CN111901127A - Method for solving identity authentication in SIP (Session initiation protocol) based on identification password technology
- Publication number: CN111901127A
- Application number: CN202010790274.0A
- Authority
- CN
- China
- Prior art keywords
- sip
- random number
- platform
- user agent
- key
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Classifications
- H—ELECTRICITY
  - H04—ELECTRIC COMMUNICATION TECHNIQUE
    - H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
      - H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
        - H04L9/32—including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
          - H04L9/3247—involving digital signatures
          - H04L9/3271—using challenge-response
            - H04L9/3273—using challenge-response for mutual authentication
      - H04L63/00—Network architectures or network communication protocols for network security
        - H04L63/08—for authentication of entities
          - H04L63/0869—for achieving mutual authentication
          - H04L63/0876—based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
      - H04L65/00—Network arrangements, protocols or services for supporting real-time applications in data packet communication
        - H04L65/1066—Session management
          - H04L65/1101—Session protocols
            - H04L65/1104—Session initiation protocol [SIP]
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Power Engineering (AREA)
- Telephonic Communication Services (AREA)
Abstract
The invention discloses a method for identity authentication in SIP (Session Initiation Protocol) based on identity-based cryptography, which extends SIP as follows: a User Agent Client (UAC) and a User Agent Server (UAS) each apply to a key management center for a key pair according to their SIP identity; in the registration or on-demand stage of SIP, the UAC and the UAS each generate a random number, each signs the key header fields and the random numbers in the SIP message with the private key it holds, the signature is attached to the SIP message, and the opposite end verifies it. Combined with the SM9 algorithm published by the State Cryptography Administration, the method can meet the relevant national security requirements in the audio and video field and is suited to scenarios with very large numbers of devices.
Description
Technical Field
The invention relates to the technical field of cryptography, in particular to identity authentication in network communication, and specifically to a method for identity authentication in SIP (Session Initiation Protocol) based on identity-based cryptography (rendered as "identification password technology" in the title).
Background
The standards currently adopted in the field of identity authentication in network communication are mainly the following:
(I) SM9
GM/T 0044.1-2016 SM9 identity-based cryptographic algorithm, Part 1: General
GM/T 0044.2-2016 SM9 identity-based cryptographic algorithm, Part 2: Digital signature algorithm
GM/T 0044.3-2016 SM9 identity-based cryptographic algorithm, Part 3: Key exchange protocol
GM/T 0044.4-2016 SM9 identity-based cryptographic algorithm, Part 4: Key encapsulation mechanism and public key encryption algorithm
GM/T 0044.5-2016 SM9 identity-based cryptographic algorithm, Part 5: Parameter definition
(II) SIP protocol
The Session Initiation Protocol (SIP) is defined by the following IETF documents:
https://tools.ietf.org/html/rfc3261 : RFC 3261, SIP: Session Initiation Protocol
https://tools.ietf.org/id/draft-kupwade-sip-iba-00.html : Identity-Based Authentication in the Session Initiation Protocol, draft-kupwade-sip-iba-00
(III) SIP-related standards of the Chinese public security industry
GB/T 28181-2016 Technical requirements for information transmission, exchange and control of public security video surveillance networking systems
GB 35114-2017 Technical requirements for information security of public security video surveillance networking systems
Disclosure of Invention
The invention is described for a domestic public security video surveillance scenario, based on the SM9 identity-based algorithm issued by the State Cryptography Administration, and addresses mainly the SIP stage in which front-end equipment (audio/video capture devices) initiates registration with a video platform. Front-end equipment can be used by the video platform only after it has registered with it; registration is a precondition for communication between the two parties and serves as the IBE identity authentication stage. Before use, a key distribution center must generate signature key pairs for all SIP devices according to their SIP identities, and these key pairs are received by the devices through secure out-of-band distribution.
A method for identity authentication in the SIP protocol based on identity-based cryptography specifically comprises the following steps:
Step one: the front-end equipment initiates registration with the video platform, carrying a first random number;
Step two: after receiving the registration request of the front-end equipment, the platform returns Unauthorized (401), carrying a second random number;
Step three: the front-end equipment initiates registration again, signs the first random number, the second random number and the key SIP header fields with its signature private key, places the signature in the SIP header field and sends it to the platform;
Step four: after receiving the request, the platform takes the SIP identity of the front-end equipment from the request and verifies the signature with it; the platform then sends 200 OK carrying a signature, made with the platform's signature private key, over the first random number, the second random number and the key SIP header fields, and the front-end device verifies it using the SIP identity from its request.
In a preferred embodiment of the present invention, the front-end device is an audio/video capture device; the platform is a video platform.
The invention solves identity authentication for very large numbers of SIP devices with the SM9 identity-based cryptographic technique, building on the existing SIP security framework. At the same time the SIP protocol is extended, and the SM9 data envelope format is used to realize identity authentication and key agreement.
Because the SIP protocol locates devices by their identity identifier, an IBE-based system fits this scenario naturally, whereas the traditional approach relies on a PKI system to secure SIP device identities. The verifier can take the SIP identity of the opposite end directly from the SIP header and authenticate with it, so verification cost is greatly reduced; the IBE-based system therefore suits scenarios with very large numbers of devices, and construction, operation and maintenance costs are greatly reduced.
Drawings
The invention is further described below in conjunction with the appended drawings and the detailed description.
Fig. 1 is a flow chart of a key distribution center applying for a key in the present invention.
Fig. 2 is a flow chart of authentication in the SIP registration phase of the present invention.
Detailed Description
To make the technical means, the features, the objects and the effects of the invention easy to understand, the invention is further explained below with reference to the drawings.
The invention provides a method for identity authentication in SIP (Session Initiation Protocol) based on identity-based cryptography. Before use, every device in the scenario must have been issued a key by the key distribution center (KGC); key distribution is shown in Fig. 1 and comprises the following steps:
Step 1: the key distribution center generates a random number and derives the signature master key pair from it; the signature master public key is published, and the signature master private key is kept by the key distribution center.
Step 2: each SIP device in the scenario applies to the key distribution center for a user signature key according to its SIP identity, and must submit that identity with the application. In the domestic public security video surveillance scenario, the SIP device identity can use the unified code described in Appendix D of GB/T 28181-2016 (technical requirements for information transmission, exchange and control of public security video surveillance networking systems); the code is unique within one scenario, describes the deployment site and device type in 20 digits, and is completed with a random code to identify the device.
With reference to Fig. 2, the method for identity authentication in SIP based on identity-based cryptography specifically comprises the following steps:
Step 1: when a front-end device, the UAC (SIP), such as an audio/video capture device, initiates device authentication with the video platform, the UAS (SIP), the front-end device generates random number 1 (the first random number), enables the "Authorization" header field and places random number 1 in the "nonce" parameter, where random number 1 is expressed as hexadecimal ASCII. For example:
Authorization: Digest username="34020000001320000001", realm="3402000000", nonce="6264dfc9cdea171f8de9cde509d067bf", algorithm=SM9
Here username is the SIP identity of the front-end device, realm is the domain name of the video platform, nonce is random number 1 generated by the front-end device, and algorithm identifies the signature algorithm.
Step 2: after receiving the registration request of the front-end device UAC (SIP), the video platform UAS (SIP) returns 401 Unauthorized, generates random number 2 (the second random number), enables the "WWW-Authenticate" header field and places random number 2 in the "nonce" parameter, expressed as hexadecimal ASCII. For example:
WWW-Authenticate: Digest realm="3402000000", nonce="243c881bedf30f807d7eadb7beb2a0e0", algorithm=SM9
Step 3: after receiving the response, the front-end device UAC (SIP) initiates the request again, signs the data (Request-URI + From + To + CSeq + Call-ID + Random1 + Random2), enables the "Authorization" header field and places the signature in the response parameter; random number 1 and random number 2 are expressed as hexadecimal ASCII. For example:
Authorization: Digest realm="3402000000", nonce="243c881bedf30f807d7eadb7beb2a0e0", response="h:XXX;S:XXXXXX", algorithm=SM9
The two parts h and S of the signature result are separated by a semicolon, and each name is separated from its value by a colon.
Step 4: after receiving the request, the video platform UAS (SIP) verifies the signature using the identity of the front-end device UAC (SIP) taken from the request, and sends 200 OK; if verification succeeds, the platform may optionally sign, with the signed content the same as in step 3. The "WWW-Authenticate" header field is enabled, and the signature, random number 1 and random number 2 are expressed as hexadecimal ASCII. For example:
WWW-Authenticate: Digest realm="3402000000", nonce="243c881bedf30f807d7eadb7beb2a0e0", algorithm=SM9
Step 5: after receiving the response, the front-end device UAC (SIP) verifies the signature of the video platform UAS (SIP), using the SIP identity from its own request.
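The five steps above, as an added example that is not code from the patent: a Go program that runs the registration exchange between a front-end device (UAC) and a video platform (UAS) with both sides' messages, the step-3 signed data bound to Request-URI, From, To, CSeq, Call-ID and both random numbers, the platform's check that the nonce returned in step 3 is the one it issued for that Call-ID, and the device's verification of the platform signature in step 5. SM9 is not in Go's standard library, so ed25519 stands in for it, and a table of public keys indexed by SIP identity emulates the identity-derived keys of SM9. The identities 34020000001320000001 and 3402000000 are the page's own example values; the length-prefixing of the signed fields, the per-Call-ID nonce state, the 192.0.2.x addresses and the Call-ID are additions and constructed values.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"fmt"
)

// Request holds the SIP header fields the scheme binds into the signature.
type Request struct{ RequestURI, From, To, CSeq, CallID string }

// Party is a SIP user agent. Keys stands in for SM9 (ed25519 is used since Go lacks SM9), where a
// verifier derives a peer's key from its identity; pending is the platform's open registrations.
type Party struct {
	ID      string
	Key     ed25519.PrivateKey
	Keys    map[string]ed25519.PublicKey
	pending map[string][2]string // Call-ID -> {nonce1, nonce2}
}

// newNonce returns 16 random bytes as 32 hex characters, like the nonces on the page.
func newNonce() string {
	b := make([]byte, 16)
	rand.Read(b) // crypto/rand; a failing OS RNG is not recoverable here
	return hex.EncodeToString(b)
}

// signedData is the step-3 input, Request-URI + From + To + CSeq + Call-ID + nonce1 + nonce2; each
// field is length-prefixed (an addition to the page) so that field boundaries cannot shift.
func signedData(r Request, n1, n2 string) []byte {
	var s string
	for _, f := range []string{r.RequestURI, r.From, r.To, r.CSeq, r.CallID, n1, n2} {
		s += fmt.Sprintf("%d:%s;", len(f), f)
	}
	return []byte(s)
}

// sign hex-encodes the signature for the response parameter (the page's "h:...;S:..." split is
// SM9-specific). verify fails, rather than panics, on an unknown identity (nil key) or bad hex.
func sign(key ed25519.PrivateKey, data []byte) string { return hex.EncodeToString(ed25519.Sign(key, data)) }
func verify(pub ed25519.PublicKey, data []byte, response string) bool {
	sig, err := hex.DecodeString(response)
	return len(pub) == ed25519.PublicKeySize && err == nil && ed25519.Verify(pub, data, sig)
}

// Handle is the platform side of one REGISTER. Without a response it runs step 2 and returns the
// platform nonce for the 401; with one it runs step 4 and returns the platform's signature for 200 OK.
func (s *Party) Handle(r Request, username, nonce, response string) (string, error) {
	if response == "" && len(nonce) == 32 {
		n2 := newNonce()
		s.pending[r.CallID] = [2]string{nonce, n2}
		return n2, nil
	}
	n, ok := s.pending[r.CallID]
	delete(s.pending, r.CallID) // one attempt per challenge, so a nonce is never reused
	data := signedData(r, n[0], n[1])
	if !ok || nonce != n[1] || !verify(s.Keys[username], data, response) {
		return "", fmt.Errorf("401: stale nonce or invalid signature for %q", username)
	}
	return sign(s.Key, data), nil
}

// Register runs steps 1, 3 and 5 on the device side. recv is the request as the platform receives
// it: equal to sent unless something on the path altered it, which must make step 4 fail.
func Register(c Party, s *Party, sent, recv Request) error {
	n1 := newNonce() // step 1: the first REGISTER carries the device nonce
	n2, err := s.Handle(recv, c.ID, n1, "")
	if err != nil {
		return err
	}
	data := signedData(sent, n1, n2) // step 3: sign the key header fields and both nonces
	resp, err := s.Handle(recv, c.ID, n2, sign(c.Key, data))
	if err != nil {
		return err
	}
	if !verify(c.Keys[s.ID], data, resp) { // step 5: verify under the platform identity (the realm)
		return fmt.Errorf("platform signature invalid")
	}
	return nil
}

// Setup issues keys to one device and one platform (identities are the page's example values) and
// builds a constructed sample REGISTER; 192.0.2.0/24 is a documentation address range.
func Setup() (Party, *Party, Request) {
	devPub, devKey, _ := ed25519.GenerateKey(nil) // a nil reader selects crypto/rand
	platPub, platKey, _ := ed25519.GenerateKey(nil)
	keys := map[string]ed25519.PublicKey{"34020000001320000001": devPub, "3402000000": platPub}
	return Party{ID: "34020000001320000001", Key: devKey, Keys: keys},
		&Party{ID: "3402000000", Key: platKey, Keys: keys, pending: map[string][2]string{}},
		Request{"sip:3402000000@192.0.2.10:5060", "<sip:34020000001320000001@3402000000>",
			"<sip:34020000001320000001@3402000000>", "1 REGISTER", "a84b4c76e66710@192.0.2.20"}
}

func main() {
	dev, plat, r := Setup()
	fmt.Println("registration:", Register(dev, plat, r, r)) // prints <nil> on success
}
```

Running it prints `<nil>` for the honest registration. Passing a request whose CSeq differs from the one the device signed, or presenting a response with a nonce the platform did not issue for that Call-ID, makes Handle return an error: that is the property the two random numbers and the binding of the key header fields into the signature are there to provide, and the nonce state is deleted on first use so a captured step-3 message cannot be presented twice.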
Claims (2)
1. A method for identity authentication in the SIP protocol based on identity-based cryptography, characterized by comprising the following steps:
Step one: the front-end equipment initiates registration with the video platform, carrying a first random number;
Step two: after receiving the registration request of the front-end equipment, the platform returns Unauthorized (401), carrying a second random number;
Step three: the front-end equipment initiates registration again, signs the first random number, the second random number and the key SIP header fields with its signature private key, places the signature in the SIP header field and sends it to the platform;
Step four: after receiving the request, the platform takes the SIP identity of the front-end equipment from the request and verifies the signature with it; the platform then sends 200 OK carrying a signature, made with the platform's signature private key, over the first random number, the second random number and the key SIP header fields, and the front-end device verifies it using the SIP identity from its request.
2. The method for identity authentication in the SIP protocol based on identity-based cryptography as claimed in claim 1, characterized in that the front-end device is an audio and video acquisition device and the platform is a video platform.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202010790274.0A CN111901127A (en) | 2020-08-07 | 2020-08-07 | Method for solving identity authentication in SIP (Session initiation protocol) based on identification password technology |
Publications (1)
Publication Number | Publication Date |
---|---|
CN111901127A true CN111901127A (en) | 2020-11-06 |
Family
ID=73246153
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202010790274.0A Pending CN111901127A (en) | 2020-08-07 | 2020-08-07 | Method for solving identity authentication in SIP (Session initiation protocol) based on identification password technology |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN111901127A (en) |
Patent Citations (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20070127447A1 (en) * | 2005-11-09 | 2007-06-07 | Sung-Kwan Cho | Session initiation protocol (SIP) based voice over internet protocol (VoIP) system and method of registering SIP terminal therein |
CN101626294A (en) * | 2008-07-07 | 2010-01-13 | 华为技术有限公司 | Certifying method based on identity, method, equipment and system for secure communication |
CN104735068A (en) * | 2015-03-24 | 2015-06-24 | 江苏物联网研究发展中心 | SIP security authentication method based on commercial passwords |
CN104753937A (en) * | 2015-03-24 | 2015-07-01 | 江苏物联网研究发展中心 | SIP (System In Package)-based security certificate registering method |
CN110300287A (en) * | 2019-07-26 | 2019-10-01 | 华东师范大学 | A kind of public safety video monitoring networking camera access authentication method |
CN110768973A (en) * | 2019-10-17 | 2020-02-07 | 公安部第一研究所 | Signaling safety evaluation system and method based on GB35114 standard |
Non-Patent Citations (3)
Title |
---|
周计成等: "一种基于身份的SIP认证与密钥协商机制", 《计算机工程与应用》 * |
牟明朗等: "基于身份密码的轻量级SIP安全方案", 《计算机应用》 * |
纪磊: "移动视频监控系统中安全技术的研究与实现", 《中国优秀硕士学位论文全文数据库 (信息科技辑)》 * |
Cited By (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN112713992A (en) * | 2020-12-22 | 2021-04-27 | 湖北工业大学 | Certificate-free anti-leakage authentication and key agreement method and system |
CN113190737A (en) * | 2021-05-06 | 2021-07-30 | 上海慧洲信息技术有限公司 | Website information acquisition system based on cloud platform |
CN113190737B (en) * | 2021-05-06 | 2024-04-16 | 上海慧洲信息技术有限公司 | Website information acquisition system based on cloud platform |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
EP3151597B1 (en) | Method and apparatus for achieving secret communications | |
RU2335866C2 (en) | Method of cryptographic key forming and distribution in mobile communication system and corresponding mobile communication system | |
KR101158956B1 (en) | Method for distributing certificates in a communication system | |
CN101030854B (en) | Method and device for mutual authentication of network entities in multimedia subsystem | |
US20140273971A1 (en) | Secure wireless communication | |
CN102868665A (en) | Method and device for data transmission | |
JP2011521548A (en) | Network helper for authentication between token and verifier | |
CN1716953B (en) | Method for identifying conversation initial protocol | |
CN112242993B (en) | Bidirectional authentication method and system | |
CN101488945B (en) | An Authentication Method Oriented to Session Initiation Protocol | |
US20030097584A1 (en) | SIP-level confidentiality protection | |
CN101449510B (en) | Method and devices for encoding and decoding media data | |
CN111901127A (en) | Method for solving identity authentication in SIP (Session initiation protocol) based on identification password technology | |
RU2328082C2 (en) | Protection method of interim data traffic mobile network and ims network | |
US12177666B2 (en) | Enhancement of authentication | |
CN111065097B (en) | Channel protection method and system based on shared secret key in mobile internet | |
KR101016277B1 (en) | Method and apparatus for registering SPI and setting SSI session with enhanced security | |
CN100556033C (en) | The method that is used for distributing passwords | |
CN100544247C (en) | The negotiating safety capability method | |
CN213938340U (en) | 5G Application Access Authentication Network Architecture | |
WO2024082963A1 (en) | Improved 5g message rcs access authentication ims-aka method capable of balancing security and efficiency | |
CN107801186B (en) | Non-access stratum abstract authentication method in trunking communication system | |
WO2011147258A1 (en) | Card authenticating method, system and user equipment | |
Gu et al. | Improved one-pass IP Multimedia Subsystem authentication for UMTS | |
CN116567633B (en) | Identity authentication method, system and equipment based on ECDSA signature algorithm |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |
| RJ01 | Rejection of invention patent application after publication | Application publication date: 20201106 |