user terminal. At the same time the third-party application client is issued a third-party user identifier, an application key or an authentication token, so that fast and secure identity authentication, data encryption and similar operations can be performed for the third-party application client. Because the user does not need to enter an account, password or key, the user experience is significantly improved.
Description
Technical field
The present invention relates to the field of communication technology and the field of Internet technology, and in particular to a client registration method, apparatus and system.
Background technique
The Universal Subscriber Identity Module (USIM) used in 3G and later networks, and the IP Multimedia Services Identity Module (ISIM) used in IMS networks, are integrated circuit devices conforming to the 3GPP specifications that a carrier uses to identify the subscriber.
An eSIM is an embedded SIM card: the subscriber data and cryptographic material that were originally stored on a physical SIM card are moved onto another hardware carrier inside the subscriber terminal itself. A soft SIM implements the functions of a physical SIM card purely in software, and likewise stores the subscriber data and cryptographic material securely.
Whatever the SIM type, the SIM stores the identity and cryptographic material of the subscriber. For convenience, the module that stores the identity and cryptographic material of a mobile cellular network subscriber is referred to below as the "subscriber identity module SIM card". Correspondingly, the Home Subscriber Server (HSS) is the subscriber authentication system of the mobile cellular network; it stores the identity and cryptographic material that correspond to the subscriber's SIM card.
With the widespread use of smart terminals (such as smartphones), users install a large number of third-party application clients on them. A third-party application client can generally be used only after it has obtained certain information from the end user, and that information usually has to be entered manually or pre-configured by the user, such as entering an account and the corresponding password or pre-configuring a key. These operations are cumbersome and degrade the user experience.
Summary of the invention
The main purpose of the present invention is to provide a client registration method, apparatus and system by which a third-party application client running on a user terminal can obtain registration information securely and automatically. Registration information including an account, an application key and an authentication token is obtained automatically on behalf of the third-party application client, which solves the technical problem that existing third-party application clients require cumbersome user interaction for account registration, shared key negotiation, obtaining authentication tokens and user identity authentication.
To achieve the above object, the present invention provides a client registration method, applied to a user terminal on which a third-party application client runs, the method comprising:
generating first information to be signed, the first information to be signed comprising a mobile subscriber identifier, where the first information to be signed is generated in the same way as the registration server generates second information to be signed;
generating a first request signature value, the first request signature value being computed over the first information to be signed based on a first signature key;
sending a client registration request to the registration server, the client registration request comprising the mobile subscriber identifier and the first request signature value; and
receiving a registration-success response message sent by the registration server.
In addition, to achieve the above object, the present invention also provides a client registration method, applied to a registration server, the method comprising:
receiving a client registration request sent by a user terminal, the client registration request comprising a mobile subscriber identifier and a first request signature value;
generating second information to be signed, the second information to be signed comprising the mobile subscriber identifier, where the second information to be signed is generated in the same way as the user terminal generates the first information to be signed;
obtaining a second signature key according to the mobile subscriber identifier;
verifying, using the second signature key and the second information to be signed, whether the first request signature value is valid; and
when the first request signature value is verified to be valid, sending a registration-success response message to the user terminal.
In addition, to achieve the above object, the present invention also provides a client registration apparatus, applied to a user terminal on which a third-party application client runs, comprising a memory, a processor and a client registration program stored in the memory and runnable on the processor, wherein the client registration program, when executed by the processor, implements the steps of the client registration method described above.
In addition, to achieve the above object, the present invention also provides a client registration apparatus, applied to a registration server, comprising a memory, a processor and a client registration program stored in the memory and runnable on the processor, wherein the client registration program, when executed by the processor, implements the steps of the client registration method described above.
In addition, to achieve the above object, the present invention also provides a client registration system, the client registration system comprising a user terminal and a registration server;
the user terminal comprises the client registration apparatus described above;
the registration server comprises the client registration apparatus described above.
The present invention provides a secure registration environment for a third-party application client running on a user terminal. Registration information including an account, an application key and an authentication token can then be obtained automatically for the third-party application client, which solves the technical problem that existing third-party application clients require cumbersome user interaction for account registration, shared key negotiation, obtaining authentication tokens and user identity authentication. The whole process needs no user input, or only a small amount, which improves the user experience.
Detailed description of the invention
Fig. 1 is a structural diagram of an implementation environment involved in the client registration method provided by an embodiment of the present invention;
Fig. 2 is a flow diagram of the first embodiment of the client registration method of the present invention;
Fig. 3 is a flow diagram of the second embodiment of the client registration method of the present invention;
Fig. 4 is a flow diagram of the third embodiment of the client registration method of the present invention;
Fig. 5 is a flow diagram of the fourth embodiment of the client registration method of the present invention;
Fig. 6 is a flow diagram of the fifth embodiment of the client registration method of the present invention;
Fig. 7 is a flow diagram of the root key negotiation process provided by an embodiment of the present invention.
The realization of the object of the present invention, its functional features and its advantages will be further described in the embodiments with reference to the accompanying drawings.
Specific embodiment
To make the object, technical solutions and advantages of the present invention clearer, the embodiments of the present invention are described in further detail below with reference to the accompanying drawings. It should be understood that the specific embodiments described here are only intended to illustrate the present invention and not to limit it.
Fig. 1 is a schematic diagram of the terminal structure of the hardware running environment involved in the embodiments of the present invention.
One, implementation environment structure diagram
Referring to Fig. 1, it shows the structural diagram of an implementation environment involved in the client registration method provided by an embodiment of the present invention. The implementation environment includes a registration server, a user terminal and a third-party application client.
Registration server: connected to the user terminal through the network; it receives and executes the user terminal's root key negotiation requests and client registration requests. It is also connected to the Home Subscriber Server (HSS) through the network, and sends mobile subscriber authentication requests to the HSS and obtains the results. The registration server is usually provided by the communications operator.
User terminal: the user terminal accesses the network by wired or wireless means such as WLAN (including Wi-Fi), cellular mobile data, LAN or fixed broadband, and establishes a data connection with the registration server. The user terminal is a smart terminal into which a subscriber identity module SIM card can be inserted, embedded or externally connected and which supports reading the SIM card; it is usually a smartphone, but may also be a smart TV, set-top box, tablet, laptop, desktop computer and so on.
Third-party application client: an application program running in the operating system of the user terminal, provided by a third-party application service provider. It is understood that multiple third-party application clients provided by different third-party application service providers can run on the user terminal, and each third-party application client can connect to its corresponding third-party application server to obtain the services and data it needs.
It should be noted that a practical business implementation environment also includes a third-party application server. The third-party application server is provided by the third-party application service provider. It is connected to the third-party application client through the network to provide the user with the required application services, such as information, shopping or social networking; and it is connected to the registration server through the network to obtain or verify the registration information of the third-party application client, such as the third-party user identifier, the application key and the authentication token.
Those skilled in the art will understand that the implementation environment structure shown in Fig. 1 does not limit the implementation environment, which may include more or fewer components than shown, combine certain components, or arrange the components differently.
Two, related terms
To aid understanding, some terms used herein are described and explained.
Mobile subscriber identifier: the identifier that uniquely identifies the subscriber identity module SIM card. The mobile subscriber identifier is the IMSI (International Mobile Subscriber Identity) or the IMPI (IP Multimedia Private Identity).
Third-party application identifier: uniquely identifies the third-party application client, and also identifies the third-party application server corresponding to that third-party application client.
Three, client registration flow, embodiment one
Referring to Fig. 2, it shows the flow chart of the client registration provided by an embodiment of the present invention. The method can be used in the implementation environment shown in Fig. 1 and may include the following steps:
Step 101: the user terminal starts the client registration process.
The user terminal starts the client registration process after obtaining an operation instruction to start client registration.
Step 102: the user terminal obtains the mobile subscriber identifier and the first root key.
The user terminal obtains the mobile subscriber identifier and the first root key; the registration server stores the mobile subscriber identifier and a second root key corresponding to it.
Step 103: the user terminal generates the first signature key based on the first root key.
For example, the first root key can be used directly as the first signature key.
As another example, the first signature key is generated from the first root key using a key derivation algorithm. Specifically, the key derivation algorithm can be expressed as DK = PBKDF2(passphrase, Salt, c, dkLen), where DK is the generated first signature key, PBKDF2 is the key derivation algorithm, passphrase is the string formed by concatenating the first root key and/or the mobile subscriber identifier, Salt is the salt value (a fixed string in this example), c is the iteration count and dkLen is the output key length.
Step 104: the user terminal generates the first information to be signed, which includes the mobile subscriber identifier.
Optionally, to prevent replay attacks, the first information to be signed may also include a timestamp generated from the current system time of the user terminal; the first information to be signed is then the concatenation of the mobile subscriber identifier and the timestamp.
Step 105: the user terminal computes the first request signature value over the first information to be signed using a signature algorithm based on the first signature key.
The generated first request signature value uniquely identifies the first information to be signed; only the same signature algorithm, the same information to be signed and the same signature key produce the same signature value.
For example, the signature algorithm can be expressed as Signature = HMAC_SHA256(k, m), where m is the information to be signed, i.e. the first information to be signed, k is the signature key, i.e. the first signature key, HMAC_SHA256 is the signature algorithm and Signature is the signature value, i.e. the first request signature value.
Step 106: the user terminal sends a client registration request to the registration server; the client registration request includes the mobile subscriber identifier and the first request signature value.
Optionally, if the information to be signed generated in step 104 includes the timestamp, the client registration request also includes the timestamp.
Correspondingly, the registration server receives the client registration request sent by the user terminal and obtains the mobile subscriber identifier, the first request signature value and the timestamp from it.
Step 107 (optional): the registration server determines the validity of the client registration request.
If the client registration request of step 106 includes a timestamp, the timestamp is compared with the current system time of the registration server to determine whether the difference between the two lies within a preset valid range:
if it is within the valid range, the following step 108 is executed;
if it is not within the valid range, a client registration response message, namely a registration-failure response message, is sent to the user terminal, and the following step 114 is executed.
Step 108: the registration server obtains the second root key according to the mobile subscriber identifier.
The registration server stores the correspondence between mobile subscriber identifiers and second root keys, and looks up the second root key corresponding to the received mobile subscriber identifier in that correspondence.
Step 109: the registration server generates the second signature key from the second root key using the same signature key generation method as the user terminal.
For example, to match the method used by the user terminal in step 103: if the user terminal used the first root key directly as the first signature key, the registration server uses the second root key directly as the second signature key.
As another example, if the user terminal generated the first signature key from the first root key using a key derivation algorithm, the registration server generates the second signature key from the second root key using the same key derivation algorithm. Specifically, taking the example of step 103, the key derivation algorithm is DK = PBKDF2(passphrase, Salt, c, dkLen), where DK is the generated second signature key, PBKDF2 is the same key derivation algorithm as on the user terminal, passphrase is the string formed by concatenating the second root key and/or the mobile subscriber identifier in the same way as on the user terminal, Salt is the same fixed salt string as on the user terminal, c is the same iteration count as on the user terminal and dkLen is the same output key length as on the user terminal.
At this point, because the first root key on the user terminal and the second root key on the registration server for the same mobile subscriber identifier have the same value, and because the first and second signature keys are generated from root keys of equal value using the same signature key generation method, the first signature key and the second signature key also have the same value.
Step 110: the registration server generates the second information to be signed, which includes the mobile subscriber identifier.
The second information to be signed is generated in the same way as the user terminal generates the first information to be signed.
Optionally, if the client registration request of step 106 includes a timestamp, the second information to be signed also includes the timestamp; that is, the second information to be signed is the concatenation of the mobile subscriber identifier and the timestamp, using the same concatenation format as the user terminal, so that identical information to be signed is produced.
Step 111: the registration server computes the second request signature value over the second information to be signed based on the second signature key, using the same signature algorithm as the user terminal.
For example, using the same signature algorithm as the user terminal in step 105, the signature algorithm can be expressed as Signature = HMAC_SHA256(k, m), where m is the information to be signed, i.e. the second information to be signed, k is the signature key, i.e. the second signature key, HMAC_SHA256 is the same signature algorithm as on the user terminal and Signature is the signature value, i.e. the second request signature value.
At this point, because the registration server uses the same signature algorithm as the user terminal, the second information to be signed is identical to the first information to be signed, and the second signature key is identical to the first signature key, the generated second request signature value should be identical to the first request signature value.
Step 112: the registration server compares the second request signature value with the first request signature value and acts on the result.
The registration server compares whether the second request signature value and the first request signature value are consistent, and acts according to the comparison result as follows:
if they are consistent, the first request signature value is determined to be valid, and the following step 113 is executed;
if they are inconsistent, the first request signature value is determined to be invalid, the registration server sends a client registration response message, namely a registration-failure response message, to the user terminal, and the following step 114 is executed.
Step 113: the registration server sends a client registration response message to the user terminal, namely a registration-success response message.
In summary, the above process is based on the mobile subscriber identifier and the first root key on the user terminal and on the identical mobile subscriber identifier and the second root key stored on the registration server. The registration server verifies the mobile subscriber identifier using the same signature algorithm as the user terminal; once verification succeeds, it can securely provide the corresponding registration data and services to the user terminal and to the third-party application client running on it, and return a registration-success response message to the user terminal.
Step 114: the user terminal receives the client registration response message sent by the registration server and acts accordingly.
The client registration response message is either a registration-success response message or a registration-failure response message. The user terminal acts according to the message as follows:
if it is a registration-success response message, the user terminal determines that the registration process succeeded and obtains the registration data and services it needs;
if it is a registration-failure response message, the user terminal determines that the registration process failed.
In conclusion, the method provided by this embodiment provides a secure verification environment for the registration of the user terminal and of the third-party application client running on it. After the registration process succeeds, the user terminal and the third-party application client can obtain the corresponding registration data and services from the registration server. The whole process requires no registration information to be entered by the user, which improves the user experience.
Before this embodiment is carried out, the root key negotiation process must be completed. Based on the mobile subscriber identifier and key stored in the subscriber identity module SIM card, and on the identical mobile subscriber identifier and key stored in the Home Subscriber Server (HSS), the user terminal and the registration server authenticate and negotiate with each other and, without exchanging the key, each generate a root key of identical value for the same mobile subscriber identifier. That is, after the root key negotiation process, the user terminal holds the first root key, and the registration server holds the second root key together with the stored correspondence between the mobile subscriber identifier and the second root key. The root key negotiation process is described in detail in the embodiment illustrated in Fig. 7 below.
Four, client registration flow, embodiment two
Referring to Fig. 3, it shows the flow chart of the client registration provided by another embodiment of the present invention. The method can be used in the implementation environment shown in Fig. 1. As a preferred embodiment built on embodiment one, this embodiment additionally provides a third-party user identifier for the third-party application client running on the user terminal. The method may include the following steps:
Step 201: the user terminal starts the client registration process.
The user terminal starts the client registration process after obtaining an operation instruction to start client registration.
Step 202: the user terminal obtains the mobile subscriber identifier and the first root key.
The user terminal obtains the mobile subscriber identifier and the first root key; the registration server stores the mobile subscriber identifier and a second root key corresponding to it.
Step 203: the user terminal obtains the third-party application identifier corresponding to the third-party application client.
The third-party application identifier is built into the software installation package of the third-party application client and stored in a configuration file after installation, or is obtained by the third-party application client by sending a request to the third-party application server. The user terminal may obtain the third-party application identifier as follows:
for example, the third-party application client sends the user terminal an operation instruction to start client registration that contains the third-party application identifier, and the user terminal takes the third-party application identifier from that instruction;
as another example, the user terminal reads the third-party application identifier from the configuration file of the third-party application client.
Step 204: the user terminal generates the first signature key based on the first root key.
For example, the first root key can be used directly as the first signature key.
As another example, the first signature key is generated from the first root key using a key derivation algorithm. Specifically, the key derivation algorithm can be expressed as DK = PBKDF2(passphrase, Salt, c, dkLen), where DK is the generated first signature key, PBKDF2 is the key derivation algorithm, passphrase is the string formed by concatenating the first root key and/or the third-party application identifier and/or the mobile subscriber identifier, Salt is the salt value (a fixed string in this example), c is the iteration count and dkLen is the output key length.
Step 205: the user terminal generates the first information to be signed, which includes the mobile subscriber identifier.
Optionally, to prevent replay attacks, the first information to be signed may also include a timestamp generated from the current system time of the user terminal; the first information to be signed is then the concatenation of the mobile subscriber identifier and the timestamp.
Step 206: the user terminal computes the first request signature value over the first information to be signed using a signature algorithm based on the first signature key.
The generated first request signature value uniquely identifies the first information to be signed; only the same signature algorithm, the same information to be signed and the same signature key produce the same signature value.
For example, the signature algorithm can be expressed as Signature = HMAC_SHA256(k, m), where m is the information to be signed, i.e. the first information to be signed, k is the signature key, i.e. the first signature key, HMAC_SHA256 is the signature algorithm and Signature is the signature value, i.e. the first request signature value.
Step 207: the user terminal sends a client registration request to the registration server; the client registration request includes the mobile subscriber identifier, the third-party application identifier and the first request signature value.
Optionally, if the information to be signed generated in step 205 includes the timestamp, the client registration request also includes the timestamp.
Correspondingly, the registration server receives the client registration request sent by the user terminal and obtains the mobile subscriber identifier, the first request signature value and the timestamp from it.
Step 208 (optional): the registration server determines the validity of the client registration request.
If the client registration request of step 207 includes a timestamp, the timestamp is compared with the current system time of the registration server to determine whether the difference between the two lies within a preset valid range:
if it is within the valid range, the following step 209 is executed;
if it is not within the valid range, a client registration response message, namely a registration-failure response message, is sent to the user terminal, and the following step 218 is executed.
Step 209: the registration server obtains the second root key according to the mobile subscriber identifier.
The registration server stores the correspondence between mobile subscriber identifiers and second root keys, and looks up the second root key corresponding to the received mobile subscriber identifier in that correspondence.
Step 210: the registration server generates the second signature key from the second root key using the same signature key generation method as the user terminal.
For example, to match the method used by the user terminal in step 204: if the user terminal used the first root key directly as the first signature key, the registration server uses the second root key directly as the second signature key.
As another example, if the user terminal generated the first signature key from the first root key using a key derivation algorithm, the registration server generates the second signature key from the second root key using the same key derivation algorithm. Specifically, taking the example of step 204, the key derivation algorithm is DK = PBKDF2(passphrase, Salt, c, dkLen), where DK is the generated second signature key, PBKDF2 is the same key derivation algorithm as on the user terminal, passphrase is the string formed by concatenating the second root key and/or the third-party application identifier and/or the mobile subscriber identifier in the same way as on the user terminal, Salt is the same fixed salt string as on the user terminal, c is the same iteration count as on the user terminal and dkLen is the same output key length as on the user terminal.
Step 211: the registrar generates the second information to be signed, which includes the mobile user identifier.
The second information to be signed is generated in the same way as the user terminal generates the first information to be signed.
Optionally, if the client registration request of step 207 includes a timestamp, the second information to be signed also includes that timestamp, i.e. it is the splice of the mobile user identifier and the timestamp, in the same splicing mode as used by the user terminal, so that identical information to be signed is produced on both sides.
Step 212: the registrar computes the second request signature value over the second information to be signed with the second signature key, using the same signature algorithm as the user terminal.
For example, with the same signature algorithm as in step 206, the signature algorithm can be expressed as Signature = HMAC_SHA256(k, m), where m is the information to be signed, i.e. the second information to be signed; k is the signature key, i.e. the second signature key; HMAC_SHA256 is the same signature algorithm as used by the user terminal; and Signature is the signature value, i.e. the second request signature value.
Step 213: the registrar compares the second request signature value with the first request signature value and acts on the result.
The registrar compares the second request signature value with the first request signature value and, according to the comparison result:
If they are consistent, the first request signature value is determined to be valid and step 214 below is executed.
If they are inconsistent, the first request signature value is determined to be invalid; the registrar sends a client registration response message to the user terminal, the message being a registration failure response, and step 218 below is executed.
Step 214: the registrar looks up the third-party user identifier corresponding to the mobile user identifier and the third-party application identifier.
The registrar stores an account correspondence between (mobile user identifier, third-party application identifier) pairs and third-party user identifiers, in which the third-party user identifier corresponding to a given third-party application identifier and mobile user identifier can be looked up.
The registrar searches the account correspondence for the third-party user identifier corresponding to the received third-party application identifier and mobile user identifier.
If a corresponding third-party user identifier is found, the registrar has already created a third-party user identifier for this mobile user identifier and this third-party application identifier; the registrar obtains it and executes step 217 below.
If none is found, the registrar has not yet created a third-party user identifier for this mobile user identifier and this third-party application identifier, and step 215 below is executed.
Step 215: the registrar creates a unique third-party user identifier.
The registrar creates a new user identifier that is unique among all third-party user identifiers on the registrar, or at least unique among all third-party user identifiers corresponding to this third-party application identifier in the account correspondence of step 214, and uses the new user identifier as the third-party user identifier.
Step 216: the registrar establishes and stores the correspondence between the mobile user identifier, the third-party application identifier and the third-party user identifier.
The registrar adds to the account correspondence of step 214 the correspondence between this mobile user identifier, this third-party application identifier and this third-party user identifier, so that the third-party user identifier can thereafter be looked up in the account correspondence by mobile user identifier and third-party application identifier.
Steps 214, 215 and 216 may also be implemented with an application user relation table that the registrar establishes in advance for the third-party application identifier and that stores a one-to-one correspondence between mobile user identifiers and third-party user identifiers. The registrar looks up the third-party user identifier in this table by the mobile user identifier; if none is found, it creates a unique third-party user identifier and adds the one-to-one correspondence between the mobile user identifier and the third-party user identifier to the table; if one is found, it obtains that third-party user identifier.
Alternatively, steps 214, 215 and 216 may be implemented with a mobile user relation table that the registrar establishes in advance for the mobile user identifier and that stores a one-to-one correspondence between third-party application identifiers and third-party user identifiers. The registrar looks up the third-party user identifier in this table by the third-party application identifier; if none is found, it creates a unique third-party user identifier and adds the one-to-one correspondence between the third-party application identifier and the third-party user identifier to the table; if one is found, it obtains that third-party user identifier.
Step 217: the registrar sends a client registration response message to the user terminal; the message is a registration success response and includes the third-party user identifier.
Step 218: the user terminal receives the client registration response message sent by the registrar and acts on it.
The user terminal receives the client registration response message sent by the registrar; it is either a registration success response or a registration failure response.
According to the client registration response message, the user terminal:
If the message is a registration success response, obtains the third-party user identifier from it and passes the third-party user identifier to the third-party application client corresponding to the third-party application identifier.
If the message is a registration failure response, terminates this process, or passes the registration failure response to the third-party application client and then terminates this process.
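The registrar-side handling of steps 208 to 217, together with the user-terminal side of steps 204 to 207 that produces the request, as an added Python example; it is not code from the patent. It assumes PBKDF2-HMAC-SHA256 as the key derivation algorithm (the patent names PBKDF2 but not its PRF), a '|' separator in the spliced passphrase and in the information to be signed (the patent leaves the splicing mode open), a fixed salt, iteration count and 32-byte output, a 300-second timestamp window, in-memory dictionaries as the root-key and account tables, and uuid4 for newly created third-party user identifiers.

```python
from __future__ import annotations

import hashlib
import hmac
import time
import uuid

# Parameters both sides must share (steps 204/210 and 206/212). The concrete
# values are assumptions for this example; the patent fixes only the algorithms.
KDF_SALT = b"example-fixed-salt"   # fixed string, identical on both sides
KDF_ITERATIONS = 10_000
KDF_DKLEN = 32
TIMESTAMP_WINDOW_SECONDS = 300     # the "preset effective range" of step 208


def derive_signature_key(root_key: bytes, app_id: str, mobile_id: str) -> bytes:
    """Steps 204/210: DK = PBKDF2(passphrase, Salt, c, dkLen), with the passphrase
    spliced from the root key, the third-party application id and the mobile
    user id. The '|' separator is an assumption: it makes the splice unambiguous."""
    passphrase = b"|".join([root_key, app_id.encode(), mobile_id.encode()])
    return hashlib.pbkdf2_hmac("sha256", passphrase, KDF_SALT,
                               KDF_ITERATIONS, KDF_DKLEN)


def sign_request(sig_key: bytes, mobile_id: str, timestamp: int) -> str:
    """Steps 206/212: Signature = HMAC_SHA256(k, m), m = mobile id || timestamp."""
    info_to_sign = f"{mobile_id}|{timestamp}".encode()
    return hmac.new(sig_key, info_to_sign, hashlib.sha256).hexdigest()


def client_register(root_key: bytes, mobile_id: str, app_id: str,
                    timestamp: int) -> dict:
    """User-terminal side (steps 204-207): build the client registration request."""
    sig_key = derive_signature_key(root_key, app_id, mobile_id)
    return {"mobile_id": mobile_id, "app_id": app_id, "timestamp": timestamp,
            "signature": sign_request(sig_key, mobile_id, timestamp)}


class Registrar:
    """Registrar side: root keys per mobile user id (step 209) and the account
    correspondence of steps 214-216, both held in memory for the example."""

    def __init__(self) -> None:
        self.root_keys: dict[str, bytes] = {}
        # (app_id, mobile_id) -> third-party user id
        self.accounts: dict[tuple[str, str], str] = {}

    def handle_registration(self, req: dict, now: int | None = None) -> dict:
        now = int(time.time()) if now is None else now
        mobile_id, app_id = req["mobile_id"], req["app_id"]

        # Step 208: reject requests whose timestamp lies outside the window.
        if abs(now - req["timestamp"]) > TIMESTAMP_WINDOW_SECONDS:
            return {"status": "failure", "reason": "timestamp out of range"}

        # Step 209: an unknown mobile user id is answered like a bad signature,
        # so the response does not reveal which identifiers are enrolled.
        root_key = self.root_keys.get(mobile_id)
        if root_key is None:
            return {"status": "failure", "reason": "signature invalid"}

        # Steps 210-213: recompute the signature and compare in constant time.
        sig_key = derive_signature_key(root_key, app_id, mobile_id)
        expected = sign_request(sig_key, mobile_id, req["timestamp"])
        if not hmac.compare_digest(expected, req["signature"]):
            return {"status": "failure", "reason": "signature invalid"}

        # Steps 214-216: look up, or create and store, the third-party user id.
        key = (app_id, mobile_id)
        if key not in self.accounts:
            self.accounts[key] = uuid.uuid4().hex
        # Step 217: the success response carries only the third-party user id,
        # never the mobile user id.
        return {"status": "success", "third_party_user_id": self.accounts[key]}
```

The second aspect of the summary below follows from the table key: the same SIM (mobile user identifier) with the same application identifier maps to the same third-party user identifier whichever terminal sends the request, while a different application gets a different one. The comparison uses hmac.compare_digest rather than ==, and an unknown mobile user identifier is answered exactly like a bad signature, so the failure response does not reveal which identifiers are enrolled.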
With the above process, on the basis of embodiment one, this embodiment further generates or obtains a third-party user identifier for the third-party application client running in the user terminal. Besides the effects of embodiment one, it brings at least the following: first, the third-party user identifier is obtained automatically for the third-party application client, reducing the terminal user's input operations and improving the user experience; second, as long as the same subscriber identity module (SIM card) is used, even when it is moved to another user terminal, the same third-party application client automatically obtains the same third-party user identifier; third, the third-party application server corresponding to the third-party application client can only obtain the third-party user identifier associated with its third-party application identifier and cannot obtain the mobile user identifier, so that the user's privacy is effectively protected from leakage.
Five. Client registration process, embodiment three
Referring to FIG. 4, which shows the flow chart of client registration provided by another embodiment of the present invention, this method can be used in the implementation environment shown in FIG. 1. As a preferred embodiment built on embodiment two, this embodiment further generates an application key for the third-party application client running in the user terminal. The method may include the following steps:
Steps 301 to 316 are the same as or similar to steps 201 to 216 of embodiment two and are not repeated here.
Step 317: the registrar generates the second application key from the second root key.
For example, the second application key is generated from the second root key with a key derivation algorithm. Specifically, the key derivation formula can be expressed as DK = PBKDF2(passphrase, Salt, c, dkLen), where: DK is the generated second application key; PBKDF2 is the key derivation algorithm; passphrase is the character string spliced from the second root key and/or the third-party application identifier and/or the third-party user identifier; Salt is a salt value, a fixed character string in this example; c is the iteration count; and dkLen is the key output length.
Step 318: the registrar establishes the correspondence between the third-party user identifier and the second application key.
If the third-party user identifier is unique among all third-party user identifiers on the registrar, the registrar establishes the correspondence between the third-party user identifier and the second application key.
If the third-party user identifier is unique only among the third-party user identifiers corresponding to this third-party application identifier, the registrar establishes the correspondence between the pair (third-party user identifier, third-party application identifier) and the second application key.
At this point the registrar has established the correspondence between the third-party user identifier and the second application key. The registrar may store this correspondence locally, or synchronize it to a third-party authentication server, or synchronize it to the third-party application server corresponding to the third-party application identifier. Based on this correspondence, if the third-party application client running in the user terminal holds the same third-party user identifier and an application key whose value equals the second application key, operations such as identity authentication of the third-party application client and data encryption can be carried out.
Taking local storage on the registrar as an example, the registrar establishes in advance an account key relation table for the third-party application identifier, which stores a one-to-one correspondence between third-party user identifiers and second application keys. The registrar looks up the second application key in this table by the third-party user identifier; if none is found, it adds the one-to-one correspondence between the third-party user identifier and the second application key to the table; if one is found, it replaces the existing application key of that third-party user identifier in the table with the newly generated second application key.
Step 319: the registrar sends a client registration response message to the user terminal; the message is a registration success response and includes the third-party user identifier.
It should be noted that steps 317 and 318 may also be executed after the registrar sends the client registration response message to the user terminal in step 319; the present invention does not limit this.
Step 320: the user terminal receives the client registration response message sent by the registrar and acts on it.
The user terminal receives the client registration response message sent by the registrar; it is either a registration success response or a registration failure response.
According to the client registration response message, the user terminal:
If the message is a registration success response, obtains the third-party user identifier from it and then executes step 321 below.
If the message is a registration failure response, terminates this process, or passes the registration failure response to the third-party application client and then terminates this process, without executing the following steps.
Step 321: the user terminal generates the first application key from the first root key, using the same application key generation mode as the registrar.
For example, with the same key derivation algorithm as the registrar uses in step 317, the key derivation formula can be expressed as DK = PBKDF2(passphrase, Salt, c, dkLen), where: DK is the generated first application key; PBKDF2 is the same key derivation algorithm as on the registrar; passphrase is the character string spliced from the first root key and/or the third-party application identifier and/or the third-party user identifier, spliced in the same way as on the registrar; Salt is a salt value, a fixed character string identical to the one used by the registrar; c is the same iteration count as on the registrar; and dkLen is the same key output length as on the registrar.
At this point, because the first root key generated on the user terminal and the second root key generated on the registrar during the root key negotiation process are identical, and because the first application key and the second application key are generated from identical root keys with the same application key generation mode, the value of the first application key equals that of the second application key.
The user terminal passes the first application key together with the third-party user identifier to the third-party application client corresponding to the third-party application identifier, and the third-party application client can use the third-party user identifier and the first application key for operations such as identity authentication and data encryption towards the third-party application server.
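Steps 317, 318 and 321 carried through on both sides, as an added Python example that is not code from the patent: the registrar and the terminal derive the application key from the same root key, the registrar's account key relation table replaces a previous key on re-registration, and a third-party application server that received the synchronized table authenticates the client. It assumes PBKDF2-HMAC-SHA256 with a fixed salt, iteration count and 32-byte output, a '|' separator in the spliced passphrase, and a nonce-based HMAC challenge-response as the "identity authentication" the patent mentions without specifying; the key derivation parameters are the same assumptions as in the earlier example but the block runs on its own.

```python
import hashlib
import hmac
import secrets

# Shared KDF parameters (steps 317/321); the values are assumptions for the example.
KDF_SALT = b"example-fixed-salt"
KDF_ITERATIONS = 10_000
KDF_DKLEN = 32


def derive_app_key(root_key: bytes, app_id: str, tp_user_id: str) -> bytes:
    """Steps 317/321: DK = PBKDF2(passphrase, Salt, c, dkLen), passphrase spliced
    from the root key, the third-party application id and the third-party user
    id. The '|' separator is an assumption; the patent leaves the splice open."""
    passphrase = b"|".join([root_key, app_id.encode(), tp_user_id.encode()])
    return hashlib.pbkdf2_hmac("sha256", passphrase, KDF_SALT,
                               KDF_ITERATIONS, KDF_DKLEN)


class AccountKeyTable:
    """Step 318: account key relation table for one third-party application,
    third-party user id -> second application key. A re-registration replaces
    the stored key, as the step specifies."""

    def __init__(self) -> None:
        self.keys: dict[str, bytes] = {}

    def store(self, tp_user_id: str, app_key: bytes) -> bool:
        """Insert or replace; returns True when an existing key was replaced."""
        replaced = tp_user_id in self.keys
        self.keys[tp_user_id] = app_key
        return replaced


class ThirdPartyAppServer:
    """Consumer of the synchronized table. The challenge-response protocol is an
    assumed example of the 'identity authentication' the patent mentions; the
    patent itself does not specify one."""

    def __init__(self, table: AccountKeyTable) -> None:
        self.table = table
        self.pending: dict[str, bytes] = {}   # tp_user_id -> outstanding nonce

    def challenge(self, tp_user_id: str) -> bytes:
        nonce = secrets.token_bytes(16)
        self.pending[tp_user_id] = nonce
        return nonce

    def verify(self, tp_user_id: str, response: bytes) -> bool:
        nonce = self.pending.pop(tp_user_id, None)   # each nonce is single-use
        app_key = self.table.keys.get(tp_user_id)
        if nonce is None or app_key is None:
            return False
        expected = hmac.new(app_key, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def client_respond(app_key: bytes, nonce: bytes) -> bytes:
    """Third-party application client: prove possession of the first application key."""
    return hmac.new(app_key, nonce, hashlib.sha256).digest()
```

Because the application key is bound to the third-party user identifier and the application identifier, a key derived for one application cannot be replayed against another, and a fresh root key negotiation invalidates the old key at the server as soon as the replaced table entry is synchronized.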
With the above process, on the basis of embodiment two obtaining the third-party user identifier, this embodiment further generates an application key for the third-party application client. Besides the effects of embodiment two, it brings at least the following: first, the application key is generated automatically for the third-party application client, reducing the terminal user's input operations and improving the user experience; second, the third-party application client running in the user terminal can use the obtained third-party user identifier and the generated application key to perform fast and secure identity authentication, data encryption and similar operations.
Six. Client registration process, embodiment four
Referring to FIG. 5, which shows the flow chart of client registration provided by another embodiment of the present invention, this method can be used in the implementation environment shown in FIG. 1. As a preferred embodiment built on embodiment two, this embodiment further generates an authentication token for the third-party application client running in the user terminal. The method may include the following steps:
Steps 401 to 413 are the same as or similar to steps 201 to 213 of embodiment two and are not repeated here.
Step 414: the registrar generates an authentication token for the third-party application identifier.
The authentication token is unique and has sufficient length and sufficient randomness that it is hard to guess or brute-force.
Step 415: the registrar establishes the association between the authentication token and the third-party application identifier.
At this point the registrar has established the association between the authentication token and the third-party application identifier. The registrar may store this association locally, or synchronize it to a third-party authentication server, or synchronize the authentication token to the third-party application server corresponding to the third-party application identifier. Based on this association, if the third-party application client running in the user terminal holds the same authentication token, the third-party application server can authenticate the third-party application client.
Steps 414 and 415 may also be implemented with a user token relation table that the registrar establishes in advance for authentication tokens and third-party application identifiers and that stores the correspondence between authentication tokens and mobile user identifiers; the registrar adds the correspondence between this authentication token and this mobile user identifier to the table.
It should be noted that a cleanup mechanism should be provided so that the correspondence of an authentication token that is no longer valid is removed promptly, for example by deleting the token's correspondence once the token has been verified once, or by giving the token a validity period and deleting the correspondence of expired tokens according to that period. The specific cleanup mechanism is not described further here.
It should also be noted that, in order to provide continuous application service to the same user, the correspondence between the authentication token and the mobile user identifier should also be established, so that the mobile user identifier can be found from the authentication token. Further, so as not to expose the mobile user identifier on the third-party application server, a user identifier that is unique for the mobile user identifier and the third-party application identifier can be created, and the correspondence between the authentication token and that user identifier established instead, protecting the user's privacy. The specific mechanism is not described further here.
Step 416: the registrar sends a client registration response message to the user terminal; the message is a registration success response and includes the authentication token.
Step 417: the user terminal receives the client registration response message sent by the registrar and acts on it.
The user terminal receives the client registration response message sent by the registrar; it is either a registration success response or a registration failure response.
According to the client registration response message, the user terminal:
If the message is a registration success response, obtains the authentication token from it, passes the authentication token to the third-party application client corresponding to the third-party application identifier for use in identity authentication, and then terminates this process.
If the message is a registration failure response, terminates this process, or passes the registration failure response to the third-party application client and then terminates this process.
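Steps 414 and 415 together with the two cleanup options the notes above call for (deletion after one successful verification, or a validity period), as an added Python example that is not code from the patent. It assumes 32 random bytes per token, a 600-second validity period, an in-memory table as the store, and the privacy-preserving variant in which the token is bound to a per-application user identifier rather than to the mobile user identifier; storing only a SHA-256 digest of the token is an added hardening, not something the patent describes.

```python
from __future__ import annotations

import hashlib
import secrets
import time

TOKEN_BYTES = 32          # 256 bits of randomness; the patent asks only for "enough"
TOKEN_TTL_SECONDS = 600   # validity period, an assumption for this example


class TokenStore:
    """Steps 414-415 plus the cleanup mechanism.

    Each token is bound to the third-party application id it was issued for and
    to a per-application user id. Only the SHA-256 digest of the token is kept,
    so a copy of the table cannot be replayed against the application server."""

    def __init__(self) -> None:
        # digest -> (app_id, user_id, expiry time)
        self.entries: dict[str, tuple[str, str, float]] = {}

    @staticmethod
    def _digest(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, app_id: str, user_id: str, now: float | None = None) -> str:
        """Step 414/415: generate a token and record its association."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(TOKEN_BYTES)
        self.entries[self._digest(token)] = (app_id, user_id, now + TOKEN_TTL_SECONDS)
        return token

    def purge_expired(self, now: float | None = None) -> int:
        """Validity-period cleanup: drop every entry whose expiry has passed."""
        now = time.time() if now is None else now
        expired = [d for d, (_, _, exp) in self.entries.items() if exp <= now]
        for d in expired:
            del self.entries[d]
        return len(expired)

    def redeem(self, app_id: str, token: str, now: float | None = None,
               single_use: bool = True) -> str | None:
        """Return the user id bound to the token, or None if the token is unknown,
        expired, or was issued to another application. With single_use the entry
        is deleted on the first successful verification (the other cleanup option)."""
        now = time.time() if now is None else now
        self.purge_expired(now)
        d = self._digest(token)
        entry = self.entries.get(d)
        if entry is None or entry[0] != app_id:
            return None
        if single_use:
            del self.entries[d]
        return entry[1]
```

A token presented to an application other than the one it was issued for is rejected even though it is otherwise valid, which is what binding the token to the third-party application identifier (step 415) buys; the mobile user identifier never reaches the application server.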
With the above process, on the basis of embodiment one, this embodiment further generates an authentication token for the third-party application identifier corresponding to the mobile user identifier. Besides the effects of embodiment one, it brings at least the following: first, the authentication token is obtained automatically for the third-party application client, reducing the terminal user's input operations and improving the user experience; second, the authentication token can be used by the third-party application client for identity authentication towards the corresponding third-party application server, improving the user experience; third, when used for identity authentication the token requires no cryptographic computation on the client, so it is better suited to lightweight application clients (such as browser-based web applications).
Seven. Client registration process, embodiment five
Referring to FIG. 6, which shows the flow chart of client registration provided by another embodiment of the present invention, this method can be used in the implementation environment shown in FIG. 1. As a preferred embodiment built on embodiment two, this embodiment further implements a permission confirmation process for the terminal user. The following steps of this method are applied in embodiment two after step 213 has determined that the first request signature value is valid and before step 214, and include:
Step a: the registrar sends an application authorization request message to the user terminal.
The application authorization request message includes:
and/or the third-party application name, which identifies the third-party application client and the third-party application server; the registrar stores in advance the correspondence between third-party application identifiers and third-party application names, and looks up in that correspondence the third-party application name corresponding to the third-party application identifier;
and/or the mobile user name, which identifies the mobile user; the registrar stores in advance the correspondence between mobile user identifiers and mobile user names, and looks up in that correspondence the mobile user name corresponding to the mobile user identifier.
Correspondingly, the user terminal receives the application authorization request message sent by the registrar.
Step b: the user terminal displays an application authorization verification interface.
After receiving the application authorization request message from the registrar, the user terminal invokes and displays an application authorization verification interface to ask the terminal user whether they intend to authorize the third-party application.
The displayed application authorization verification interface may include:
and/or the third-party application name, i.e. the name of the third-party application client and third-party application server about to be authorized;
and/or the mobile user name, i.e. the name of the mobile user about to grant the authorization.
Once the application authorization verification interface is displayed, the terminal user can enter authorization information: agree to authorize, or cancel authorization.
Optionally, the displayed application authorization verification interface may also include a security verification code input box asking the terminal user to enter a security verification code. The security verification code further verifies the terminal user's authorization; correspondingly, the registrar stores in advance the correspondence between mobile user identifiers and security verification codes.
Step c: the user terminal receives the authorization information entered by the terminal user in the application authorization verification interface.
Step d: the user terminal sends an application authorization response message to the registrar; the message is either an application authorization confirmation message or an application authorization cancellation message.
According to the authorization information entered by the terminal user, the user terminal:
If the authorization information is agreement to authorize, sends the registrar an application authorization response message that is an application authorization confirmation message.
Optionally, if the displayed application authorization verification interface includes a security verification code input box and the authorization information entered by the terminal user includes a security verification code, the application authorization confirmation message sent to the registrar also includes that security verification code.
If the authorization information is cancellation of authorization, sends the registrar an application authorization response message that is an application authorization cancellation message.
Step e: the registrar receives the application authorization response message sent by the user terminal and acts on it.
The registrar receives the application authorization response message sent by the user terminal; it is either an application authorization confirmation message or an application authorization cancellation message.
According to the application authorization response message, the registrar:
If the message is an application authorization confirmation message, continues with the subsequent steps.
Optionally, the registrar stores in advance the correspondence between mobile user identifiers and security verification codes; if the received application authorization confirmation message includes a security verification code, the registrar looks up in that correspondence the security verification code corresponding to the mobile user identifier and compares the two codes: if they match, the subsequent steps continue; if they do not, the process ends and the subsequent steps are not executed.
If the message is an application authorization cancellation message, ends the process without executing the subsequent steps.
On the basis of embodiment two, the method of this embodiment adds a process in which the terminal user verifies and permits the authorization. With this process it can be better confirmed that the client registration process has obtained the terminal user's permission, avoiding authorization of unnecessary third-party application clients through mis-operation or similar causes.
This embodiment can also be combined with embodiment three into a new embodiment, by applying its steps after step 313 of embodiment three has determined that the first request signature value is valid and before step 314; the detailed process is not repeated here.
This embodiment can also be combined with embodiment four into a new embodiment, by applying its steps after step 413 of embodiment four has determined that the first request signature value is valid and before step 414; the detailed process is not repeated here.
Eight. Root key negotiation process embodiment
Referring to FIG. 7, which shows the flow chart of the root key negotiation process provided by one embodiment of the present invention, this method can be used in the implementation environment shown in FIG. 1. The method may include the following steps:
Step 501: the user terminal starts the root key negotiation process.
After obtaining an operation instruction for root key negotiation, the user terminal starts the root key negotiation process.
Step 502: the user terminal obtains the mobile user identifier.
The mobile user identifier is an identifier that uniquely identifies the subscriber identity module (SIM card); it is the IMSI or the IMPI. It is the same identifier as the mobile user identifier obtained in the client registration process.
For example, if the SIM card used is a USIM card, the mobile user identifier obtained from the USIM is the IMSI; the user terminal obtains the IMSI through an operating system API (for example the getSubscriberId method on Android) or reads the EFimsi value of the USIM card with an APDU command.
As another example, if the SIM card used is an ISIM card, the mobile user identifier obtained from the ISIM card is the IMPI; the user terminal reads the EFimpi value of the ISIM card with an APDU command.
Step 503: the user terminal sends a root key negotiation request to the registrar; the request includes the mobile user identifier.
Correspondingly, the registrar receives the root key negotiation request sent by the user terminal.
Step 504: the registrar sends an authentication request message to the home subscriber server (HSS); the authentication request message includes the mobile user identifier.
Taking an IMSI as the mobile user identifier, a Multimedia-Auth-Request authentication request message including the mobile user identifier can be sent to the SWx interface of the HSS.
Taking an IMPI as the mobile user identifier, a Multimedia-Auth-Request authentication request message including the mobile user identifier can be sent to the Cx or SWx interface of the HSS.
Further, in order to support mobile user identifiers of both the IMSI and the IMPI type, the registrar can first determine the type of the mobile user identifier and then send the Multimedia-Auth-Request authentication request message to the Cx or SWx interface of the HSS. One way to determine the type is from the field structure of the identifier: an IMSI is a string of at most 15 decimal digits (for example 234150999999999), while an IMPI is a network access identifier conforming to IETF RFC 2486 (for example [email protected]).
Step 505: the registrar receives the authentication answer message returned by the HSS.
After receiving the registrar's authentication request message, the HSS returns a Multimedia-Auth-Answer authentication answer message to the registrar. The Multimedia-Auth-Answer message includes a SIP-Auth-Data-Item attribute value pair (AVP), which in turn includes the SIP-Authenticate, SIP-Authorization, Confidentiality-Key and Integrity-Key AVPs.
Step 506: the registrar obtains the random number RAND, the authentication token AUTN, the expected response value XRES, and the second encryption key CK and/or the second integrity key IK from the authentication answer message.
The registrar parses the Multimedia-Auth-Answer authentication answer message and obtains the SIP-Auth-Data-Item attribute value pair from it; it then obtains the random number RAND and the authentication token AUTN from the SIP-Authenticate attribute value pair within the SIP-Auth-Data-Item attribute value pair, the expected response value XRES from the SIP-Authorization attribute value pair, the second encryption key CK from the Confidentiality-Key attribute value pair and/or the second integrity key IK from the Integrity-Key attribute value pair.
Step 507: the registrar sends a root key negotiation challenge message to the user terminal; the root key negotiation challenge message includes the random number RAND and the authentication token AUTN.
The registrar retains the expected response value XRES and the second encryption key CK and/or the second integrity key IK.
Correspondingly, the user terminal receives the root key negotiation challenge message sent by the registrar.
Step 508: the user terminal sends an authentication request to the subscriber identity module SIM card; the authentication request includes the random number RAND and the authentication token AUTN.
The user terminal sends the authentication request to the subscriber identity module SIM card (for example, by means of the APDU command AUTHENTICATE), with the random number RAND and the authentication token AUTN as the transferred parameters.
Step 509: the user terminal receives the return value of the subscriber identity module SIM card; the return value includes the expected response value RES, the first encryption key CK and the first integrity key IK.
After the subscriber identity module SIM card receives the authentication request sent by the user terminal, it performs the authentication calculation and then sends the return value to the user terminal; the return value includes the expected response value RES, the first encryption key CK and the first integrity key IK, and the user terminal receives this return value.
Step 510: the user terminal sends a root key challenge response message to the registrar; the root key challenge response message includes the expected response value RES.
Optionally, in order to further protect the expected response value RES and avoid its leakage during transmission, the user terminal can also compute a hash of the expected response value RES with a hash algorithm (such as SHA256) and send only the hash value of the expected response value RES, instead of sending the expected response value RES in plaintext.
Correspondingly, the registrar receives the expected response value RES, or its hash value, sent by the user terminal.
Step 511: the registrar compares the expected response value XRES with the expected response value RES to determine whether they are consistent.
The registrar compares the locally retained expected response value XRES with the expected response value RES obtained from the root key challenge response message returned by the user terminal, and performs the corresponding operation according to the comparison result, including:
If the comparison result is consistent, the following step 512 is performed;
If the comparison result is inconsistent, a root key negotiation response message is sent to the user terminal, the root key negotiation response message being a root key negotiation failure response message, and the following step 515 is performed.
Optionally, as described in step 510 above, if what the registrar receives is the hash value of the expected response value RES, the registrar computes a hash value of the retained expected response value XRES with the same hash algorithm and compares the two hash values.
Step 512: the registrar generates a second root key based on the second encryption key CK and/or the second integrity key IK.
For example, the second root key is the second encryption key CK or the second integrity key IK; alternatively, the second root key is the concatenation of the second encryption key CK and/or the second integrity key IK and/or a fixed string; or the second root key is the value produced by applying a hash algorithm (such as SHA256) to that concatenated plaintext.
Step 513: the registrar establishes the correspondence between the mobile user identifier and the second root key.
The correspondence between the mobile user identifier and the second root key is established on the registrar, so that the registrar can look up and obtain the corresponding second root key from this correspondence according to the mobile user identifier.
If a correspondence between the mobile user identifier and a second root key is already stored on the registrar, the previously stored second root key is replaced with the newly generated second root key.
It should be noted that steps 512 and 513 above may also be performed after the registrar sends the root key negotiation success response message to the user terminal in step 514; the present invention does not limit this.
Step 514: the registrar sends a root key negotiation response message to the user terminal; the root key negotiation response message is a root key negotiation success response message.
Step 515: the user terminal receives the root key negotiation response message sent by the registrar and performs the corresponding operation.
The user terminal receives the root key negotiation response message sent by the registrar; the root key negotiation response message is either a root key negotiation success response message or a root key negotiation failure response message.
The user terminal performs the corresponding operation according to the root key negotiation response message, including:
If the root key negotiation response message is a root key negotiation success response message, the user terminal performs the following step 516.
If the root key negotiation response message is a root key negotiation failure response message, the following step is not performed and the current root key negotiation process ends.
Step 516: the user terminal generates the first root key based on the first encryption key CK and/or the first integrity key IK, using the same root key generation method as the registrar.
For example, corresponding to the root key generation method on the registrar: if the second root key is the second encryption key CK or the second integrity key IK, the first root key is the first encryption key CK or the first integrity key IK; if the second root key is the concatenation of the second encryption key CK and/or the second integrity key IK and/or a fixed string, the first root key is the concatenation of the first encryption key CK and/or the first integrity key IK and/or the same fixed string; and if the second root key is the value produced by applying a hash algorithm (such as SHA256) to the concatenated plaintext, the first root key is the value produced by applying the same hash algorithm (such as SHA256) to the concatenated plaintext.
At this point, since the above process is implemented on the basis of the AKA mechanism (Authentication and Key Agreement), the first encryption key CK and the first integrity key IK obtained on the user terminal are identical to the second encryption key CK and the second integrity key IK obtained on the registrar, and since the root key generation method is the same on both sides, the first root key generated on the user terminal and the second root key generated on the registrar have the same value.
By the method provided in this embodiment, the user terminal, based on the mobile user identifier and key stored in the subscriber identity module SIM card, and the registrar, based on the identical mobile user identifier and key stored in the home subscriber server HSS, each generate a root key of identical value for the same mobile user identifier through the authentication and key agreement process between the user terminal and the registrar, without the root key itself ever being exchanged.
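Steps 503 to 516 above, including the IMSI/IMPI type check of step 504, as an added Python simulation that is not the patent's own code: the HSS, the SIM card, the registrar and the user terminal all run in one process, the AKA functions are replaced by HMAC-SHA256 keyed with the subscriber key K (an assumption standing in for MILENAGE), the AUTN format is simplified to a MAC over RAND, and the fixed string and the sample identifiers are constructed.

```python
import hashlib
import hmac
import os
import re
from typing import Dict, Optional, Tuple

# Constructed stand-in for the (U)SIM / HSS AKA functions. A real network uses
# MILENAGE with the subscriber key K; keying HMAC-SHA256 with K is an assumption
# that keeps this example self-contained and offline.
def _aka_f(k: bytes, tag: bytes, rand: bytes, length: int) -> bytes:
    return hmac.new(k, tag + rand, hashlib.sha256).digest()[:length]

# Fixed string concatenated into the root key (steps 512/516); value is constructed.
FIXED_STRING = b"root-key-fixed-string"

def identifier_type(mobile_id: str) -> str:
    """Step 504: classify the mobile user identifier by its field structure.
    IMSI: at most 15 Arabic numerals. IMPI: an RFC 2486 style NAI (user@realm)."""
    if re.fullmatch(r"[0-9]{1,15}", mobile_id):
        return "IMSI"
    if re.fullmatch(r"[^@\s]+@[^@\s]+", mobile_id):
        return "IMPI"
    raise ValueError("neither an IMSI nor an IMPI: %r" % mobile_id)

def hss_authentication_vector(k: bytes, rand: bytes) -> Dict[str, bytes]:
    """Steps 505/506: the values the registrar extracts from the HSS answer
    (SIP-Authenticate -> RAND, AUTN; SIP-Authorization -> XRES; CK; IK).
    AUTN is modelled as a MAC over RAND; a real AUTN also carries SQN and AMF."""
    return {
        "RAND": rand,
        "AUTN": _aka_f(k, b"autn", rand, 16),
        "XRES": _aka_f(k, b"res", rand, 8),
        "CK": _aka_f(k, b"ck", rand, 16),
        "IK": _aka_f(k, b"ik", rand, 16),
    }

def sim_authenticate(k: bytes, rand: bytes, autn: bytes) -> Dict[str, bytes]:
    """Steps 508/509: the SIM card checks AUTN (network authentication) and
    returns RES together with the first CK and IK."""
    if not hmac.compare_digest(autn, _aka_f(k, b"autn", rand, 16)):
        raise ValueError("AUTN rejected by SIM card")
    return {"RES": _aka_f(k, b"res", rand, 8),
            "CK": _aka_f(k, b"ck", rand, 16),
            "IK": _aka_f(k, b"ik", rand, 16)}

def derive_root_key(ck: bytes, ik: bytes) -> bytes:
    """Steps 512/516: the hashed-concatenation variant, SHA256(CK || IK || fixed
    string), applied identically on both sides."""
    return hashlib.sha256(ck + ik + FIXED_STRING).digest()

def res_hash(res: bytes) -> bytes:
    """Step 510 option: only SHA256(RES) crosses the wire, never RES in plaintext."""
    return hashlib.sha256(res).digest()

class Registrar:
    def __init__(self, hss_subscribers: Dict[str, bytes]):
        self.hss_subscribers = hss_subscribers   # stands in for the HSS database: id -> K
        self.pending: Dict[str, Tuple[bytes, bytes, bytes]] = {}  # XRES, CK, IK from step 507
        self.root_keys: Dict[str, bytes] = {}    # step 513: mobile_id -> second root key
        self.hss_interface = ""

    def negotiate_request(self, mobile_id: str) -> Tuple[bytes, bytes]:
        """Steps 503-507: query the HSS, retain XRES/CK/IK, return the challenge."""
        self.hss_interface = "SWx" if identifier_type(mobile_id) == "IMSI" else "Cx or SWx"
        av = hss_authentication_vector(self.hss_subscribers[mobile_id], os.urandom(16))
        self.pending[mobile_id] = (av["XRES"], av["CK"], av["IK"])
        return av["RAND"], av["AUTN"]

    def challenge_response(self, mobile_id: str, received_hash: bytes) -> bool:
        """Steps 510-514: compare SHA256(XRES) with the received hash in constant time.
        True = negotiation success response; False = failure response, nothing stored."""
        xres, ck, ik = self.pending.pop(mobile_id)
        if not hmac.compare_digest(res_hash(xres), received_hash):
            return False
        self.root_keys[mobile_id] = derive_root_key(ck, ik)  # replaces any earlier root key
        return True

class UserTerminal:
    def __init__(self, mobile_id: str, sim_key: bytes):
        self.mobile_id = mobile_id
        self.sim_key = sim_key        # K held inside the SIM card; never sent anywhere
        self.root_key: Optional[bytes] = None

    def negotiate(self, registrar: Registrar) -> Optional[bytes]:
        """Steps 503, 508-510 and 515-516 from the terminal side."""
        rand, autn = registrar.negotiate_request(self.mobile_id)
        sim_out = sim_authenticate(self.sim_key, rand, autn)
        if not registrar.challenge_response(self.mobile_id, res_hash(sim_out["RES"])):
            return None                                   # failure response: process ends
        self.root_key = derive_root_key(sim_out["CK"], sim_out["IK"])
        return self.root_key
```

Note that neither CK/IK nor the root key ever appears in a message between the two sides; only RAND, AUTN and SHA256(RES) are exchanged, which is what makes the optional hashing in step 510 worthwhile.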
In addition, to achieve the above object, the present invention also provides a client registration device applied to a user terminal on which a third-party application client runs, comprising: a memory, a processor, and a client registration program stored in the memory and executable on the processor, wherein the client registration program, when executed by the processor, implements the steps of the client registration method described above.
In addition, to achieve the above object, the present invention also provides a client registration device applied to a registrar, comprising: a memory, a processor, and a client registration program stored in the memory and executable on the processor, wherein the client registration program, when executed by the processor, implements the steps of the client registration method described above.
In addition, to achieve the above object, the present invention also provides a client registration system, the client registration system comprising a user terminal and a registrar;
the user terminal comprises the client registration device described above;
the registrar comprises the client registration device described above.
It should be noted that, in this document, the terms "include", "comprise" or any other variant thereof are intended to cover a non-exclusive inclusion, so that a process, method, article or system that includes a series of elements includes not only those elements but also other elements not explicitly listed, or elements inherent to such a process, method, article or system. In the absence of further restrictions, an element limited by the phrase "including a ..." does not exclude the presence of other identical elements in the process, method, article or system that includes that element.
The serial numbers of the above embodiments of the present invention are for description only and do not represent the advantages or disadvantages of the embodiments.
Through the above description of the embodiments, those skilled in the art can clearly understand that the methods of the above embodiments can be implemented by means of software plus the necessary general-purpose hardware platform, and of course also by hardware, but in many cases the former is the preferred implementation. Based on this understanding, the technical solution of the present invention in essence, or the part of it that contributes to the prior art, can be embodied in the form of a software product stored in a storage medium as described above (such as ROM/RAM, a magnetic disk or an optical disc), including a number of instructions that cause a terminal device (which may be a mobile phone, a computer, a server, an air conditioner or a network device, etc.) to execute the method described in each embodiment of the present invention.
The above are only preferred embodiments of the present invention and are not intended to limit the scope of the invention; any equivalent structure or equivalent process transformation made using the content of the specification and accompanying drawings of the present invention, whether applied directly or indirectly in other related technical fields, is likewise included within the scope of protection of the present invention.
Claims (26)
1. A client registration method, characterized in that it is applied to a user terminal on which a third-party application client runs, the method comprising:
generating first information to be signed, the first information to be signed including a mobile user identifier, and the generation method of the first information to be signed being consistent with the generation method by which the registrar generates second information to be signed;
generating a first request signature value, the first request signature value being computed from the first information to be signed with a first signature key;
sending a client registration request to the registrar, the client registration request including the mobile user identifier and the first request signature value;
receiving a registration success response message sent by the registrar.
2. The method according to claim 1, characterized in that the client registration request further includes a third-party application identifier, the third-party application identifier being the third-party application identifier corresponding to the third-party application client.
3. The method according to claim 1 or claim 2, characterized in that the registration success response message further includes a third-party user identifier.
4. The method according to claim 3, characterized in that, after the step of receiving the registration success response message sent by the registrar, the method further comprises:
generating a first application key, the first application key being generated based on a first root key.
5. The method according to claim 1 or claim 2, characterized in that the registration success response message includes an authentication token.
6. The method according to any one of claims 2 to 5, characterized in that, after sending the client registration request to the registrar and before receiving the registration success response message sent by the registrar, the method further comprises:
receiving an application authorization request message sent by the registrar;
displaying an application authorization confirmation interface;
receiving the authorization information input by the terminal user in the application authorization confirmation interface;
if the authorization information includes a confirmation of authorization, sending an application authorization response message to the registrar, the application authorization response message being an application authorization confirmation message.
7. The method according to claim 1, characterized in that, before the step of generating the first request signature value, the method further comprises:
obtaining a first root key, the first root key having the same value as the second root key corresponding to the mobile user identifier stored on the registrar;
generating a first signature key, the first signature key being generated based on the first root key.
8. The method according to claim 4 or claim 7, characterized in that the first root key is generated by the user terminal and the registrar based on the authentication and key agreement AKA mechanism.
9. The method according to claim 8, characterized in that the generation by the user terminal and the registrar based on the AKA mechanism comprises:
obtaining the mobile user identifier from a subscriber identity module SIM card;
sending a root key negotiation request to the registrar, the root key negotiation request including the mobile user identifier;
receiving a root key negotiation challenge message sent by the registrar, the root key negotiation challenge message including a random number RAND and an authentication token AUTN;
sending an authentication request to the subscriber identity module SIM card, the authentication request including the random number RAND and the authentication token AUTN;
receiving a return value of the subscriber identity module SIM card, the return value including an expected response value RES, a first encryption key CK and a first integrity key IK;
sending a root key challenge response message to the registrar, the root key challenge response message including the expected response value RES;
receiving a root key negotiation success response message sent by the registrar, the root key negotiation success response message being generated and fed back after the registrar has verified that the expected response value RES in the root key challenge response message is valid;
generating the first root key based on the first encryption key CK and/or the first integrity key IK, the generation method of the first root key being consistent with the generation method by which the registrar generates the second root key.
10. The method according to claim 9, characterized in that:
the subscriber identity module SIM card is a universal subscriber identity module USIM, and the mobile user identifier is an international mobile subscriber identity IMSI;
or,
the subscriber identity module SIM card is an IP multimedia services identity module ISIM, and the mobile user identifier is an IP multimedia private identity IMPI.
11. A client registration method, characterized in that it is applied to a registrar, the method comprising:
receiving a client registration request sent by a user terminal, the client registration request including a mobile user identifier and a first request signature value;
generating second information to be signed, the second information to be signed including the mobile user identifier, and the generation method of the second information to be signed being consistent with the generation method by which the user terminal generates first information to be signed;
obtaining a second signature key according to the mobile user identifier;
verifying whether the first request signature value is valid according to the second signature key and the second information to be signed;
when the first request signature value is verified to be valid, sending a registration success response message to the user terminal.
12. The method according to claim 11, characterized in that the client registration request further includes a third-party application identifier.
13. The method according to claim 11 or claim 12, characterized in that the registration success response message further includes a third-party user identifier.
14. The method according to claim 12, characterized in that the method further comprises:
looking up the corresponding third-party user identifier according to the mobile user identifier and the third-party application identifier;
if the corresponding third-party user identifier is found, obtaining the found corresponding third-party user identifier;
if the corresponding third-party user identifier is not found, creating a unique third-party user identifier, and establishing and storing the correspondence between the mobile user identifier, the third-party application identifier and the third-party user identifier.
15. The method according to claim 12, characterized in that the method further comprises:
when the first request signature value is verified to be valid, generating a second application key, the second application key being generated based on a second root key, and the generation method of the second application key being consistent with the generation method by which the user terminal generates a first application key;
establishing the correspondence between the third-party user identifier and the second application key.
16. The method according to claim 11 or claim 12, characterized in that the registration success response message further includes an authentication token.
17. The method according to claim 16, characterized in that the method further comprises:
generating an authentication token for the third-party application identifier;
establishing the association between the authentication token and the third-party application identifier.
18. The method according to any one of claims 12 to 16, characterized in that, when the first request signature value is verified to be valid, sending the registration success response message to the user terminal further comprises:
when the first request signature value is verified to be valid, sending an application authorization request message to the user terminal;
receiving an application authorization response message sent by the user terminal;
if the application authorization response message is an application authorization confirmation message, sending the registration success response message to the user terminal.
19. The method according to claim 11, characterized in that the step of obtaining the second signature key according to the mobile user identifier comprises:
obtaining the corresponding second root key according to the mobile user identifier, the second root key having the same value as the first root key of the user terminal;
generating the second signature key, the second signature key being generated based on the second root key, and the generation method of the second signature key being consistent with the generation method by which the user terminal generates the first signature key.
20. The method according to claim 11, characterized in that the step of verifying whether the first request signature value is valid according to the second signature key and the second information to be signed comprises:
generating a second request signature value, the second request signature value being computed from the second information to be signed based on the second signature key, and the generation method of the second request signature value being consistent with the generation method by which the user terminal generates the first request signature value;
comparing the first request signature value with the second request signature value, and if the first request signature value and the second request signature value are consistent, determining that the first request signature value is valid.
21. The method according to claim 15 or claim 19, characterized in that the second root key is generated by the registrar and the user terminal based on the authentication and key agreement AKA mechanism.
22. The method according to claim 21, characterized in that the generation of the second root key by the registrar and the user terminal based on the AKA mechanism comprises:
receiving a root key negotiation request sent by the user terminal, the root key negotiation request including the mobile user identifier;
sending an authentication request message to a home subscriber server HSS, the authentication request message including the mobile user identifier;
receiving an authentication answer message fed back by the home subscriber server HSS, the authentication answer message including a SIP-Auth-Data-Item attribute value pair;
obtaining a random number RAND, an authentication token AUTN, an expected response value XRES, and a second encryption key CK and/or a second integrity key IK from the SIP-Auth-Data-Item attribute value pair;
sending a root key negotiation challenge message to the user terminal, the root key negotiation challenge message including the random number RAND and the authentication token AUTN;
receiving a root key challenge response message sent by the user terminal, the root key challenge response message including an expected response value RES;
comparing whether the expected response value XRES and the expected response value RES are consistent, and if they are consistent, determining that the expected response value RES is valid, and:
generating the second root key based on the second encryption key CK and/or the second integrity key IK, the generation method of the second root key being consistent with the generation method by which the user terminal generates the first root key;
establishing the correspondence between the mobile user identifier and the second root key, and if the mobile user identifier already has a corresponding root key, replacing the existing root key with the second root key;
sending a root key negotiation success response message to the user terminal.
23. The method according to claim 11, characterized in that the mobile user identifier is an international mobile subscriber identity IMSI or an IP multimedia private identity IMPI.
24. A client registration device, characterized in that the client registration device is applied to a user terminal on which a third-party application client runs, comprising: a memory, a processor, and a client registration program stored in the memory and executable on the processor, wherein the client registration program, when executed by the processor, implements the steps of the client registration method according to any one of claims 1 to 10.
25. A client registration device, characterized in that the client registration device is applied to a registrar, comprising: a memory, a processor, and a client registration program stored in the memory and executable on the processor, wherein the client registration program, when executed by the processor, implements the steps of the client registration method according to any one of claims 11 to 23.
26. A client registration system, characterized in that the client registration system comprises a user terminal and a registrar;
the user terminal comprises the client registration device according to claim 24;
the registrar comprises the client registration device according to claim 25.
Priority Applications (5)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201810969927.4A CN109041205A (en) | 2018-08-23 | 2018-08-23 | Client registers method, apparatus and system |
PCT/CN2019/074724 WO2020037957A1 (en) | 2018-08-23 | 2019-02-04 | Client registration method, apparatus and system |
CN201910777127.7A CN110858969A (en) | 2018-08-23 | 2019-08-22 | Client registration method, device and system |
CN201910775079.8A CN110858968A (en) | 2018-08-23 | 2019-08-22 | Client registration method, device and system |
CN201910774037.2A CN111050314B (en) | 2018-08-23 | 2019-08-22 | Client registration method, device and system |
Publications (1)
Publication Number | Publication Date |
---|---|
CN109041205A true CN109041205A (en) | 2018-12-18 |
Family
ID=64627198
Family Applications (4)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201810969927.4A Pending CN109041205A (en) | 2018-08-23 | 2018-08-23 | Client registers method, apparatus and system |
CN201910777127.7A Pending CN110858969A (en) | 2018-08-23 | 2019-08-22 | Client registration method, device and system |
CN201910775079.8A Pending CN110858968A (en) | 2018-08-23 | 2019-08-22 | Client registration method, device and system |
CN201910774037.2A Active CN111050314B (en) | 2018-08-23 | 2019-08-22 | Client registration method, device and system |
Family Applications After (3)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201910777127.7A Pending CN110858969A (en) | 2018-08-23 | 2019-08-22 | Client registration method, device and system |
CN201910775079.8A Pending CN110858968A (en) | 2018-08-23 | 2019-08-22 | Client registration method, device and system |
CN201910774037.2A Active CN111050314B (en) | 2018-08-23 | 2019-08-22 | Client registration method, device and system |
Country Status (1)
Country | Link |
---|---|
CN (4) | CN109041205A (en) |
Cited By (7)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2020037957A1 (en) * | 2018-08-23 | 2020-02-27 | 刘高峰 | Client registration method, apparatus and system |
CN111327416A (en) * | 2019-12-13 | 2020-06-23 | 刘高峰 | Internet of things equipment access method and device and Internet of things platform |
CN111327583A (en) * | 2019-08-22 | 2020-06-23 | 刘高峰 | Identity authentication method, intelligent equipment and authentication server |
CN111327582A (en) * | 2019-08-22 | 2020-06-23 | 刘高峰 | Authorization method, device and system based on OAuth protocol |
CN112118243A (en) * | 2020-09-09 | 2020-12-22 | 中国联合网络通信集团有限公司 | Identity authentication method and system, and Internet application login method and system |
CN112689283A (en) * | 2020-12-15 | 2021-04-20 | 青海大学 | Key protection and negotiation method, system and storage medium |
WO2024012517A1 (en) * | 2022-07-14 | 2024-01-18 | 蔚来汽车科技(安徽)有限公司 | End-to-end data transmission method, and device and medium |
Families Citing this family (9)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN110611719B (en) * | 2019-10-16 | 2022-04-19 | 四川虹美智能科技有限公司 | Message pushing method, server and system |
CN114268953B (en) * | 2020-09-14 | 2023-08-15 | ***通信集团重庆有限公司 | Base station authentication method, query node, system and equipment |
WO2022133741A1 (en) * | 2020-12-22 | 2022-06-30 | Huawei Technologies Co., Ltd. | Registration methods using one-time identifiers for user equipments and nodes implementing the registration methods |
CN113806798B (en) * | 2021-08-13 | 2023-07-14 | 苏州浪潮智能科技有限公司 | User side verification method, system, equipment and medium |
CN114338173B (en) * | 2021-12-29 | 2023-01-24 | 渔翁信息技术股份有限公司 | Account registration method, system, equipment and computer readable storage medium |
CN114584971A (en) * | 2022-02-15 | 2022-06-03 | 北京快乐茄信息技术有限公司 | Account registration method and device, electronic equipment and storage medium |
CN115001841A (en) * | 2022-06-23 | 2022-09-02 | 北京瑞莱智慧科技有限公司 | Identity authentication method, identity authentication device and storage medium |
CN115208702B (en) * | 2022-09-16 | 2022-12-30 | 国网江西省电力有限公司电力科学研究院 | Internet of things equipment authentication and key agreement method |
CN117556411B (en) * | 2024-01-10 | 2024-05-10 | 鼎铉商用密码测评技术(深圳)有限公司 | Password generation method, password generation device, and readable storage medium |
Family Cites Families (19)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN100384120C (en) * | 2004-09-30 | 2008-04-23 | 华为技术有限公司 | Method for carrying out authentication for terminal user identification module in IP multimedia subsystem |
CN100544249C (en) * | 2004-10-29 | 2009-09-23 | 大唐移动通信设备有限公司 | Mobile communication user certification and cryptographic key negotiation method |
CN1859087A (en) * | 2005-12-30 | 2006-11-08 | 华为技术有限公司 | Key consulting method and its system for customer end and server |
EP1858278B1 (en) * | 2006-05-19 | 2013-05-15 | Research In Motion Limited | System and method for facilitating accelerated network selection in a radio network enviroment |
CN101197673B (en) * | 2006-12-05 | 2011-08-10 | 中兴通讯股份有限公司 | Fixed network access into IMS bidirectional authentication and key distribution method |
CN101488945B (en) * | 2008-01-14 | 2012-09-19 | 北京大唐高鸿数据网络技术有限公司 | Authentication method oriented to SIP |
CN102150446A (en) * | 2008-09-09 | 2011-08-10 | 爱立信电话股份有限公司 | Authentication in a communication network |
CN101635823B (en) * | 2009-08-27 | 2011-09-21 | 中兴通讯股份有限公司 | Method and system of terminal for encrypting videoconference data |
CN102196436B (en) * | 2010-03-11 | 2014-12-17 | 华为技术有限公司 | Security authentication method, device and system |
CN102196426B (en) * | 2010-03-19 | 2014-11-05 | ***通信集团公司 | Method, device and system for accessing IMS (IP multimedia subsystem) network |
CN102413464B (en) * | 2011-11-24 | 2014-07-09 | 杭州东信北邮信息技术有限公司 | GBA (General Bootstrapping Architecture)-based secret key negotiation system and method of telecommunication capability open platform |
CN104125565A (en) * | 2013-04-23 | 2014-10-29 | 中兴通讯股份有限公司 | Method for realizing terminal authentication based on OMA DM, terminal and server |
CN103259795B (en) * | 2013-05-14 | 2016-12-28 | 百度在线网络技术(北京)有限公司 | Perform registration logs in automatically method, mobile terminal and server |
US20160219039A1 (en) * | 2013-09-06 | 2016-07-28 | Mario Houthooft | Mobile Authentication Method and System for Providing Authenticated Access to Internet-Supported Services and Applications |
CN106161032B (en) * | 2015-04-24 | 2019-03-19 | 华为技术有限公司 | A kind of identity authentication method and device |
CN106534050A (en) * | 2015-09-11 | 2017-03-22 | 中移(杭州)信息技术有限公司 | Method and device for realizing key agreement of virtual private network (VPN) |
CN107454045B (en) * | 2016-06-01 | 2020-09-11 | 宇龙计算机通信科技(深圳)有限公司 | Method, device and system for user IMS registration authentication |
WO2018053271A1 (en) * | 2016-09-16 | 2018-03-22 | Idac Holdings, Inc. | Unified authentication framework |
CN108401275A (en) * | 2017-02-06 | 2018-08-14 | 财团法人工业技术研究院 | user equipment registration method, network controller and network communication system |
- 2018
  - 2018-08-23 CN CN201810969927.4A patent/CN109041205A/en active Pending
- 2019
  - 2019-08-22 CN CN201910777127.7A patent/CN110858969A/en active Pending
  - 2019-08-22 CN CN201910775079.8A patent/CN110858968A/en active Pending
  - 2019-08-22 CN CN201910774037.2A patent/CN111050314B/en active Active
Cited By (9)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2020037957A1 (en) * | 2018-08-23 | 2020-02-27 | 刘高峰 | Client registration method, apparatus and system |
CN111327583A (en) * | 2019-08-22 | 2020-06-23 | 刘高峰 | Identity authentication method, intelligent equipment and authentication server |
CN111327582A (en) * | 2019-08-22 | 2020-06-23 | 刘高峰 | Authorization method, device and system based on OAuth protocol |
CN111327583B (en) * | 2019-08-22 | 2022-03-04 | 刘高峰 | Identity authentication method, intelligent equipment and authentication server |
CN111327416A (en) * | 2019-12-13 | 2020-06-23 | 刘高峰 | Internet of things equipment access method and device and Internet of things platform |
CN112118243A (en) * | 2020-09-09 | 2020-12-22 | 中国联合网络通信集团有限公司 | Identity authentication method and system, and Internet application login method and system |
CN112118243B (en) * | 2020-09-09 | 2023-04-07 | 中国联合网络通信集团有限公司 | Identity authentication method and system, and Internet application login method and system |
CN112689283A (en) * | 2020-12-15 | 2021-04-20 | 青海大学 | Key protection and negotiation method, system and storage medium |
WO2024012517A1 (en) * | 2022-07-14 | 2024-01-18 | 蔚来汽车科技(安徽)有限公司 | End-to-end data transmission method, and device and medium |
Also Published As
Publication number | Publication date |
---|---|
CN110858968A (en) | 2020-03-03 |
CN110858969A (en) | 2020-03-03 |
CN111050314B (en) | 2023-06-30 |
CN111050314A (en) | 2020-04-21 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN109041205A (en) | | Client registers method, apparatus and system |
CN111327582B (en) | | Authorization method, device and system based on OAuth protocol |
US10284555B2 (en) | | User equipment credential system |
KR102018971B1 (en) | | Method for enabling network access device to access wireless network access point, network access device, application server and non-volatile computer readable storage medium |
US10880291B2 (en) | | Mobile identity for single sign-on (SSO) in enterprise networks |
US9015819B2 (en) | | Method and system for single sign-on |
US20120284786A1 (en) | | System and method for providing access credentials |
CN111050322B (en) | | GBA-based client registration and key sharing method, device and system |
US20050135622A1 (en) | | Upper layer security based on lower layer keying |
US20110145575A1 (en) | | Secure Bootstrapping Architecture Method Based on Password-Based Digest Authentication |
CN101406021A (en) | | SIM based authentication |
KR20060049882A (en) | | Device and process for wireless local area network association and corresponding products |
CN101426190A (en) | | Service access authentication method and system |
CN101986598A (en) | | Authentication method, server and system |
CN112235799B (en) | | Network access authentication method and system for terminal equipment |
CN102014385A (en) | | Authentication method for mobile terminal, and mobile terminal |
JP5165725B2 (en) | | Method and apparatus for authenticating a mobile device |
CN105721403B (en) | | For providing the method, equipment and system of wireless network resource |
Vargic et al. | | Provisioning of VoIP services for mobile subscribers using WiFi access network |
KR102024376B1 (en) | | Method of bootstrapping of internet of thing device |
CN117915322A (en) | | Slice secondary authentication method and system based on key integrity detection |
WO2020037957A1 (en) | | Client registration method, apparatus and system |
JP6591051B2 (en) | | How to authenticate a subscriber in a local network |
Thagadur Prakash | | Enhancements to Secure Bootstrapping of Smart Appliances |
KR101532117B1 (en) | | System and method for supporting emergency call after the access fail |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
WD01 | Invention patent application deemed withdrawn after publication | Application publication date: 20181218 |