CN109041205A - Client registration method, apparatus and system - Google Patents

Client registration method, apparatus and system

Info

Publication number
CN109041205A
Authority
CN (China)
Prior art keywords
key, registration server, user terminal, root key, value
Legal status
Pending (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Application number
CN201810969927.4A
Other languages
Chinese (zh)
Inventor
刘高峰
Current Assignee / Original Assignee
Individual (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application events
Application filed by Individual
Priority to CN201810969927.4A
Publication of CN109041205A
Priority to PCT/CN2019/074724 (WO2020037957A1)
Priority to CN201910777127.7A (CN110858969A)
Priority to CN201910775079.8A (CN110858968A)
Priority to CN201910774037.2A (CN111050314B)
Legal status: Pending

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 60/00 Affiliation to network, e.g. registration; Terminating affiliation with the network, e.g. de-registration
    • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W 12/06 Authentication
    • H04W 12/60 Context-dependent security
    • H04W 12/69 Identity-dependent

Abstract

The invention discloses a client registration method, apparatus and system. In the method, the user terminal holds a mobile user identifier and a key, and the registration server holds the same mobile user identifier and key. Through authentication and key negotiation between the user terminal and the registration server, and through signature verification of the mobile user identifier, a secure verification environment is provided for the registration of a third-party application client running on the user terminal. At the same time, a third-party user identifier, an application key or an authentication token is provided to the third-party application client, so that fast and secure identity authentication, data encryption and similar operations can be implemented for the third-party application client. Because the user does not need to enter an account, password or key, the user experience is significantly improved.

Description

Client registration method, apparatus and system
Technical field
The present invention relates to the field of communication technology and the field of Internet technology, and in particular to a client registration method, apparatus and system.
Background technique
The Universal Subscriber Identity Module (USIM) used in 3G and later networks and the IP Multimedia Services Identity Module (ISIM) used in IMS networks are integrated-circuit devices conforming to the 3GPP specifications that a communication operator uses to identify the identity of a contracted subscriber.
An eSIM, as an embedded SIM card, essentially moves the subscriber data and encryption information originally stored on a physical SIM card to another hardware carrier inside the subscriber terminal device itself. A soft SIM implements the functions of a SIM in pure software in place of a physical SIM card, and likewise securely stores subscriber data and encryption information.
Whatever the SIM card type, the SIM card stores the identity and encryption information of the contracted subscriber. For convenience of description, the module that stores the identity and encryption information of a mobile cellular network subscriber is referred to below as the "subscriber identity module SIM card". Correspondingly, the home subscriber server HSS (Home Subscriber Server) is the subscriber authentication system of the mobile cellular network; it stores the identity and encryption information of the subscriber corresponding to the subscriber identity module SIM card.
With the widespread use of intelligent terminals (such as smartphones), users install a large number of third-party application clients on them. A third-party application client generally needs to obtain certain necessary information from the terminal user before it can be used normally, and this information usually has to be entered manually or preconfigured by the terminal user, for example an account and its password, or a pre-configured key. These operations are cumbersome and degrade the user experience.
Summary of the invention
The main purpose of the present invention is to provide a client registration method, apparatus and system by which a third-party application client running on a user terminal can securely and automatically obtain registration information, including an account, an application key, an authentication token and the like, thereby solving the technical problem that existing third-party application clients make the user experience cumbersome when registering an account, negotiating a shared key, obtaining an authentication token, authenticating the user and so on.
To achieve the above object, the present invention provides a client registration method applied in a user terminal running a third-party application client, the method comprising:
generating first information to be signed, the first information to be signed including a mobile user identifier, the manner in which the first information to be signed is generated being consistent with the manner in which the registration server generates second information to be signed;
generating a first request signature value, the first request signature value being computed from the first information to be signed on the basis of a first signature key;
sending a client registration request to the registration server, the client registration request including the mobile user identifier and the first request signature value;
receiving a registration success response message sent by the registration server.
In addition, to achieve the above object, the present invention also provides a client registration method applied in a registration server, the method comprising:
receiving a client registration request sent by a user terminal, the client registration request including a mobile user identifier and a first request signature value;
generating second information to be signed, the second information to be signed including the mobile user identifier, the manner in which the second information to be signed is generated being consistent with the manner in which the user terminal generates the first information to be signed;
obtaining a second signature key according to the mobile user identifier;
verifying, on the basis of the second signature key and the second information to be signed, whether the first request signature value is valid;
when the first request signature value is verified as valid, sending a registration success response message to the user terminal.
In addition, to achieve the above object, the present invention also provides a client registration apparatus applied in a user terminal running a third-party application client, comprising a memory, a processor, and a client registration program stored in the memory and executable on the processor, the client registration program, when executed by the processor, implementing the steps of the client registration method described above.
In addition, to achieve the above object, the present invention also provides a client registration apparatus applied in a registration server, comprising a memory, a processor, and a client registration program stored in the memory and executable on the processor, the client registration program, when executed by the processor, implementing the steps of the client registration method described above.
In addition, to achieve the above object, the present invention also provides a client registration system, the client registration system comprising a user terminal and a registration server;
the user terminal includes the client registration apparatus described above;
the registration server includes the client registration apparatus described above.
The present invention provides a secure registration environment for the third-party application client running on the user terminal, so that the third-party application client can automatically obtain registration information including an account, an application key, an authentication token and the like. This solves the technical problem that existing third-party application clients make the user experience cumbersome when registering an account, negotiating a shared key, obtaining an authentication token, authenticating the user and so on. The whole process requires no user input, or only a small amount of input, which improves the user experience.
Description of the drawings
Fig. 1 is a schematic structural diagram of an implementation environment involved in the client registration method provided by an embodiment of the present invention;
Fig. 2 is a flow diagram of a first embodiment of the client registration method of the present invention;
Fig. 3 is a flow diagram of a second embodiment of the client registration method of the present invention;
Fig. 4 is a flow diagram of a third embodiment of the client registration method of the present invention;
Fig. 5 is a flow diagram of a fourth embodiment of the client registration method of the present invention;
Fig. 6 is a flow diagram of a fifth embodiment of the client registration method of the present invention;
Fig. 7 is a flow diagram of the root key negotiation process provided by an embodiment of the present invention.
The realization of the objects, the functional features and the advantages of the present invention are further described below with reference to the accompanying drawings and in conjunction with the embodiments.
Specific embodiment
To make the objects, technical solutions and advantages of the present invention clearer, embodiments of the present invention are described in further detail below with reference to the accompanying drawings. It should be understood that the specific embodiments described here are merely illustrative of the present invention and are not intended to limit it.
Fig. 1 is a schematic diagram of the terminal structure of the hardware running environment involved in the embodiments of the present invention.
One. Structural schematic diagram of the implementation environment
Referring to Fig. 1, which shows a schematic structural diagram of an implementation environment involved in the client registration method provided by an embodiment of the present invention. The implementation environment includes a registration server, a user terminal and a third-party application client.
Registration server: connected to the user terminal over a network, for receiving and processing the root key negotiation request and the client registration request of the user terminal; connected to the home subscriber server HSS (Home Subscriber Server) over a network, for sending a mobile user authentication request to the HSS and obtaining the result. The registration server is usually provided by the communication operator.
User terminal: accesses the network and establishes a data connection with the registration server by wired or wireless means such as WLAN (including Wi-Fi), cellular mobile data, LAN or fixed broadband. The user terminal is an intelligent terminal into which a subscriber identity module SIM card can be inserted, embedded or externally connected, and which supports reading the subscriber identity module SIM card. It is usually a smartphone, but may also be a smart television, set-top box, tablet computer, portable computer, desktop computer or the like.
Third-party application client: an application program running in the operating system of the user terminal, provided by a third-party application service provider. It will be understood that multiple third-party application clients provided by different third-party application service providers may run on the user terminal, and that each third-party application client can connect to its corresponding third-party application server to obtain the services and data it requires.
It should be noted that a third-party application server is also present in a practical service implementation environment. The third-party application server is provided by the third-party application service provider. It is connected to the third-party application client over a network to provide the user with the required application services, such as information, shopping, social networking and so on, and it is connected to the registration server over a network to obtain from, or verify with, the registration server the registration information of the third-party application client, such as the third-party user identifier, application key, authentication token and the like.
Those skilled in the art will understand that the implementation environment structure shown in Fig. 1 does not constitute a limitation on the implementation environment; it may include more or fewer components than shown, combine certain components, or arrange the components differently.
Two. Related terms
To aid understanding, some of the terms referred to herein are described and explained.
Mobile user identifier: an identifier that uniquely identifies a subscriber identity module SIM card. The mobile user identifier is an IMSI (International Mobile Subscriber Identity) or an IMPI (IP Multimedia Private Identity).
Third-party application identifier: an identifier that uniquely identifies a third-party application client and that also identifies the third-party application server corresponding to that third-party application client.
Three. Client registration flow, embodiment one
Referring to Fig. 2, which shows a flowchart of client registration provided by an embodiment of the present invention. This method can be used in the implementation environment shown in Fig. 1 and may include the following steps:
Step 101: the user terminal starts the client registration process.
The user terminal starts the client registration process after obtaining an operation instruction to start client registration.
Step 102: the user terminal obtains the mobile user identifier and the first root key.
The user terminal obtains the mobile user identifier and the first root key; the registration server stores the mobile user identifier and a second root key corresponding to that mobile user identifier.
Step 103: the user terminal generates the first signature key on the basis of the first root key.
For example, the first root key may be used directly as the first signature key.
As another example, the first signature key is generated from the first root key using a key derivation algorithm. Specifically, the key derivation algorithm can be expressed as DK = PBKDF2(passphrase, Salt, c, dkLen), where DK is the generated first signature key, PBKDF2 is the key derivation algorithm, passphrase is a character string formed by concatenating the first root key and/or the mobile user identifier, Salt is the salt value (a fixed character string in this example), c is the iteration count, and dkLen is the output key length.
Step 104: the user terminal generates the first information to be signed, which includes the mobile user identifier.
Optionally, to prevent replay attacks, the first information to be signed may also include a timestamp, generated from the current system time of the user terminal; the first information to be signed is then the concatenation of the mobile user identifier and the timestamp.
Step 105: the user terminal uses a signature algorithm to compute the first request signature value from the first information to be signed on the basis of the first signature key.
The generated first request signature value uniquely identifies the first information to be signed: only the same signature algorithm, the same information to be signed and the same signature key produce the same signature value.
For example, the signature algorithm can be expressed as Signature = HMAC_SHA256(k, m), where m is the information to be signed (the first information to be signed), k is the signature key (the first signature key), HMAC_SHA256 is the signature algorithm, and Signature is the signature value (the first request signature value).
Step 106: the user terminal sends a client registration request to the registration server; the client registration request includes the mobile user identifier and the first request signature value.
Optionally, if the information to be signed generated in step 104 includes a timestamp, the client registration request also includes that timestamp.
Correspondingly, the registration server receives the client registration request sent by the user terminal and obtains the mobile user identifier, the first request signature value and the timestamp from the client registration request.
Step 107 (optional): the registration server determines the validity of the client registration request.
If the client registration request of step 106 includes a timestamp, the registration server compares the timestamp with its own current system time and determines whether the difference between the two lies within a preset valid range:
if it lies within the valid range, step 108 below is executed;
if it does not lie within the valid range, a client registration response message is sent to the user terminal, this client registration response message being a registration failure response message, and step 114 below is then executed.
Step 108: the registration server obtains the second root key according to the mobile user identifier.
The registration server stores the correspondence between mobile user identifiers and second root keys.
The registration server looks up the mobile user identifier in this correspondence and obtains the corresponding second root key.
Step 109: the registration server generates the second signature key from the second root key, using the same signature key generation method as the user terminal.
For example, to use the same signature key generation method as the user terminal in step 103: if the user terminal uses the first root key as the first signature key, the registration server uses the second root key as the second signature key.
As another example, to use the same signature key generation method as the user terminal in step 103: if the user terminal generates the first signature key from the first root key using a key derivation algorithm, the registration server generates the second signature key from the second root key using the same key derivation algorithm. Specifically, taking the example corresponding to step 103, the key derivation algorithm is DK = PBKDF2(passphrase, Salt, c, dkLen), where DK is the generated second signature key, PBKDF2 is the same key derivation algorithm as used by the user terminal, passphrase is a character string formed by concatenating the second root key and/or the mobile user identifier in the same order as on the user terminal, Salt is the same fixed character string as on the user terminal, c is the same iteration count as on the user terminal, and dkLen is the same output key length as on the user terminal.
At this point, because the first root key on the user terminal and the second root key on the registration server that correspond to the same mobile user identifier have the same value, and because the first signature key and the second signature key are generated from root keys of equal value by the same signature key generation method, the first signature key and the second signature key also have the same value.
Step 110: the registration server generates the second information to be signed, which includes the mobile user identifier.
The registration server generates the second information to be signed, which includes the mobile user identifier; the manner in which the second information to be signed is generated is consistent with the manner in which the user terminal generates the first information to be signed.
Optionally, if the client registration request of step 106 includes a timestamp, the second information to be signed also includes that timestamp; that is, the second information to be signed is the concatenation of the mobile user identifier and the timestamp, in the same concatenation order as used by the user terminal, so that identical information to be signed is produced.
Step 111: the registration server uses the same signature algorithm as the user terminal to compute the second request signature value from the second information to be signed on the basis of the second signature key.
For example, using the same signature algorithm as the user terminal in step 105, the signature algorithm can be expressed as Signature = HMAC_SHA256(k, m), where m is the information to be signed (the second information to be signed), k is the signature key (the second signature key), HMAC_SHA256 is the same signature algorithm as used by the user terminal, and Signature is the signature value (the second request signature value).
At this point, because the registration server uses the same signature algorithm as the user terminal, the second information to be signed is identical to the first information to be signed, and the second signature key is identical to the first signature key, the generated second request signature value should be identical to the first request signature value.
Step 112: the registration server compares the second request signature value with the first request signature value for consistency and performs the corresponding operation.
The registration server compares whether the second request signature value and the first request signature value are consistent and, according to the comparison result, performs the corresponding operation, as follows:
if the comparison result is consistent, the first request signature value is determined to be valid, and step 113 below is executed;
if the comparison result is inconsistent, the first request signature value is determined to be invalid, the registration server sends a client registration response message to the user terminal, this client registration response message being a registration failure response message, and step 114 below is then executed.
Step 113: the registration server sends a client registration response message to the user terminal, this client registration response message being a registration success response message.
At this point, the above process, which is based on the mobile user identifier and the first root key on the user terminal and on the identical mobile user identifier and the second root key stored in the registration server, has the registration server verify the mobile user identifier using the same signature algorithm as the user terminal. After the verification succeeds, the registration server can securely provide the corresponding registration data and services to the user terminal and to the third-party application client running on it, and return a registration success response message to the user terminal.
Step 114: the user terminal receives the client registration response message sent by the registration server and performs the corresponding operation.
The user terminal receives the client registration response message sent by the registration server; this client registration response message is either a registration success response message or a registration failure response message.
The user terminal performs the corresponding operation according to the client registration response message, as follows:
if the client registration response message is a registration success response message, the user terminal determines that the registration process succeeded and obtains the required registration data and services as needed;
if the client registration response message is a registration failure response message, the user terminal determines that the registration process failed.
In summary, the method provided in this embodiment provides a secure verification environment for the registration of the user terminal and of the third-party application client running on it. After the registration process succeeds, the user terminal and the third-party application client running on it can obtain the corresponding registration data and services from the registration server. The whole process does not require the user to enter registration information, which improves the user experience.
Before this embodiment is implemented, the root key negotiation process must be completed. In that process, on the basis of the mobile user identifier and key stored in the subscriber identity module SIM card and of the identical mobile user identifier and key stored in the home subscriber server HSS, the user terminal and the registration server authenticate and negotiate with each other and, without exchanging keys, each generate a root key of identical value for the same mobile user identifier. That is, after the root key negotiation process is completed, the first root key has been generated on the user terminal, and the second root key has been generated on the registration server and stored in correspondence with the mobile user identifier. The detailed procedure of the root key negotiation process is described in the embodiment shown in Fig. 7 below.
Four. Client registration flow, embodiment two
Referring to Fig. 3, which shows a flowchart of client registration provided by another embodiment of the present invention. This method can be used in the implementation environment shown in Fig. 1. As a more preferred embodiment based on embodiment one, this embodiment additionally provides a third-party user identifier for the third-party application client running on the user terminal. The method may include the following steps:
Step 201: the user terminal starts the client registration process.
The user terminal starts the client registration process after obtaining an operation instruction to start client registration.
Step 202: the user terminal obtains the mobile user identifier and the first root key.
The user terminal obtains the mobile user identifier and the first root key; the registration server stores the mobile user identifier and a second root key corresponding to that mobile user identifier.
Step 203: the user terminal obtains the third-party application identifier corresponding to the third-party application client.
The third-party application identifier is built into the software installation package of the third-party application client and stored in a configuration file after installation, or is obtained by the third-party application client by sending a request to the third-party application server.
The user terminal may obtain the third-party application identifier as follows:
for example, the third-party application client sends the operation instruction to start client registration to the user terminal, the operation instruction includes the third-party application identifier, and the user terminal obtains the third-party application identifier from the operation instruction;
as another example, the user terminal obtains the third-party application identifier from the configuration file corresponding to the third-party application client.
Step 204: the user terminal generates the first signature key on the basis of the first root key.
For example, the first root key may be used directly as the first signature key.
As another example, the first signature key is generated from the first root key using a key derivation algorithm. Specifically, the key derivation algorithm can be expressed as DK = PBKDF2(passphrase, Salt, c, dkLen), where DK is the generated first signature key, PBKDF2 is the key derivation algorithm, passphrase is a character string formed by concatenating the first root key and/or the third-party application identifier and/or the mobile user identifier, Salt is the salt value (a fixed character string in this example), c is the iteration count, and dkLen is the output key length.
Step 205: the user terminal generates the first information to be signed, which includes the mobile user identifier.
Optionally, to prevent replay attacks, the first information to be signed may also include a timestamp, generated from the current system time of the user terminal; the first information to be signed is then the concatenation of the mobile user identifier and the timestamp.
Step 206: the user terminal uses a signature algorithm to compute the first request signature value from the first information to be signed on the basis of the first signature key.
The generated first request signature value uniquely identifies the first information to be signed: only the same signature algorithm, the same information to be signed and the same signature key produce the same signature value.
For example, the signature algorithm can be expressed as Signature = HMAC_SHA256(k, m), where m is the information to be signed (the first information to be signed), k is the signature key (the first signature key), HMAC_SHA256 is the signature algorithm, and Signature is the signature value (the first request signature value).
Step 207: the user terminal sends a client registration request to the registration server; the client registration request includes the mobile user identifier, the third-party application identifier and the first request signature value.
Optionally, if the information to be signed generated in step 205 includes a timestamp, the client registration request also includes that timestamp.
Correspondingly, the registration server receives the client registration request sent by the user terminal and obtains the mobile user identifier, the third-party application identifier, the first request signature value and the timestamp from the client registration request.
Step 208, optionally, registrar determines the validity of client registers request.
If further including in step 207 timestamp in client registers request, by the timestamp and registrar Present system time be compared, determine both time difference whether in preset effective range:
If it is in effective range, then following step 209 is executed;
If not in effective range, then client registers response message, client note are sent to user terminal Volume response message is registration failure response message, then executes following step 218.
Step 209: the registrar obtains the second root key according to the mobile user identifier.
A correspondence between mobile user identifiers and second root keys is stored on the registrar.
The registrar looks up and obtains the corresponding second root key in that correspondence according to the mobile user identifier.
Step 210: the registrar generates the second signature key from the second root key, using the same signature key generation mode as the user terminal.
For example, using the same signature key generation mode as the user terminal in step 204: if the user terminal uses the first root key directly as the first signature key, the registrar uses the second root key directly as the second signature key.
As another example, using the same signature key generation mode as the user terminal in step 204: if the user terminal generates the first signature key from the first root key with a key derivation algorithm, the registrar generates the second signature key from the second root key with the same key derivation algorithm. Specifically, taking the corresponding example of step 204, the key derivation algorithm formula is DK = PBKDF2(passphrase, Salt, c, dkLen), where DK is the generated second signature key; PBKDF2 is the same key derivation algorithm as used by the user terminal; passphrase is the character string formed by concatenating the second root key or/and the third-party application identifier or/and the mobile user identifier, concatenated in the same way as on the user terminal; Salt is a salt value, a fixed character string identical to the one used on the user terminal; c is the same iteration count as on the user terminal; dkLen is the same key output length as on the user terminal.
Step 211: the registrar generates second information to be signed, which includes the mobile user identifier.
The registrar generates the second information to be signed, which includes the mobile user identifier; it is generated in the same way as the user terminal generates the first information to be signed.
Optionally, if the client registration request of step 207 includes a timestamp, the second information to be signed also includes the timestamp; that is, the second information to be signed is the concatenation of the mobile user identifier and the timestamp, concatenated in the same way as on the user terminal, so that identical information to be signed is produced.
Step 212: the registrar computes a second request signature value over the second information to be signed, using the same signature algorithm as the user terminal keyed with the second signature key.
For example, using the same signature algorithm as the user terminal in step 206, the signature algorithm may be expressed as Signature = HMAC_SHA256(k, m), where m is the information to be signed (here the second information to be signed), k is the signature key (here the second signature key), HMAC_SHA256 is the same signature algorithm as on the user terminal, and Signature is the signature value (here the second request signature value).
Step 213: the registrar compares whether the second request signature value and the first request signature value are consistent and performs the corresponding operation.
The registrar compares whether the second request signature value and the first request signature value are consistent, and performs the corresponding operation according to the comparison result, as follows:
If the comparison result is consistent, the first request signature value is determined to be valid, and step 214 below is executed.
If the comparison result is inconsistent, the first request signature value is determined to be invalid; the registrar sends a client registration response message to the user terminal, the client registration response message being a registration failure response message, and step 218 below is executed.
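The signing side of steps 204 to 207 and the verifying side of steps 208 to 213, as an added example that is not the patent's own code: the first signature key is derived with PBKDF2 from the root key, the application identifier and the mobile user identifier (one of the concatenation orders the text allows), the request signature is HMAC_SHA256 over mobile user identifier and timestamp, and the registrar checks the timestamp window before recomputing and comparing the signature in constant time. The root key, identifiers, salt, iteration count, output length and validity window are constructed values; the "unknown_user" outcome for a mobile user identifier with no stored second root key is my addition, since the text does not say what the registrar does in that case.

```python
"""Added example (not code from the patent): client registration request
signing (user terminal) and verification (registrar) with HMAC_SHA256 and a
PBKDF2-derived signature key.  All parameters below are constructed."""
import hashlib
import hmac
import time

SALT = b"example-fixed-salt"      # assumed: the fixed salt string shared by both sides
ITERATIONS = 10_000               # assumed: the agreed iteration count c
DK_LEN = 32                       # assumed: the agreed output length dkLen
VALIDITY_WINDOW_SECONDS = 300     # assumed: the "preset effective range" of step 208


def derive_signature_key(root_key: bytes, app_id: str, mobile_user_id: str) -> bytes:
    """DK = PBKDF2(passphrase, Salt, c, dkLen), passphrase = root key || app id || mobile user id."""
    passphrase = root_key + app_id.encode() + mobile_user_id.encode()
    return hashlib.pbkdf2_hmac("sha256", passphrase, SALT, ITERATIONS, DK_LEN)


def info_to_sign(mobile_user_id: str, timestamp: int) -> bytes:
    """Information to be signed: mobile user identifier and timestamp, concatenated."""
    return f"{mobile_user_id}|{timestamp}".encode()


def build_registration_request(root_key: bytes, mobile_user_id: str, app_id: str, now: int) -> dict:
    """User terminal side (steps 204 to 207): Signature = HMAC_SHA256(k, m)."""
    k = derive_signature_key(root_key, app_id, mobile_user_id)
    sig = hmac.new(k, info_to_sign(mobile_user_id, now), hashlib.sha256).hexdigest()
    return {"mobile_user_id": mobile_user_id, "app_id": app_id, "timestamp": now, "signature": sig}


def verify_registration_request(request: dict, root_keys: dict, now: int) -> str:
    """Registrar side (steps 208 to 213).  root_keys maps mobile user identifier to the
    stored second root key.  Returns "ok", "stale_timestamp", "unknown_user" or "bad_signature"."""
    if abs(now - request["timestamp"]) > VALIDITY_WINDOW_SECONDS:
        return "stale_timestamp"                     # step 208: outside the validity window
    root_key = root_keys.get(request["mobile_user_id"])
    if root_key is None:
        return "unknown_user"                        # step 209: no second root key stored
    k2 = derive_signature_key(root_key, request["app_id"], request["mobile_user_id"])
    m2 = info_to_sign(request["mobile_user_id"], request["timestamp"])
    expected = hmac.new(k2, m2, hashlib.sha256).hexdigest()   # step 212
    # step 213: compare the second and first request signature values without timing leaks
    return "ok" if hmac.compare_digest(expected, request["signature"]) else "bad_signature"


if __name__ == "__main__":
    root = bytes(range(32))                          # constructed root key shared after negotiation
    req = build_registration_request(root, "234150999999999", "app-example", int(time.time()))
    print(verify_registration_request(req, {"234150999999999": root}, int(time.time())))
```

The registrar's stored table is keyed by the mobile user identifier, so a request that carries a different identifier is rejected either by the missing root key or by the signature mismatch; the timestamp check runs first so that replayed requests are dropped before any key derivation work is done.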
Step 214: the registrar looks up the third-party user identifier corresponding to the mobile user identifier and the third-party application identifier.
An account correspondence between the pair (mobile user identifier, third-party application identifier) and the third-party user identifier is stored on the registrar; the corresponding third-party user identifier can be looked up and obtained in the account correspondence according to the third-party application identifier and the mobile user identifier.
The registrar looks up and obtains the corresponding third-party user identifier in the account correspondence according to the third-party application identifier and the mobile user identifier.
If a corresponding third-party user identifier is found, the registrar has already created, for this mobile user identifier, a third-party user identifier for this third-party application identifier; the registrar obtains the corresponding third-party user identifier and then executes step 215 below.
If no corresponding third-party user identifier is found, the registrar has not yet created, for this mobile user identifier, a third-party user identifier for this third-party application identifier, and step 217 below is executed.
Step 215: the registrar creates a unique third-party user identifier.
The registrar creates a new user identifier that is unique either among all third-party user identifiers on the registrar or among all third-party user identifiers corresponding to this third-party application identifier in the account correspondence described in step 214, and uses the new user identifier as the third-party user identifier.
Step 216: the registrar establishes and stores the correspondence between the mobile user identifier, the third-party application identifier and the third-party user identifier.
The registrar adds to the account correspondence described in step 214 the correspondence between the mobile user identifier, the third-party application identifier and the third-party user identifier, so that the third-party user identifier can thereafter be looked up and obtained in the account correspondence according to the mobile user identifier and the third-party application identifier.
Steps 214, 215 and 216 may also be implemented as follows: the registrar pre-establishes an application user relation table for the third-party application identifier, in which one-to-one relationships between mobile user identifiers and third-party user identifiers are stored. The registrar looks up the third-party user identifier in the application user relation table according to the mobile user identifier; if no third-party user identifier is found, it creates a unique third-party user identifier and adds the one-to-one relationship between the mobile user identifier and that third-party user identifier to the application user relation table; if a third-party user identifier is found, it obtains that third-party user identifier.
Steps 214, 215 and 216 may also be implemented as follows: the registrar pre-establishes a mobile user relation table for the mobile user identifier, in which one-to-one relationships between third-party application identifiers and third-party user identifiers are stored. The registrar looks up the third-party user identifier in the mobile user relation table according to the third-party application identifier; if no third-party user identifier is found, it creates a unique third-party user identifier and adds the one-to-one relationship between the third-party application identifier and that third-party user identifier to the mobile user relation table; if a third-party user identifier is found, it obtains that third-party user identifier.
Step 217: the registrar sends a client registration response message to the user terminal; the client registration response message is a registration success response message and includes the third-party user identifier.
Step 218: the user terminal receives the client registration response message sent by the registrar and performs the corresponding operation.
The user terminal receives the client registration response message sent by the registrar; the client registration response message is either a registration success response message or a registration failure response message.
The user terminal performs the corresponding operation according to the client registration response message, as follows:
If the client registration response message is a registration success response message, the user terminal obtains the third-party user identifier from the registration success response message and sends the third-party user identifier to the third-party application client corresponding to the third-party application identifier.
If the client registration response message is a registration failure response message, the user terminal ends this process, or sends the registration failure response message to the third-party application client and then ends this process.
By the above process, on the basis of embodiment one, the present embodiment further generates or obtains a third-party user identifier for the third-party application client running on the user terminal. In addition to the effects of embodiment one, the effects brought include at least: first, a third-party user identifier is obtained automatically for the third-party application client, which reduces the terminal user's input operations and improves the user experience; second, as long as the same subscriber identity module (SIM card) is used, even when it is moved to another user terminal, the same third-party application client automatically obtains the same third-party application identifier; third, the third-party application server corresponding to the third-party application client can only obtain the associated third-party application identifier and cannot obtain the mobile user identifier, so the user's privacy is effectively protected from leakage.
Five, client registration process embodiment three
Referring to FIG. 4, which shows a flow chart of client registration provided by another embodiment of the present invention, this method can be used in the implementation environment shown in FIG. 1. As a preferred embodiment based on embodiment two, the present embodiment further generates an application key for the third-party application client running on the user terminal. The method may include the following steps:
Steps 301 to 316 are the same as or similar to steps 201 to 216 of embodiment two and are not repeated here.
Step 317: the registrar generates a second application key from the second root key.
For example, the second application key is generated from the second root key using a key derivation algorithm. Specifically, the key derivation algorithm formula may be expressed as DK = PBKDF2(passphrase, Salt, c, dkLen), where DK is the generated second application key; PBKDF2 is the key derivation algorithm; passphrase is the character string formed by concatenating the second root key or/and the third-party application identifier or/and the third-party user identifier; Salt is a salt value, a fixed character string in this example; c is the iteration count; dkLen is the key output length.
Step 318: the registrar establishes the correspondence between the third-party user identifier and the second application key.
If the third-party user identifier is unique among all third-party user identifiers on the registrar, the correspondence between the third-party user identifier and the second application key is established.
If the third-party user identifier is unique only among the third-party user identifiers corresponding to the third-party application identifier, the correspondence between the pair (third-party user identifier, third-party application identifier) and the second application key is established.
At this point the registrar has established the correspondence between the third-party user identifier and the second application key. The registrar may store the correspondence locally, or synchronize it to a third-party authentication server, or synchronize it to the third-party application server corresponding to the third-party application identifier. Then, based on this correspondence, if the third-party application client running on the user terminal holds the same third-party user identifier and an application key whose value equals the second application key, operations such as identity authentication and data encryption can be performed for the third-party application client.
Taking local storage on the registrar as an example, the registrar pre-establishes an account key relation table for the third-party application identifier, in which one-to-one relationships between third-party user identifiers and second application keys are stored. The registrar looks up the second application key in the account key relation table according to the third-party user identifier; if no second application key is found, it adds the one-to-one relationship between the third-party user identifier and the second application key to the account key relation table; if one is found, it replaces the existing application key of that third-party user identifier in the account key relation table with the newly generated second application key.
Step 319: the registrar sends a client registration response message to the user terminal; the client registration response message is a registration success response message and includes the third-party user identifier.
It should be noted that steps 317 and 318 may also be executed after the registrar sends the client registration response message to the user terminal in step 319; the present invention does not limit this.
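The registrar-side bookkeeping of steps 214 to 216 (application user relation table) and steps 317 to 318 (account key relation table), plus the user terminal's matching derivation of step 321, as an added example that is not the patent's own code. The tables are in-memory dicts; the third-party user identifier is drawn from a CSPRNG and checked for uniqueness within the application; the application key is PBKDF2 over root key, application identifier and third-party user identifier, which is one of the concatenation orders the text allows. The identifiers, root keys, salt, iteration count and output length are constructed values.

```python
"""Added example (not code from the patent): per-application pseudonymous user
identifiers and application-key derivation on the registrar, with the same
derivation usable on the user terminal.  All parameters are constructed."""
import hashlib
import secrets

SALT = b"example-fixed-salt"   # assumed fixed salt string
ITERATIONS = 10_000            # assumed iteration count c
DK_LEN = 32                    # assumed output length dkLen


def derive_application_key(root_key: bytes, app_id: str, third_party_user_id: str) -> bytes:
    """DK = PBKDF2(passphrase, Salt, c, dkLen); used unchanged by both sides (steps 317 and 321)."""
    passphrase = root_key + app_id.encode() + third_party_user_id.encode()
    return hashlib.pbkdf2_hmac("sha256", passphrase, SALT, ITERATIONS, DK_LEN)


class Registrar:
    def __init__(self) -> None:
        # application user relation table: app_id -> {mobile_user_id: third_party_user_id}
        self.app_users: dict = {}
        # account key relation table: app_id -> {third_party_user_id: second application key}
        self.account_keys: dict = {}

    def third_party_user_id(self, app_id: str, mobile_user_id: str) -> str:
        """Steps 214 to 216: look up, else create an identifier unique within this application."""
        table = self.app_users.setdefault(app_id, {})
        tp_id = table.get(mobile_user_id)
        if tp_id is None:
            tp_id = secrets.token_hex(16)
            while tp_id in table.values():          # uniqueness among this application's ids
                tp_id = secrets.token_hex(16)
            table[mobile_user_id] = tp_id            # step 216: store the relationship
        return tp_id

    def register(self, mobile_user_id: str, app_id: str, second_root_key: bytes):
        """Steps 317 and 318: derive the second application key and insert or replace it."""
        tp_id = self.third_party_user_id(app_id, mobile_user_id)
        app_key = derive_application_key(second_root_key, app_id, tp_id)
        self.account_keys.setdefault(app_id, {})[tp_id] = app_key   # replaces any existing key
        return tp_id, app_key


if __name__ == "__main__":
    reg = Registrar()
    root = bytes(range(32))                           # constructed root key
    tp_id, key = reg.register("234150999999999", "app-example", root)
    # user terminal side (step 321) reaches the same key from the same root key and identifier
    print(tp_id, derive_application_key(root, "app-example", tp_id) == key)
```

The third-party application server only ever sees the per-application identifier, never the mobile user identifier, and a fresh root key negotiation simply overwrites the stored application key for the unchanged identifier, which is the replacement rule the account key relation table description gives.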
Step 320: the user terminal receives the client registration response message sent by the registrar and performs the corresponding operation.
The user terminal receives the client registration response message sent by the registrar; the client registration response message is either a registration success response message or a registration failure response message.
The user terminal performs the corresponding operation according to the client registration response message, as follows:
If the client registration response message is a registration success response message, the user terminal obtains the third-party user identifier from the registration success response message and then executes step 321 below.
If the client registration response message is a registration failure response message, the user terminal ends this process, or sends the registration failure response message to the third-party application client and then ends this process; the following steps are not executed.
Step 321: the user terminal generates a first application key from the first root key, using the same application key generation mode as the registrar.
For example, the user terminal uses the same key derivation algorithm as the registrar in step 317. Specifically, the key derivation algorithm formula may be expressed as DK = PBKDF2(passphrase, Salt, c, dkLen), where DK is the generated first application key; PBKDF2 is the same key derivation algorithm as on the registrar; passphrase is the character string formed by concatenating the first root key or/and the third-party application identifier or/and the third-party user identifier, concatenated in the same way as on the registrar; Salt is a salt value, a fixed character string identical to the one used on the registrar; c is the same iteration count as on the registrar; dkLen is the same key output length as on the registrar.
At this point, because the first root key generated on the user terminal and the second root key generated on the registrar after the root key negotiation process are identical, and because the first application key and the second application key are generated with the same application key generation mode from identical root keys, the values of the first application key and the second application key are also identical.
The user terminal sends the first application key together with the third-party user identifier to the third-party application client corresponding to the third-party application identifier; the third-party application client can then perform operations such as identity authentication and data encryption towards the third-party application server using the third-party user identifier and the first application key.
By the above process, on the basis of embodiment two obtaining the third-party user identifier, the present embodiment further generates an application key for the third-party application client. In addition to the effects of embodiment two, the effects brought include at least: first, an application key is generated automatically for the third-party application client, which reduces the terminal user's input operations and improves the user experience; second, the third-party application client running on the user terminal can use the obtained third-party user identifier and the generated application key to perform fast and secure operations such as identity authentication and data encryption.
Six, client registration process embodiment four
Referring to FIG. 5, which shows a flow chart of client registration provided by another embodiment of the present invention, this method can be used in the implementation environment shown in FIG. 1. As a preferred embodiment based on embodiment two, the present embodiment further generates an authentication token for the third-party application client running on the user terminal. The method may include the following steps:
Steps 401 to 413 are the same as or similar to steps 201 to 213 of embodiment two and are not repeated here.
Step 414: the registrar generates an authentication token for the third-party application identifier.
The registrar generates an authentication token for the third-party application identifier; the authentication token is unique and has sufficient length and sufficient randomness that it is difficult to guess or crack.
Step 415: the registrar establishes the association between the authentication token and the third-party application identifier.
At this point the registrar has established the association between the authentication token and the third-party application identifier. The registrar may store the association locally, or synchronize the association to a third-party authentication server, or synchronize the authentication token to the third-party application server corresponding to the third-party application identifier. Then, based on this association, if the third-party application client running on the user terminal holds the same authentication token, the third-party application server can authenticate the third-party application client.
Steps 414 and 415 may also be implemented as follows: the registrar pre-establishes a user token relation table of authentication tokens and third-party application identifiers, in which correspondences between authentication tokens and mobile user identifiers are stored. The registrar adds the correspondence between the authentication token and the mobile user identifier to the user token relation table.
It should be noted that a cleanup mechanism should be provided so that the correspondence of an authentication token that is no longer valid is removed in time, for example by deleting the correspondence of the authentication token once it has been verified once, or by setting a validity period on the authentication token and deleting, according to the validity period, the correspondences of authentication tokens whose validity period has expired. The specific cleanup mechanism is not described further here.
It should also be noted that, in order to provide continued application services to the same user, the correspondence between the authentication token and the mobile user identifier should also be established, so that the mobile user identifier can be found from the authentication token and continued service provided to the same user. Further, in order not to reveal the mobile user identifier on the third-party application server, a unique user identifier corresponding to the mobile user identifier and the third-party application identifier can be created, and the correspondence between the authentication token and that user identifier established instead, so as to protect the user's privacy. The specific mechanism is not described further here.
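Token issuance for steps 414 and 415 together with the two cleanup mechanisms and the privacy indirection described in the two notes above, as an added example that is not the patent's own code. The token is 256 bits from a CSPRNG, only its SHA-256 digest is kept in the user token relation table, each entry carries a validity period, a token is deleted on its first verification, and the table maps the token to a per-application pseudonymous user identifier rather than to the mobile user identifier. Token length, lifetime, identifiers and timestamps are constructed values.

```python
"""Added example (not code from the patent): authentication-token table with
one-time use, a validity period and a pseudonymous user identifier per
application.  Sizes and lifetimes are constructed values."""
import hashlib
import secrets

TOKEN_BYTES = 32         # assumed: 256 bits of randomness per token
TOKEN_LIFETIME = 600     # assumed validity period in seconds


def _digest(token: str) -> str:
    """Store only a hash of the token so a copy of the table does not yield usable tokens."""
    return hashlib.sha256(token.encode()).hexdigest()


class TokenStore:
    def __init__(self) -> None:
        # user token relation table: sha256(token) -> (app_id, user_id, expires_at)
        self.tokens: dict = {}
        # per-application pseudonym: (app_id, mobile_user_id) -> user_id
        self.pseudonyms: dict = {}

    def user_id_for(self, app_id: str, mobile_user_id: str) -> str:
        """Unique user identifier for (mobile user identifier, application identifier)."""
        key = (app_id, mobile_user_id)
        if key not in self.pseudonyms:
            self.pseudonyms[key] = secrets.token_hex(16)
        return self.pseudonyms[key]

    def issue(self, app_id: str, mobile_user_id: str, now: int) -> str:
        """Step 414/415: generate a unique random token and record its association."""
        token = secrets.token_urlsafe(TOKEN_BYTES)
        while _digest(token) in self.tokens:              # uniqueness across the table
            token = secrets.token_urlsafe(TOKEN_BYTES)
        user_id = self.user_id_for(app_id, mobile_user_id)
        self.tokens[_digest(token)] = (app_id, user_id, now + TOKEN_LIFETIME)
        return token

    def verify_once(self, token: str, app_id: str, now: int):
        """Return the pseudonymous user id, or None.  The entry is removed on first use."""
        entry = self.tokens.pop(_digest(token), None)       # one-time use cleanup
        if entry is None:
            return None
        entry_app, user_id, expires_at = entry
        if entry_app != app_id or now > expires_at:
            return None
        return user_id

    def purge_expired(self, now: int) -> int:
        """Validity-period cleanup: delete entries whose validity period has passed."""
        expired = [h for h, (_, _, exp) in self.tokens.items() if now > exp]
        for h in expired:
            del self.tokens[h]
        return len(expired)


if __name__ == "__main__":
    store = TokenStore()
    tok = store.issue("app-example", "234150999999999", now=1_000)
    print(store.verify_once(tok, "app-example", now=1_100))   # pseudonymous user id
    print(store.verify_once(tok, "app-example", now=1_100))   # None: already consumed
```

Because the third-party application server resolves the token only to the pseudonymous identifier, the mobile user identifier stays on the registrar, which is the privacy property the second note asks for; the registrar can still map the pseudonym back to the mobile user when continued service requires it.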
Step 416: the registrar sends a client registration response message to the user terminal; the client registration response message is a registration success response message and includes the authentication token.
Step 417: the user terminal receives the client registration response message sent by the registrar and performs the corresponding operation.
The user terminal receives the client registration response message sent by the registrar; the client registration response message is either a registration success response message or a registration failure response message.
The user terminal performs the corresponding operation according to the client registration response message, as follows:
If the client registration response message is a registration success response message, the user terminal obtains the authentication token from the registration success response message and passes the authentication token to the third-party application client corresponding to the third-party application identifier for use in identity authentication, and then ends this process.
If the client registration response message is a registration failure response message, the user terminal ends this process, or passes the registration failure response message to the third-party application client and then ends this process.
By the above process, on the basis of embodiment one, the present embodiment further generates an authentication token for the third-party application identifier corresponding to the mobile user identifier. In addition to the effects of embodiment one, the effects brought include at least: first, an authentication token is obtained automatically for the third-party application client, which reduces the terminal user's input operations and improves the user experience; second, the authentication token can be used by the third-party application client for identity authentication to the corresponding third-party application server, which improves the user experience; third, when used for identity authentication the authentication token requires no encryption computations, so it is better suited to some lightweight application clients (such as browser-based web applications).
Seven, client registration process embodiment five
Referring to FIG. 6, which shows a flow chart of client registration provided by another embodiment of the present invention, this method can be used in the implementation environment shown in FIG. 1. As a preferred embodiment based on embodiment two, the present embodiment further implements a permission confirmation process for the terminal user. The following steps of this method are applied after the first request signature value is determined to be valid in step 213 of embodiment two and before step 214, and comprise the following steps:
Step a: the registrar sends an application authorization request message to the user terminal.
The application authorization request message includes one or both of the following:
the third-party application name, which identifies the third-party application client and third-party application server; the correspondence between third-party application identifiers and third-party application names is pre-stored on the registrar, and the registrar looks up and obtains the corresponding third-party application name in that correspondence according to the third-party application identifier;
the mobile user name, which identifies the mobile user; the correspondence between mobile user identifiers and mobile user names is pre-stored on the registrar, and the registrar looks up and obtains the corresponding mobile user name in that correspondence according to the mobile user identifier.
Correspondingly, the user terminal receives the application authorization request message sent by the registrar.
Step b: the user terminal displays an application authorization verification interface.
After receiving the application authorization request message sent by the registrar, the user terminal invokes and displays the application authorization verification interface, which asks the terminal user whether they intend to authorize the third-party application.
The displayed application authorization verification interface may include one or both of the following:
the third-party application name, i.e. the name of the third-party application client and third-party application server about to be authorized;
the mobile user name, i.e. the name of the mobile user about to be authorized.
After the application authorization verification interface is displayed, the terminal user can enter authorization information: agree to authorize, or cancel authorization.
Optionally, the displayed application authorization verification interface may also include a security verification code input box asking the terminal user to enter a security verification code. The security verification code further verifies the terminal user's authorization; correspondingly, the correspondence between mobile user identifiers and security verification codes is pre-stored on the registrar.
Step c: the user terminal receives the authorization information entered by the terminal user in the application authorization verification interface.
Step d: the user terminal sends an application authorization response message to the registrar; the application authorization response message is either an application authorization confirmation message or an application authorization cancellation message.
The user terminal performs the corresponding operation according to the authorization information entered by the terminal user, as follows:
If the authorization information is agree to authorize, the application authorization response message the user terminal sends to the registrar is an application authorization confirmation message.
Optionally, if the displayed application authorization verification interface also includes a security verification code input box and the authorization information entered by the terminal user and received by the user terminal includes a security verification code, the application authorization confirmation message the user terminal sends to the registrar also includes the security verification code.
If the authorization information is cancel authorization, the application authorization response message the user terminal sends to the registrar is an application authorization cancellation message.
Step e: the registrar receives the application authorization response message sent by the user terminal and performs the corresponding operation.
The registrar receives the application authorization response message sent by the user terminal; the application authorization response message is either an application authorization confirmation message or an application authorization cancellation message.
The registrar performs the corresponding operation according to the application authorization response message, as follows:
If the application authorization response message is an application authorization confirmation message, the subsequent steps continue to be executed.
Optionally, the correspondence between mobile user identifiers and security verification codes is pre-stored on the registrar; if the application authorization confirmation message received by the registrar includes a security verification code, the registrar looks up and obtains the corresponding security verification code in that correspondence according to the mobile user identifier and compares the two security verification codes: if they are consistent, the subsequent steps continue to be executed; if they are inconsistent, the process ends and the subsequent steps are not executed.
If the application authorization response message is an application authorization cancellation message, the process ends and the subsequent steps are not executed.
The method provided in this embodiment adds, on the basis of embodiment two, a process in which the terminal user verifies and permits the authorization. By adding this process it can be further confirmed that the client registration process has obtained the terminal user's permission, avoiding authorization of an unneeded third-party application client due to causes such as accidental operation.
The present embodiment may also be combined with embodiment three to form a new embodiment, i.e. the method steps of the present embodiment are applied after the first request signature value is determined to be valid in step 313 of embodiment three and before step 314; the detailed process is not repeated.
The present embodiment may also be combined with embodiment four to form a new embodiment, i.e. the method steps of the present embodiment are applied after the first request signature value is determined to be valid in step 413 of embodiment four and before step 414; the detailed process is not repeated.
Eight, root key negotiation process embodiment
Referring to FIG. 7, which shows a flow chart of the root key negotiation process provided by an embodiment of the present invention, this method can be used in the implementation environment shown in FIG. 1. The method may include the following steps:
Step 501: the user terminal starts the root key negotiation process.
After obtaining an operation instruction for root key negotiation, the user terminal starts the root key negotiation process.
Step 502: the user terminal obtains the mobile user identifier.
The mobile user identifier is an identifier that uniquely identifies the subscriber identity module (SIM card); the mobile user identifier is an IMSI or an IMPI. This mobile user identifier and the mobile user identifier obtained in the client registration process are the same identifier.
For example, taking a USIM card as the subscriber identity module SIM card, the mobile user identifier obtained from the USIM is the IMSI; the user terminal obtains the IMSI through an API of the operating system (for example, the getSubscriberId method on the Android system), or reads the EFimsi value of the USIM card through APDU commands.
As another example, taking an ISIM card as the subscriber identity module SIM card, the mobile user identifier obtained from the ISIM card is the IMPI; the user terminal reads the EFimpi value of the ISIM card through APDU commands.
Step 503: the user terminal sends a root key negotiation request to the registrar; the root key negotiation request includes the mobile user identifier.
Correspondingly, the registrar receives the root key negotiation request sent by the user terminal.
Step 504: the registrar sends an authentication request message to the home subscriber server (HSS); the authentication request message includes the mobile user identifier.
Taking the case where the mobile user identifier is an IMSI as an example, a Multimedia-Auth-Request authentication request message may be sent to the SWx interface of the home subscriber server HSS; the Multimedia-Auth-Request authentication request message includes the mobile user identifier.
Taking the case where the mobile user identifier is an IMPI as an example, a Multimedia-Auth-Request authentication request message may be sent to the Cx or SWx interface of the home subscriber server HSS; the Multimedia-Auth-Request authentication request message includes the mobile user identifier.
Further, in order to support mobile user identifiers of both the IMSI and IMPI types at the same time, the registrar may also judge the type of the mobile user identifier and then send the Multimedia-Auth-Request authentication request message to the Cx or SWx interface of the home subscriber server HSS accordingly. One way to judge the type of a mobile user identifier is from the field structure of the identifier: for example, an IMSI is a string of at most 15 Arabic digits (such as 234150999999999), while an IMPI is a network identity conforming to the IETF RFC 2486 specification (such as [email protected]).
Step 505: the registrar receives the authentication answer message returned by the home subscriber server HSS.
After the HSS receives the authentication request message from the registrar, it returns a Multimedia-Auth-Answer authentication answer message to the registrar. The Multimedia-Auth-Answer message contains a SIP-Auth-Data-Item attribute value pair (AVP: Attribute Value Pair), which in turn contains the SIP-Authenticate, SIP-Authorization, Confidentiality-Key and Integrity-Key attribute value pairs.
Step 506: the registrar obtains the random number RAND, the authentication token AUTN, the expected response value XRES, and the second encryption key CK or/and the second integrity key IK from the authentication answer message.
The registrar parses the Multimedia-Auth-Answer message and extracts the SIP-Auth-Data-Item attribute value pair; from the SIP-Authenticate attribute value pair within it, it obtains the random number RAND and the authentication token AUTN; from the SIP-Authorization attribute value pair, the expected response value XRES; from the Confidentiality-Key attribute value pair, the second encryption key CK; or/and from the Integrity-Key attribute value pair, the second integrity key IK.
Step 507: the registrar sends a root key negotiation challenge message to the user terminal; the root key negotiation challenge message includes the random number RAND and the authentication token AUTN.
The registrar retains the expected response value XRES, the second encryption key CK or/and the second integrity key IK.
Correspondingly, the user terminal receives the root key negotiation challenge message sent by the registrar.
Step 508: the user terminal sends an authentication request to the subscriber identification module SIM card; the authentication request includes the random number RAND and the authentication token AUTN.
The user terminal sends the authentication request to the SIM card (for example with the APDU command AUTHENTICATE), passing the random number RAND and the authentication token AUTN as parameters.
Step 509: the user terminal receives the return value of the SIM card, which includes the response value RES, the first encryption key CK and the first integrity key IK.
After the SIM card receives the authentication request sent by the user terminal, it performs the authentication computation and returns a value to the user terminal containing the response value RES, the first encryption key CK and the first integrity key IK; the user terminal receives this return value.
Step 510: the user terminal sends a root key challenge response message to the registrar; the root key challenge response message includes the response value RES.
Optionally, to further protect the response value RES and avoid its leakage in transit, a hash algorithm (for example SHA256) can be applied to RES so that only the hash value of RES is sent, rather than RES in plain text.
Correspondingly, the registrar receives the response value RES, or its hash value, sent by the user terminal.
Step 511: the registrar compares whether the expected response value XRES and the response value RES are consistent.
The registrar compares the locally retained expected response value XRES with the response value RES obtained from the root key challenge response message returned by the user terminal, and acts on the comparison result as follows:
If the comparison result is consistent, step 512 below is executed;
If the comparison result is inconsistent, a root key negotiation response message is sent to the user terminal, namely a root key negotiation failure response message, and step 515 below is executed.
Optionally, as described in step 510, if what the registrar receives is the hash value of the response value RES, the registrar applies the same hash algorithm to the expected response value it retained (XRES) and compares the two hash values.
Step 512: the registrar generates a second root key based on the second encryption key CK or/and the second integrity key IK.
For example, the second root key is the second encryption key CK or the second integrity key IK; or the second root key is the concatenation of the second encryption key CK or/and the second integrity key IK or/and a fixed string; or the second root key is the value obtained by applying a hash algorithm (for example SHA256) to that concatenated plaintext.
Step 513: the registrar establishes the correspondence between the mobile user identification and the second root key.
The correspondence between the mobile user identification and the second root key is established on the registrar, so that the registrar can look up and obtain the corresponding second root key from the mobile user identification.
If a correspondence between this mobile user identification and a second root key is already stored on the registrar, the newly generated second root key replaces the previously stored one.
It should be noted that steps 512 and 513 can also be executed after the registrar sends the root key negotiation success response message to the user terminal in step 514; the present invention does not limit this.
Step 514: the registrar sends a root key negotiation response message to the user terminal, namely a root key negotiation success response message.
Step 515: the user terminal receives the root key negotiation response message sent by the registrar and performs the corresponding operation.
The user terminal receives the root key negotiation response message sent by the registrar; the message is either a root key negotiation success response message or a root key negotiation failure response message.
The user terminal acts on the root key negotiation response message as follows:
If the root key negotiation response message is a root key negotiation success response message, the user terminal executes step 516 below.
If the root key negotiation response message is a root key negotiation failure response message, the following steps are not executed and the current root key negotiation process ends.
Step 516: the user terminal generates the first root key based on the first encryption key CK or/and the first integrity key IK, using the same root key generation method as the registrar.
For example, corresponding to the root key generation method on the registrar: if the second root key is the second encryption key CK or the second integrity key IK, the first root key is the first encryption key CK or the first integrity key IK; if the second root key is the concatenation of the second encryption key CK or/and the second integrity key IK or/and a fixed string, the first root key is the concatenation of the first encryption key CK or/and the first integrity key IK or/and the same fixed string; if the second root key is the value obtained by applying a hash algorithm (for example SHA256) to the concatenated plaintext, the first root key is the value obtained by applying the same hash algorithm (for example SHA256) to the concatenated plaintext.
At this point, because the above process is realized on the basis of the AKA mechanism (Authentication and Key Agreement), the first encryption key CK and first integrity key IK obtained on the user terminal are identical to the second encryption key CK and second integrity key IK obtained on the registrar, and because the root key generation method is the same on both sides, the first root key generated on the user terminal and the second root key generated on the registrar have the same value.
With the method provided by this embodiment, the user terminal, based on the mobile user identification and key stored in the SIM card, and the registrar, based on the same mobile user identification and key stored in the home subscriber server HSS, each generate a root key of identical value for the same mobile user identification through the authentication and key agreement process between them, without the root key ever being exchanged.
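As an added illustration (not code from the patent), the following Python model walks through the root key negotiation of steps 502 to 516 on both sides, including the IMSI/IMPI type check of step 504, the hashed RES option of step 510 and the root key replacement of step 513. The HSS, the Diameter Cx/SWx exchange and the MILENAGE functions on the SIM are replaced by an HMAC-SHA256 stand-in keyed with the subscriber key K; the fixed string, the subscriber key and the identifiers are constructed for the example.

```python
import hashlib
import hmac
import os
import re

# Assumed fixed string spliced into the root key input (constructed for this example).
FIXED_STRING = b"root-key-v1"


def identifier_type(mui: str) -> str:
    """Step 504: classify the mobile user identification by its field structure.
    An IMSI is at most 15 decimal digits; an IMPI is an RFC 2486 style NAI."""
    if re.fullmatch(r"[0-9]{1,15}", mui):
        return "IMSI"
    if re.fullmatch(r"[^@\s]+@[^@\s]+", mui):
        return "IMPI"
    raise ValueError("unrecognised mobile user identification")


def _prf(k: bytes, label: bytes, rand: bytes) -> bytes:
    # Toy stand-in for the MILENAGE functions: HMAC-SHA256(K, label || RAND).
    return hmac.new(k, label + rand, hashlib.sha256).digest()


def hss_authentication_vector(k: bytes, rand: bytes = b"") -> dict:
    """Stand-in for the HSS: the values the registrar extracts in step 506 from the
    SIP-Auth-Data-Item AVP of the Multimedia-Auth-Answer (RAND, AUTN, XRES, CK, IK)."""
    rand = rand or os.urandom(16)
    return {
        "RAND": rand,
        "AUTN": _prf(k, b"autn", rand)[:16],
        "XRES": _prf(k, b"res", rand)[:8],
        "CK": _prf(k, b"ck", rand)[:16],
        "IK": _prf(k, b"ik", rand)[:16],
    }


def sim_authenticate(k: bytes, rand: bytes, autn: bytes) -> dict:
    """Steps 508/509: the SIM checks AUTN (so the terminal authenticates the network
    too) and returns RES, the first CK and the first IK."""
    if not hmac.compare_digest(autn, _prf(k, b"autn", rand)[:16]):
        raise ValueError("AUTN check failed: network not authenticated")
    return {
        "RES": _prf(k, b"res", rand)[:8],
        "CK": _prf(k, b"ck", rand)[:16],
        "IK": _prf(k, b"ik", rand)[:16],
    }


def derive_root_key(ck: bytes, ik: bytes) -> bytes:
    """Steps 512/516: the same derivation on both sides, SHA256(CK || IK || fixed string)."""
    return hashlib.sha256(ck + ik + FIXED_STRING).digest()


def hash_res(res: bytes) -> bytes:
    """Step 510 option: send SHA256(RES) instead of RES in plain text."""
    return hashlib.sha256(res).digest()


class Registrar:
    def __init__(self, subscriber_keys: dict):
        self.subscriber_keys = subscriber_keys  # constructed stand-in for the HSS database
        self.root_keys = {}   # step 513: mobile user identification -> second root key
        self.pending = {}     # step 507: XRES, CK, IK retained per identification

    def negotiate_request(self, mui: str) -> dict:
        """Steps 503 to 507: type check, query the HSS stand-in, return the challenge."""
        identifier_type(mui)
        av = hss_authentication_vector(self.subscriber_keys[mui])
        self.pending[mui] = av
        return {"RAND": av["RAND"], "AUTN": av["AUTN"]}

    def challenge_response(self, mui: str, res_hash: bytes) -> str:
        """Steps 511 to 514: compare hashed XRES with the received hash; on success
        derive the second root key and (re)store it for this identification."""
        av = self.pending.pop(mui)
        if not hmac.compare_digest(hash_res(av["XRES"]), res_hash):
            return "failure"
        self.root_keys[mui] = derive_root_key(av["CK"], av["IK"])
        return "success"


def user_terminal_negotiate(registrar: Registrar, mui: str, sim_k: bytes):
    """Steps 502 to 516 from the user terminal's side; returns the first root key,
    or None when the registrar answers with a failure response (step 515)."""
    challenge = registrar.negotiate_request(mui)
    sim_out = sim_authenticate(sim_k, challenge["RAND"], challenge["AUTN"])
    if registrar.challenge_response(mui, hash_res(sim_out["RES"])) != "success":
        return None
    return derive_root_key(sim_out["CK"], sim_out["IK"])
```

Because RAND is fresh on every run, a second negotiation for the same identification yields a different root key, and the registrar keeps only the latest one, as step 513 requires.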
In addition, to achieve the above object, the present invention also provides a client registration device applied to a user terminal running a third-party application client, comprising a memory, a processor and a client registration program stored on the memory and executable on the processor; when the client registration program is executed by the processor, the steps of the above client registration method are implemented.
In addition, to achieve the above object, the present invention also provides a client registration device applied to a registrar, comprising a memory, a processor and a client registration program stored on the memory and executable on the processor; when the client registration program is executed by the processor, the steps of the above client registration method are implemented.
In addition, to achieve the above object, the present invention also provides a client registration system comprising a user terminal and a registrar;
the user terminal includes the above client registration device;
the registrar includes the above client registration device.
It should be noted that in this document the terms "include", "comprise" or any other variant thereof are intended to cover a non-exclusive inclusion, so that a process, method, article or system that includes a series of elements includes not only those elements but also other elements not explicitly listed, or elements inherent to such a process, method, article or system. In the absence of further limitation, an element defined by the phrase "including a ..." does not exclude the presence of other identical elements in the process, method, article or system that includes that element.
The serial numbers of the above embodiments of the invention are for description only and do not represent the relative merits of the embodiments.
From the above description of the embodiments, those skilled in the art will clearly understand that the methods of the above embodiments can be implemented by means of software together with a necessary general-purpose hardware platform, and of course also by hardware, although in many cases the former is the better embodiment. Based on this understanding, the technical solution of the present invention, in essence or in the part that contributes to the prior art, can be embodied in the form of a software product stored in a storage medium as described above (such as ROM/RAM, a magnetic disk or an optical disc), including several instructions for causing a terminal device (which may be a mobile phone, a computer, a server, an air conditioner, a network device, etc.) to execute the method described in each embodiment of the present invention.
The above are only preferred embodiments of the present invention and do not limit its scope; any equivalent structure or equivalent process transformation made using the contents of the specification and drawings of the present invention, applied directly or indirectly in other related technical fields, is likewise included within the scope of protection of the present invention.

Claims (26)

1. A client registration method, characterized in that it is applied to a user terminal running a third-party application client, the method comprising:
generating first information to be signed, the first information to be signed including a mobile user identification, and the generation method of the first information to be signed being consistent with the generation method by which the registrar generates second information to be signed;
generating a first request signature value, the first request signature value being computed from the first information to be signed using a first signature key;
sending a client registration request to the registrar, the client registration request including the mobile user identification and the first request signature value;
receiving a registration success response message sent by the registrar.
2. The method according to claim 1, characterized in that the client registration request further includes a third-party application identification, the third-party application identification being the one corresponding to the third-party application client.
3. The method according to claim 1 or claim 2, characterized in that the registration success response message further includes a third-party user identification.
4. The method according to claim 3, characterized in that, after the step of receiving the registration success response message sent by the registrar, the method further comprises:
generating a first application key, the first application key being generated based on a first root key.
5. The method according to claim 1 or claim 2, characterized in that the registration success response message includes an authentication token.
6. The method according to any one of claims 2 to 5, characterized in that, after sending the client registration request to the registrar and before receiving the registration success response message sent by the registrar, the method further comprises:
receiving an application authorization request message sent by the registrar;
displaying an application authorization confirmation interface;
receiving the authorization information entered by the end user in the application authorization confirmation interface;
if the authorization information includes a confirmation of authorization, sending an application authorization response message to the registrar, the application authorization response message being an application authorization confirmation message.
7. The method according to claim 1, characterized in that, before the step of generating the first request signature value, the method further comprises:
obtaining a first root key, the first root key having the same value as the second root key corresponding to the mobile user identification stored on the registrar;
generating a first signature key, the first signature key being generated based on the first root key.
8. The method according to claim 4 or claim 7, characterized in that the first root key is generated by the user terminal and the registrar based on the authentication and key agreement (AKA) mechanism.
9. The method according to claim 8, characterized in that the generation by the user terminal and the registrar based on the AKA mechanism comprises:
obtaining the mobile user identification from a subscriber identification module SIM card;
sending a root key negotiation request to the registrar, the root key negotiation request including the mobile user identification;
receiving a root key negotiation challenge message sent by the registrar, the root key negotiation challenge message including a random number RAND and an authentication token AUTN;
sending an authentication request to the subscriber identification module SIM card, the authentication request including the random number RAND and the authentication token AUTN;
receiving a return value of the subscriber identification module SIM card, the return value including a response value RES, a first encryption key CK and a first integrity key IK;
sending a root key challenge response message to the registrar, the root key challenge response message including the response value RES;
receiving a root key negotiation success response message sent by the registrar, the root key negotiation success response message being generated and returned after the registrar has verified that the response value RES in the root key challenge response message is valid;
generating the first root key based on the first encryption key CK or/and the first integrity key IK, the generation method of the first root key being consistent with the generation method by which the registrar generates the second root key.
10. The method according to claim 9, characterized in that:
the subscriber identification module SIM card is a universal subscriber identity module USIM and the mobile user identification is an international mobile subscriber identity IMSI;
or,
the subscriber identification module SIM card is an IP multimedia services identity module ISIM and the mobile user identification is an IP multimedia private identity IMPI.
11. A client registration method, characterized in that it is applied to a registrar, the method comprising:
receiving a client registration request sent by a user terminal, the client registration request including a mobile user identification and a first request signature value;
generating second information to be signed, the second information to be signed including the mobile user identification, and the generation method of the second information to be signed being consistent with the generation method by which the user terminal generates first information to be signed;
obtaining a second signature key according to the mobile user identification;
verifying, using the second signature key and the second information to be signed, whether the first request signature value is valid;
when the first request signature value is verified as valid, sending a registration success response message to the user terminal.
12. The method according to claim 11, characterized in that the client registration request further includes a third-party application identification.
13. The method according to claim 11 or claim 12, characterized in that the registration success response message further includes a third-party user identification.
14. The method according to claim 12, characterized in that the method further comprises:
looking up the corresponding third-party user identification according to the mobile user identification and the third-party application identification;
if a corresponding third-party user identification is found, obtaining the found third-party user identification;
if no corresponding third-party user identification is found, creating a unique third-party user identification, and establishing and storing the correspondence between the mobile user identification, the third-party application identification and the third-party user identification.
15. The method according to claim 12, characterized in that the method further comprises:
when the first request signature value is verified as valid, generating a second application key, the second application key being generated based on a second root key, and the generation method of the second application key being consistent with the generation method by which the user terminal generates a first application key;
establishing the correspondence between the third-party user identification and the second application key.
16. The method according to claim 11 or claim 12, characterized in that the registration success response message further includes an authentication token.
17. The method according to claim 16, characterized in that the method further comprises:
generating an authentication token for the third-party application identification;
establishing the association between the authentication token and the third-party application identification.
18. The method according to any one of claims 12 to 16, characterized in that sending the registration success response message to the user terminal when the first request signature value is verified as valid further comprises:
when the first request signature value is verified as valid, sending an application authorization request message to the user terminal;
receiving an application authorization response message sent by the user terminal;
if the application authorization response message is an application authorization confirmation message, sending the registration success response message to the user terminal.
19. The method according to claim 11, characterized in that the step of obtaining the second signature key according to the mobile user identification comprises:
obtaining the corresponding second root key according to the mobile user identification, the second root key having the same value as the first root key of the user terminal;
generating the second signature key, the second signature key being generated based on the second root key, and the generation method of the second signature key being consistent with the generation method by which the user terminal generates the first signature key.
20. The method according to claim 11, characterized in that the step of verifying, using the second signature key and the second information to be signed, whether the first request signature value is valid comprises:
generating a second request signature value, the second request signature value being computed from the second information to be signed using the second signature key, and the generation method of the second request signature value being consistent with the generation method by which the user terminal generates the first request signature value;
comparing the first request signature value with the second request signature value, and if the first request signature value and the second request signature value are consistent, determining that the first request signature value is valid.
21. The method according to claim 15 or claim 19, characterized in that the second root key is generated by the registrar and the user terminal based on the authentication and key agreement (AKA) mechanism.
22. The method according to claim 21, characterized in that the generation of the second root key by the registrar and the user terminal based on the AKA mechanism comprises:
receiving a root key negotiation request sent by the user terminal, the root key negotiation request including the mobile user identification;
sending an authentication request message to the home subscriber server HSS, the authentication request message including the mobile user identification;
receiving an authentication answer message returned by the home subscriber server HSS, the authentication answer message including a SIP-Auth-Data-Item attribute value pair;
obtaining the random number RAND, the authentication token AUTN, the expected response value XRES, and the second encryption key CK or/and the second integrity key IK from the SIP-Auth-Data-Item attribute value pair;
sending a root key negotiation challenge message to the user terminal, the root key negotiation challenge message including the random number RAND and the authentication token AUTN;
receiving a root key challenge response message sent by the user terminal, the root key challenge response message including the response value RES;
comparing whether the expected response value XRES and the response value RES are consistent, and if so, determining that the response value RES is valid and:
generating the second root key based on the second encryption key CK or/and the second integrity key IK, the generation method of the second root key being consistent with the generation method by which the user terminal generates the first root key;
establishing the correspondence between the mobile user identification and the second root key, and if the mobile user identification already has a corresponding root key, replacing the existing root key with the second root key;
sending a root key negotiation success response message to the user terminal.
23. The method according to claim 11, characterized in that the mobile user identification is an international mobile subscriber identity IMSI or an IP multimedia private identity IMPI.
24. A client registration device, characterized in that it is applied to a user terminal running a third-party application client and comprises a memory, a processor and a client registration program stored on the memory and executable on the processor, the client registration program, when executed by the processor, implementing the steps of the client registration method according to any one of claims 1 to 10.
25. A client registration device, characterized in that it is applied to a registrar and comprises a memory, a processor and a client registration program stored on the memory and executable on the processor, the client registration program, when executed by the processor, implementing the steps of the client registration method according to any one of claims 11 to 23.
26. A client registration system, characterized in that it comprises a user terminal and a registrar;
the user terminal includes the client registration device according to claim 24;
the registrar includes the client registration device according to claim 25.
CN201810969927.4A 2018-08-23 2018-08-23 Client registers method, apparatus and system Pending CN109041205A (en)

Priority Applications (5)

Application Number Priority Date Filing Date Title
CN201810969927.4A CN109041205A (en) 2018-08-23 2018-08-23 Client registers method, apparatus and system
PCT/CN2019/074724 WO2020037957A1 (en) 2018-08-23 2019-02-04 Client registration method, apparatus and system
CN201910777127.7A CN110858969A (en) 2018-08-23 2019-08-22 Client registration method, device and system
CN201910775079.8A CN110858968A (en) 2018-08-23 2019-08-22 Client registration method, device and system
CN201910774037.2A CN111050314B (en) 2018-08-23 2019-08-22 Client registration method, device and system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201810969927.4A CN109041205A (en) 2018-08-23 2018-08-23 Client registers method, apparatus and system

Publications (1)

Publication Number Publication Date
CN109041205A true CN109041205A (en) 2018-12-18

Family

ID=64627198

Family Applications (4)

Application Number Title Priority Date Filing Date
CN201810969927.4A Pending CN109041205A (en) 2018-08-23 2018-08-23 Client registers method, apparatus and system
CN201910777127.7A Pending CN110858969A (en) 2018-08-23 2019-08-22 Client registration method, device and system
CN201910775079.8A Pending CN110858968A (en) 2018-08-23 2019-08-22 Client registration method, device and system
CN201910774037.2A Active CN111050314B (en) 2018-08-23 2019-08-22 Client registration method, device and system

Family Applications After (3)

Application Number Title Priority Date Filing Date
CN201910777127.7A Pending CN110858969A (en) 2018-08-23 2019-08-22 Client registration method, device and system
CN201910775079.8A Pending CN110858968A (en) 2018-08-23 2019-08-22 Client registration method, device and system
CN201910774037.2A Active CN111050314B (en) 2018-08-23 2019-08-22 Client registration method, device and system

Country Status (1)

Country Link
CN (4) CN109041205A (en)

Cited By (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2020037957A1 (en) * 2018-08-23 2020-02-27 刘高峰 Client registration method, apparatus and system
CN111327416A (en) * 2019-12-13 2020-06-23 刘高峰 Internet of things equipment access method and device and Internet of things platform
CN111327583A (en) * 2019-08-22 2020-06-23 刘高峰 Identity authentication method, intelligent equipment and authentication server
CN111327582A (en) * 2019-08-22 2020-06-23 刘高峰 Authorization method, device and system based on OAuth protocol
CN112118243A (en) * 2020-09-09 2020-12-22 中国联合网络通信集团有限公司 Identity authentication method and system, and Internet application login method and system
CN112689283A (en) * 2020-12-15 2021-04-20 青海大学 Key protection and negotiation method, system and storage medium
WO2024012517A1 (en) * 2022-07-14 2024-01-18 蔚来汽车科技(安徽)有限公司 End-to-end data transmission method, and device and medium

Families Citing this family (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110611719B (en) * 2019-10-16 2022-04-19 四川虹美智能科技有限公司 Message pushing method, server and system
CN114268953B (en) * 2020-09-14 2023-08-15 ***通信集团重庆有限公司 Base station authentication method, query node, system and equipment
WO2022133741A1 (en) * 2020-12-22 2022-06-30 Huawei Technologies Co., Ltd. Registration methods using one-time identifiers for user equipments and nodes implementing the registration methods
CN113806798B (en) * 2021-08-13 2023-07-14 苏州浪潮智能科技有限公司 User side verification method, system, equipment and medium
CN114338173B (en) * 2021-12-29 2023-01-24 渔翁信息技术股份有限公司 Account registration method, system, equipment and computer readable storage medium
CN114584971A (en) * 2022-02-15 2022-06-03 北京快乐茄信息技术有限公司 Account registration method and device, electronic equipment and storage medium
CN115001841A (en) * 2022-06-23 2022-09-02 北京瑞莱智慧科技有限公司 Identity authentication method, identity authentication device and storage medium
CN115208702B (en) * 2022-09-16 2022-12-30 国网江西省电力有限公司电力科学研究院 Internet of things equipment authentication and key agreement method
CN117556411B (en) * 2024-01-10 2024-05-10 鼎铉商用密码测评技术(深圳)有限公司 Password generation method, password generation device, and readable storage medium

Family Cites Families (19)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN100384120C (en) * 2004-09-30 2008-04-23 华为技术有限公司 Method for carrying out authentication for terminal user identification module in IP multimedia subsystem
CN100544249C (en) * 2004-10-29 2009-09-23 大唐移动通信设备有限公司 Mobile communication user certification and cryptographic key negotiation method
CN1859087A (en) * 2005-12-30 2006-11-08 华为技术有限公司 Key consulting method and its system for customer end and server
EP1858278B1 (en) * 2006-05-19 2013-05-15 Research In Motion Limited System and method for facilitating accelerated network selection in a radio network enviroment
CN101197673B (en) * 2006-12-05 2011-08-10 中兴通讯股份有限公司 Fixed network access into IMS bidirectional authentication and key distribution method
CN101488945B (en) * 2008-01-14 2012-09-19 北京大唐高鸿数据网络技术有限公司 Authentication method oriented to SIP
CN102150446A (en) * 2008-09-09 2011-08-10 爱立信电话股份有限公司 Authentication in a communication network
CN101635823B (en) * 2009-08-27 2011-09-21 中兴通讯股份有限公司 Method and system of terminal for encrypting videoconference data
CN102196436B (en) * 2010-03-11 2014-12-17 华为技术有限公司 Security authentication method, device and system
CN102196426B (en) * 2010-03-19 2014-11-05 ***通信集团公司 Method, device and system for accessing IMS (IP multimedia subsystem) network
CN102413464B (en) * 2011-11-24 2014-07-09 杭州东信北邮信息技术有限公司 GBA (General Bootstrapping Architecture)-based secret key negotiation system and method of telecommunication capability open platform
CN104125565A (en) * 2013-04-23 2014-10-29 中兴通讯股份有限公司 Method for realizing terminal authentication based on OMA DM, terminal and server
CN103259795B (en) * 2013-05-14 2016-12-28 百度在线网络技术(北京)有限公司 Perform registration logs in automatically method, mobile terminal and server
US20160219039A1 (en) * 2013-09-06 2016-07-28 Mario Houthooft Mobile Authentication Method and System for Providing Authenticated Access to Internet-Supported Services and Applications
CN106161032B (en) * 2015-04-24 2019-03-19 华为技术有限公司 A kind of identity authentication method and device
CN106534050A (en) * 2015-09-11 2017-03-22 中移(杭州)信息技术有限公司 Method and device for realizing key agreement of virtual private network (VPN)
CN107454045B (en) * 2016-06-01 2020-09-11 宇龙计算机通信科技(深圳)有限公司 Method, device and system for user IMS registration authentication
WO2018053271A1 (en) * 2016-09-16 2018-03-22 Idac Holdings, Inc. Unified authentication framework
CN108401275A (en) * 2017-02-06 2018-08-14 财团法人工业技术研究院 user equipment registration method, network controller and network communication system

Cited By (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2020037957A1 (en) * 2018-08-23 2020-02-27 刘高峰 Client registration method, apparatus and system
CN111327583A (en) * 2019-08-22 2020-06-23 刘高峰 Identity authentication method, intelligent equipment and authentication server
CN111327582A (en) * 2019-08-22 2020-06-23 刘高峰 Authorization method, device and system based on OAuth protocol
CN111327583B (en) * 2019-08-22 2022-03-04 刘高峰 Identity authentication method, intelligent equipment and authentication server
CN111327416A (en) * 2019-12-13 2020-06-23 刘高峰 Internet of things equipment access method and device and Internet of things platform
CN112118243A (en) * 2020-09-09 2020-12-22 中国联合网络通信集团有限公司 Identity authentication method and system, and Internet application login method and system
CN112118243B (en) * 2020-09-09 2023-04-07 中国联合网络通信集团有限公司 Identity authentication method and system, and Internet application login method and system
CN112689283A (en) * 2020-12-15 2021-04-20 青海大学 Key protection and negotiation method, system and storage medium
WO2024012517A1 (en) * 2022-07-14 2024-01-18 蔚来汽车科技(安徽)有限公司 End-to-end data transmission method, and device and medium

Also Published As

Publication number Publication date
CN110858968A (en) 2020-03-03
CN110858969A (en) 2020-03-03
CN111050314B (en) 2023-06-30
CN111050314A (en) 2020-04-21

Similar Documents

Publication Publication Date Title
CN109041205A (en) Client registers method, apparatus and system
CN111327582B (en) Authorization method, device and system based on OAuth protocol
US10284555B2 (en) User equipment credential system
KR102018971B1 (en) Method for enabling network access device to access wireless network access point, network access device, application server and non-volatile computer readable storage medium
US10880291B2 (en) Mobile identity for single sign-on (SSO) in enterprise networks
US9015819B2 (en) Method and system for single sign-on
US20120284786A1 (en) System and method for providing access credentials
CN111050322B (en) GBA-based client registration and key sharing method, device and system
US20050135622A1 (en) Upper layer security based on lower layer keying
US20110145575A1 (en) Secure Bootstrapping Architecture Method Based on Password-Based Digest Authentication
CN101406021A (en) SIM based authentication
KR20060049882A (en) Device and process for wireless local area network association and corresponding products
CN101426190A (en) Service access authentication method and system
CN101986598A (en) Authentication method, server and system
CN112235799B (en) Network access authentication method and system for terminal equipment
CN102014385A (en) Authentication method for mobile terminal, and mobile terminal
JP5165725B2 (en) Method and apparatus for authenticating a mobile device
CN105721403B (en) For providing the method, equipment and system of wireless network resource
Vargic et al. Provisioning of VoIP services for mobile subscribers using WiFi access network
KR102024376B1 (en) Method of bootstrapping of internet of thing device
CN117915322A (en) Slice secondary authentication method and system based on key integrity detection
WO2020037957A1 (en) Client registration method, apparatus and system
JP6591051B2 (en) How to authenticate a subscriber in a local network
Thagadur Prakash Enhancements to Secure Bootstrapping of Smart Appliances
KR101532117B1 (en) System and method for supporting emergency call after the access fail

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
WD01 Invention patent application deemed withdrawn after publication (Application publication date: 20181218)