Method for strengthened authentication by binding an access account to a service account
Technical field
The present invention relates to the field of broadband access networks and IPTV (Internet Protocol Television) service applications, and in particular to user authentication techniques in the IPTV service.
Background technology
As IPTV services become richer and more widespread, the customer base keeps growing, and operators need to strengthen the security of user account management in order to provide a basis for better promotion of IPTV services.
In existing applications, the two input fields of the login interface (user name and password) require the user to enter correct IPTV service account information. When the user enters the account (service account name and password), authentication is performed by the IPTV service backend, or by a third-party system (97/CRM/VNET, where 97 refers to the "97 system", an OSS adopted by some operators; CRM is customer relationship management; VNET is a voice communication network) that authenticates the user account information.
In the prior art, the operator assigns a fixed broadband access account to each user's set-top box, and the set-top box reports this broadband access account number. However, the broadband access account and the customer service account are usually not bound to each other, which may create the following billing risks for the IPTV service backend:
(1) a user can use the IPTV service from many locations with one service account (multi-access, multi-user sharing of one service account);
(2) a user can use the IPTV service through many set-top boxes with one service account (single access, many users sharing one service account);
(3) a user can use the IPTV service on many terminals with one service account (single access, multi-terminal sharing of one service account).
The above three scenarios not only cause operating losses for the operator; at the same time, if the service account is stolen, the user who legitimately holds the service account may also suffer heavy economic or information-security losses.
Therefore, a safer and more effective authentication method is needed. Under the premise of guaranteeing account security, adding a binding between the broadband account and the service account can strengthen the security of user account management, prevent theft of the service account, and avoid losses for both the operator and the user.
Summary of the invention
The technical problem to be solved by the present invention is to provide a method of strengthened authentication that, by binding the access account to the service account, solves the problems in the prior art where logging in with only the customer service account allows multi-access use, multi-device sharing, and easy theft of the account.
The invention provides a method for strengthened authentication by binding an access account to a service account, comprising the following steps:
(1) after power-on and after passing broadband access authentication, the set-top box reports to the IPTV system login parameters comprising access account information, service account information, set-top box access type, and access user type;
(2) the IPTV system judges, according to the set-top box access type, whether the access account and the service account need to be matched and verified;
(3) when matching verification is needed, it further judges whether the access user type is a special user or an ordinary user; if the user is an ordinary user who has successfully logged in before, the access account and the service account are compared to judge whether they match;
(4) if the comparison result is consistent, or the user is a special account, or this is the first login of an ordinary user, the third-party system is notified to perform authentication;
(5) after the third-party system completes authentication, the authentication information is fed back to the set-top box through the IPTV system.
Further, in step (1):
The access account information comprises the access account and its password; the service account information comprises the service account and its password; the set-top box access type means the access mode by which the set-top box accesses the IPTV system, namely local area network (LAN) access, dial-up user ADSL access, or dynamic host configuration protocol (DHCP) access; the access user type means whether the user is a special user or an ordinary user, where a special user is one defined and added in the user management part of the service provider's portal and operation support system (OSS) user management, and whose accounts do not need to be compared for matching.
Further, in step (2), when judging according to the set-top box access type whether the access account and the service account need matching verification: if the access type is LAN access, the access account is empty, so the access account and the service account do not need to be matched; otherwise, continue to step (3).
Further, step (3) is further divided into:
(3-1) using the user part of the service provider's OSS, judge whether this user is a special user, or whether this is the first login of an ordinary user; if it is a special user or the first login of an ordinary user, execute step (4); if the user is an ordinary user who has successfully logged in before, continue with step (3-2);
(3-2) obtain the matching rule between the access account and the service account that the operator has set in advance;
(3-3) compare the access account and the service account reported by the set-top box according to the matching rule and judge whether they match.
Further, step (4) further comprises:
if the comparison is inconsistent, directly notify the user of an account error on the electronic program guide, and notify the third-party system with the error number.
Further, step (4) is further divided into:
(4-1) if this is the first login of an ordinary user, or the user type is a special user, the user information is sent to the third-party system for authentication:
A. the third-party system performs authentication;
B. the third-party system returns the authentication result (passed or failed) to the electronic program guide system;
C. if authentication passed, the electronic program guide system notifies the background database to register this user account, and notifies the set-top box that it may use the service;
D. if authentication failed, the electronic program guide system notifies the set-top box of the failed authentication result;
E. the administrator can, through the Portal, define and manage special users among the users already registered in the third-party system;
F. the background database modifies the user type of the designated user according to the administrator's operation;
G. the Portal interface returns a message indicating that the modification succeeded or failed to the administrator.
Compared with the prior art, the technical solution of the present invention has the following beneficial effects:
(1) the security of service provisioning is strengthened, preventing one service account from being used at multiple locations (multiple set-top boxes at multiple addresses using one service account) or shared by multiple devices (multiple set-top boxes and PCs at one address sharing one service account);
(2) the user is restricted so that bandwidth upgraded for the IPTV service can only be used for the IPTV service. The user cannot use this bandwidth for information browsing, data downloading and similar functions, which reduces the operator's operating costs without affecting broadband service revenue;
(3) binding the access account to the service account restricts the service account so that it can only use the IPTV service through a set-top box. Without this, the service account could also be used for the IPTV service through a web browser. In that latter scenario, to let the user use the IPTV service smoothly, the bandwidth for the user's web browsing would also have to be guaranteed, so the operator's IPTV deployment would be affected by the user's bandwidth demand when using traditional data services, which in turn affects the operation of the broadband service. Of course, the operator could also restrict accounts at the DSLAM equipment layer, but the central office requires this function to be enforced on the service side.
Description of drawings
Fig. 1 is the service flow of comparison verification between the access account and the service account;
Fig. 2 is the service flow of special user definition and management.
Embodiment
The specific implementation of the technical solution of the present invention is described in further detail below with reference to the drawings and specific embodiments.
To prevent theft of the IPTV service account; to prevent one service account from being shared at multiple addresses or by multiple set-top boxes; and to avoid comparison for service accounts marked as special users, it is proposed to add a binding-comparison flow which, at user access authentication, achieves secure authentication based on a comparison of the bound accounts.
When the user logs in for authentication, the user's broadband account and service account are compared; only if they have the same name or match are they sent to the backend or the third-party system for service authentication, which guarantees the uniqueness of the service account login. At the same time, accounts marked as special users are supported: no such comparison is done for them, and they are sent directly to the backend or the third-party system for service authentication.
As shown in Fig. 1, the step of comparing the access account and the service account in the method of the invention can be further divided into the following concrete steps:
Step 101: the user powers on the set-top box; after broadband access authentication passes, the access account, the service account and their respective passwords (together with information such as set-top box model and serial number) are reported to the IPTV system;
Step 102: the IPTV system judges the set-top box access type from the parameters sent by the set-top box. If access is by LAN mode, the access account is empty and no matching verification is done. The access type (accessmethod) can be defined as three kinds, represented as follows: (accessmethod=LAN|ADSL|DHCP), where LAN is local area network access, ADSL is dial-up user access, and DHCP is Dynamic Host Configuration Protocol access;
Step 103: the IPTV system judges whether this access user is a special account (special user definition and management need to be added in the user management part of the service provider's portal OSS);
Step 104: if it is not a special account, the two accounts (access account and service account) are compared for matching (example: take the user name before "@vod" and compare it with the service account name);
A one-to-one matching rule needs to be set in advance for the comparison; the two accounts need not be identical, but must satisfy the matching rule. In practice, operators usually adopt the principle of fixed-line number + suffix; for example, the broadband access account for the ADSL service can usually take the form fixed-line number + "@adsl", while the IPTV service account can take the form fixed-line number + "@iptv" or fixed-line number + "@vod". This depends on the operator's specific configuration.
Step 105: if the comparison is inconsistent, the user is directly notified "account error: 10001" on the electronic program guide (EPG). 10001 indicates that the two accounts do not match; the error number is reported to third-party systems such as 97/CRM/VNET;
Step 106: if the comparison is consistent, or the account is a special account, the third-party system is notified to perform authentication;
Step 107: authentication is performed by the third-party system side;
Step 108: the third-party system returns the information (authentication passed or failed) to the IPTV system;
Step 109: the IPTV system returns the information (authentication passed or failed) to the set-top box;
After the account binding function is added, for the first login of an account and for the setting of special accounts, authentication information still needs to be fetched from the third-party system. In a flow that does no account comparison, this authentication process is unnecessary. The binding and verification rules are customizable. The first login of an ordinary user does not need matching verification, because that user's access account information has not yet been registered. But after the first successful login, subsequent logins must pass matching verification. The verification is then checked again by the third-party side.
Second step: the special user definition flow.
The first step is the scheme described above. Here, the operator adopts a handling flow for special users within the account comparison scheme (i.e. users designated as not needing this comparison, who are authenticated directly). It is intended to enrich the application scenarios of the account comparison scheme and can be applied as a customized function on the premise that the operator adopts the account comparison scheme.
As shown in Fig. 2, this step consists of the following concrete flow:
Step 201: the user powers on the set-top box and logs in to the EPG to request authentication;
Step 202: the EPG system sends the service account information reported by the set-top box to the IPTV system background database to judge whether this is the user's first login, i.e. whether the background database has already saved this account's information;
Step 203: the background database searches by service account to judge whether this user information is registered, and if registered, judges the user type (special or ordinary);
"Registered" means that this user has logged in before, corresponding to the first-login judgment in step 202.
Step 204: the result message of the user type judgement is returned to the EPG;
Step 205: if this user has not been registered, or the user type is a special user, the user information is sent to the third-party system, which performs authentication; the authentication comprises:
A. the third-party system performs authentication;
B. the third-party system returns the authentication result (passed or failed) to the EPG system;
C. if authentication passed, the EPG notifies the background database to register this user account, and notifies the user (set-top box) that the service may be used;
D. if authentication failed, the set-top box is notified of the authentication result (failed);
E. the administrator can, through the Portal, define and manage special users among the users already registered in the third-party system;
F. the background database modifies the attribute (special or ordinary) of the designated user according to the administrator's operation;
G. the Portal interface returns a message to the administrator (modification succeeded or failed);
Step 206: if this user is an ordinary user who has successfully logged in before, matching verification of the access account and the service account is done:
(a) if the matching verification passes, the request continues to the third-party system for verification, following the third-party system's authentication flow;
(b) if the matching verification does not pass, the user is directly notified "account error: 10001" on the EPG. 10001 indicates that the two accounts do not match; the error number is reported to the third-party system.
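As an added illustration that is not part of the patent, the following Python models the decision flow of steps 102 to 106 and 205 to 206 together with the fixed-line-number-plus-suffix matching rule of steps 104 and 105; the concrete suffixes, the digit-count check, the in-memory registry standing in for the background database, and the sample account numbers are all constructed assumptions.

```python
import re
from typing import Optional

# Constructed "fixed-line number + suffix" matching rule in the style the text
# describes; the concrete suffixes are an assumption, an operator configures its own.
ACCESS_SUFFIXES = ("@adsl",)
SERVICE_SUFFIXES = ("@iptv", "@vod")
ERR_MISMATCH = "10001"  # error number shown on the EPG in step 105

# Constructed stand-in for the background database of steps 202/203:
# service account -> user type, present only after a successful login.
REGISTERED = {"88881234@vod": "common", "88885678@vod": "special"}


def subscriber_number(account: str, suffixes) -> Optional[str]:
    """Return the fixed-line number in front of an expected suffix, or None."""
    for s in suffixes:
        if account.endswith(s):
            number = account[: -len(s)]
            if re.fullmatch(r"\d{6,12}", number):  # assumed number format
                return number
    return None


def accounts_match(access_account: str, service_account: str) -> bool:
    """Step (3-3): accounts need not be identical, only the number must agree."""
    a = subscriber_number(access_account, ACCESS_SUFFIXES)
    b = subscriber_number(service_account, SERVICE_SUFFIXES)
    return a is not None and a == b


def login_decision(access_method: str, access_account: str, service_account: str) -> str:
    """Steps 102-106: what the IPTV system does with a reported login."""
    if access_method == "LAN":          # step 102: access account is empty, no matching
        return "THIRD_PARTY_AUTH"
    if access_method not in ("ADSL", "DHCP"):
        raise ValueError("unknown access method: " + access_method)
    user_type = REGISTERED.get(service_account)
    if user_type is None:               # first login, nothing to compare against yet
        return "THIRD_PARTY_AUTH"
    if user_type == "special":          # step 103: special accounts skip the comparison
        return "THIRD_PARTY_AUTH"
    if accounts_match(access_account, service_account):   # step 104
        return "THIRD_PARTY_AUTH"
    return "EPG_ERROR:" + ERR_MISMATCH  # step 105: comparison inconsistent


def record_auth_result(service_account: str, passed: bool) -> bool:
    """Step 205 C: a passed third-party authentication registers the account."""
    if passed and service_account not in REGISTERED:
        REGISTERED[service_account] = "common"
    return service_account in REGISTERED
```

Once an ordinary account has been registered by a passed authentication, every later login from a non-matching access account is rejected with error 10001 before the third-party system is contacted.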